Microsoftmdeklavon : Please try to deploy the below script forcing type REG_SZ instead of DWORD on both the nodes to mitigate CVE-2013-3900.
# Specify the registry path and values
$registryPath = "HKLM:\Software\Microsoft\Cryptography\Wintrust\Config"
$registryValues = @{
"EnableCertPaddingCheck" = "1"
}
# Set the registry values, forcing the type to String
foreach ($entry in $registryValues.GetEnumerator()) {
# Remove existing property if it exists
if (Test-Path -Path "$registryPath\$($entry.Key)") {
Remove-ItemProperty -Path $registryPath -Name $entry.Key -Force
}
# Create the property with the specified type and value
New-ItemProperty -Path $registryPath -Name $entry.Key -Value $entry.Value -PropertyType String -Force | Out-Null
}
# Additional registry path and key for type conversion
$wow64RegistryPath = "HKLM:\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config"
$wow64RegistryKey = "EnableCertPaddingCheck"
# Check if the registry path exists, and create it if it doesn't
if (-not (Test-Path $wow64RegistryPath)) {
New-Item -Path $wow64RegistryPath -Force | Out-Null
}
# Check if the registry key exists and is of type DWORD
if ((Test-Path -Path "$wow64RegistryPath\$wow64RegistryKey") -and
((Get-ItemProperty -Path $wow64RegistryPath -Name $wow64RegistryKey).$wow64RegistryKey.GetType().Name -eq "Int32")) {
# Remove the existing DWORD property
Remove-ItemProperty -Path $wow64RegistryPath -Name $wow64RegistryKey -Force
}
# Set the registry key with the type REG_SZ
New-ItemProperty -Path $wow64RegistryPath -Name $wow64RegistryKey -Value "1" -PropertyType String -Force | Out-Null
}
