Ctrl + Alt + Delete Enforcement in an Imprivata OneSign Environment
I had this challenge today: enforce Ctrl + Alt + Delete being required at logon and unlock. This is easy to do via Group Policy normally (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL), except in environments that have computers with the Imprivata OneSign (single sign-on) agent installed, where this requirement has to be turned off so that a badge tap or fingerprint read can automatically unlock the workstation. Sure, you could set up a group and scope the GPO to it, but that would mean manually making sure every PC that currently has Imprivata OneSign installed is a member of that group... yuck, automation is much better, right?
Ideal behavior would be to have Ctrl + Alt + Delete on logon enabled if Imprivata OneSign is not installed, and Ctrl + Alt + Delete on logon disabled if Imprivata OneSign is installed.
The solution I ended up coming up with was an SCCM Compliance Item. It uses the same registry value (DisableCAD) that the GPO setting mentioned above sets, but the setting itself is a PowerShell script with a little logic: the discovery script reports whether the value matches what the Imprivata install state calls for, and the remediation script applies the correct value if it isn't already compliant.
The Script Setting needs to be set to a Value of type Boolean for the scripts below to work.
I also exported the compliance item and placed it into a .7z archive if you want to just import it and begin using it.
Discovery Script:

# DisableCAD: 1 = Ctrl+Alt+Del NOT required at logon, 0 = required.
# -ErrorAction SilentlyContinue so a missing key/value yields $null instead of an error,
# which the 'default' branches below treat as non-compliant.
$CTRLALTDELValue = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue).DisableCAD

# OneSign agent present if ISXAgent.exe exists in either the 32-bit or 64-bit install path.
$ImprivataPresent = ((Test-Path -Path "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXAgent.exe") -or (Test-Path -Path "C:\Program Files\Imprivata\OneSign Agent\ISXAgent.exe"))

if ($ImprivataPresent -eq $true) {
    # Imprivata installed: compliant only when Ctrl+Alt+Del is NOT required (DisableCAD = 1).
    switch ($CTRLALTDELValue) {
        0       { return $false }
        1       { return $true }
        default { return $false }
    }
}
else {
    # No Imprivata: compliant only when Ctrl+Alt+Del IS required (DisableCAD = 0).
    switch ($CTRLALTDELValue) {
        0       { return $true }
        1       { return $false }
        default { return $false }
    }
}

Remediation Script:

# Same inputs as the discovery script.
$CTRLALTDELValue = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue).DisableCAD
$ImprivataPresent = ((Test-Path -Path "C:\Program Files (x86)\Imprivata\OneSign Agent\ISXAgent.exe") -or (Test-Path -Path "C:\Program Files\Imprivata\OneSign Agent\ISXAgent.exe"))

if ($ImprivataPresent -eq $true) {
    # Imprivata installed: whatever the current value (0, 1 or missing), set DisableCAD = 1.
    switch ($CTRLALTDELValue) {
        0       { Set-ItemProperty -Name "DisableCAD" -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Value 1 -Type DWord | Out-Null }
        1       { Set-ItemProperty -Name "DisableCAD" -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Value 1 -Type DWord | Out-Null }
        default { Set-ItemProperty -Name "DisableCAD" -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Value 1 -Type DWord | Out-Null }
    }
}
else {
    # No Imprivata: whatever the current value, set DisableCAD = 0 (Ctrl+Alt+Del required).
    switch ($CTRLALTDELValue) {
        0       { Set-ItemProperty -Name "DisableCAD" -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Value 0 -Type DWord | Out-Null }
        1       { Set-ItemProperty -Name "DisableCAD" -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Value 0 -Type DWord | Out-Null }
        default { Set-ItemProperty -Name "DisableCAD" -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Value 0 -Type DWord | Out-Null }
    }
}
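As an added example (my own code, not the compliance item from this post), here is a standalone script for spot-checking machines before or after deploying the baseline: it reports the current DisableCAD value, whether the OneSign agent is present, the value the install state calls for, and whether the two agree, and it offers an opt-in remediation that honours -WhatIf. The registry value and agent paths are the ones the post uses; the function names, the report object and the handling of a missing key are my assumptions.

```powershell
# Added example, not from the original post. Read-only report plus opt-in remediation
# for the Ctrl+Alt+Del / Imprivata OneSign policy described above.

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$AgentPaths = @(
    'C:\Program Files (x86)\Imprivata\OneSign Agent\ISXAgent.exe',
    'C:\Program Files\Imprivata\OneSign Agent\ISXAgent.exe'
)

function Get-CadPolicyState {
    [CmdletBinding()]
    param()

    # A missing key or value must not throw; treat it as "not configured" ($null).
    $current = (Get-ItemProperty -Path $PolicyKey -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD

    # Agent present if ISXAgent.exe exists at either install path.
    $imprivata = @($AgentPaths | Where-Object { Test-Path -Path $_ }).Count -gt 0

    # Desired DisableCAD: 1 (CAD not required) with OneSign installed, otherwise 0 (CAD required).
    $desired = if ($imprivata) { 1 } else { 0 }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ImprivataPresent  = $imprivata
        DisableCAD        = $current            # $null when the value is not configured
        DesiredDisableCAD = $desired
        Compliant         = ($null -ne $current -and [int]$current -eq $desired)
    }
}

function Set-CadPolicyState {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $state = Get-CadPolicyState
    if ($state.Compliant) { return $state }

    # Policies\System normally exists, but create it if a stripped-down image lacks it.
    if (-not (Test-Path -Path $PolicyKey)) {
        $null = New-Item -Path $PolicyKey -Force
    }

    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set DisableCAD = $($state.DesiredDisableCAD)")) {
        Set-ItemProperty -Path $PolicyKey -Name DisableCAD -Value $state.DesiredDisableCAD -Type DWord
    }

    Get-CadPolicyState
}

# Usage (run elevated to remediate):
#   Get-CadPolicyState            report only
#   Set-CadPolicyState -WhatIf    show the change that would be made
#   Set-CadPolicyState            apply it
# Running the file as a script emits the report, so it can be fanned out with
# Invoke-Command -ComputerName ... -FilePath <this file> (assumes WinRM is enabled).
Get-CadPolicyState
```

One caveat worth checking before you roll this out: if a domain GPO still defines "Interactive logon: Do not require CTRL+ALT+DEL", Group Policy will rewrite DisableCAD on every refresh and fight the compliance item, so leave that setting Not Defined in GPO and let the baseline own the value. Pipe the report into Export-Csv across a collection to see how many machines are non-compliant before enabling remediation on the baseline.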