Ensuring your Windows 10 Clients are protected from CryptoAPI bug
Two weeks ago, Microsoft patched a vulnerability in its cryptographic library (CryptoAPI) that was reported by the NSA. At the time, there were no reports that this vulnerability had being exploited in the wild, however both Microsoft and the NSA where keen for organisations to install patches as quickly as possible. In its second-ever emergency directive, DHS' CISA recommended organisations perform the required endpoint patching by the 29th of January. I wrote about the first CISA emergency directive in my Advice on Mitigating DNS Infrastructure Tampering.
Proof-of-concept exploit code was quickly made available, but there are still no reported attacks. With the potential of attackers exploiting the vulnerability to sign malicious executables, that is, making malicious executables appear as if they are from a trusted, legitimate source; there are plenty of reasons to make installing this patch a priority.
As administrators, we already have the tools at our disposal to ensure that our Windows 10 clients are protected. Intune and Azure AD Conditional Access can once again be used to protect clients, as we did with Spectre and Meltdown.
How does it work? Read my post Using Intune and AAD to protect against Spectre and Meltdown, to understand the basics of how we can implement checks to validate the version of Windows 10 installed for Intune enrolled devices.
You will need to specify either of these two values for the Minimum OS version in your Windows 10 complaince policy:
- For Windows 10 version 1903 (May 2019 Update): 10.0.18362.592
- For Windows 10 version 1909 (November 2019 Update): 10.0.18363.592
I recommend the later, 10.0.18363.592, as it will allow you to ensure that all your clients are running the very latest Windows 10 features.
Need help with Windows 10 version numbering? Check out Wikipedia’s Windows 10 Version History) page. It is an exceptionally detailed guide on what versions you need to be aware of.