I caught (and foolishly dismissed) the difference yesterday, because we enforced the desired Point & Print values using the related Point & Print Restrictions Policy GP settings rather than pushing the keys directly, and when I confirmed the same keys I noticed the Update one had a different name. By default the keys don't exist, and in that state the behavior is the same as if they were set to 0, but if they're set to 1 the patch can be bypassed and RCE is still possible. The desired value for both keys is still "0" to prevent bypass. The originally published keys were NoWarningNoElevationOnInstall & NoWarningNoElevationOnUpdate, but the correct ones are NoWarningNoElevationOnInstall & UpdatePromptSettings. The registry keys they originally published were incorrect, and they quietly fixed them in the MSRC aticle last night (It was referred to as an "Informational Change Only").
0 Comments
Leave a Reply. |