Encrypt LDAP client traffic to protect sensitive data in transit – Intune

Unlike “Require LDAP client signing to prevent tampering and protect directory authentication” (Network security: LDAP client signing requirements), this setting does not have a built-in Intune configuration, so it is enforced with the detection and remediation scripts below.

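# Detection script - checks if LDAPClientConfidentiality = 2
# Intune detection contract: exit 0 = compliant, exit 1 = remediation required.
# Text written to stdout appears as the detection output in the Intune console.
$RegPath       = "HKLM:\SYSTEM\CurrentControlSet\Services\ldap"
$RegName       = "LDAPClientConfidentiality"
$ExpectedValue = 2

try {
    # Report "key missing" and "value missing" separately so the output says what
    # the remediation has to create; both states are non-compliant.
    if (-not (Test-Path -Path $RegPath)) {
        Write-Host "Non-compliant: registry key $RegPath does not exist"
        exit 1
    }

    $Item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $Item) {
        Write-Host "Non-compliant: $RegName does not exist"
        exit 1
    }

    $CurrentValue = $Item.$RegName
    if ($CurrentValue -eq $ExpectedValue) {
        Write-Host "Compliant: $RegName is already $ExpectedValue"
        exit 0
    }
    else {
        Write-Host "Non-compliant: $RegName is $CurrentValue (expected $ExpectedValue)"
        exit 1
    }
}
catch {
    # A failed read (for example access denied) is reported with its reason rather
    # than being mislabelled as "does not exist"; it still counts as non-compliant.
    Write-Host "Non-compliant: unable to read $RegPath\$RegName - $($_.Exception.Message)"
    exit 1
}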
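# Remediation script - sets registry key only (no service restart, no reboot)
# Intune remediation contract: exit 0 = remediated, exit 1 = failed.
$RegPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\ldap"
$RegName  = "LDAPClientConfidentiality"
$RegValue = 2
$RegType  = "DWORD"

try {
    # Ensure the registry path exists
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }

    # Set/create the value
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue -Type $RegType -Force

    # Read the value back so SUCCESS is only reported when the expected value was
    # actually persisted - the same check the detection script performs.
    $Applied = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Stop).$RegName
    if ($Applied -ne $RegValue) {
        Write-Error "FAILED: $RegPath\$RegName reads back as $Applied (expected $RegValue)"
        exit 1
    }

    Write-Host "SUCCESS: $RegPath\$RegName set to $RegValue (DWORD)"
    Write-Host "Note: The new LDAP confidentiality setting will take effect on next LDAP client use or after a reboot."
    exit 0
}
catch {
    # Any failure (path creation, write, or read-back) is surfaced with its message.
    Write-Error "FAILED: $_"
    exit 1
}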