Jerry Seinfield


GPO to create several registry keys for domain controllers and member servers issues

Hello Experts,

I was able to successfully create a GPO, linked to the Domain Controllers OU, that imports or creates 4 registry keys; however, I am running into the following issue:

a. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING with "iexplore.exe" set to "1"
b. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\InternetExplorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING with "iexplore.exe" set to "1"


The first two registry keys above are successfully created, per the screenshots attached, but the other ones below are not created:

a. HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX iexplore.exe is missing.
b. HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX iexplore.exe is missing.
 
 
I ran gpresult and the GPO is being applied to the DCs; in fact, the first two registry keys are created via GPO, but for some reason the last two are running into this issue.

I did try to create another GPO only to push these 2 keys, with no luck, and ran gpupdate /force with the same results.

The issue is that I do not want to manually create these keys from the regedit editor or via a PowerShell script. They must be created via GPO, the same as the first two keys.

Any ideas on why I am unable to create these registry keys via GPO? I did try the action Create instead of Replace in the registry wizard, with no luck.

Please see the attached images for more info.

As you can see below, the Feature_Allow_User32 key is being created via GPO.

Topics: PowerShell, Windows Server 2016, Windows Server 2012, Active Directory, Windows 10

arnold

Are you looking at controlling the IE enhanced security option which is enabled by default?
Replace means the key/value must exist to be replaced.
Related to https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-124

See if the following is helpful, though MS is reaching the end of its support for IE. Many vendors are also shifting away from IE.
MS Edge (Chromium-based) is the app MS now distributes.

https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11

You could use something like this:

@echo off
rem /f suppresses the "overwrite?" prompt so an unattended startup script cannot hang
rem Create the FeatureControl subkey, then the per-process REG_DWORD value under it
reg add "HKLM\Software\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /f
reg add "HKLM\Software\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /v "iexplore.exe" /t REG_DWORD /d 1 /f


as a startup or shutdown script.
In the registry section you could just add the key FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING to HKLM\Software\Microsoft\Internet explorer\Main\FeatureControl,
eliminating the first line in the script example.
Jerry Seinfield

ASKER

Yes, we are looking to implement a GPO for hardening IE and resolve the vulnerabilities in MS15-124.

These are the ones that, for some reason, I can't create via GPO:

a. HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX iexplore.exe is missing.
b. HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX iexplore.exe is missing.

A PowerShell script is not an option here.

Any other suggestions?

arnold

The registry can only add keys, not values.

You can look at the code example and adjust.

You could use a test like:
if %PROCESSOR_ARCHITECTURE% == x86

Does this need to be added to both the 32- and 64-bit versions of IE?

@echo off
rem /f suppresses the "overwrite?" prompt so an unattended startup script cannot hang

rem Native registry view: 64-bit IE on x64, or the only view on x86
reg add "HKLM\Software\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /f
reg add "HKLM\Software\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /v "iexplore.exe" /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /f
reg add "HKLM\Software\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /v "iexplore.exe" /t REG_DWORD /d 1 /f

rem 32-bit IE on a 64-bit OS reads the Wow6432Node view; skip it on a 32-bit OS.
rem Quote both sides so an empty variable does not break the comparison, and note
rem that a 32-bit cmd.exe on x64 also reports x86 (PROCESSOR_ARCHITEW6432 is then set).
if "%PROCESSOR_ARCHITECTURE%"=="x86" (
    echo 32-bit system, no Wow6432Node entries needed
) else (
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /f
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING" /v "iexplore.exe" /t REG_DWORD /d 1 /f
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /f
    reg add "HKLM\Software\WOW6432Node\Microsoft\Internet explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" /v "iexplore.exe" /t REG_DWORD /d 1 /f
)

as a shutdown/startup .bat file.
The first part adds the default path; the second, if it is a 64-bit system, adds the item in the 32-bit registry section.
arnold

If you do a .bat, the following might help cover different options/examples:

https://ss64.com/nt/syntax-64bit.html
Jerry Seinfield

ASKER

Can someone please provide me with the PowerShell script to create following two registry keys for all domain controllers in my domain?

a. HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
b. HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX
 
arnold

See
https://devblogs.microsoft.com/scripting/update-or-add-registry-key-value-with-powershell/

Note that you have to run this in PowerShell, and HKLM is the shortcut for HKEY_LOCAL_MACHINE.

It has an example using HKCU.
Use New-Item to make sure the entire path is there (the registry provider path needs the HKLM: drive prefix, and -Force creates any missing parent keys):
New-Item -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX" -Force

PowerShell ISE can be useful.
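A fuller PowerShell version that creates both FeatureControl keys from the question in both registry views, sets the iexplore.exe REG_DWORD to 1 idempotently, and reports the result. This is an added example, not arnold's script or the asker's GPO; it assumes an elevated 64-bit PowerShell session on the target server so that HKLM:\SOFTWARE is the native view.

```powershell
# Added example: MS15-124 IE FeatureControl keys for native and Wow6432Node views.
# Assumes an elevated 64-bit session; on a 32-bit OS only the native view is written.
$features = @(
    'FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING',
    'FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX'
)
$valueName = 'iexplore.exe'
$valueData = 1

# Native view always; the Wow6432Node view only exists on a 64-bit OS.
$roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl')
if ([Environment]::Is64BitOperatingSystem) {
    $roots += 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl'
}

foreach ($root in $roots) {
    foreach ($feature in $features) {
        $keyPath = Join-Path $root $feature

        # Create the key (and any missing parents) only when it is absent.
        if (-not (Test-Path -Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }

        # Create or correct the REG_DWORD; leave it alone when already 1.
        $current = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $current -or $current.$valueName -ne $valueData) {
            Set-ItemProperty -Path $keyPath -Name $valueName -Value $valueData -Type DWord
        }
    }
}

# Verification: one row per key, OK = $true when iexplore.exe is a 1.
foreach ($root in $roots) {
    foreach ($feature in $features) {
        $keyPath = Join-Path $root $feature
        $v = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        [pscustomobject]@{ Key = $keyPath; Value = $v; OK = ($v -eq $valueData) }
    }
}
```

To apply it to every domain controller from a management host, wrap the body in Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock { ... }; the verification rows then come back per DC, which is also a quick way to audit the setting afterwards.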
Jerry Seinfield

ASKER

Can you please test the script in your lab?
ASKER CERTIFIED SOLUTION
arnold