Hello,

We just had an internal security check and one finding was this: https://www.tenable.com/plugins/nessus/161691

Nessus just checks for the presence of this key. I know it is easy to add a preference that deletes this key, but we built a SCCM package where we use exported Group Policies and apply them with lgpo.exe to standalone servers. Unfortunately lgpo.exe only applies admx files, no preferences.

As I have no clue on how to build custom admx files - is it possible to delete the ms-msdt key with a custom built admx?

Thanks a lot for your help!

Brgds Deas

Hi,

This is indeed possible (to delete keys with an ADMX template), as you can see for the certificate padding policy: https://github.com/Harvester57/Security-ADMX/blob/main/AdditionalHardening.admx#L107-L117

But as far as I know, this can only be used for HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER hives, not for HKEY_CLASSES_ROOT :(