Addressing Defender Security Recommendation 'Disable JavaScript on Adobe Reader 2017' using Proactive Remediation Scripts in Intune

The Microsoft 365 Defender portal is a one-stop shop for monitoring and responding to threat activity and, in the process, strengthening the security posture across identities, email, data, endpoints, and apps. Within the portal, under the Vulnerability section, Microsoft has included Recommendations that give you insight into various mitigation steps to address the vulnerabilities. The more you remediate, the more your security score improves and the lower the overall threat exposure of the devices within your organization.

I have been assisting a customer to improve their security score and I wanted to cover the steps I carried out to remediate one particular recommendation. The recommendation in question is 'Disable JavaScript on Adobe Reader 2017' and this is what I did.

The remediation steps involve configuring the registry value bDisableJavaScript so that JavaScript is disabled. The information can be accessed within the recommendation itself.


There are multiple ways to configure the registry key. In my case, since the devices have AAD identity and are managed using Intune, I decided to use a PS script to configure the registry key. In fact, I decided to use Proactive remediation scripts to ensure that the key is configured on the devices the whole time. I am not sure if Adobe updates can reset the keys, but didn't want to take a chance. If you want to know more about Proactive remediation, then you can read all about it in one of my earlier posts.

Note - In order to use the Proactive Remediation feature, you need additional licenses. So if you are using it for the first time, you will be presented with the following popup where you need to confirm the terms before you can start using the feature.


In order to configure this under Proactive Remediation, we need 2 scripts: Detection and Remediation.

Detection - The intent here is to detect the key first. If found, the value of bDisableJavaScript will be checked for DWORD 1 or 0 and an output will be generated based on the strings mentioned below.

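# Detection: exit 1 triggers the remediation script, exit 0 reports the device as compliant
$path = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\2017\FeatureLockDown"
$check = Get-ItemProperty -Path $path -Name bDisableJavaScript -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty bDisableJavaScript
If ($null -eq $check) {
    # Key or value is missing (a plain !$check would also match the value 0)
    "Key does not exist"
    exit 1
}
Else {
    Switch ($check) {
        1 {
            'Java script is disabled'
            exit 0
        }
        0 {
            # Value is present but JavaScript is still enabled, so remediate
            'Java script is enabled'
            exit 1
        }
        Default {
            "Unexpected value: $check"
            exit 1
        }
    }
}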

Remediation - If the exit code of the detection script is 1, then the remediation script will run. Otherwise the strings in the detection script (provided above) will be generated as output.

         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\2017") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\2017" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\2017\FeatureLockDown") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\2017\FeatureLockDown" }
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\2017\FeatureLockDown" -Name "bDisableJavaScript" -Value 1 -PropertyType "DWord" -Force
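
Before uploading the pair to Intune, the detect, remediate, detect cycle can be exercised locally without admin rights. The following is an added example, not part of the original post: the function names `Test-JsLockdown` and `Set-JsLockdown` and the scratch key `HKCU:\Software\PRScratch` are hypothetical, and the scratch key stands in for `HKLM:\SOFTWARE\Policies`.

```powershell
# Added example (not from the original post). Function names and the scratch
# path are hypothetical; the scratch key stands in for HKLM:\SOFTWARE\Policies.
$Root   = 'HKCU:\Software\PRScratch'   # constructed test location
$SubKey = 'Adobe\Acrobat Reader\2017\FeatureLockDown'
$Name   = 'bDisableJavaScript'

function Test-JsLockdown {
    # Mirrors the detection script: 0 = compliant, 1 = remediation needed
    $key  = Join-Path $Root $SubKey
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$Name -eq 1) { return 0 }
    return 1
}

function Set-JsLockdown {
    # Mirrors the remediation script: create only the missing levels, then set the value
    $path = $Root
    if (-not (Test-Path -Path $path)) { New-Item -Path $path | Out-Null }
    foreach ($part in $SubKey.Split('\')) {
        $path = Join-Path $path $part
        if (-not (Test-Path -Path $path)) { New-Item -Path $path | Out-Null }
    }
    New-ItemProperty -Path $path -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
}

# Start from a clean scratch key, then walk the three states a device can be in
if (Test-Path -Path $Root) { Remove-Item -Path $Root -Recurse -Force }
$observed = [ordered]@{}
$observed['key missing'] = Test-JsLockdown
Set-JsLockdown
Set-ItemProperty -Path (Join-Path $Root $SubKey) -Name $Name -Value 0
$observed['value set to 0'] = Test-JsLockdown
Set-JsLockdown
$observed['after remediation'] = Test-JsLockdown
Remove-Item -Path $Root -Recurse -Force

# Fail loudly if detection disagrees with what each state should report
$expected = [ordered]@{ 'key missing' = 1; 'value set to 0' = 1; 'after remediation' = 0 }
foreach ($state in $expected.Keys) {
    if ($observed[$state] -ne $expected[$state]) {
        throw "Detection returned $($observed[$state]) for '$state'"
    }
}
$observed
```

The "value set to 0" state is the one worth checking by hand: a detection script that treats 0 as compliant would leave JavaScript enabled and never trigger remediation.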

Now it is time to configure this in Intune.

2. Browse to Reports > Endpoint Analytics > Proactive Remediations > Create a Script Package
3. Fill the relevant fields like Name, Description, Publisher etc and hit Next.
4. In the settings section, select the relevant detection and remediation scripts as covered above in the blog. It should then look something like this.


5. Run the script in 64-bit PowerShell and leave the rest of the options as Default.
6. Assign the scope tags if required and then assign to a device\user based group. You can define the execution frequency of the Proactive script and add filters. I set it to run Daily against all Windows 10 production devices to suit my requirements.


The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. The execution results can be monitored directly in Intune under Reports->Endpoint Analytics-><Name of your Proactive Script> as shown below.



Add additional columns to display details on Remediation pre and post execution steps.



Until next time..
