@@ -921,9 +921,9 @@ function Invoke-ComServerRegistryPermissionCheck {
921921
922922 process {
923923 Get-ComClassFromRegistry |
924- Where-Object { $null -ne $_.HandlerRegPath } |
925- Invoke-CommandMultithread - InitialSessionState $ (Get-InitialSessionState ) - Command " Get-ModifiableComClassEntryRegistryPath" - InputParameter " ComClassEntry" |
926- ForEach-Object { $AllResults += $_ }
924+ Where-Object { $null -ne $_.HandlerRegPath } |
925+ Invoke-CommandMultithread - InitialSessionState $ (Get-InitialSessionState ) - Command " Get-ModifiableComClassEntryRegistryPath" - InputParameter " ComClassEntry" |
926+ ForEach-Object { $AllResults += $_ }
927927
928928 $CheckResult = New-Object - TypeName PSObject
929929 $CheckResult | Add-Member - MemberType " NoteProperty" - Name " Result" - Value $AllResults
@@ -959,9 +959,9 @@ function Invoke-ComServerImagePermissionCheck {
959959
960960 process {
961961 Get-ComClassFromRegistry |
962- Where-Object { ($_.HandlerType -like " *server*" -and ($null -ne $_.HandlerData ) } |
963- Invoke-CommandMultithread - InitialSessionState $ (Get-InitialSessionState ) - Command " Get-ModifiableComClassEntryImagePath" - InputParameter " ComClassEntry" - OptionalParameter @ { " CheckedPaths" = $AlreadyCheckedPaths } |
964- ForEach-Object { $AllResults += $_ }
962+ Where-Object { ($_.HandlerType -like " *server*" -and ($null -ne $_.HandlerData ) } |
963+ Invoke-CommandMultithread - InitialSessionState $ (Get-InitialSessionState ) - Command " Get-ModifiableComClassEntryImagePath" - InputParameter " ComClassEntry" - OptionalParameter @ { " CheckedPaths" = $AlreadyCheckedPaths } |
964+ ForEach-Object { $AllResults += $_ }
965965
966966 $CheckResult = New-Object - TypeName PSObject
967967 $CheckResult | Add-Member - MemberType " NoteProperty" - Name " Result" - Value $AllResults
@@ -1302,33 +1302,46 @@ function Invoke-NtlmDowngradeAttackCheck {
13021302 NtlmMinClientSecDescription : Require 128-bit encryption
13031303 RestrictSendingNTLMTraffic : 0
13041304 RestrictSendingNTLMTrafficDescription : Allow all
1305-
13061305 #>
13071306
13081307 [CmdletBinding ()]
13091308 param (
13101309 [UInt32 ] $BaseSeverity
13111310 )
13121311
1312+ begin {
1313+ $CredentialGuard = Get-CredentialGuardConfiguration
1314+ }
1315+
13131316 process {
13141317 $Vulnerable = $false
1315- $NtlmConfig = Get-LanManagerConfiguration
1318+ $Result = Get-LanManagerConfiguration
13161319
13171320 # Auth level must be lower than "Send NTLMv2 response only".
1318- if ($NtlmConfig .LmCompatibilityLevel -lt 3 ) {
1321+ if ($Result .LmCompatibilityLevel -lt 3 ) {
13191322
13201323 # Min client sec must not include "Require NTLMv2 session security".
1321- if (($NtlmConfig .NtlmMinClientSec -band 0x80000 ) -ne 0x80000 ) {
1324+ if (($Result .NtlmMinClientSec -band 0x80000 ) -ne 0x80000 ) {
13221325
13231326 # Outgoing NTLM traffic must not be set to "Deny all".
1324- if ($NtlmConfig.RestrictSendingNTLMTraffic -ne 2 ) {
1327+ if (($null -eq $Result.RestrictSendingNTLMTraffic ) -or ($Result.RestrictSendingNTLMTraffic -ne 2 )) {
1328+
1329+ # "Block NTLMv1 SSO" must not be enforced (Windows 11 24H2).
1330+ if (($null -eq $Result.BlockNtlmv1SSO ) -or ($Result.BlockNtlmv1SSO -eq 0 )) {
13251331
1326- $Vulnerable = $true
1332+ $Vulnerable = $true
1333+ }
13271334 }
13281335 }
13291336 }
13301337
1331- $Result = $NtlmConfig | Select-Object LmCompatibilityLevel, LmCompatibilityLevelDescription, NtlmMinClientSec, NtlmMinClientSecDescription, RestrictSendingNTLMTraffic, RestrictSendingNTLMTrafficDescription
1338+ $Result | Add-Member - MemberType " NoteProperty" - Name " CredentialGuard" - Value $CredentialGuard.CredentialGuardDescription
1339+
1340+ # If the config is vulnerable but Credential Guard is running, the system
1341+ # overall is not vulnerable.
1342+ if ($Vulnerable -and $CredentialGuard.CredentialGuardRunning ) {
1343+ $Vulnerable = $false
1344+ }
13321345
13331346 $CheckResult = New-Object - TypeName PSObject
13341347 $CheckResult | Add-Member - MemberType " NoteProperty" - Name " Result" - Value $Result
0 commit comments