Configuration Item for Windows 10 64 Bit

Boopathi Subramaniam 3,196 Reputation points
2021-09-13T17:37:51.437+00:00

Hi Team,

I need to create a configuration item as per the CVE-2021-40444.
All the devices are Windows 10 64 bit Opearting system.

Please let me now which registry to be used from the below to create configuration item

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion

or

HKEY_LOCAL_MACHINE\SOFTWARE\Policies**WOW6432Node**\Microsoft\Windows\CurrentVersion

Please help.

Microsoft Configuration Manager
0 comments
Accepted answer
  1. AllenLiu-MSFT 40,551 Reputation points Microsoft Vendor
    2021-09-14T02:39:33.307+00:00

    Hi, @Boopathi Subramaniam
    Thank you for posting in Microsoft Q&A forum.

    As per the article: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
    This registry is for all internet zones for 64-bit and 32-bit processes.
    And we know Wow6432Node is the registry accessed by 32-bit programs running in 64-bit system, so we should not use the path with Wow6432Node.
    We just need to use the registry as the article listed.

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Garth Jones 1,351 Reputation points
    2021-09-13T18:38:45.793+00:00

    The KB for this should tell you exactly which reg key to use.

    0 comments
  2. Philippe Levesque 5,691 Reputation points MVP
    2021-09-13T19:04:30.313+00:00

    Hi, it's in the path without WoW. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones*

    Per the KB:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
    "1001"=dword:00000003
    "1004"=dword:00000003

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1001"=dword:00000003
    "1004"=dword:00000003

    This sets the URLACTION_DOWNLOAD_SIGNED_ACTIVEX (0x1001) and URLACTION_DOWNLOAD_UNSIGNED_ACTIVEX (0x1004) to DISABLED (3) for all internet zones for >>>64-bit and 32-bit processes<<<. New ActiveX controls will not be installed. Previously-installed ActiveX controls will continue to run.

    Thanks

    0 comments