
Feature lockdown policy per user

New Here, May 30, 2024


Hello all,

 

We are managing many customers with a virtual desktop environment. Many of them use some kind of shared virtual user host (could be Citrix, VMware, RDS or AVD). This means one virtual desktop is being used by multiple users.

At some of those customers they are using Adobe Acrobat DC Reader and Pro, depending on the license which is assigned per user. Because it is not possible anymore to install Acrobat Reader and Pro on the same client, we use the pro version and are using the lockdownfeature policies to hide the login screen of the users which do not have a Pro license.

But we can only find these policies based per device, so in the HKEY_LOCAL_MACHINE. This will not work if on the virtual desktop we have a mix of users who use Reader and Pro.

 

Is it possible to set up these lockdownfeature policies per user, so in the HKEY_CURRENT_USER\Software\Policy instead of HKEY_LOCAL_MACHINE?

 

Specific policies we are using:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

bIsSCReducedModeEnforcedEx

 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cServices

bUpdater

TOPICS
How to , Install update and subscribe to Acrobat , Modern Acrobat

Advocate, May 30, 2024


Having a policy in HKCU will allow any not elevated process to prevent Services from being updated?

New Here, May 30, 2024


Hello,

No, this is not applicable because these policies only hide certain features.
Policies, like disabling autoupdate, cannot be a user policy and have to be a device policy.
But the policies mentioned for hiding the login prompt should be available per user. This is also logical because we are using user based licenses.

Can you help me with this?
We are having this issue at many customers because of this limitation.
We prefer to have this as a user policy, but if this is not possible yet, is there a workaround to hide those options per user?



Kind regards,



Ronald Bevers
Principal Consultant




Advocate, May 30, 2024


...\cServices\bUpdater registry value is responsible for Services updates. It cannot be in HKCU.

It would also make sense that any not elevated process should not be able to change ReducedMode related registry.

New Here, May 31, 2024


Yes, that makes sense. bUpdater should be in local machine. We are using a different solution for updating the services, so that's no problem.

To answer your question:
"It would also make sense that any not elevated process should not be able to change ReducedMode related registry."
A standard non-elevated user cannot change the HKEY_CURRENT_USER\Software\Policy keys if set up the same way as Microsoft intended. On the HKEY_CURRENT_USER\Software\Policy key a normal user will only have read permissions. This way you can set policies in the user profile, without the user being able to change or remove them. This is by design.

As soon as we have tested the mentioned option I will get back to you.


Kind regards,



Ronald Bevers
[P.I removed by the moderator]

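A way to verify the permission claim made in the last post on a given session host, added here as an example and not code from the thread or from Adobe: it lists every principal other than SYSTEM and Administrators that holds write-type rights on the per-user policy key, then reports whether the current user's token matches any of them. The path `HKCU:\Software\Policies` is assumed as the standard Windows per-user policy root, and the function name `Get-PolicyKeyWriters` is hypothetical.

```powershell
# Added example (not from the thread): find principals, other than SYSTEM and
# Administrators, that could modify values under a per-user policy key.
# Assumption: the standard Windows per-user policy root HKCU:\Software\Policies.
function Get-PolicyKeyWriters {
    param([string]$Path = 'HKCU:\Software\Policies')

    if (-not (Test-Path -LiteralPath $Path)) { throw "Key not found: $Path" }

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $trusted = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

    # Rights that allow changing or replacing policy values, plus the
    # GENERIC_WRITE / GENERIC_ALL bits that can appear on inherit-only ACEs.
    $rights    = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so an untrusted owner is a writer.
    $owner = $acl.GetOwner($sidType).Value
    if ($owner -notin $trusted) {
        [pscustomobject]@{ Sid = $owner; Via = 'Owner'; Rights = 'implicit WRITE_DAC' }
    }

    # Explicit and inherited ACEs, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $sid -notin $trusted -and
            ([int]$ace.RegistryRights -band $writeMask)) {
            [pscustomobject]@{ Sid = $sid; Via = 'ACE'; Rights = $ace.RegistryRights }
        }
    }
}

# Run without elevation, as the user whose session is being checked.
$id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mine    = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$writers = @(Get-PolicyKeyWriters)
$writers | Format-Table -AutoSize

$hits = @($writers | Where-Object { $_.Sid -in $mine })
if ($hits.Count -gt 0) {
    Write-Warning 'The current user (directly or via a group) can modify this policy key.'
} else {
    'No write access to the policy key for the current user.'
}
```

The same function accepts any subkey through `-Path`, which matters because a subkey created by a non-elevated process can carry a different owner and ACL than the policy root.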