Microsoft published a security advisory (ADV200001) containing mitigations against an actively exploited zero-day remote code execution (RCE) vulnerability in Internet Explorer. At time of writing, there is no patch for the vulnerability. Microsoft is expecting to release a patch as part of the usual Patch Tuesday (Wednesday for some of us) cycle.
Microsoft has provided some mitigation steps that can be applied; however, they only recommend taking these steps if there is an indication you are under elevated risk. One of the problems with the mitigation steps is that you MUST revert the changes before you can install any future updated.
The mitigations also come with some side-effects; their impact might be too much for some organisations. Side-effects include:
- Printing to HP printers and other USB printers mail fail.
- Windows Media Player is reported to break on playing MP4 files.
- Sfc.exe will break.
- Printing to "Microsoft Print to PDF" is reported to break.
- Proxy automatic configuration scripts (PAC scripts) may not work. For me, I couldn’t imagine managing some enterprise environments without PAC scripts. That alone would be a good reason to not deploy these fixes.
If after all of this, you want to still apply these mitigations. I put together some quick guidance for their implementation with Intune.
Enabling the mitigations
- Get a copy of the Enable-ADV200001.ps1 script from my GitHub repository.
- Sign-in to the Microsoft Endpoint Manager Admin Center.
- Select Devices > PowerShell scripts > Add.
- In Basics, enter the Name: Enable IE Mitigations for ADV200001, and select Next:
- In Script settings, browse to where you downloaded the Enable-ADV200001.ps1 script, leave everything else at their default settings, and select Next:
- Select Scope tags. Scope tags are optional, if you don’t use this feature, select Next.
- Select Assignments > Select groups to include. Select with groups this script should be applied to, select Next.
- In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.
Disabling the mitigations
- Get a copy of the Disable-ADV200001.ps1 script from my GitHub repository.
- Sign-in to the Microsoft Endpoint Manager Admin Center.
- Select Devices > PowerShell scripts > Add.
- In Basics, enter the Name: Disable IE Mitigations for ADV200001, and select Next:
- In Script settings, browse to where you downloaded the Disable-ADV200001.ps1 script, leave everything else at their default settings, and select Next:
- Select Scope tags. Scope tags are optional, if you don’t use this feature, select Next.
- Select Assignments > Select groups to include. Select with groups this script should be applied to, select Next.
- In Review + add, a summary is shown of the settings you configured. Select Add to save the script. When you select Add, the policy is deployed to the groups you chose.
More guidance can be found here Use PowerShell scripts on Windows 10 devices in Intune
Just remember that before your next patch cycle, you need to disable the mitigations, otherwise the updates will fail.