Proactive Remediations - Security Recommendations Defender Endpoint


Hello,

 

Really stupid question - has anybody written detection and remediation PowerShell scripts for the following:

1.  Disable Adobe Flash - Adobe DC Reader

2.  Disable Java Script - Adobe DC Reader

3.  ASR - Block persistence through WMI Event subscription.

 

This is probably not a problem for most of you as your systems are joined to a domain.

However most of mine are not and are managed - yeah I know - don't say it.

Since Endpoint Analytics proactive remediation is not an option in a non-joined scenario, I need to run the PowerShell scripts within Intune to force the issue.

 

Thanks for your patience, and if you can share your scripts I would be truly grateful.

 

I might add - why has Microsoft not added these by default, even if they are not active?  I obviously have a lot to learn, so if you have a lot of patience - feel free.  I learn quickly.

 

I also note that a lot of security recommendations need alterations to the registry, so if you have one of these PowerShell scripts lying about, I wouldn't mind a look either.

 

I have attached a screenshot of my current security level.  I thought I was doing well.

 

Sincerely,

An amateur Admin, but keen to learn and get certified.

 

Hi

First off, you stated 'Proactive remediation is not an option in a non joined scenario'. As long as your devices are hybrid AD joined or AAD Joined, you are good to go. What join method are you using?

I would recommend not using proactive remediations to configure settings, as they can become quite cumbersome to maintain. I would advise using different Intune profiles.
For ASR for example: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-at...

For the Adobe Reader, I would try to use a 'MST' configuration file during installation => https://www.adobe.com/devnet-docs/acrobatetk/tools/Wizard/basics.html
Would this solve your issue?

@Thijs Lecomte 

 

Thanks for your reply.

You can't disable persistence via WMI via Intune.

This one you can - GUID - d1e49aac-8f56-4280-b9ba-993a6d77406c

This one you can't - GUID - e6db77e5-3df2-4cf1-b95a-636979351e5b

 

As explained here

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-su...

 

It requires a PowerShell script to be written and signed, with both the script and the signing certificate published to Windows endpoints.  I haven't signed the PowerShell script yet and am figuring out a safe way to store it "publicly" - I have no website, so I am thinking about putting them into a SharePoint site that is available to all.  I have run the PowerShell ASR script locally on 3 test machines and am waiting for Defender Endpoint to report back to see if the recommendation closes on these machines (which it should, as this happens when I close recommendations on a test machine (test) and then the entire tenant).

 

I will get back to you asap (probably a week - my day job isn't info tech) on the Acrobat problem and your recommendation, but now I might investigate if I can close these via hash blocks in Defender Endpoint (some additional testing is now required on how Acrobat runs Java and Flash).

 

Thanks.

 

 

Have you checked out regular PowerShell scripts in Intune? These might suit you better; you can also sign these (but that should also be possible with proactive remediations).

Btw: this setting is currently in development to be configured through the portal. If I were you I would hold on a little longer and configure it natively. https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development#new-setting-for-attack-surfa...

@Thijs Lecomte 

 

I have enabled this via PowerShell, although I found issues with Azure AD and Intune.

 

I will move this to the native solution when available and keep developing PowerShell scripts to deploy to fix the other shortcomings.

 

Thanks

 

 

 

@braedachau 

 

Hello,

#Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f

#Disable Flash on Adobe Reader DC : Flash is an insecure technology with many known vulnerabilities
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bEnableFlash /t REG_DWORD /d 0 /f

#Disable JavaScript on Adobe Reader DC
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bDisableJavaScript /t REG_DWORD /d 1 /f
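An added example, not code from any reply in this thread, that turns the reg add commands above and the ASR WMI-persistence rule quoted earlier into the detection half of an Intune Proactive Remediation (detection scripts signal non-compliance with exit code 1, compliance with 0). The FeatureLockDown value names and the rule GUID come from the thread; the $Remediate switch and the Write-Output wording are this example's own choices.

```powershell
# Detection script for Intune Proactive Remediations (example, not from the thread).
# Exit 1 = non-compliant (Intune then runs the remediation script), exit 0 = compliant.
$ReaderKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$Expected  = @{ bEnableFlash = 0; bDisableJavaScript = 1 }   # values used in the reply above
$AsrRuleId = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'          # Block persistence through WMI event subscription
$Remediate = $false   # assumption: set $true (or copy the fix branches into the remediation script)

$Findings = @()

# 1. Adobe Reader DC FeatureLockDown values (policy hive, so users cannot override them)
foreach ($name in $Expected.Keys) {
    $actual = (Get-ItemProperty -Path $ReaderKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual -or [int]$actual -ne $Expected[$name]) {
        $Findings += "$name is '$actual', expected $($Expected[$name])"
        if ($Remediate) {
            New-Item -Path $ReaderKey -Force | Out-Null   # creates the key path if missing
            New-ItemProperty -Path $ReaderKey -Name $name -Value $Expected[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# 2. ASR rule state. Get-MpPreference returns two parallel arrays: rule ids and
#    their actions (0 = Off, 1 = Block, 2 = Audit, 6 = Warn). Ids are compared
#    case-insensitively because Defender reports them in upper case.
$pref   = Get-MpPreference
$ids    = @($pref.AttackSurfaceReductionRules_Ids)
$acts   = @($pref.AttackSurfaceReductionRules_Actions)
$action = $null
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $AsrRuleId) { $action = $acts[$i] }
}
if ($action -ne 1) {
    $Findings += "ASR rule $AsrRuleId action is '$action', expected 1 (Block)"
    if ($Remediate) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
            -AttackSurfaceReductionRules_Actions Enabled
    }
}

# Intune shows the last line of output in the device status column.
if ($Findings.Count -eq 0) { Write-Output 'Compliant'; exit 0 }
Write-Output ($Findings -join '; ')
exit 1
```

Run it in an elevated PowerShell session (Get-MpPreference and the HKLM policy hive both need admin rights), and, as the earlier reply notes, sign the script and publish the signing certificate to the endpoints before deploying it through Intune.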

 

 

Lassaad,

Pretty sure I got this covered but I'll check it all again, see here. Thanks.

https://github.com/Braedach/Intune-Registry-Scripts