cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

Controlling Adobe Acrobat DC 2017 Pro with Group Policy

jwckauman
Community Beginner ,
Jan 24, 2020 Jan 24, 2020

Copy link to clipboard

Copied

Has anyone used the Group Policy/Active Directory instructions Adobe provides to control Adobe Acrobat DC 2017 Professional?  Here is the webpage Adobe provides users who want to do this.

 

https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDeployment/gpo.html

 

I have downloaded their admin templates and installed them in my Active Directory domain.  I can make the setting changes i want in the Group Policy but Adobe Acrobat doesnt pay attention to them.  For example, the Group Policy template has a setting that lets you disable automatic updates. When i enable this setting (which means 'disabled automatic updates'), Adobe Acrobat still does its own automatic updates.  It isnt doing what the policy is telling it to do.  

 

I have called Adobe support and its like they dont even know anything about it.  Or want to test it to ensure it works.  They keep telling me to hack the registry with Group Policy instead.  

TOPICS
General troubleshooting , How to

Views

5.5K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 8 Replies 8
latest latest Jump to latest reply
ls_rbls Community Expert
Community Expert ,
Jan 25, 2020 Jan 25, 2020

Copy link to clipboard

Copied

Hi, 

 

Let me begin by apologizing for a long reply,  and perhaps because it may sound as  ridiculuous as uneccessary lecturing. But Adobe support is right about hacking the registry.

 

I personally wouldn't call it hacking though.

 

Sadly, there's  too much negative connotations associated to that word (and this is probably in great part to the stereotypes in movies and TV shows that in great part are also fueled  with ignorant media outlets who appear to behave irresponsibly when an editorial staff gives zero rats about the content that  hard-news journalists are occasionaly talking about).

 

Oxford Online Dictionary defines Hacking as:
the gaining of unauthorized access to data in a system or computer.

 

You have to ask yourself if this is really what editing registry keys in a windows box means.

 

Thomas-Fenner-Woods Agency, Inc.  explains on CyberAwareness:
People tend to treat “hacker” and “cyber-criminal” as interchangeable terms. The truth is that legal hacking isn’t the exception to the rule, illegal hacking is the exception. All hacking really consists of is cracking a system, and not all systems are illegal to crack.

Computer hacking refers to the practice of modifying or altering computer software and hardware to accomplish a goal that is considered to be outside of the creator's original objective. Those individuals who engage in computer hacking activities are typically referred to as “hackers.”

 

So basically,  in this wide and generic context everyone in these forums are hackers.

 

Morover, the Computer Misuse Act 1990 defines hacking as:
Unauthorised access to computer material, punishable by up to two years in prison or a fine or both. Section 36. Unauthorised acts with intent to impair operation of computer, etc. ... Making, supplying or obtaining articles for use in computer misuse offences, punishable by up to two years in prison or a fine or both.

 

And now that that part is out of the way, I may add that editing the registry settings has nothing to do with "hacking" in the context of the Oxford Online Dictionary and the Computer Misuse Act of 1990.

 

As a matter of fact, knowing how to document yourself to become a professional in this area literally separates you from the jungle in contrast to  whatever evreybody else talks about registry.

 

The same would apply if someone who performs as a network administrator needs to  use packet sniffers, port-scanning vulnerability tools, password cracking and decryption tools with remote administration capabilities to be able to enforce the desired  security standards of their organization. This includes, but is not limited to,  harnessing routers and firewalls to improve the overall security of the network they're responsible for.

 

In that context, those activities  doesn't make a network admin professional a "hacker" as defined " by  the Oxford Online Dictionary and the Computer Misuse Act of 1990.

 

Anyone who performs in an IT management-level role is supposed to know enough in order  to be able to change the generic manufacturer configurations that were shipped with the operating system when it was installed for the first time.

 

And in your case,  if some of the things are not working properly for a particular deployment, then yes;  there are times that you will find that some settings are locked by default so the users are not allowed to modify them. When this is the case you may need to get under the hood to perform "repairs" or enhancements.

 

This brings me to ask you if you're using the appropriate administrative rights to unlock some of the settings that you're trying to modify via Group Policy.

 

My other observation is that you are correct in using the Group Policy / Active Directory templates but, since it looks like we may be missing a step somewhere,  you may also  need to combine Group Policy editing with the Customization Wizard and the Preferences Reference  https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/preferences.html

 

See  Updater-Win (Windows Updates)  section here: https://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Updater-Win.html#idkeyname_1_2657...  and evaluate this note:  Updater (basic settings)

These preferences turn the Updater on and off.

There are two bUpdater preferences: One for disabling services plugins and one for other product updates.
DC Continuous track web and desktop updates are released in tandem to ensure cloud and desktop features and functionality remain synchronized and compatible. Failure to update desktop components while leaving services enabled may lead to an unsupported configuration. In other words, set both bUpdater preferences to the same value.
Updater preferences in the UI have been changed to only show the "Auto" and "Off" options. The Continous track of Reader does not provide any UI options and the default is "Auto".
Both bUpdater and Mode can be used to disable the Updater, but only bUpdater removes the update UI.
Most other updater registry settings have been deprecated and only apply to 11.x and earlier.

 

See also full Preferences Reference here: 

https://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/index.html  and check  for other additional details  here: https://www.adobe.com/devnet-docs/etk_deprecated/tools/QuickKeys/index.html#updates

  

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
jwckauman
Community Beginner ,
Jan 25, 2020 Jan 25, 2020

Copy link to clipboard

Copied

In Response To ls_rbls
Hi. Thanks for the clarification. I won't use the term hack. I'll use edit. 
 
Can you take a look at this Adobe webpage for me? 
 
 
So in my original post, I mentioned that Adobe provides two starter templates for Acrobat and Reader. These templates contain a few of the most important settings, but we can use the Preference Reference to extend them further if needed. I only need to manipulate settings that these templates can manage and have no use for the Preference Reference. Should I expect these templates to work? 
 
We use Acrobat DC 2017 (Classic track). 
 
On the web page I posted at the top, scroll down to 'GPO registry template'. You'll see the starter template for DC 2017 Classic. 
 

DC 2017 (Classic track only)

 

Should I expect that starter template to work with Adobe Acrobat DC 2017 Professional? Should I expect Adobe Acrobat DC 2017 Pro to do what the template policies to do? If it doesn't, should I expect Adobe support to fix it or explain why it isn't working anymore? 
 
What bothers me is that Adobe provides a solution to control their product. When I use it and it doesn't work, they don't help me troubleshoot. They just tell me to use something else. If you bought a car with air conditioning and it wouldn't cool the car in the summer, would you expect the car manufacturer to fix the air conditioning or would you be ok if they told you to roll down the windows instead if you wanted to cool off. Because that is what support basically did to me. 
 
Appreciate you listening and your feedback

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ls_rbls Community Expert
Community Expert ,
Jan 26, 2020 Jan 26, 2020

Copy link to clipboard

Copied

In Response To jwckauman

Yes, totally understood and all you said is acknowledged.

 

Before I post my next reply, I need a little more info about what OS your clients are running in  your network.

 

Which MS Windows Server version(s) are you using for this deployment? 

 

Are you also using Configuration Manager to handle Group Policies, and Security Policies in the Active Directories?

 

In how many machines  are you pushing out this installation of Acrobat Classic 2017, and what is the average of  user accounts that are autorized  per machine in that domain?

 

NOTE: You should also post this same question in a Microsoft support forum since the scenario that you're replicating for your Acrobat  Pro 2017 Classic Track  was tested only with Windows Server 2012 (or earlier) and Windows 8 clients or earlier. If you're still using Windows Server 2008  & 2008R2 version,  Micrososft support  reached its EOL just a few days ago  this month.

 

Both Adobe and Microsoft  also recommend  specific standards for this deployment.

 

Key detail here is that Adobe recommends to move to Named User License from a seriliazed licensing installation of their product, and the fact that this deployment is only supported with per-machine installs, not  for per-user installs.

 

See here: https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/licensing.html 

 

Adobe also indicates in the Preferences Reference that most of the registry editing options that used to work in earlier versions of Acrobat are now deprecated (it doesn't mean discontinued, mainly just unsupported and at your own risk).

 

But like I said earlier in my first reply, maybe we're missing a step, and it would be a good idea to keep in mind a migration path backup plan to move to Acrobat DC Named User License install model in the near future (just a suggestion).

 

If you remain patient and read a little more, the Admin Reference Guide that I posted for you above basically suggests getting rid of the headache when trying  to disable automatic updates.

 

It won't be necessary since the actual action of applying updates to Acrobat  would handled by the users  in  a per-machine install setup,  giving them  access to the Acrobat application only when they're logged in with their roaming profile credentials (which you can control with GPO in an Active Directory domain by removing access for the user to all updating features at the OS level see here: https://support.microsoft.com/en-us/help/4014345/how-to-block-user-access-to-windows-update-on-windo... ). 

 

See also this older thread for  machine-wide disabling updates here: https://helpx.adobe.com/creative-suite/kb/disable-auto-updates-application-manager.html#main_user_ac... 

 

You can also test before deploying using something like the Windows Management Instrumentation (WMI)  watchdog script with GPO  https://gallery.technet.microsoft.com/WMI-service-watchdog-script-4fab1282  (now talking about real hacking ! 😁  )

 

 

If you don't mind replying back with a brief description of the steps that  you've  followed when applying the  Group Policy templates in your installation, it would be helpful.

 

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
jwckauman
Community Beginner ,
Jan 26, 2020 Jan 26, 2020

Copy link to clipboard

Copied

In Response To ls_rbls

Hi. Thanks for your reply.  To answer your question, I have 5 computers running Windows 10 Enterprise (version 1903) and have manually installed Adobe Acrobat DC 2017 (Classic Track) on each computer (by hand - not using deployment software).  These are out-of-the-box installs of Adobe ACrobat DC 2017 (Classic Track). I didnt change anything and took all the defaults during the install.  All five computers are licensed to run Adobe Acrobat.  Now that Adobe Acrobat is already installed, i simply want to use Adobe's Admin Templates for Group Policy for various purposes.  While the admin templates install fine in my AD domain, and they push out to the computers fine as well, the Adobe Acrobat DC 2017 (Classic Track) software wont do what Adobe's own policies are telling them to do. I would like to know why.  Thanks!

 

In summary, here's what i did

1. Installed Adobe Acrobat DC 2017 (Classic Track) on Windows 10 Enterprise (1903). Licensed the software succesfully.

2. Downloaded Adobe Acrobat DC 2017 (Classic Track) Admin Templates 

3. Installed templates into Active Directory

4. Created a new Group Policy using templates

5. Applied new Group Policy to 5 computers running Adobe ACrobat DC 2017 (Classic Track)

6. Confirmed policy is being applied (ran RSOP.MSC and saw policies)

7. Tested policies in Adobe Acrobat  - policies are not doing what they said they would do.  For example, policy says 'disable automatic updates'. Adobe Acrobat DC 2017 still has automatic updates enabled.

 

Thanks!!

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ls_rbls Community Expert
Community Expert ,
Jan 27, 2020 Jan 27, 2020

Copy link to clipboard

Copied

In Response To jwckauman

Hi,

 

After much reading there is a bunch of opened ends in regards of disabling automatic updates in per machine installs.

 

It is not well documented and the IT guy who will be applying the admin templates is left to its own devices and intuition.

 

So, for starters, disabling  automatic updates based on user accounts  doesn't apply here.

 

However, disabling automatic updates machine-wide is possible but it is not accomplished a 100% because there's more than just one service associated to AcroServicesUpdater.exe   which is found in  for example, in :

 

C:\Program Files(x86)\Adobe\AcrobatDC\Acrobat\AcroCEF

 

of the machine where the product was installed.

 

You also have task schedulers and other related services that need to be disabled via registry Preferences keys in addition to the bUpdater preference set to 0.

 

In other words, the automatic updates will not be fully disabled by using  just the GUI portion of the GPO Policy Manager Editor together with the default Admin Templates.

 

The approach you've attempted could've work  if :

  • Adobe Acrobat   was not installed in your clients yet 
  • If You had customized  first a hardware-independent image of both MS Windows and the Adobe Acrobat with auto-updates disabled machine-wide.
  • This is achieved using the Adobe Customization Wizard  to edit the templates and prepare a deployment package; then push out to the clients the installation image of Acrobat using GPO 

 

Since you already installed Acrobat on each machine individually, manual editing of some text and XML files is necessary to interact properly with the registry preferences in those clients with Acrobat.

 

 

Can you open the Admin templates that you used  after the GPO was applied and post it  back here?

 

I would like to see what you have and see if we can add the lines that your templates could be missing.

 

 

 

 

 

 

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ls_rbls Community Expert
Community Expert ,
Jan 28, 2020 Jan 28, 2020

Copy link to clipboard

Copied

In Response To jwckauman

The following walk through is a PDF document with slides showing how to configure perpetual deployments using the Acrobat DC  Customization Wizard:

 

Acrobat Customization Wizard - Perpetual Deployment How-to 

 

Navigate through pages 28 - 32 and you will see some relevant configuration options to disable updates and other related services before Adobe Acrobat is deployed for installation.

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ls_rbls Community Expert
Community Expert ,
Jan 28, 2020 Jan 28, 2020

Copy link to clipboard

Copied

In Response To jwckauman

I also forgot to add this other shared link:

 

Windows Updater Quick Key (for all settings) 

 

This Quick Key reference outlines all the updater services involved that you need to define as additional policies.

 

 

Using the Windows Updater Quick Key as a reference we need to manually add more policies to this file then re-test how it works when you apply Group Policy. 

 

What I meant earlier is that you've mentioned that you ran RSOP.MSC and was able to see policies.  So I was asking if you can compare how the Acrobat2017.adm file looks before and after your said policies were applied to disable the automatic updates.

 

Below is the Admin Template for Acrobat 2017 Pro (Classic Track Only). These are the default configurations.

 

We need to Compare these default poilcies (as provided by Adobe in the Preferences Reference documentation) with what you get after your policies were applied in your clients.

 

If your Acrobat 2017 admin template looks exactly the same as the one I've posted below, we need to modify and include additional  entries following the same format required by Micrososft when you edit this file.

 

 

 

 

CLASS MACHINE
 
	CATEGORY "Adobe Acrobat 2017"
 
		CATEGORY Preferences
 
			CATEGORY General
				POLICY "Disable PDF handler switching"
					#if version >= 3
					EXPLAIN !!EXPLAIN1
					#endif
					KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\2017\FeatureLockdown"
					VALUENAME bDisablePDFHandlerSwitching
					VALUEON NUMERIC 1
					VALUEOFF NUMERIC 0
				END POLICY ;Disable PDF handler switching

				POLICY "Disable automatic updates"
					#if version >= 3
					EXPLAIN !!EXPLAIN2
					#endif
					KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\2017\FeatureLockdown"
					VALUENAME bUpdater
					VALUEON NUMERIC 1
					VALUEOFF NUMERIC 0
				END POLICY ;Disable automatic updates

				POLICY "Turn off user participation in the feedback program"
					#if version >= 3
					EXPLAIN !!EXPLAIN3
					#endif
					KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\2017\FeatureLockdown"
					VALUENAME bUsageMeasurement
					VALUEON NUMERIC 1
					VALUEOFF NUMERIC 0
				END POLICY ;Turn off user participation in the feedback program

				POLICY "Show messages when I launch Acrobat"
					#if version >= 3
					EXPLAIN !!EXPLAIN4
					#endif
					KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\2017\FeatureLockdown\cIPM"
					VALUENAME bShowMsgAtLaunch
					VALUEON NUMERIC 1
					VALUEOFF NUMERIC 0
				END POLICY ;Show messages when I launch Acrobat

				POLICY "Auto Complete"
					#if version >= 3
					EXPLAIN !!EXPLAIN6
					#endif
					KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\2017\FeatureLockdown"
					VALUENAME bAutoFill
					VALUEON NUMERIC 1
					VALUEOFF NUMERIC 0
				END POLICY ;Auto Complete

			END CATEGORY ;General
 
			CATEGORY Startup
				POLICY "Protected View (Acrobat)"
					#if version >= 3
					EXPLAIN !!EXPLAIN7
					#endif
					KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\2017\FeatureLockdown"
 
					PART ProtectedView DROPDOWNLIST
						KEYNAME "SOFTWARE\Policies\Adobe\Adobe Acrobat\2017\FeatureLockdown"
						VALUENAME iProtectedView
						REQUIRED 
						ITEMLIST
							NAME "Disable Protected View" VALUE NUMERIC  0 
							NAME "Enable Protected View for unsafe locations" VALUE NUMERIC  1 
							NAME "Enable Protected View for all files" VALUE NUMERIC  2 
						END ITEMLIST
					END PART ;ProtectedView
				END POLICY ;Protected View (Acrobat)

			END CATEGORY ;Startup
 
			CATEGORY Security
 
				CATEGORY DigitalSignature
				END CATEGORY ;DigitalSignature
 
				CATEGORY TrustManager
				END CATEGORY ;TrustManager
			END CATEGORY ;Security
		END CATEGORY ;Preferences
	END CATEGORY ;Adobe Acrobat 2017


CLASS USER
 
		CATEGORY "Adobe Acrobat 2017"
 
			CATEGORY Preferences
 
				CATEGORY General

					POLICY "Display splash screen at launch"
						#if version >= 3
						EXPLAIN !!EXPLAIN9
						#endif
						KEYNAME "Software\Adobe\Adobe Acrobat\2017\Originals"
						VALUENAME bDisplayAboutDialog
						VALUEON NUMERIC 1
						VALUEOFF NUMERIC 0
					END POLICY ;Display splash screen at launch

				END CATEGORY ;General
 
				CATEGORY Startup
				END CATEGORY ;Startup
 
				CATEGORY Security
					POLICY "Enable Acrobat JavaScript"
						#if version >= 3
						EXPLAIN !!EXPLAIN10
						#endif
						KEYNAME "Software\Adobe\Adobe Acrobat\2017\JSPrefs"
						VALUENAME bEnableJS
						VALUEON NUMERIC 1
						VALUEOFF NUMERIC 0
					END POLICY ;Enable Acrobat JavaScript

					POLICY "Ask before installing checkbox"
						#if version >= 3
						EXPLAIN !!EXPLAIN11
						#endif
						KEYNAME "Software\Adobe\Adobe Acrobat\2017\Security\cDigSig\cAdobeDownload"
						VALUENAME bAskBeforeInstalling
						VALUEON NUMERIC 1
						VALUEOFF NUMERIC 0
					END POLICY ;Ask before installing checkbox

					POLICY "Load security settings from a server"
						#if version >= 3
						EXPLAIN !!EXPLAIN12
						#endif
						KEYNAME "Software\Adobe\Adobe Acrobat\2017\Security\cDigSig\cAdobeDownload"
						VALUENAME bLoadSettingsFromURL
						VALUEON NUMERIC 1
						VALUEOFF NUMERIC 0
					END POLICY ;Load security settings from a server

 
					CATEGORY DigitalSignature
					END CATEGORY ;DigitalSignature
 
					CATEGORY TrustManager
						POLICY "Automatically trust sites for Win OS security zones"
							#if version >= 3
							EXPLAIN !!EXPLAIN13
							#endif
							KEYNAME "Software\Adobe\Adobe Acrobat\2017\TrustManager"
							VALUENAME bTrustOSTrustedSites
							VALUEON NUMERIC 1
							VALUEOFF NUMERIC 0
						END POLICY ;Automatically trust sites for Win OS security zones

					END CATEGORY ;TrustManager
				END CATEGORY ;Security
			END CATEGORY ;Preferences
		END CATEGORY ;Adobe Acrobat 2017

 

 

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
ls_rbls Community Expert
Community Expert ,
Apr 26, 2020 Apr 26, 2020

Copy link to clipboard

Copied

LATEST
In Response To jwckauman

Hey james,

 

We broke contact long time ago now. I just found this thread again while I am  trying to assist other users.

 

Were you able to find any of this guidance useful?   Were you able to put an end to the automatic updating?

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
About Adobe Acrobat
Adobe Acrobat Learn & Support
Adobe Inc
Whats new in Acrobat DC
Adobe Inc
Plan and Pricing
Adobe Inc
Adobe Acrobat features and tools
Adobe Inc
Adobe Acrobat Feature & Workflow
Edit PDFs
Edit Scanned PDFs
PDF Forms
Sign a PDF
FAQs
How to Edit Scanned or Secured document
Rotate | move | delete and renumber PDF pages
Acrobat download and installation help
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices