
PSE15 causing bootloops? Win 10 (1607), Bitlocker, AD Domain

Guest
Mar 15, 2017

Hi, all...

Just got a new copy of PSE 15 for some of our staff. The machines in question are ThinkPads on Windows 10 (Build 1607) joined to an AD domain with a functional level of 2016. All of our machines run with BitLocker drive encryption, DeviceGuard, and AppLocker rules set to check path and hash (programfiles, sysWOW64, and System32), but not enforce signatures.

Both machines are now unable to boot into Windows (single user OK); there don't seem to be any hardware-error-related log entries on either. When in single user I checked Autoruns and found a few unsigned codec and multiplexor services loading on boot, but disabling them in the registry doesn't seem to fix it. System restore and startup repair both fail after some time, and moving to restore points does not work either.

If there's any code that it requires to load from outside of programfiles, I need to know the path so I can update the AppLocker policy accordingly.

Considering that this is userspace software, I see no reason to require exceptions to our security policies. Injecting code into the BCD or requiring any system services to start as nt\system is unnecessary and very insecure.

So, the question is, has anyone had similar experiences with this software causing system failures, and if so, how was it resolved?

Guest
Mar 17, 2017

Update on the issue: After turning off DeviceGuard and disabling Virtualization Based Security, I was able to boot back into the machine in multiuser mode. However, this is absolutely unacceptable under our security policy. After uninstalling, the AGSservice was still in %Programfiles%\Common\Adobe\AGSclient and still existed under HKLM:\System\CurrentControlSet\Services as a startup service running under the system context. Even after uninstalling the software the system was unable to fully cycle with VBS and DeviceGuard turned on and running. Where I come from that's called 'malware.'

Is anyone aware of a simple way to neuter the AGSservice and allow our machines to remain secure while running Adobe products? I'm not against the concept of anti-piracy software, but when they interfere with fundamental security measures and introduce vulnerabilities to our network, security has to come first. We all know Adobe doesn't exactly have a great track record for handling vulnerabilities well in the past.

Thanks,

NB
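
A read-only audit for the situation described in the two posts above, added here as an example and not part of the original thread: it lists auto-start services running as LocalSystem whose binary sits outside the Windows directory or lacks a valid Authenticode signature, which is the information needed to spot leftover service registrations after an uninstall and to decide on AppLocker path rules. The helper name Get-ServiceBinaryPath is hypothetical; the cmdlets are standard Windows PowerShell.

```powershell
# Added example (not from the thread). Read-only; run from an elevated prompt.

function Get-ServiceBinaryPath {
    # Hypothetical helper: Win32_Service.PathName can be quoted and carry
    # arguments, so pull out just the executable path.
    param([string]$PathName)
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $expanded.Trim()
}

# Collect every service that starts automatically under the SYSTEM context.
$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' } |
    ForEach-Object {
        $binary = Get-ServiceBinaryPath $_.PathName
        if ($binary -and (Test-Path -LiteralPath $binary)) {
            $status = [string](Get-AuthenticodeSignature -LiteralPath $binary).Status
        } else {
            # Registration still present but the binary is gone,
            # e.g. a service entry left behind by an uninstaller.
            $status = 'FileMissing'
        }
        [pscustomobject]@{
            Service   = $_.Name
            State     = $_.State
            Signature = $status
            Path      = $binary
        }
    }

# Show only the entries worth reviewing: anything outside %SystemRoot%,
# or anything whose signature did not validate.
$report |
    Where-Object { $_.Path -notlike "$env:SystemRoot\*" -or $_.Signature -ne 'Valid' } |
    Sort-Object Signature, Service |
    Format-Table -AutoSize -Wrap
```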

Community Expert
Mar 17, 2017

From my experience in this forum as well as the feedback forum, I think you should not expect an answer from Adobe: they have once been very clear that they won't offer any help for the use of a network for Elements, even if they prefer today to simply ignore such questions.

After all, Elements is considered as a 'consumer' product designed to work on personal computers, not networks. Some expert users seem to be able to manage NASs, but I never see them coming in this forum for help.

Sorry to be negative; it's a real pleasure when one can help...

Guest
Mar 20, 2017

Had a chat with their support and was given the following:

1. AD Domains are not supported

2. Users must have local admin privilege

So if you are trying to run a secure network, do not use this software.

That's all, folks...

Community Expert
Mar 20, 2017

nb-kwe wrote:

So if you are trying to run a secure network, do not use this software.

That's all, folks...

What I said:

If you want to really enjoy this software, don't use networks!

There are other ways to share your creativity; be free and pity the poor network administrators.
