Protected View Enabled For Local Admin, But Not Domain Users

Report · Mar 20, 2018

When logged into the local admin account on Windows 7 x64 where Acrobat Standard 2015 was installed, Acrobat opens PDFs in the browser in Protected View as I have configured it. But when I logon to a domain account (accounts both with and without admin rights), the browser does not open the documents in Protected View as Reader does. We need to deploy Acrobat across the organization and have it behave consistently in Protected View. DC Customization Wizard was used to create the build. I have double-checked HKCU for conflicting entries for these settings. Enhanced Security shows as enabled on the Security tab and "Protected View" shows that it is turned on for "Files from unsafe locations" (also tried changing that value to 2 for All files without any change in the issue).

Registry:

bEnhancedSecurityStandalone = 1

bEnhancedSecurityInBrowser = 1

bProtectedMode = 1

iProtectedView =1

Local Admin (software installed under this account for testing purposes):

Copy opened in Acrobat was saved to local desktop using IE.

Domain User Account on same PC...just log off/on:

Copy opened in Acrobat was saved to local desktop using IE.

Report · Mar 21, 2018

Did you try using the HKLM settings which lock the feature? See Trust Manager

You're going to want to do that anyway so users can't change your configuration.

Top level link: Preference Reference for Acrobat and Adobe Reader

In Response To EnterpriseHelp · Mar 22, 2018

Yes, I am using the HKLM registry settings to lock down these settings -- using the most restrictive ones documented in Enhanced Security — Acrobat Application Security Guide.

I worked methodically through different options like eliminating the Customization Wizard, rolling back to the Adobe download and installed with defaults and then updating the settings minimally, using different patches, etc. Looks like the issue is due to our using IE's Enhanced Protected Mode. If this is disabled then Acrobat's Protected View works properly. Obviously, turning EPM off is not an option and frankly I cannot believe in 2018 Acrobat still does not support security controls provided by IE that were created YEARS ago. Reader's Protected View works perfectly so the only solution I see is to deploy Reader to the Acrobat systems and then tweak the file settings to use Acrobat outside of the web browser.

EPM in registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main"Isolation"="PMEM"