Configuring Adobe Acrobat Reader DC policy settings using Intune for AAD devices
I recently had a requirement for setting up policies for Adobe Acrobat Reader DC to lockdown and configure some features against Autopilot provisioned AAD devices. Adobe does provide GPO templates, but what's astonishing is that these templates do not support all the settings. According to Adobe, the templates are basic starter templates containing the most important setting and are broadly spread across the following categories:
1. General enterprise settings: Features such as disabling updates and setting the default PDF handler.
2. Security: Application security features such as enhanced security, sandboxing, and JS controls.
3. TrustManager: Trusting Windows OS security zones as defined in Internet Explorer.
4. Digital Signatures: Adobe Acrobat Trust List integration.
I imported the templates in Intune to check what all policies are supported in Intune and there were only a handful settings.
According to Adobe, one can use Preference Reference to extend the templates, but this doesn't seem like a viable option to me.
If you do want to refer to the templates, then I have provided the links below -
So, what is the solution then? According to me there are two ways to set this up -
1. Configure relevant registries and create your own GPO template.
2. Use PowerShell to configure the relevant registries.
I decide to use the PS option as I didn't want the overhead of running and maintaining the custom GPO templates whenever the settings needed an update.
Back in Feb'22, I had published a post on addressing Defender security recommendation 'Disabling JavaScript' on Adobe Reader 2017 using Proactive remediation script in Intune. I will be using the same approach and shall be covering the details in the blog.
Note - In order to use Proactive Remediation feature, you need additional licenses. So, if you are using it for the first time, then you will be presented with the following popup where you need to confirm the terms before you can start using the feature.
In order to configure this under Proactive Remediation, we need 2 scripts. Detection and Remediation.
Detection - Now there are multiple ways to script this. Because I am configuring multiple registry values (as part of the remediation script), I am checking against all.
$val0 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown"
$val1 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices"
$val2 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint"
$val3 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen"
$val4 = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM"
if ( ($val1.bUpdater -eq '0') -and ($val1.bToggleWebConnectors -eq '1') -and ($val1.bToggleAdobeSign -eq '1') -and ($val2.bDisableSharePointFeatures -eq '1') -and ($val3.bShowWelcomeScreen -eq '0') -and ($val0.bAcroSuppressUpsell -eq '1') -and ($val4.bDontShowMsgWhenViewingDoc -eq '0') -and ($val1.bTogglePrefsSync -eq '1')
) {
Write-Output 'Value exists'
exit 0
} else{
Write-Output 'Value does not exist'
exit 1
}
Remediation - If the exit code of the detection script is 1, then the remediation script will run, and the string in the detection script (provided above) will be generated as output in the compliance status in Intune.
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe" }
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader" }
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC" }
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" }
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" }
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint" }
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen" }
If ($(Test-Path -Path "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM") -eq $False) { New-Item "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM" }
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bUpdater" -Value 0 -PropertyType "DWord" -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bToggleWebConnectors" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bToggleAdobeSign" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cSharePoint" -Name "bDisableSharePointFeatures" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cWelcomeScreen" -Name "bShowWelcomeScreen" -Value 0 -PropertyType "DWord" -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" -Name "bAcroSuppressUpsell" -Value 1 -PropertyType "DWord" -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM" -Name "bDontShowMsgWhenViewingDoc" -Value 0 -PropertyType "DWord" -Force
New-ItemProperty "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices" -Name "bTogglePrefsSync" -Value 1 -PropertyType "DWord" -Force
Putting it together in Intune-
1. Sign-in to the Microsoft Endpoint Management Admin Center.
2. Browse to Reports > Endpoint Analytics > Proactive Remediations > Create a Script Package
3. Fill the relevant fields like Name, Description, Publisher and hit Next.
4. In the settings section, select the relevant detection and remediation scripts as covered above in the blog. It should then look something like this.
5. Run the script in 64-bit PowerShell and leave the rest of the options as Default.
6. Assign the scope tags if required and then assign to device\user based group. You can define the frequency and add filters of the execution of the Proactive script. I set to run Daily.
End Result
The Intune management extension agent checks with Intune once every hour and after every reboot for any new scripts or changes. On execution, the compliance can be tracked in Intune.
Happy days..
Comments
Post a Comment