braedachau (Brass Contributor), Jan 01, 2021
Proactive Remediations - Security Recommendations Defender Endpoint
Hello,
Really stupid question - has anybody written detection and remediation PowerShell scripts for the following
1. Disable Adobe Flash - Adobe DC Reader
2. Disable Java Script - Adobe DC Reader
3. ASR - Block persistence through WMI Event subscription.
This is probably not a problem for most of you as your systems are joined to a domain
However most of mine are not and are managed - yeah I know - don't say it.
Since Endpoint Analytics proactive remediation is not an option in a non joined scenario I need to run the PowerShell scripts within Intune to force the issue.
Thanks for your patience, and if you can share your scripts I would be truly grateful.
I might add - why has Microsoft not added these by default, even if they are not active. I obviously have a lot to learn, so if you have a lot of patience - feel free. I learn quickly.
I also note that a lot of security recommendations need alterations to the registry, so If you have one of these PowerShell scripts lying about, I wouldn't mind a look either.
I have attached a screenshot of my current security level. I thought I was doing well.
Sincerely.
An amateur admin, but keen to learn and get certified.
Lassaad (Brass Contributor)
Hello,
#Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f

#Disable Flash on Adobe Reader DC : Flash is an insecure technology with many known vulnerabilities
REG ADD "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bEnableFlash /t REG_DWORD /d 0 /f

#Disable JavaScript on Adobe Reader DC
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bDisableJavaScript /t REG_DWORD /d 00000001 /f

braedachau (Brass Contributor)
Lassaad,
Pretty sure I got this covered but I'll check it all again, see here. Thanks.
https://github.com/Braedach/Intune-Registry-Scripts
Thijs Lecomte (Bronze Contributor)
Hi,
First off, you stated 'Proactive remediation is not an option in a non joined scenario'. As long as your devices are hybrid AD joined or AAD Joined, you are good to go. What join method are you using?
I would recommend not using proactive remediations to configure settings, as they can become quite cumbersome to maintain. I would advise using different Intune profiles.
For ASR for example: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#intune
For the Adobe Reader, I would try to use a 'MST' configuration file during installation => https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/basics.html
Would this solve your issue?

braedachau (Brass Contributor)
Thanks for your reply.
You can't disable persistence via WMI via Intune.
This one you can - GUID - d1e49aac-8f56-4280-b9ba-993a6d77406c
This one you can't - GUID - e6db77e5-3df2-4cf1-b95a-636979351e5b
As explained here
It requires a PowerShell script to be written and signed, with both the script and the signing certificate published to Windows endpoints. I haven't signed the PowerShell script yet and am figuring out a safe way to store it "publicly" - I have no website, so I am thinking about putting them into a SharePoint site that is available to all. I have run the PowerShell ASR script locally on 3 test machines and am waiting for Defender Endpoint to report back to see if the recommendation closes on these machines (which it should, as this happens when I close recommendations on a test machine (test) and then the entire tenant).
I will get back to you asap (probably a week - my day job isn't info tech) on the Acrobat problem and your recommendation, but now might investigate if I can close these via hash blocks in Defender Endpoint (some additional testing now required on how Acrobat runs java and flash).
Thanks.
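Added example (not a script from this thread or from the linked repository): one PowerShell script that covers the three items discussed above, the two Adobe Reader DC FeatureLockDown values from Lassaad's reg add commands and the WMI persistence ASR rule GUID from the post above. Run without parameters it behaves as a Proactive Remediation detection script (exit 0 = compliant, exit 1 = drift found); the `-Remediate` switch is an assumption for demonstration, since Intune normally expects detection and remediation as two separate files.

```powershell
# Detection (default) / remediation (-Remediate) for the settings discussed in this thread.
# Proactive Remediation convention: exit 0 = compliant, exit 1 = non-compliant (triggers remediation).
param([switch]$Remediate)

$AdobeLockdown = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$WantedValues  = @{ bEnableFlash = 0; bDisableJavaScript = 1 }   # same values as the reg add commands above
$WmiAsrRule    = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'          # ASR: block persistence through WMI event subscription

function Test-RegistryValues {
    # Returns one line per value that is missing or differs from the wanted DWORD.
    $drift = @()
    foreach ($name in $WantedValues.Keys) {
        $current = (Get-ItemProperty -Path $AdobeLockdown -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $WantedValues[$name]) { $drift += "$name=$current (want $($WantedValues[$name]))" }
    }
    return $drift
}

function Test-AsrRule {
    # Get-MpPreference exposes parallel arrays: rule ids and their actions (0 Disabled, 1 Block, 2 Audit, 6 Warn).
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToLower() })
    $idx  = [array]::IndexOf($ids, $WmiAsrRule)
    if ($idx -lt 0 -or @($pref.AttackSurfaceReductionRules_Actions)[$idx] -ne 1) {
        return "ASR rule $WmiAsrRule is not in Block mode"
    }
    return @()
}

function Repair-Settings {
    if (-not (Test-Path $AdobeLockdown)) { New-Item -Path $AdobeLockdown -Force | Out-Null }
    foreach ($name in $WantedValues.Keys) {
        New-ItemProperty -Path $AdobeLockdown -Name $name -PropertyType DWord -Value $WantedValues[$name] -Force | Out-Null
    }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $WmiAsrRule -AttackSurfaceReductionRules_Actions Enabled
}

$findings = @(Test-RegistryValues) + @(Test-AsrRule)
if ($Remediate -and $findings.Count -gt 0) {
    Repair-Settings
    $findings = @(Test-RegistryValues) + @(Test-AsrRule)   # re-check so the exit code reflects the final state
}
if ($findings.Count -eq 0) { Write-Output 'Compliant'; exit 0 }
Write-Output ("Non-compliant: " + ($findings -join '; '))
exit 1
```

Thijs's caveat still applies: if the tenant later manages this ASR rule through an Intune profile, the management software overwrites conflicting PowerShell-set values, so the native setting should replace the script once it is available.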
Thijs Lecomte (Bronze Contributor)
Have you checked out regular PowerShell scripts in Intune? These might suit you better; you can also sign these (but that should also be possible with proactive remediations).
Btw: this setting is currently in development to be configured through the portal. If I were you I would hold on a little longer and configure it natively. https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development#new-setting-for-attack-surface-reduction-rules-to-block-malware-from-gaining-persistence-through-wmi