Jerry Seinfield
asked on
GPO to create several registry keys for domain controllers and member servers issues
Hello Experts,
I was able to successfully create a GPO, linked to the Domain Controllers OU, that imports or creates 4 registry keys; however, I am running into the following issue:
a. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING with "iexplore.exe" set to "1"
b. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING with "iexplore.exe" set to "1"
The first two registry keys above are successfully created per the screenshots attached, but the other ones below are not created:
a. HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX: iexplore.exe is missing.
b. HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX: iexplore.exe is missing.
I ran gpresult and the GPO is being applied to the DCs; in fact the first two registry keys are created via GPO, but for some reason the last two are running into this issue.
I did try to create another GPO only to push these 2 keys, with no luck, and ran gpupdate /force with the same results.
The issue is that I do not want to manually create these keys from the registry editor or via a PowerShell script; they must be created via GPO, the same as the first two keys.
Any ideas on why I am unable to create these registry keys via GPO? I did try the action Create instead of Replace in the registry wizard, with no luck.
Please see the attached images for more info. As you can see below, the Feature_Allow_User32 key is being created via GPO.
ASKER
Yes, we are looking to implement a GPO for hardening IE and resolve the vulnerabilities in MS15-124.
These are the ones that for some reason I can't create via GPO:
a. HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX: iexplore.exe is missing.
b. HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX: iexplore.exe is missing.
A PowerShell script is not an option here.
Any other suggestions?
The registry can only add keys, not values.
You can look at the code example and adjust it. You could use a test such as
if %PROCESSOR_ARCHITECTURE% == x86
Does this need to be added to both the 32-bit and 64-bit versions of IE?
@echo off
rem Native registry view: the 64-bit hive on x64 Windows, the only hive on x86
rem /f overwrites silently; without it "reg add" prompts when the value already exists and a startup script would hang
reg add "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /f
reg add "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /v "iexplore.exe" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /f
reg add "HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /v "iexplore.exe" /t REG_DWORD /d 1 /f
rem On 64-bit Windows also populate the WOW6432Node view that 32-bit iexplore.exe reads.
rem Note: PROCESSOR_ARCHITECTURE reports x86 inside a 32-bit cmd.exe on x64 too, so run this from a native 64-bit shell.
if /i "%PROCESSOR_ARCHITECTURE%"=="x86" (
    echo 32-bit Windows: no WOW6432Node hive to update
) else (
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /f
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /v "iexplore.exe" /t REG_DWORD /d 1 /f
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /f
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /v "iexplore.exe" /t REG_DWORD /d 1 /f
)
Run it as a shutdown/startup .bat file. The first part adds the default path; the second, if it is a 64-bit system, adds the item in the 32-bit registry section.
If you go with a .bat file, the following might help cover the different options/examples:
https://ss64.com/nt/syntax-64bit.html
ASKER
Can someone please provide me with a PowerShell script to create the following two registry keys for all domain controllers in my domain?
a. HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
b. HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
See
https://devblogs.microsoft.com/scripting/update-or-add-registry-key-value-with-powershell/
Note that you have to run this in PowerShell, and HKLM is the shortcut for HKEY_LOCAL_MACHINE.
It has an example using HKCU.
Use New-Item to make sure the entire path is there (the registry drive needs the colon, and -Force creates the missing parent keys):
New-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" -Force
PowerShell ISE can be useful.
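As an added example (this is not code posted in the thread, and Set-FeatureControlValue is a function name of my own, not a built-in cmdlet), here is a complete PowerShell version of the above: it creates each FeatureControl key with its parents, adds the iexplore.exe REG_DWORD value only when it is missing or wrong, and reports what it changed. It writes the WOW6432Node hive only on 64-bit Windows and refuses to run from a 32-bit (WOW64) session, where HKLM:\SOFTWARE would be silently redirected.

```powershell
# Added example, not from the original thread. Run from an elevated 64-bit PowerShell session.
if ((-not [Environment]::Is64BitProcess) -and [Environment]::Is64BitOperatingSystem) {
    throw 'Run this from a 64-bit PowerShell session so HKLM:\SOFTWARE is not redirected to WOW6432Node.'
}

$Features  = @(
    'FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING',
    'FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'
)
$ValueName = 'iexplore.exe'
$ValueData = 1

# Native view first; the 32-bit view exists only on 64-bit Windows.
$Roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl')
if ([Environment]::Is64BitOperatingSystem) {
    $Roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
}

function Set-FeatureControlValue {
    # Hypothetical helper (not a built-in cmdlet): ensure key + DWORD value, idempotently.
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Data
    )
    # New-Item -Force creates every missing parent key (Main, FeatureControl, ...)
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $null = New-Item -Path $KeyPath -Force
    }
    $current = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        $null = New-ItemProperty -LiteralPath $KeyPath -Name $Name -PropertyType DWord -Value $Data
        return 'Created'
    }
    if ($current.$Name -ne $Data) {
        Set-ItemProperty -LiteralPath $KeyPath -Name $Name -Value $Data -Type DWord
        return 'Updated'
    }
    return 'AlreadyCorrect'
}

foreach ($root in $Roots) {
    foreach ($feature in $Features) {
        $key = Join-Path -Path $root -ChildPath $feature
        [pscustomobject]@{
            Key    = $key
            Value  = $ValueName
            Result = Set-FeatureControlValue -KeyPath $key -Name $ValueName -Data $ValueData
        }
    }
}
```

If the change still has to go out through Group Policy, this script can be assigned as a computer Startup script (Computer Configuration > Policies > Windows Settings > Scripts) on the same GPO linked to the Domain Controllers OU; because it only touches values that are missing or wrong, it is safe to run at every boot.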
ASKER
Can you please test the script in your lab?
Replace means the key/value must exist to be replaced.
Related to https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-124
See if the following is helpful, though MS is reaching the end of its support for IE, and many vendors are also shifting away from IE.
MS Edge (Chromium-based) is the browser MS now distributes.
https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11
You could use something like this as a startup or shutdown script.
In the registry section you could just add the key FEATURE_ALLOW_USER32_EXCEP, eliminating the first line in the script example.
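As an added check (not part of the accepted solution), the following PowerShell audit queries every domain controller for the four FeatureControl values and reports, per DC and key, whether the key exists and whether iexplore.exe is OK, Missing or WrongValue. Run from an admin host, it separates "the GPO did not apply" (nothing present on any DC) from the symptom described in the question (key present, value missing), which points at the registry item's path or action rather than at GPO processing. It assumes the ActiveDirectory RSAT module on the admin host and PowerShell remoting (WinRM) enabled on the DCs.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module and WinRM to the DCs.
$Features = 'FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING',
            'FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'

# The four key paths the GPO should have produced: native and WOW6432Node view for each feature.
$Keys = foreach ($hive in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
    foreach ($feature in $Features) {
        "HKLM:\$hive\Microsoft\Internet Explorer\Main\FeatureControl\$feature"
    }
}

# Runs on each DC; $using: carries the key list into the remote session.
$Probe = {
    foreach ($key in $using:Keys) {
        $keyExists = Test-Path -LiteralPath $key
        $data = $null
        if ($keyExists) {
            $data = (Get-ItemProperty -LiteralPath $key -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
        }
        $status = if ($null -eq $data) { 'Missing' } elseif ($data -eq 1) { 'OK' } else { 'WrongValue' }
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Key       = $key
            KeyExists = $keyExists   # $true with Status 'Missing' = key created, value not (the question's symptom)
            Data      = $data
            Status    = $status
        }
    }
}

$DCs    = (Get-ADDomainController -Filter *).HostName
$Report = Invoke-Command -ComputerName $DCs -ScriptBlock $Probe

$Report | Sort-Object Computer, Key | Format-Table Computer, Status, KeyExists, Data, Key -AutoSize

# Non-compliant entries only, for ticketing or re-running the startup script on specific DCs.
$Report | Where-Object Status -ne 'OK'
```

Run it once before and once after a gpupdate /force on a DC: if KeyExists flips to $true but Status stays Missing on every DC, the GPO is being processed and the problem is in the preference item itself (the value is defined under a different key path, or the item creates the key without the value).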