Create Adobe GPO templates

Every good IT pro tries to follow best practices by updating and configuring workstations, software installed,…

Let’s consider specifically the PDF reader software provided by Adobe, and an IT pro who wants to harden its configuration so that endpoints are more resistant to this attack vector.

Adobe provides some GPO templates that you can find on their FTP website:

Version Reader Acrobat

If you load all these ADMX and ADML files in your policy definitions folder, you’ve got the following in the group policy editor console:

When you start to explore these templates looking for ways to harden the security settings, you get really disappointed because there are only 5 to 7 settings per node 😦

It’s a shame because Adobe took the time to document many registry settings in the Enterprise toolkit pages and for example on these pages:

But they failed to make these settings available in GPO templates 😦

Adobe fails, no problem, PowerShell to the rescue 😎

It appears I’m not the only one who thinks this way. The Information Assurance mission at NSA (iadgov) helps the Department of Defense (DoD) to apply baselines.
They have a huge GitHub repository and even have an Adobe Reader DC template with around 45 settings. It’s not their first attempt. Before that they published recommended Adobe Reader XI settings.

However, their single Adobe template showed many problems, which I won’t detail here, when I loaded it on a Windows 7 workstation.
Kudos to iadgov! I’ve used some of their settings where appropriate, as well as their categories, but the main difference is that I created a PowerShell module that creates templates on demand for the Reader, Acrobat and their 2005, 2007 or DC versions 😎

I’d like the community to contribute to get more settings,… I’ve uploaded the module on GitHub so that it’s easy to fork, track issues, follow changes.
I’ve also added documentation for every setting on this page:

I’ve also uploaded the module on the PowerShell Gallery:

Here’s an overview of what you’ll get if you generate all the templates and move them to your local GPO templates folder:

That looks better, doesn’t it? And there are more than 40 settings for each version of Adobe Software. 😀

  • How to start and create these templates?
    • Download the module
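    • # Locate the module on the PowerShell Gallery and save a local copy
      Find-Module -Name AdobeGPOTemplates -Repository PSGallery
      Save-Module -Name AdobeGPOTemplates -Path ~/Downloads -Repository PSGallery
      # Check the saved files against the module's file catalog before importing it.
      # Test-FileCatalog expects CatalogFilePath to be the path of a catalog (.cat) file.
      $HT = @{
       CatalogFilePath = "~/Downloads/AdobeGPOTemplates/1.0.0/"
       Path = "~/Downloads/AdobeGPOTemplates/1.0.0"
       Detailed = $true
       FilesToSkip = 'PSGetModuleInfo.xml'
      }
      Test-FileCatalog @HT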

    • Import the module, create templates and copy them to your local GPO templates folder
    • Import-Module ~/Downloads/AdobeGPOTemplates/1.0.0/AdobeGPOTemplates.psd1 -Force
      Get-Command New-AdobeGPOTemplate -Syntax
      # Get-Help New-AdobeGPOTemplate  -Examples
      New-AdobeGPOTemplate -Product Reader,Acrobat -Version DC,2017,2015
      copy .\*.admx -Destination C:\Windows\PolicyDefinitions\
      copy .\*.adml -Destination C:\Windows\PolicyDefinitions\en-US\

  • What’s the bare minimum config?
  • If you omit the first rule of hygiene that states that you need to update your software and the fact that the Adobe Reader has many “cloud-focused” features, I’d say that the 3 minimum settings to configure are:

    1. Disable JavaScript
    2. Disable the ability to execute any embedded object
    3. Have the protected view turned on for anything

    I know we may not agree and if you’ve an opinion about the bare minimum config, please share it in the comments.

    • Example of minimum config

    Let’s say you just want to change the following default settings at the user level without locking down everything based on the above 3 recommendations:

    After you configured the following GPO settings:

    You get this in the Reader UI:
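
Before copying generated .admx files into PolicyDefinitions as in the steps above, it helps to see which registry values each policy will write. The following is an added example, not code from the AdobeGPOTemplates module or from Adobe; the function name Get-AdmxRegistryInventory and the sample ADMX (vendor key, policy names and value names) are constructed for illustration.

```powershell
# Added example, not part of the AdobeGPOTemplates module.
function Get-AdmxRegistryInventory {
    param([Parameter(Mandatory)][string[]]$Path)
    $ns = @{ a = 'http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions' }
    foreach ($file in (Resolve-Path -Path $Path).ProviderPath) {
        foreach ($hit in Select-Xml -Path $file -XPath '//a:policies/a:policy' -Namespace $ns) {
            $policy = $hit.Node
            # A policy writes its own valueName and/or one value per child of <elements>.
            $xpath = 'self::*[@valueName] | *[local-name()="elements"]/*[@valueName]'
            foreach ($node in $policy.SelectNodes($xpath)) {
                # An element may carry its own key; otherwise it inherits the policy's key.
                $key = $node.GetAttribute('key')
                if (-not $key) { $key = $policy.GetAttribute('key') }
                [pscustomobject]@{
                    File      = Split-Path -Path $file -Leaf
                    Policy    = $policy.GetAttribute('name')
                    Class     = $policy.GetAttribute('class')   # Machine, User or Both
                    Key       = $key
                    ValueName = $node.GetAttribute('valueName')
                    # Values outside a \Policies\ key persist after the GPO stops applying.
                    Managed   = $key -match '^Software\\Policies\\'
                }
            }
        }
    }
}

# Constructed sample ADMX (hypothetical vendor key and value names) so the example runs offline.
$sample = @'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policies>
    <policy name="Demo_Locked" class="Machine" key="Software\Policies\ExampleVendor\Reader" valueName="bDemoLock" />
    <policy name="Demo_UserDefault" class="User" key="Software\ExampleVendor\Reader\Prefs">
      <elements><decimal id="Demo_Level" valueName="iDemoLevel" /></elements>
    </policy>
  </policies>
</policyDefinitions>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'constructed-sample.admx'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
Get-AdmxRegistryInventory -Path $tmp | Format-Table -AutoSize
```

Against real output, run `Get-AdmxRegistryInventory -Path .\*.admx` in the folder where the templates were generated; rows where Managed is False are preference-style values that stay in the registry after the GPO is removed.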

5 thoughts on “Create Adobe GPO templates”

  1. Pingback: Create Adobe GPO templates with a PowerShell module - How to Code .NET

  2. We have applied the Adobe Acrobat Pro DOC Continuous GPOs in our environment. But while testing Acrobat DC Pro for any issues related to the GPOs, it was found that when users are trying to access our internal SharePoint site, they are being asked for authentication credentials. Earlier they would connect automatically to the SharePoint site. Has anyone seen this before? If so, which GPO may be causing this?
