This is a script which can be used to check and set certain registry keys. The defaults are geared toward enforcing security settings which are recommended by Defender and where Intune options may be lacking.
The defaults below:
- Disable Flash (bEnableFlash = 0) in Acrobat Reader DC, Acrobat DC, Acrobat 11
- Disable JavaScript (bDisableJavaScript = 1) in Acrobat Reader DC, Acrobat DC, Acrobat 11, Acrobat 2017
- Disable Chrome’s Background Mode (BackgroundModeEnabled = 0)
- Require the TLS security layer for RDP (SecurityLayer = 2). This writes the live WinStations key; if a GPO configures the same setting under the Policies hive, that policy value takes precedence and this entry will have no effect.
Flow, for each entry:
If the KeyPath does not exist, that entry is skipped (the path is never created) and the script continues with the next entry.
If the KeyPath exists but no value named KeyName exists under it, a registry value named KeyName is created with the specified data and type.
If both the KeyPath and the KeyName value exist but the data differs from the expected Value, the registry value is overwritten with the data dictated by the script below.
# Name: SecRegSettings.ps1
#
# About: This script takes an array of hashtables describing secure registry settings and loops through them.
# For each entry it checks whether KeyPath exists; if so, it checks whether the value KeyName exists under it.
# A missing value is created; an existing value whose data differs from Value is overwritten. A missing KeyPath is skipped.
#
# Arguments: @( [Ordered]@{KeyPath=<String>; KeyName=<String>; Value=<String>; Type=<String>} )
#
# KeyPath: Registry path (PSDrive form, e.g. HKLM:\...) that contains the value you want to ensure has certain data
# KeyName: The name of the registry value whose data you want to check/set
# Value: The data the registry value should hold
# Type: The registry value kind (e.g. DWord, String) used when the value is created. All four fields are required.
#
# Version: 1.0
# Date: 2022-07-31
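# Every entry below writes under HKLM, which needs an elevated token. Fail fast
# with one clear message instead of one "access is not allowed" error per entry.
#Requires -RunAsAdministrator

#Configure the HashTable Array:
# Each entry describes one registry value that must exist with the given data.
# All four fields (KeyPath, KeyName, Value, Type) are required: Type feeds
# -PropertyType / -Type below, so a misspelled field name would silently create
# the value with the wrong kind (or fail to create it at all).
$regdata = @(
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown";KeyName="bEnableFlash";Value="0";Type="DWord"},
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
    # Field was previously misspelled as "Data", so this entry had no Type and the Flash lockdown for Acrobat DC was not applied correctly.
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown";KeyName="bEnableFlash";Value="0";Type="DWord"},
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\11.0\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\11.0\FeatureLockDown";KeyName="bEnableFlash";Value="0";Type="DWord"},
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Adobe\Acrobat\2017\FeatureLockDown";KeyName="bDisableJavaScript";Value="1";Type="DWord"},
    [Ordered]@{KeyPath="HKLM:\SOFTWARE\Policies\Google\Chrome";KeyName="BackgroundModeEnabled";Value="0";Type="DWord"},
    [Ordered]@{KeyPath="HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp";KeyName="SecurityLayer";Value="2";Type="DWord"}
)
# End Config

# Enforce each entry: create a missing value, or correct an existing value whose
# data or kind differs from the expected one.
foreach ($entry in $regdata) {
    # A missing KeyPath usually means the product/policy is not present on this
    # host. The entry is skipped (the path is never created) and the loop goes on.
    if (-not (Test-Path -Path $entry.KeyPath)) {
        Write-Warning "Skipping $($entry.KeyName): path '$($entry.KeyPath)' does not exist"
        continue
    }

    # Get-ItemProperty errors when the named value is absent; suppress that and
    # treat $null as "does not exist".
    $existing = Get-ItemProperty -Path $entry.KeyPath -Name $entry.KeyName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Value does NOT exist: create it with the data and kind from the entry.
        New-ItemProperty -Path $entry.KeyPath -Name $entry.KeyName -Value $entry.Value -PropertyType $entry.Type
        continue
    }

    # Value exists: compare both the data and the stored kind. A value stored
    # with the wrong kind (e.g. REG_SZ "2" instead of REG_DWORD 2) compares equal
    # as a string but is ignored by consumers that expect a DWORD, so it must be
    # rewritten as well.
    $currentValue = Get-ItemPropertyValue -Path $entry.KeyPath -Name $entry.KeyName
    $currentKind  = (Get-Item -Path $entry.KeyPath).GetValueKind($entry.KeyName).ToString()
    if (($currentValue -ne $entry.Value) -or ($currentKind -ne $entry.Type)) {
        # -Type is a registry-provider dynamic parameter; it fixes the kind, not only the data.
        Set-ItemProperty -Path $entry.KeyPath -Name $entry.KeyName -Value $entry.Value -Type $entry.Type
    }
}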