There are plenty of how-tos out there about how to disable Adobe's PDF Reader add-on in IE11. For their part, it gets the job done. That is great if you are a home user or even a power user at work and would rather take care of it yourself than call the helpdesk. Translation: It is a per-user setting.
As a network admin, I needed to disable the add-on for all users which usually means group policy is involved. Again, there are existing articles out there that explain which group policy to enable and how to configure it. And again, it gets the job done...or so I thought.
After finding out the CLSID of the Adobe PDF Reader add-on, I added it to my add-on list with a value of 0 to disable it and not allow changes. A quick gpupdate later and I verified the add-on was now showing up as disabled in IE with the options disabled to change it. With everything looking good, I browsed to URL of a .pdf and watched with disappointment as it loaded right up in IE.
This is where we fire up an upbeat track from the 80's and cut to a montage.
My first discovery was that if you manually disable the add-on, everything works as expected. Of course that defeats the purpose of having a group policy...
Logged into a workstation as a user who's add-on would persist despite everything saying it was disabled, I 'reg load'ed up an NTUSER.dat from another user who's add-on was truly disabled. Since the behavior varied by user, I suspected the fix was buried somewhere in the HKCU hive. I searched for the CLSID and noted they keys/values from the mounted hive and compared it with the logged-in user's HKCU hive. When I added the key below, the add-on behaved correctly (in that it acted disabled) for the logged in user. Further testing with additional users proved the case.
Here is the exported key:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CLSID}]
"Flags"=dword:00000001
"Version"="*"
Replace {CLSID} with the CLSID of the offending add-on.
In my case, we use Ivanti Environment Manager so I was able to inject that key into a user's HKCU after logon but you could also do this in a logon script.
I suspect you'll see this similar behavior with any add-on that you have added to your group policy when it's key is not found in the above path.
No comments:
Post a Comment