1. Is there any way to restrict which patch policies a user can see? I want certain admins to be able to approve patches, but only in certain patch policies.
2. Is it possible, with an agent procedure, to check for a registry key value and add a machine to a patch policy based on the value?
I don't know about number 1.
But number 2 is something you can do via Policy Management.
Basically we create multiple patch policies for each of our clients (if needed) and this policy affects certain machines based on a custom variable, and that policy applies patching settings including the patch policy.
We either manually set that variable or use an audit-type procedure to do so.
Hope that helps
Non-master admins see any patch policy s/he created and any patch policies which are assigned to at least one machine within his/her scope. If you want to restrict the visible policies for a specific admin, you would need to remove any orgs/groups/machines from his/her scope that are using the policy you don't want him/her to see. Patch policies do not have a "share" level function on each individual policy, though you might consider submitting a feature request for that level of functionality.
It is important to note that the Patch Policies function page does have a check box which allows you to show all patch policies to all users. Only Master admins see this option. If enabled, all users would see all patch policies, even if a particular policy isn't assigned to any endpoints within the user's scope.
As far as adding patch policies based on a specific registry value, Rowan Smith's suggestion is a great way to approach it. Run an AP to check for the presence of a registry entry. Write an annotation to a custom field based on the value. Create views that filter to machines based on the custom field's value. Create Policy Management (KPM) Policies to assign the desired patch policy. Associate the desired view with the KPM policy and assign the KPM policy to the org/group. This would result in, for example, KPM Policy A assigning only to machines where custom field = A based on the machine's membership in the view filtering to machines where Custom Field = A.
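As an added example (not part of this thread or of Kaseya's own tooling), here is the endpoint-side PowerShell script that the Agent Procedure in the approach above could run: it reads the registry value, maps it through an allow-list to a patch-ring token, and prints that single token so the procedure can capture it and write it into the custom field. The key path, value name and ring names are placeholders, and the step that copies the script output into the custom field is assumed to be configured in the Agent Procedure itself.

```powershell
# Added example: endpoint-side classification script for the Agent Procedure
# described above. Path, value name and ring names are placeholders; adjust
# them to your own deployment. The Agent Procedure is assumed to run this
# script, capture its one line of output, and write it to the custom field.

$KeyPath   = 'HKLM:\SOFTWARE\ExampleCorp\Patching'   # placeholder key
$ValueName = 'PatchRing'                             # placeholder value name

# Allow-list of registry values that map to a patch policy. Anything else
# falls through to 'Unassigned', so a typo or a locally edited value cannot
# move a machine into a more permissive policy than the one intended for it.
$AllowedRings = @{
    'Pilot'      = 'Ring-Pilot'
    'Production' = 'Ring-Production'
    'Critical'   = 'Ring-Critical'
}

function Get-PatchRingToken {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        $raw  = [string]$item.$Name
    } catch {
        # Key or value missing: return a deterministic token rather than an
        # error, so the custom field is still populated and the machine shows
        # up in an 'Unassigned' view instead of silently dropping out of patching.
        return 'Unassigned'
    }
    $raw = $raw.Trim()
    if ($AllowedRings.ContainsKey($raw)) {
        return $AllowedRings[$raw]
    }
    return 'Unassigned'
}

# Emit exactly one line; the Agent Procedure reads this into a variable.
Write-Output (Get-PatchRingToken -Path $KeyPath -Name $ValueName)
```

Build one view per token (including 'Unassigned') so that machines whose registry value is missing or unrecognised are visible and can be reviewed rather than left outside every patch policy.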