Dec 31 2020 11:36 PM
Hello,
Really stupid question - has anybody written detection and remediation PowerShell scripts for the following
1. Disable Adobe Flash - Adobe DC Reader
2. Disable Java Script - Adobe DC Reader
3. ASR - Block persistence through WMI Event subscription.
This is probably not a problem for most of you as your systems are joined to a domain
However most of mine are not and are managed - yeah I know - don't say it.
Since Endpoint Analytics proactive remediation is not an option in a non joined scenario I need to run the PowerShell scripts within Intune to force the issue.
Thanks for your patience, and if you can share your scripts I would be truly grateful.
I might add - why has Microsoft not added these by default, even if they are not active. I obviously have a lot to learn, so if you have a lot of patience - feel free. I learn quickly.
I also note that a lot of security recommendations need alterations to the registry, so If you have one of these PowerShell scripts lying about, I wouldn't mind a look either.
I have attached a screenshot of my current security level. I though I was doing well
Sincerely.
A amateur Admin, but keen to learn and get certified.
Jan 02 2021 09:12 AM
Jan 05 2021 04:11 AM
Thanks for your reply.
You cant disable persistence via WMI via Intune.
This one you can - GUID - d1e49aac-8f56-4280-b9ba-993a6d77406c
This one you cant - GUID - e6db77e5-3df2-4cf1-b95a-636979351e5b
As explained here
It requires a PowerShell script to be written, signed with both the script and the signing certificate published to Windows endpoints. I haven't signed the PowerShell script yet and are figuring out a safe way to store it "publicly" - I have no website so are thinking about putting them into a SharePoint site that is available to all. I have run the PowerShell ASR script locally on 3 test machines and are waiting for Defender Endpoint to report back to see if the recommendation closes on these machines (which it should as this happens when I close recommendations on a test machine (test) then the entire tenant).
I will get back to you asap (probably a week - my day job isn't info tech) on the Acrobat problem and your recommendation, but now might investigate if I can close these via hash blocks in Defender Endpoint (some additional testing now required on how Acrobat runs java and flash).
Thanks.
Jan 05 2021 11:04 AM
Jan 13 2021 08:09 PM
I have enabled this via PowerShell although I found issues with Azure AD and Intune
I will move this to the native solution when available and keep developing PowerShell scripts to deploy to fix the other short comings.
Thanks
Jun 04 2021 08:28 AM
Hello ,
#Disable autorun/autoplay on all drives
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v NoAutoplayfornonVolume /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAutorun /t REG_DWORD /d 1 /f
#Disable Flash on Adobe Reader DC : Flash is an unsecure technology with many known vulnerabilities
REG ADD "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bEnableFlash /t REG_DWORD /d 0 /f
#Disable JavaScript on Adobe Reader DC
reg add "HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bDisableJavaScript /t REG_DWORD /d 00000001 /f
Jun 04 2021 01:47 PM