Information
The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:
Search folders specified in the system path first, and then search the current working folder.
Search current working folder first, and then search the folders specified in the system path.
When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path.
Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems.
The recommended state for this setting is: Enabled.
Note: More information on how Safe DLL search mode works is available at this link: Dynamic-Link Library Search Order - Windows applications | Microsoft Docs
Rationale:
If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render.
Impact:
None - this is the default behavior.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Computer Configuration/MSS (Legacy)
Setting Name: MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Configuration: Enabled
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Default Value:
Enabled.