In order to fully enable the fix for CVE-2023-32019 as part of the 2023-06 CU, a specific registry value must be configured, depending on OS version. More info can be found here: KB5028407: How to manage the vulnerability associated with CVE-2023-32019.
I’ve put together the following PowerShell scripts that can be used to detect/remediate the registry setting via ConfigMgr DCM, which are also available in my GitHub. These could easily be retrofitted to be used via Intune Remediation as well, which I hope to also have available soon.
2023-06-22 Update: I converted the scripts to be utilized as a [Proactive] Remediation via Intune by modifying the detection script a bit; the remediation script is the same. These scripts are also now in my GitHub.
Detection Script: This script will get the OS build number and patch level, then check to see if the necessary registry path exists and if the required registry value if configured correctly. If the path does not exist, or the value is not set correctly, it will return false, otherwise it will return true.
NOTE: If the OS is unsupported (e.g. Server 2012 R2), or the OS is not at the correct patch level, the script will still return true/compliant.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
| $Compliant = $true
$BuildNumber = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$UBR = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' -Name 'UBR').UBR
switch ($BuildNumber) {
# Windows 10 21H2/22H2
{$_ -in '19044', '19045'} {
if ($UBR -ge 3086) {
$Value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4103588492' -ErrorAction Ignore
if ($Value) {
if ($Value.4103588492 -ne 1) {
$Compliant = $false
}
}
else {
$Compliant = $false
}
}
}
# Windows 11 21H2
'22000' {
if ($UBR -ge 2057) {
$Value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4204251788' -ErrorAction Ignore
if ($Value) {
if ($Value.4204251788 -ne 1) {
$Compliant = $false
}
}
else {
$Compliant = $false
}
}
}
# Windows 11 22H2
'22621' {
if ($UBR -ge 1848) {
$Value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4237806220' -ErrorAction Ignore
if ($Value) {
if ($Value.4237806220 -ne 1) {
$Compliant = $false
}
}
else {
$Compliant = $false
}
}
}
# Server 2016
'14393' {
if ($UBR -ge 5989) {
$Value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager' -Name 'LazyRetryOnCommitFailure' -ErrorAction Ignore
if ($Value) {
if ($Value.LazyRetryOnCommitFailure -ne 0) {
$Compliant = $false
}
}
else {
$Compliant = $false
}
}
}
# Server 2019
'17763' {
if ($UBR -ge 4499) {
$Value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager' -Name 'LazyRetryOnCommitFailure' -ErrorAction Ignore
if ($Value) {
if ($Value.LazyRetryOnCommitFailure -ne 0) {
$Compliant = $false
}
}
else {
$Compliant = $false
}
}
}
# Server 2022
'20348' {
if ($UBR -ge 1787) {
$Value = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4137142924' -ErrorAction Ignore
if ($Value) {
if ($Value.4137142924 -ne 1) {
$Compliant = $false
}
}
else {
$Compliant = $false
}
}
}
}
return $Compliant
|
Remediation Script: This script will get the OS build number and patch level, then if necessary, create the required registry path, and configure the required value.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
| $BuildNumber = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$UBR = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' -Name 'UBR').UBR
switch ($BuildNumber) {
# Windows 10 21H2/22H2
{$_ -in '19044', '19045'} {
if ($UBR -ge 3086) {
if (-not (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides')) {
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Force
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4103588492' -PropertyType DWord -Value 1 -Force
}
}
# Windows 11 21H2
'22000' {
if ($UBR -ge 2057) {
if (-not (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides')) {
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Force
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4204251788' -PropertyType DWord -Value 1 -Force
}
}
# Windows 11 22H2
'22621' {
if ($UBR -ge 1848) {
if (-not (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides')) {
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Force
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4237806220' -PropertyType DWord -Value 1 -Force
}
}
# Server 2016
'14393' {
if ($UBR -ge 5989) {
if (-not (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager')) {
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager' -Force
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager' -Name 'LazyRetryOnCommitFailure' -PropertyType DWord -Value 0 -Force
}
}
# Server 2019
'17763' {
if ($UBR -ge 4499) {
if (-not (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager')) {
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager' -Force
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager' -Name 'LazyRetryOnCommitFailure' -PropertyType DWord -Value 0 -Force
}
}
# Server 2022
'20348' {
if ($UBR -ge 1787) {
if (-not (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides')) {
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Force
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -Name '4137142924' -PropertyType DWord -Value 1 -Force
}
}
}
|