Need a PS Script to Search Registry and Delete Keys

Benjamin_Donato 

I feel like there's not enough information on what sits below the GUID to write a safe script, but the sample below "should" be okay so long as you run it on the client before it is enrolled into InTune.

Once the client has been enrolled in InTune, I would expect this script to no longer be safe to run as it is scoped to all accounts registered below
HKLM:\SOFTWARE\Microsoft\Provisioning\omadm\Accounts.

I feel like if we knew what the structures below
HKLM:\SOFTWARE\Microsoft\Provisioning\omadm\Accounts looked like, we might be able to better-scope a script to the outgoing MDM.

Anyhow, with those disclaimers aside, here's a basic skeleton that will do what you asked with a little bit of checking and reporting thrown in.

$AccountsPath = "HKLM:\SOFTWARE\Microsoft\Provisioning\omadm\Accounts";
$SearchPaths = @("HKLM:\SOFTWARE\Microsoft\Enrollments", "HKLM:\SOFTWARE\Microsoft\EnterpriseResourceManager\Tracked");

(Get-ChildItem -Path $AccountsPath).PSChildName |
    ForEach-Object {
        $Account = $_;
        $OkayToRemoveAccount = $true;

        $SearchPaths |
            ForEach-Object {
                $RegPath = "$_\$Account";

                if (Test-Path -Path $RegPath)
                {
                    try
                    {
                        # Try removing the path and throw an exception if we cannot for some reason.
                        Remove-Item -Path $RegPath -Recurse -ErrorAction:Stop -Force;
                    }
                    catch
                    {
                        # If an error was thrown, indicate that we are not yet in a position to delete the account entry and report the error as a warning.
                        $OkayToRemoveAccount = $false;
                        Write-Warning -Message "$($_.CategoryInfo.Category) on $RegPath.";
                    }
                }
                else
                {
                    # Report that we couldn't find this particular path, which might occur if a previous run was partially-successful and we're running the script a second (or more) time.
                    # This is not really an issue though, so there's no actions worth taking beyond notifying the operator.
                    Write-Warning "Skipping due to path not found: $RegPath.";
                }
            }

        if ($OkayToRemoveAccount)
        {
            Remove-Item -Path "$AccountsPath\$Account" -Recurse -ErrorAction:Continue -Force;
        }
        else
        {
            Write-Warning "Unwilling to remove $AccountsPath\$Account due to an earlier error.";
        }
}

And here's some example output for each basic scenario.

NOTE: I don't use an MDM so I created a basic subkey named "1" instead. In your case, this "1" corresponds to your GUID-based "FE600696-F255-4BB9-AE5E-63CC2A35047D" subkey from your post.

Access denied scenario

The key takeaway here is that the account is not removed, which allows you to safely run the script again after fixing the access denied issue.

Skipping a path that's already been deleted

Ignore the access denied, as they key takeaway in this example is the reporting of the path being skipped, indicating it's already been deleted (which is fine based on what you're trying to achieve.)

A successful result with one path having been skipped

In a successful removal where no paths have been skipped, there will be no output.

Again, do not run this on a client if it has already been enrolled into InTune.

Cheers,

Lain