Configuring Adobe Acrobat Reader DC policy settings using Intune for AAD devices

-
I recently had a requirement for setting up policies for Adobe Acrobat Reader DC to lockdown and configure some features against Autopilot provisioned AAD devices. Adobe does provide GPO templates, but what's astonishing is that these templates do not support all the settings. According to Adobe, the templates are basic starter templates containing the most important setting and are broadly spread across the following categories:

1. General enterprise settings: Features such as disabling updates and setting the default PDF handler.
2. Security: Application security features such as enhanced security, sandboxing, and JS controls.
3. TrustManager: Trusting Windows OS security zones as defined in Internet Explorer.
4. Digital Signatures: Adobe Acrobat Trust List integration.

I imported the templates in Intune to check what all policies are supported in Intune and there were only a handful settings.


According to Adobe, one can use Preference Reference to extend the templates, but this doesn't seem like a viable option to me.

If you do want to refer to the templates, then I have provided the links below -


So, what is the solution then? According to me there are two ways to set this up -

1. Configure relevant registries and create your own GPO template.
2. Use PowerShell to configure the relevant registries.

I decide to use the PS option as I didn't want the overhead of running and maintaining the custom GPO templates whenever the settings needed an update.

Back in Feb'22, I had published a post on addressing Defender security recommendation 'Disabling JavaScript' on Adobe Reader 2017 using Proactive remediation script in Intune. I will be using the same approach and shall be covering the details in the blog.

Note - In order to use Proactive Remediation feature, you need additional licenses. So, if you are using it for the first time, then you will be presented with the following popup where you need to confirm the terms before you can start using the feature.


In order to configure this under Proactive Remediation, we need 2 scripts. Detection and Remediation.

Detection - Now there are multiple ways to script this. Because I am configuring multiple registry values (as part of the remediation script), I am checking against all.

$val0 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
$val1 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices"
$val2 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint"
$val3 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen"
$val4 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM"
if ( ($val1.bUpdater -eq '0') -and ($val1.bToggleWebConnectors -eq '1') -and ($val1.bToggleAdobeSign -eq '1') -and ($val2.bDisableSharePointFeatures -eq '1') -and ($val3.bShowWelcomeScreen -eq '0') -and ($val0.bAcroSuppressUpsell -eq '1') -and ($val4.bDontShowMsgWhenViewingDoc -eq '0') -and ($val1.bTogglePrefsSync -eq '1') 
) { 
        Write-Output 'Value exists'
        exit 0
    } else{
        Write-Output 'Value does not exist'
        exit 1
          }

Remediation - If the exit code of the detection script is 1, then the remediation script will run, and the string in the detection script (provided above) will be generated as output in the compliance status in Intune.

         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen" }
         If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM" }
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bUpdater" -Value 0 -PropertyType "DWord" -Force
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bToggleWebConnectors" -Value 1 -PropertyType "DWord" -Force
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bToggleAdobeSign" -Value 1 -PropertyType "DWord" -Force
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint" -Name "bDisableSharePointFeatures" -Value 1 -PropertyType "DWord" -Force
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen" -Name "bShowWelcomeScreen" -Value 0 -PropertyType "DWord" -Force
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name "bAcroSuppressUpsell" -Value 1 -PropertyType "DWord" -Force
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM" -Name "bDontShowMsgWhenViewingDoc" -Value 0 -PropertyType "DWord" -Force
         New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bTogglePrefsSync" -Value 1 -PropertyType "DWord" -Force

Putting it together in Intune-

2. Browse to Reports > Endpoint Analytics > Proactive Remediations > Create a Script Package
3. Fill the relevant fields like Name, Description, Publisher and hit Next.
4. In the settings section, select the relevant detection and remediation scripts as covered above in the blog. It should then look something like this.



5. Run the script in 64-bit PowerShell and leave the rest of the options as Default.
6. Assign the scope tags if required and then assign to device\user based group. You can define the frequency and add filters of the execution of the Proactive script. I set to run Daily.

End Result

The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. On execution, the compliance can be tracked in Intune.


Happy days..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Intune: UAC Elevation Prompt Behavior for Standard Users

-
Image
Implementing and maintaining a good security posture is an integral part of overall IT security governance for most organizations now. While you want to harden the security of infrastructure and give least number of privileges to your end users, sometimes you may need to cut back on the restrictions to ensure a good user experience and an effective IT support process. Recently, I had a requirement where the customer wanted to ease the restriction on the end user devices to make the helpdesk support process more efficient. This involved easing the UAC level access for the Standard users and if you are managing your devices using Intune, then this blog may just help you. Let us see what all is involved and some of the ways that you can use to implement this easily. Policy CSP – LocalPoliciesSecurityOptions LocalPoliciesSecurityOptions has many CSP settings and if you are managing these settings at an individual level, then the CSP that we need to concern ourselves with here is U
Read more