braedachau
Jan 24, 2021

Acrobat DC Reader Vulnerabilities - Endpoint Manager - PowerShell

To whom it may concern,

Please excuse me, but I believe the post belongs here, not in the PowerShell discussion.

I deleted the post placed in the PowerShell group.

Background:

  1. I have a test tenant that is pure "Microsoft Modern Management"
  2. There is no on-premise SCCM nor is there one in the cloud
  3. 2 systems are joined (as they should be); the remaining 3 are registered BYOD
  4. All solutions are applied from WDATP recommendations that can be without GP (so Intune direct or via registry entries (PowerShell))
  5. All systems are MDM managed not MAM (I have checked this at least 6 times)
  • I currently have 9 PowerShell scripts that are deployed to all users and all devices.
  • This one is causing me grief, in that it has been set to check that the program is installed, and reset the values.
  • What I don't understand is why it is throwing an error. It shouldn't throw anything.
  • What have I done wrong?

The code is here.

#Adobe DC Reader feature lockdown
#Call the registry value and then set the value.  If the value doesn't exist, the app is not installed, so exit
#Updated 24-01-2021 and tested on machine with Adobe DC installed - MDM is failing where program doesn't exist


If (Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown')
    {
    #If the key already exists just set the value
    Write-Output "True"
    Set-Itemproperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' -Name 'bDisableJavaScript' -value '1'
    Set-Itemproperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' -Name 'bEnableFlash' -value '0'
    Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
    }
    else
    {
     #If the key doesn't exist then the program is not installed and doesn't need rectification
     Write-Output "False"
     }

Although it is not a Biggy

  1. Does this mean the code has failed because of code or
  2. Is this what it is meant to do and report in Endpoint manager (I like all green reports)

You can see the result in Endpoint Manager here.

Thanks in advance.  I'm sure it's programming, but as I said I have another 5 of these that are roughly the same sort of coding format, and I am not getting the same issues.

  • MK_Nils

    Hello braedachau

    The issue is caused by the if condition; the path you try to check cannot be found because it does not exist when Adobe DC is not installed. (I believe that the registries have not been set by Adobe DC then.)

    Try it with "Test-Path"

    Example:

    #Check path
    If (Test-path -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown')
    {}

      • travisrauh
        Hey braedachau,

        Did MK_Nils's suggestion work? If so, do you think you'd be willing to show me exactly where you added that "test-path" in to your code? I'm unfortunately self-teaching, our environment is set up the exact same way as yours (pure cloud, recommendations from WDATP, etc.), and I'm trying to follow those two same recommendations.
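
On where the Test-Path check goes: the following is an added example, not code posted by anyone in this thread. It is the original script with the `If` condition changed to `Test-Path`; the `-Type DWord` argument, the read-back check and the explicit exit codes are additions, and `-Type DWord` assumes these policy values are DWORDs.

```powershell
# Added example: the lockdown script from the question with the existence check done by Test-Path.
$policyPath = 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

# Value names and data come from the original script.
$desired = [ordered]@{
    bDisableJavaScript = 1
    bEnableFlash       = 0
}

# Test-Path returns $true or $false and writes nothing to the error stream,
# so a machine without the key takes the "False" branch cleanly.
# Get-ItemProperty on a missing key writes a "Cannot find path" error instead.
if (-not (Test-Path -Path $policyPath)) {
    Write-Output 'False'
    exit 0
}

Write-Output 'True'
try {
    foreach ($name in $desired.Keys) {
        # -Type DWord is an addition (assumption: these policy values are DWORDs);
        # the original passed the strings '1' and '0'.
        Set-ItemProperty -Path $policyPath -Name $name -Value $desired[$name] -Type DWord -ErrorAction Stop
    }
}
catch {
    Write-Error "Could not set FeatureLockDown values: $_"
    exit 1
}

# Read the values back so the script output shows what was applied,
# and fail loudly if a value did not stick.
$current = Get-ItemProperty -Path $policyPath
foreach ($name in $desired.Keys) {
    if ($current.$name -ne $desired[$name]) {
        Write-Error "$name is '$($current.$name)', expected '$($desired[$name])'"
        exit 1
    }
}
$current | Select-Object -Property @($desired.Keys)
exit 0
```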
