MS will change behavior in current builds and we need to adapt our logic in advance to be able to cover systems using either the new or the old way. See the article below for details.
Luckily, it's explained pretty easily. The following registry keys have to be exchanged with the corresponding cmdlets and their fields.
Procedure:
It is important to also check via the registry path, because older systems may not have the cmdlets available. The following logic will be implemented:
Check the cmdlets in a try clause and try to get the values.
If the cmdlets cannot be found, the process goes into the catch block, where we then test SMB via the registry path.
=> This gives priority to the PowerShell cmdlets, with the registry paths acting as a backup.
try {
    # Preferred source: the SMB client configuration cmdlet.
    if ((Get-SmbClientConfiguration).RequireSecuritySignature -ne $True) {
        return @{
            Message = "RequireSecuritySignature is not set to True"
            Status = "False"
        }
    }
    return @{
        Message = "Compliant"
        Status = "True"
    }
}
catch {
    # Fallback: the cmdlet is not available (older systems), so read the registry value.
    try {
        $regValue = Get-ItemProperty -ErrorAction Stop `
            -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
            -Name "RequireSecuritySignature" `
            | Select-Object -ExpandProperty "RequireSecuritySignature"
        if ($regValue -ne 1) {
            return @{
                Message = "Registry value is '$regValue'. Expected: 1"
                Status = "False"
            }
        }
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
    catch [System.Management.Automation.PSArgumentException] {
        # The key exists but the value is missing.
        return @{
            Message = "Registry value not found."
            Status = "False"
        }
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        # The key itself is missing.
        return @{
            Message = "Registry key not found."
            Status = "False"
        }
    }
}
Excerpt.
Any auditing tools that look at the registry could give false information. Use Get-SmbServerConfiguration and Get-SmbClientConfiguration or the CIM classes MSFT_SmbClientConfiguration and MSFT_SmbServerConfiguration and ensure any scripts or auditing tools use them (this has been the right approach for all SMB settings for a decade).
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-signing-required-by-default-in-windows-insider/ba-p/3831704
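The same cmdlet-first, registry-fallback check extended to both the SMB client and the SMB server, as an added example that is not part of the original issue or the project's code. The function name `Test-SmbSigningRequired` and the `Role` and `Source` fields are hypothetical; the result records which source answered, so a reviewer can see when a verdict came from the registry fallback that the excerpt warns about. It assumes an elevated session for the server query.

```powershell
# Added example; Test-SmbSigningRequired, Role and Source are hypothetical names.
function Test-SmbSigningRequired {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Client', 'Server')]
        [string]$Role
    )

    # Cmdlet and registry service key for each role.
    $map = @{
        Client = @{ Cmdlet = 'Get-SmbClientConfiguration'; Service = 'LanmanWorkstation' }
        Server = @{ Cmdlet = 'Get-SmbServerConfiguration'; Service = 'LanmanServer' }
    }
    $entry = $map[$Role]

    if (Get-Command -Name $entry.Cmdlet -ErrorAction SilentlyContinue) {
        # Preferred source: the SMB cmdlet, when the system ships it.
        $required = [bool](& $entry.Cmdlet -ErrorAction Stop).RequireSecuritySignature
        $source   = $entry.Cmdlet
    }
    else {
        # Fallback for older systems without the cmdlets: the registry value.
        $path = "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$($entry.Service)\Parameters"
        $prop = Get-ItemProperty -Path $path -Name 'RequireSecuritySignature' -ErrorAction SilentlyContinue
        # A missing key or value is treated as "signing not required".
        $required = ($null -ne $prop) -and ($prop.RequireSecuritySignature -eq 1)
        $source   = 'Registry'
    }

    return @{
        Role    = $Role
        Source  = $source
        Status  = "$required"   # "True" / "False", matching the convention used above
        Message = if ($required) { 'Compliant' } else { "RequireSecuritySignature is not enabled (source: $source)" }
    }
}

# Evaluate both sides of the SMB configuration.
'Client', 'Server' | ForEach-Object { Test-SmbSigningRequired -Role $_ }
```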