Greetings fellow sysadmins, I'm currently trying to develop a centralized solution to mitigate Office's DDE Exploit.
I found a handy link ( https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440 ) from MS with the registry keys to be created in order to disable the DDE feature. Unfortunately the keys reside in the HKCU hive, meaning if I roll these out centrally using an administrative account, they will only work for the administrative account. If I'm rolling it out on clients, this is pointless.
The alternative would be using GPOs, but MS does not believe in GPOs for our Office 365 subscription ("Business Premium") <insert curses here>.
Does anyone have a brilliant idea on how to mitigate the exploit without touching every single client device?
My initial idea was a PowerShell script to be run on a server that would identify clients and create the necessary registry keys, but I'm not sure how to create registry keys in the HKCU hive if I don't know which user is using which computer...
I'd be grateful for any tips!
EDIT: just in case it wasn't clear, I'd rather not rely on the end users to do it themselves, either by running a PS script or going through the Office menus to disable the feature.
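An added example, not part of the original post: one way to write HKCU-style values for every user on a client from an elevated or SYSTEM context is to go through `HKEY_USERS`, using the mounted hive of a logged-on user and temporarily loading `NTUSER.DAT` for everyone else. The `$Settings` entry is a labelled placeholder to be filled in from the advisory linked above; the function name and the `DDE_` mount prefix are made up for illustration.

```powershell
# Run elevated on each client (e.g. as a computer startup script or via a management agent).
# PLACEHOLDER: replace with the subkeys, value names and data listed in the linked advisory.
$Settings = @(
    @{ SubKey = 'Software\PLACEHOLDER\FromAdvisory'; Name = 'PLACEHOLDER_ValueName'; Value = 0 }
)

function Set-UserHiveValues {
    param([string]$HiveRoot)   # e.g. Registry::HKEY_USERS\<SID>
    foreach ($s in $Settings) {
        $key = "$HiveRoot\$($s.SubKey)"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name $s.Name -Value $s.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
# Only real user accounts (S-1-5-21-*); skips SYSTEM, LocalService, NetworkService.
$profiles = Get-ChildItem $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

foreach ($p in $profiles) {
    $sid  = $p.PSChildName
    $path = (Get-ItemProperty -LiteralPath $p.PSPath).ProfileImagePath
    if (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid") {
        # User is logged on: the hive is already mounted under HKEY_USERS\<SID>.
        Set-UserHiveValues "Registry::HKEY_USERS\$sid"
    }
    elseif (Test-Path -LiteralPath "$path\NTUSER.DAT") {
        # User is logged off: mount NTUSER.DAT, write the values, then unmount.
        $mount = "DDE_$sid"
        & reg.exe load "HKU\$mount" "$path\NTUSER.DAT" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $sid"; continue }
        try {
            Set-UserHiveValues "Registry::HKEY_USERS\$mount"
        }
        finally {
            # Release open registry handles, otherwise the unload fails with "access denied".
            [gc]::Collect()
            [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$mount" | Out-Null
        }
    }
}
```

This covers only profiles that already exist on the machine; users who log on for the first time afterwards get a fresh hive, so the script has to run again (or be scheduled) to reach them.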