{"id":9365,"date":"2025-11-25T09:50:08","date_gmt":"2025-11-25T09:50:08","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=9365"},"modified":"2025-11-25T09:50:10","modified_gmt":"2025-11-25T09:50:10","slug":"encrypt-ldap-client-traffic-to-protect-sensitive-data-in-transit-intune","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/encrypt-ldap-client-traffic-to-protect-sensitive-data-in-transit-intune","title":{"rendered":"Encrypt LDAP client traffic to protect sensitive data in transit &#8211; Intune"},"content":{"rendered":"\n<p>Unlike &#8220;Require LDAP client signing to prevent tampering and protect directory authentication&#8221; (Network security: LDAP client signing requirements), this setting does not have an Intune configuration, so it is deployed with the detection and remediation scripts below.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\"># Detection script - checks if LDAPClientConfidentiality = 2 (Require sealing: LDAP client traffic must be encrypted)\n$RegPath = \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ldap\"\n$RegName = \"LDAPClientConfidentiality\"\n$ExpectedValue = 2\n\ntry {\n    # -ErrorAction Stop makes a missing path or missing value land in the catch block\n    $CurrentValue = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Stop).$RegName\n    if ($CurrentValue -eq $ExpectedValue) {\n        Write-Host \"Compliant: $RegName is already $ExpectedValue\"\n        exit 0\n    }\n    else {\n        Write-Host \"Non-compliant: $RegName is $CurrentValue (expected $ExpectedValue)\"\n        exit 1\n    }\n}\ncatch {\n    Write-Host \"Non-compliant: $RegName does not exist\"\n    exit 1\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\"># Remediation script - sets registry key only (no service restart, no reboot)\n$RegPath  = \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\ldap\"\n$RegName  = \"LDAPClientConfidentiality\"\n$RegValue = 2          # 0 = None, 1 = Negotiate sealing, 2 = Require sealing\n$RegType  = \"DWORD\"\n\ntry {\n    # Ensure the registry path exists\n    if (-not (Test-Path $RegPath)) {\n        New-Item -Path $RegPath -Force | Out-Null\n    }\n\n    # Set\/create the value\n    Set-ItemProperty -Path $RegPath -Name $RegName -Value $RegValue -Type $RegType -Force\n\n    Write-Host \"SUCCESS: $RegPath\\$RegName set to $RegValue (DWORD)\"\n    Write-Host \"Note: The new LDAP confidentiality setting will take effect on next LDAP client use or after a reboot.\"\n    exit 0\n}\ncatch {\n    Write-Error \"FAILED: $_\"\n    exit 1\n}<\/code><\/pre>\n","protected":false},
"excerpt":{"rendered":"<p>Unlike &#8220;Require LDAP client signing to prevent tampering and protect directory authentication&#8221; (Network security: LDAP client signing requirements), this setting does not have an Intune configuration, so it is deployed with detection and remediation scripts.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9365","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9365","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=9365"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9365\/revisions"}],"predecessor-version":[{"id":9366,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9365\/revisions\/9366"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=9365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=9365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=9365"}],"curies":[{"name":"wp","href":"https:\/\
/api.w.org\/{rel}","templated":true}]}}