Pages

Friday, January 8, 2016

Disabling “Enable Protected Mode at startup” and “Enable Enhanced Security” for Adobe Acrobat Reader DC 2015

I recently had to troubleshoot an issue with PDFs failing to launch within an Internet Explorer window which lead to a resolution that required two security features in Adobe Acrobat Reader DC 2015 to be disabled and thought that I’d write this post to demonstrate the process so I could reference it when I write the post describing that issue.  Note that I am not recommending to disable these features as it renders the reader much less secure so please carefully evaluate other alternatives if they exist.

The reader I’ll be modifying will be the Adobe Acrobat Reader DC 2015 Release | Version 2015.009.20079

image

The two features we’ll be disabling are:

Enable Protected Mode at startup

… and:

Enable Enhanced Security

… listed in the Security (Enhanced) category:

image

To disable the Enable Protected Mode at startup configuration, navigate to the following registry key:

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Privledged

… then modify the bProtectedMode REG_DWORD value to 0 to disable and 1 to enable:

image

To disable the Enable Enhanced Security configuration, navigate to the following registry key:

HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\TrustManager

… then modify the bEnhancedSecurityStandalone REG_DWORD value to 0 to disable and 1 to enable:

image

Perform the same change to bEnhancedSecurityInBrowser if you want the same change for PDFs launched in browsers.

To automate these configuration changes, you can either use a GPO that launches a batch file containing REG ADD:

reg add "HKCU\Software\Adobe\Acrobat Reader\DC\Privileged" /v "bProtectedMode" /t REG_DWORD /d 0 /f

reg add "HKCU\Software\Adobe\Acrobat Reader\DC\TrustManager" /v "bEnhancedSecurityStandalone" /t REG_DWORD /d 0 /f

reg add "HKCU\Software\Adobe\Acrobat Reader\DC\TrustManager" /v "bEnhancedSecurityInBrowser" /t REG_DWORD /d 0 /f

… or use Group Policy Preferences to add/update the key.

2 comments:

Anonymous said...

You are partially correct: However with the information you provided it was of great assistance, so I will give you the entire process.By updating the ntuser.dat for the default user it will work for anyone that connects.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bProtectedMode /t REG_DWORD /d "0x00000000" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bUpdater /t REG_DWORD /d "0x00000000" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bUsageMeasurement /t REG_DWORD /d "0x00000000" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bProtectedMode /t REG_DWORD /d "0x00000000" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown" /v bUpdater /t REG_DWORD /d "0x00000000" /f

echo loading NTUSER.DAT hive...
reg load "hku\temp" "C:\Users\Default\NTUSER.DAT"

Korrozia said...

This solution works for can print from windows service using Adobe Reader.