Enhance Security through windows Registry

Hi all,

I want to get your advice about how to manage the following settings.

By default we have implemented through GPO the configuration of Adobe Reader DC that we want to keep on the registry but we are having some issues.

All of them are set to Update and as a REG_DWORD

bEnhancedSecurityInBrowser  HKEY_LOCAL_MACHINE SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

bEnhancedSecurityInBrowser  HKEY_CURRENT_USER SOFTWARE\Adobe\Acrobat Reader\DC\TrustManager

bEnhancedSecurityInBrowser  HKEY_LOCAL_MACHINE SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

bEnhancedSecurityStandalone  HKEY_LOCAL_MACHINE SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

bEnhancedSecurityStandalone HKEY_CURRENT_USER SOFTWARE\Adobe\Acrobat Reader\DC\TrustManager

bEnhancedSecurityStandalone HKEY_LOCAL_MACHINE SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

bProtectedMode HKEY_LOCAL_MACHINE SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

bProtectedMode HKEY_CURRENT_USER SOFTWARE\Adobe\Acrobat Reader\DC\TrustManager

bProtectedMode HKEY_LOCAL_MACHINE SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

iProtectedView HKEY_LOCAL_MACHINE SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

iProtectedView HKEY_CURRENT_USER SOFTWARE\Adobe\Acrobat Reader\DC\TrustManager

iProtectedView HKEY_LOCAL_MACHINE SOFTWARE\Wow6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown

This configuration leaves the Reader with the following configuration

Some users are having issue with this configuration so we have decided to let the users modify the settings.

But other issue appears.

How to reproduce:

Start adobe reader – settings – security (enhanced)  uncheck “Enable Protected Mode at startup”

No problem so far, then force a GPupdate /force – this then activates the settings

Protected View:  “Files from potentially unsafe locations”   and keeps the “Enable Protected mode at startup “ un checked = this setting is a Unsupported configuration (https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/protectedmode.html)

That situation will cause the error below. As soon a pdf file is launched from a potential unsafe location. (= any pdf file from the Internet)

I believe we should ensure that we cannot fall into a unsupported configuration =

When  “Enable Protected Mode at startup” is unchecked – then Protected View:  must be set on Off

This issue will only be experienced when a User is unchecking “Enable Protected Mode at startup” but once this is done and the next GPO Update appears these Users will have an error.

Any advice will be welcome.

Thanks in advance.

Best Regards.