Feature lockdown policy per user

Report · May 30, 2024

Hello all,

We are managing many customers with a virtual desktop environment. Many of them uses some kind of shared virtual user host (could bij Citrix, VMware, RDS or AVD). This means one virtual desktop is beïng used by multiple users.

At some of those customers they are using Adobe Acrobat DC Reader and Pro, depending on the license which is assigned per user. Because it is not possible anymore to install Acrobat Reader and Pro on the same client, we use the pro version and are using the lockdownfeature policies to hide the login screen of the users which do not have a Pro license.

But we can only find these policies based per device, so in the HKEY_LOCAL_MACHINE. This will not work if on the virtual desktop we have a mix of users which uses reader and Pro.

Is it possible to setup these lockdownfeature policies per user so in the HKEY_CURRENT_USER\Software\Policy instead of HKEY_LOCAL_MACHINE?

Specifc policies we are using:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

bIsSCReducedModeEnforcedEx

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cServices

bUpdater

Report · May 30, 2024

Having a policy in HKCU will allow any not elevated process to prevent Services from being updated?

In Response To LeoUpdaterX · May 30, 2024

Hello,

No, this is not applicable because these policies only hide certain features.
Policies, like disabling autoupdate, cannot be an user policy and has to be a device policy.
But the policies mentioned for hiding the login prompt should be available per user. This is also logical because we are using user based licenses.

Can you help me with this?
We are having this issues at many customers because of this limitation.
We prefer to have this as a user policy but if this is not possible yet, is there a workarround to hide those options per user?

Met vriendelijke groet, Kind regards,?

Ronald Bevers
Principal Consultant

Secoya Campus (gebouw E) • Papendorpseweg 91 • Utrecht • NL • +31 30 662 97 29
Mobiel: + 31 6 53 54 14 28 • E-mail: Ronald.Bevers@PQR.NL • www.PQR.com
LinkedIn
Twitter
Facebook
YouTube

In Response To Ronald26762575kxln · May 30, 2024

...\cServices\bUpdater registry value is responsible for Services updates. It cannot be in HKCU.

It would also make sense that any not elevated process should not be able to change ReducedMode related registry.

In Response To LeoUpdaterX · May 31, 2024

Yes that make sence. bUpdater should be in local machine. We are using a different solution for updating the services so thats no problem.

To answer your question:
It would also make sense that any not elevated process should not be able to change ReducedMode related registry.
A standard non elevated user can not change the HKEY_CURRENT_USER\Software\Policy keys if setup the same way as Microsoft inteded. On the HKEY_CURRENT_USER\Software\Policy key a normal user will only have read permissions. This way you can set policies in the user profile, without the user being able to change or remove them. This is by design.

As soon as we have tested the mentioned option I will get back to you.

Met vriendelijke groet, Kind regards,?

Ronald Bevers
[P.I removed by the moderator]