Links such as the following suggest that I should be able to edit the registry without elevated privileges, as long as I only update HKEY_CURRENT_USER.
https://blog.codeinside.eu/2015/08/11/reg-exe-or-how-to-import-reg-files-without-admin-privileges/
However, my observation is that a command like this gets an error:
reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls" /v 1 /d {"pattern":"https://[*.]somedomain.com","filter":{"SUBJECT":{"CN":"MyCNValue"}}}
Is this expected, i.e. only administrators are permitted to update registry entries for anything, including HKEY_CURRENT_USER? Or have I overlooked something?
For what it's worth ... read queries of HKEY_CURRENT_USER are working fine without admin privileges:
The subkey HKEY_CURRENT_USER\SOFTWARE\ Policies is special.
Please check the security on it, you will notice your username is read-only and the built-in administrator's group is read/write.
This is done that way as GPO in domain environment that push per-user setting write there. To allow the user to erase or change them will yield no value to enforce enterprise policy per user.
For reference please see that Excel document, Group Policy Settings Reference Spreadsheet for Windows 10 May 2020 Update (2004), you will see all per-user setting all go there.
In your case if your customer got a domain, I would suggest to use Chrome .ADMX to set such settings. That way it's managed centrally, and the user got no prompt as it's the gpo that apply the settings to that registry place. You can get the ADMX there inside that pack, https://chromeenterprise.google/browser/download/#windows-tab.