SOLVED

Acrobat DC Reader Vulnerabilities - Endpoint Manager - PowerShell


To whom it may concern,

 

Please excuse me but I believe the post belongs here not in the PowerShell discussion.

I deleted the post placed in the PowerShell group

 

Background:

  1. I have a test tenant that is pure "Microsoft Modern Management"
  2. There is no on-premise SCCM nor is there one in the cloud
  3. 2 systems are joined (as they should be) the remaining 3 are registered BYOD
  4. All solutions are applied from WDATP recommendations that can be done without GP (so Intune directly, or via registry entries set by PowerShell)
  5. All systems are MDM managed, not MAM (I have checked this at least 6 times)
  • I currently have 9 PowerShell scripts that are deployed to all users and all devices.
  • This one is causing me grief, in that it has been set to check that the program is installed, and reset the values.
  • What I don't understand is why it is throwing an error. It shouldn't throw anything.
  • What have I done wrong?

 

The code is here.
#Adobe DC Reader feature lockdown
#Read the registry key and then set the values. If the key doesn't exist the app is not installed, so exit.
#Updated 24-01-2021 and tested on a machine with Adobe DC installed - MDM is failing where the program doesn't exist

#Note: Get-ItemProperty writes an error when the key is missing, so the else branch is reached only after that error has been reported.
If (Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown')
{
    #If the key already exists just set the values (as DWORDs, the type Adobe reads them as)
    Write-Output "True"
    Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' -Name 'bDisableJavaScript' -Value 1 -Type DWord
    Set-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown' -Name 'bEnableFlash' -Value 0 -Type DWord
    Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
}
else
{
    #If the key doesn't exist then the program is not installed and doesn't need rectification
    Write-Output "False"
}
Although it is not a biggie:

  1. Does this mean the code has failed because of the code, or
  2. Is this what it is meant to do and report in Endpoint Manager? (I like all-green reports.)

 

You can see the result in Endpoint Manager here.

 

[Screenshot: 2021-01-24 (1).png, the Endpoint Manager script result]

 

Thanks in advance. I'm sure it's the programming, but as I said I have another 5 of these that are roughly the same sort of coding format, and I am not getting the same issues.

6 Replies
best response confirmed by braedachau (Contributor)
Solution

Hello @braedachau

the issue is caused by the if condition: the path you try to check cannot be found because it does not exist when Adobe DC is not installed. (I believe that the registries have not been set by Adobe DC then.)

Try it with "Test-Path"

Example:

#Check path
If (Test-Path -Path 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown')
{}

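A complete Intune-ready version of the check, as an added example that is not the poster's script or the thread's GitHub repository: the Test-Path guard above combined with typed DWORD writes and an exit code Endpoint Manager can report on. It assumes only the policy path and the two value names already used in the thread.

```powershell
# Added example: Adobe Reader DC FeatureLockDown hardening that never throws
# when Reader is absent. Path and value names are those from the thread.
$LockDownPath = 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

# Desired values. Adobe reads these as REG_DWORD; passing the string '1' to
# Set-ItemProperty on a missing value would create a REG_SZ the policy ignores.
$DesiredValues = @{
    bDisableJavaScript = 1   # block JavaScript embedded in PDFs
    bEnableFlash       = 0   # keep Flash content disabled
}

# Test-Path returns $false instead of writing an error, so devices without
# Reader show a clean run in Endpoint Manager.
if (-not (Test-Path -Path $LockDownPath)) {
    Write-Output 'FeatureLockDown key not present; Adobe Reader DC not installed, nothing to do.'
    exit 0
}

$failed = $false
foreach ($name in $DesiredValues.Keys) {
    $want = $DesiredValues[$name]
    # Read the current value; SilentlyContinue keeps a missing value name from erroring.
    $current = (Get-ItemProperty -Path $LockDownPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $want) {
        Write-Output "$name already $want"
        continue
    }
    # New-ItemProperty -Force overwrites an existing value, including one of the wrong type.
    New-ItemProperty -Path $LockDownPath -Name $name -Value $want -PropertyType DWord -Force | Out-Null
    # Read back so a failed write is reported rather than assumed.
    $after = (Get-ItemProperty -Path $LockDownPath -Name $name).$name
    if ($after -eq $want) {
        Write-Output "$name set to $want"
    } else {
        Write-Output "$name could not be set (read back '$after')"
        $failed = $true
    }
}

# A non-zero exit code is what makes the script show as failed in Endpoint Manager.
if ($failed) { exit 1 } else { exit 0 }
```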
Great. I'll do that, thanks
Hey @braedachau,

Did @MK_Nils' suggestion work? If so, do you think you'd be willing to show me exactly where you added that "Test-Path" in to your code? I'm unfortunately self-teaching, our environment is set up the exact same way as yours (pure cloud, recommendations from WDATP, etc.), and I'm trying to follow those two same recommendations.
Travis,

All code in use is here. If you find issues let me know and you would obviously be aware that lag in the MSDE portal can take 24 hours to reflect changes.

https://github.com/Braedach/Intune-Registry-Scripts

Thanks

Wow. Thank you so much for this!!

@travisrauh

Travis, I just realized something that you need to know.

If you use PowerShell to manage devices, the controls will remain in place after the machine is offboarded. So if the machine is a BYOD and the client disengages from the tenant, he/she will be stuck with the changes in the registry, without a clean install.

This could be a problem.

Regards
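One way to handle the offboarding problem raised above, as an added example that is not from the thread's author or the linked repository: a companion script that reverts only the values the lockdown script set, leaving anything another policy put in the key untouched. It assumes the same policy path and value names as the thread and would be run before a BYOD device leaves the tenant.

```powershell
# Added example: revert the FeatureLockDown values set by the Intune script.
# Path and value names are those used in the thread.
$LockDownPath  = 'Registry::HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$ManagedValues = @('bDisableJavaScript', 'bEnableFlash')

# Same Test-Path guard as the apply script: no error on devices without Reader.
if (-not (Test-Path -Path $LockDownPath)) {
    Write-Output 'FeatureLockDown key not present; nothing to revert.'
    exit 0
}

foreach ($name in $ManagedValues) {
    # Only remove values this script manages; skip ones that were never set.
    $item = Get-ItemProperty -Path $LockDownPath -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$name not set; skipping"
        continue
    }
    Remove-ItemProperty -Path $LockDownPath -Name $name
    Write-Output "$name removed"
}

# Remove the key only if nothing else is left in it, so values or subkeys
# written by some other policy survive the offboarding cleanup.
$key = Get-Item -Path $LockDownPath
if ($key.Property.Count -eq 0 -and $key.SubKeyCount -eq 0) {
    Remove-Item -Path $LockDownPath
    Write-Output 'Empty FeatureLockDown key removed'
}
exit 0
```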