Friday, April 26, 2019

Create a GPO for RegFix Required by MS15-124

The update shipped in MS15-124 (KB3116180 and later IE cumulative updates) contains the code that mitigates the IE ASLR bypass vulnerability CVE-2015-6161, but that hardening is not enabled until a registry value is set. Without the registry entries, patched systems remain vulnerable, and security scanners such as Tenable Nessus will continue to report the update as missing or incomplete.

In large environments, Microsoft recommends deploying the registry fix via GPO rather than via its downloadable Fix it program. My experience has been that newer IE updates will sometimes remove the registry entries that need to be created, so having them in a GPO will ensure they persist through future patch cycles.

To create the GPO:
  1. Open Group Policy Management
  2. Create a new GPO and open it in the editor
  3. Expand Computer Configuration -> Preferences -> Windows Settings -> Registry, right-click Registry, choose New -> Registry Item, and create the following two entries.
    • Reg Item 1:
      • Action: Update
      • Hive: HKLM
      • Key Path: SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
      • Value Name: iexplore.exe
      • Value Type: REG_DWORD
      • Value Data: 1
    • Reg Item 2:
      • Action: Update
      • Hive: HKLM
      • Key Path: SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING
      • Value Name: iexplore.exe
      • Value Type: REG_DWORD
      • Value Data: 1
  4. Once the GPO is created, link it to the OUs that contain the computer objects to be hardened. Because both items sit under Computer Configuration, the GPO has no effect if it is linked only to OUs of user objects. The values are written at the next Group Policy refresh, or immediately by running gpupdate /force on a client.
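After the policy has refreshed it is worth confirming that both values actually landed, and that they are REG_DWORD rather than a string "1", since the feature control is only honored as a DWORD. The following PowerShell is an added example written for this post, not Microsoft's Fix it or anything from the original page. It assumes an elevated PowerShell session on the client; the Repair function is a hypothetical fallback for machines outside the GPO's scope and reproduces the same create-or-overwrite behavior as the GPP "Update" action.

```powershell
# Added example (not from the original post): verify, and optionally repair,
# the MS15-124 registry hardening on the local machine. Assumes an elevated
# PowerShell session. The Repair function is a hypothetical fallback for
# machines that do not receive the GPO.

$ValueName = 'iexplore.exe'
$KeyPaths  = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'
)
if ([Environment]::Is64BitOperatingSystem) {
    # The Wow6432Node view is read by 32-bit IE processes on 64-bit Windows;
    # on a 32-bit OS it is not needed, so it is only checked on x64.
    $KeyPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'
}

function Test-MS15124RegFix {
    # Returns one object per key path with the observed value and a
    # Compliant flag that is true only for a REG_DWORD equal to 1.
    [CmdletBinding()]
    param()
    foreach ($path in $KeyPaths) {
        $item  = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$ValueName } else { $null }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            KeyPath      = $path
            Value        = $value
            # A REG_SZ "1" comes back as [string] and is rejected here.
            Compliant    = ($value -is [int] -and $value -eq 1)
        }
    }
}

function Repair-MS15124RegFix {
    # Hypothetical fallback: same effect as the GPP "Update" action.
    # Creates the key if missing and writes iexplore.exe = DWORD 1.
    [CmdletBinding()]
    param()
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        Set-ItemProperty -Path $path -Name $ValueName -Value 1 -Type DWord
    }
}

# Usage: report current state; repair only the machines the GPO does not reach.
Test-MS15124RegFix | Format-Table -AutoSize
if (Test-MS15124RegFix | Where-Object { -not $_.Compliant }) {
    Write-Warning 'MS15-124 hardening is incomplete on this machine.'
}
```

If Nessus still reports the update as missing after a refresh, run the check above on the affected host: a non-compliant row for one of the two paths usually means the GPO is not linked to that computer's OU or a later IE update removed the value, in which case the next policy refresh will restore it.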