Master in Progress IT blog

Welcome back to Master in Progress! Today, we’re diving into a topic that might feel like your machines have a bit of a rebellious streak: Group Policy Object (GPO) registry tattooing. Yes, it’s real, and no, it’s not as cool as it sounds. So, what’s the deal with these “tattoos” your GPOs are leaving behind, and why won’t they just go away?

What is GPO Registry Tattooing?

Let’s start with the basics.

GPO (Group Policy Object) registry tattooing occurs when a GPO applies specific settings to a machine’s registry, and when that GPO is removed, the registry settings aren’t automatically reset to their default values. The settings are “tattooed” onto the system, sticking around like a bad tattoo from your rebellious teenage years.

This can be especially persistent when it comes to security settings, as these settings are stored in a local database on your computer. Whenever a security setting is applied via GPO or local policy, it gets saved in this database. Even if the policy is later removed or unlinked, the security settings don’t automatically revert to previous values unless they were explicitly defined beforehand. If there’s no previous value in the database, the setting remains stuck with its last defined value, a behavior commonly referred to as “tattooing.”

Why Does This Happen?

Normally, when a GPO is removed, you expect the system to revert to its pre-GPO state. However, certain registry keys modified by the GPO remain unchanged unless specifically instructed otherwise.

Here’s why:

• One-Way Ticket: Some GPO settings are designed to apply a value but not revert it. Once the setting is tattooed into the registry, the GPO doesn’t include instructions for what happens when it’s removed.
• No Cleanup Logic: In some cases, the GPO doesn’t have logic to revert or reset the change after it’s no longer applied. The settings are left behind, sitting in the registry like an awkward guest who didn’t realize the party was over.

How to Avoid or Mitigate GPO Tattooing

Just like avoiding a bad tattoo, you can avoid GPO registry tattoos with careful planning. Here’s how to prevent or fix tattooed settings:

1. Set the GPO to the Desired Value Before Removal
   Instead of simply deleting or disabling a GPO, set the policy to the value you actually want. By explicitly setting the correct value before unlinking or removing the GPO, you ensure the desired state is applied. This avoids leaving an undesired setting stuck in place.
2. Run Cleanup Scripts
   If tattooing has already occurred, scripts can be a lifesaver. Use PowerShell scripts to manually reset the registry keys that were modified by the GPO. This is the manual “tattoo removal” you need to bring your systems back to a clean state. Example PowerShell snippet to reset a specific registry key:

   Set-ItemProperty -Path 'HKLM:\Software\Policies\' -Name 'YourKeyName' -Value 0

3. Leverage GPO Removal Features (Where Available)
   For certain policies, there may be an option to specify behavior on removal. If available, use this feature to automatically undo the settings when the GPO is no longer applied.

How to Identify Tattooed Registry Settings

Now that you’ve removed a GPO but suspect a lingering setting, how can you find the “tattooed” registry key? Here’s a practical approach:

1. Identify the Misbehaving Behavior
   First, pinpoint the behavior or setting that seems to be stuck. Let’s use an example where your system is still enforcing a custom SSL cipher suite order, even though you’ve removed the GPO that configured it. This could cause issues with SSL/TLS negotiations that are out of sync with your current security requirements.
2. Use Websites Like ADMX Help to Find Corresponding Registry Keys
   Now that you’ve identified the misbehaving setting, the next step is to track down the registry key associated with the GPO. ADMX Help is a great resource for this task. Let’s walk through how you can find the relevant registry key for the SSL Cipher Suite Order policy. Example: Tracking Down the Registry Key for SSL Cipher Suite Order Policy

• Step A: Navigate to ADMX Help.
  Head over to ADMX Help in your browser. This site provides a detailed breakdown of ADMX policies, including the registry paths and keys that they modify.
• Step B: Search for the GPO setting.
  In this case, you want to look up the SSL Cipher Suite Order policy. In the search bar, type “SSL Cipher Suite Order” or directly go to this link: ADMX Help – SSL Cipher Suite Order.
• Step C: Review the Policy Details.
  Once you land on the page for the SSL Cipher Suite Order policy, you’ll find all the critical information:
  • The policy name as it appears in the Group Policy Management Editor: “SSL Cipher Suite Order.”The ADMX file where this policy is defined: cipherstrength.admx.The registry path and key:
  Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 Value Name: Functions
  • The value this policy sets: a long string that specifies the order of SSL ciphers (for example, “TLS_RSA_WITH_AES_128_CBC_SHA256, …”).
• Step D: Check the Registry.
  With this information, open the Registry Editor (regedit.exe) on the machine where the GPO was previously applied. Navigate to the following path:
  HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
  Inside, look for the Functions value. If it’s still present with the custom cipher order, even though you’ve removed the GPO, then this is your tattooed setting. The machine is still enforcing this order because the registry key wasn’t reverted when the policy was removed.

3. Modify or Remove the Registry Entry
   Now that you’ve found the tattooed setting, you can manually modify the Functions value to reflect the default or desired cipher suite order. Alternatively, if you no longer want any custom order applied, you can simply delete the key or reset it to a neutral value. Example of removing the setting via PowerShell:

   Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
   Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions'
010002' -Name 'Functions'

4. PowerShell for Quick Queries
   To check for this tattooed setting on multiple machines, you can use PowerShell to quickly query the registry key. Here’s an example:

   Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL
   Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions'
010002' -Name 'Functions'

This will return the current value of the SSL Cipher Suite Order if it’s still applied. You can then decide whether to reset, modify, or remove it based on your requirements.

Conclusion

GPO registry tattooing might sound intimidating, but with tools like ADMX Help, identifying lingering registry keys becomes much easier. By taking the time to properly remove or reset these settings, you can ensure your systems aren’t following outdated rules.

Remember, always check the registry for tattooed settings and use resources like ADMX Help or Group Policy Search to track down the corresponding keys. For persistent policies, like the SSL Cipher Suite Order, manually resetting the registry key is key to keeping your systems secure and up-to-date.

Has GPO registry tattooing caused you trouble in the past? Share your experiences in the comments below, check other posts in Master in Progress for more tips, tricks, and insights into mastering Active Directory and beyond!

References

• Security policies