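#Requires -RunasAdministrator
#Requires -Modules ActiveDirectory,GroupPolicy

# Creates a GPO named 'Workaround for CVE-2021-40444' in the current domain and
# fills it with the registry values that disable ActiveX control download:
# URL actions 1001 and 1004 are set to 3 (disable) for zones 0 through 3 under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones.
#
# Operational notes:
#   - The GPO is created but NOT linked by this script. It has no effect on any
#     computer until it is linked to the domain or to the relevant OUs.
#   - This is a mitigation only; it does not replace installing the security
#     update for CVE-2021-40444.
#   - If any Set-GPRegistryValue call fails, the GPO is left partially
#     populated. Treat every warning as "workaround incomplete" and verify the
#     GPO contents before linking it.
#   - New-GPO is expected to fail when a GPO with this name already exists, in
#     which case the script warns and changes nothing.
[CmdletBinding()]
Param()
Begin {}
Process {
    # Make sure we can reach the PDC before changing anything.
    $PDC = (Get-ADDomainController -Service PrimaryDC -Discover -ErrorAction SilentlyContinue).Hostname
    if (-not $PDC) {
        # Previously this case ended silently, which could be mistaken for success.
        Write-Warning -Message 'Failed to locate the PDC; no GPO was created'
        return
    }

    # Get the domain name
    $DomainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

    # Create the GPO
    $GPO = $null
    try {
        $GPO = New-GPO -Name 'Workaround for CVE-2021-40444' -Domain $DomainName -ErrorAction Stop
    } catch {
        Write-Warning -Message "Failed to create GPO because $($_.Exception.Message)"
    }
    if (-not $GPO) {
        return
    }

    # Only computer (HKLM) settings are written, so the user half is disabled.
    $GPO.GpoStatus = [Microsoft.GroupPolicy.GpoStatus]::UserSettingsDisabled

    # Parameters shared by every Set-GPRegistryValue call.
    $HT = @{ GUID = $GPO.Id ; ErrorAction = 'Stop' }

    $UrlActions = '1001', # URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001)
                  '1004'  # URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004)

    # Zones 0..3: local machine, intranet, trusted sites, internet.
    foreach ($ZoneId in 0..3) {
        foreach ($ValueName in $UrlActions) {
            $reg = @{
                Key       = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{0}' -f $ZoneId
                ValueName = $ValueName
                Type      = 'DWORD'
                Value     = 3 # 3 = disable the URL action
            }
            try {
                Set-GPRegistryValue @HT @reg
            } catch {
                # Name the zone and value so a partially applied workaround is visible.
                Write-Warning -Message "Failed to set GPO setting $ValueName for zone $ZoneId because $($_.Exception.Message)"
            }
        }
    }
}
End {}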