azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: Auto-sync from ACG-M-L5090 at 2026-02-01 16:23:43

Browse Source
This commit is contained in:
Mike Swanson
2026-02-01 16:23:43 -07:00
parent b79c47acb9
commit 04a01f0324
26 changed files with 6954 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

212
clients/glaztech/DEPLOYMENT-READY.md Normal file
View File

@@ -0,0 +1,212 @@
# Glaztech PDF Fix - READY TO DEPLOY
**Status:** ✅ All scripts configured with Glaztech file server information
**File Server:** \\192.168.8.62\
**Created:** 2026-01-27
---
## Quick Deployment
### Option 1: Deploy via GuruRMM (Recommended for Multiple Computers)
```powershell
cd D:\ClaudeTools\clients\glaztech
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
```
This generates: `GuruRMM-Glaztech-PDF-Fix.ps1`
**Upload to GuruRMM:**
- Client: Glaztech Industries
- Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9
- Site: SLC - Salt Lake City
- Task Type: PowerShell Script
- Run As: SYSTEM
- Timeout: 5 minutes
### Option 2: Test on Single Computer First
```powershell
# Copy to target computer and run as Administrator:
.\Fix-PDFPreview-Glaztech-UPDATED.ps1
```
### Option 3: Deploy to Multiple Computers via PowerShell Remoting
```powershell
$Computers = @("GLAZ-PC001", "GLAZ-PC002", "GLAZ-PC003")
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
```
---
## What's Configured
### File Server
- **IP:** 192.168.8.62
- **Automatically scanned paths:**
- \\192.168.8.62\alb_patterns
- \\192.168.8.62\boi_patterns
- \\192.168.8.62\brl_patterns
- \\192.168.8.62\den_patterns
- \\192.168.8.62\elp_patterns
- \\192.168.8.62\emails
- \\192.168.8.62\ftp_brl
- \\192.168.8.62\ftp_shp
- \\192.168.8.62\ftp_slc
- \\192.168.8.62\GeneReport
- \\192.168.8.62\Graphics
- \\192.168.8.62\gt_invoice
- \\192.168.8.62\Logistics
- \\192.168.8.62\phx_patterns
- \\192.168.8.62\reports
- \\192.168.8.62\shp_patterns
- \\192.168.8.62\slc_patterns
- \\192.168.8.62\sql_backup
- \\192.168.8.62\sql_jobs
- \\192.168.8.62\tuc_patterns
- \\192.168.8.62\vs_code
### Network Ranges
- glaztech.com domain
- 192.168.0.* through 192.168.9.* (all 10 sites)
- 192.168.8.62 (file server - explicitly added)
### Local Paths
- User Desktop
- User Downloads
- User Documents
---
## What the Script Does
1.**Unblocks PDFs** - Scans all configured paths and removes Zone.Identifier
2.**Trusts file server** - Adds 192.168.8.62 to Intranet security zone
3.**Trusts networks** - Adds all Glaztech IP ranges to Intranet zone
4.**Disables SmartScreen** - For Glaztech internal resources only
5.**Enables PDF preview** - Ensures preview handlers are active
6.**Creates log** - C:\Temp\Glaztech-PDF-Fix.log on each computer
---
## Recommended Pilot Test
Before mass deployment, test on 2-3 computers:
```powershell
# Test computers (adjust names as needed)
$TestComputers = @("GLAZ-PC001", "GLAZ-PC002")
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $TestComputers
```
**Verify on test computers:**
1. Open File Explorer
2. Navigate to: \\192.168.8.62\reports (or any folder with PDFs)
3. Select a PDF file
4. Enable Preview Pane: View → Preview Pane
5. **Expected:** PDF displays in preview pane
6. Check log: `C:\Temp\Glaztech-PDF-Fix.log`
---
## After Successful Pilot
### Deploy to All Computers
**Method A: GuruRMM (Best for large deployment)**
```powershell
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload generated script to GuruRMM
# Schedule/execute on all Glaztech computers
```
**Method B: PowerShell (Good for AD environments)**
```powershell
# Get all Glaztech computers from Active Directory
$AllComputers = Get-ADComputer -Filter {OperatingSystem -like "*Windows 10*" -or OperatingSystem -like "*Windows 11*"} -SearchBase "DC=glaztech,DC=com" | Select -ExpandProperty Name
# Deploy to all
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $AllComputers
```
**Method C: Site-by-Site (Controlled rollout)**
```powershell
# Site 1
$Site1 = Get-ADComputer -Filter * -SearchBase "OU=Site1,DC=glaztech,DC=com" | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Site1
# Verify, then continue to Site 2, 3, etc.
```
---
## Verification Commands
### Check if script ran successfully
```powershell
# View log on remote computer
Invoke-Command -ComputerName "GLAZ-PC001" -ScriptBlock {
Get-Content C:\Temp\Glaztech-PDF-Fix.log -Tail 20
}
```
### Check if file server is trusted
```powershell
# On local or remote computer
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\192.168.8.62" -ErrorAction SilentlyContinue
# Should return: file = 1
```
### Test PDF preview manually
```powershell
# Open file server in Explorer
explorer "\\192.168.8.62\reports"
# Enable Preview Pane, select PDF, verify preview works
```
---
## Files Available
| File | Purpose | Status |
|------|---------|--------|
| `Fix-PDFPreview-Glaztech-UPDATED.ps1` | Main fix script (use this one) | ✅ Ready |
| `Deploy-PDFFix-BulkRemote.ps1` | Bulk deployment script | ✅ Ready |
| `GPO-Configuration-Guide.md` | Group Policy setup guide | ✅ Ready |
| `README.md` | Complete documentation | ✅ Ready |
| `QUICK-REFERENCE.md` | Command cheat sheet | ✅ Ready |
| `DEPLOYMENT-READY.md` | This file | ✅ Ready |
---
## Support
**GuruRMM Access:**
- Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9
- Site: SLC - Salt Lake City
- Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de
- API Key: grmm_Qw64eawPBjnMdwN5UmDGWoPlqwvjM7lI
**Network Details:**
- Domain: glaztech.com
- File Server: \\192.168.8.62\
- Site Networks: 192.168.0-9.0/24
**Script Location:** D:\ClaudeTools\clients\glaztech\
---
## Next Steps
- [ ] Pilot test on 2-3 computers
- [ ] Verify PDF preview works on test computers
- [ ] Review logs for any errors
- [ ] Deploy to all affected computers
- [ ] (Optional) Configure GPO for permanent solution
- [ ] Document which computers were fixed
---
**Ready to deploy! Start with the pilot test, then proceed to full deployment via GuruRMM or PowerShell remoting.**

207
clients/glaztech/Deploy-PDFFix-BulkRemote.ps1 Normal file
View File

@@ -0,0 +1,207 @@
#requires -RunAsAdministrator
<#
.SYNOPSIS
Deploy PDF preview fix to multiple Glaztech computers remotely
.DESCRIPTION
Runs Fix-PDFPreview-Glaztech.ps1 on multiple remote computers via PowerShell remoting
or prepares for deployment via GuruRMM
.PARAMETER ComputerNames
Array of computer names to target
.PARAMETER Credential
PSCredential for remote access (optional, uses current user if not provided)
.PARAMETER UseGuruRMM
Export script as GuruRMM task instead of running directly
.EXAMPLE
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames "PC001","PC002","PC003"
.EXAMPLE
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames (Get-Content computers.txt)
.EXAMPLE
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
Generates GuruRMM deployment package
#>
param(
[string[]]$ComputerNames = @(),
[PSCredential]$Credential,
[switch]$UseGuruRMM,
[string[]]$ServerNames = @("192.168.8.62"),
[string[]]$AdditionalPaths = @()
)
$ScriptPath = Join-Path $PSScriptRoot "Fix-PDFPreview-Glaztech.ps1"
if (-not (Test-Path $ScriptPath)) {
Write-Host "[ERROR] Fix-PDFPreview-Glaztech.ps1 not found in script directory" -ForegroundColor Red
exit 1
}
if ($UseGuruRMM) {
Write-Host "[OK] Generating GuruRMM deployment package..." -ForegroundColor Green
Write-Host ""
$GuruRMMScript = @"
# Glaztech PDF Preview Fix - GuruRMM Deployment
# Auto-generated: $(Get-Date -Format "yyyy-MM-dd HH:mm:ss")
`$ScriptContent = @'
$(Get-Content $ScriptPath -Raw)
'@
# Save script to temp location
`$TempScript = "`$env:TEMP\Fix-PDFPreview-Glaztech.ps1"
`$ScriptContent | Out-File -FilePath `$TempScript -Encoding UTF8 -Force
# Build parameters
`$Params = @{}
"@
if ($ServerNames.Count -gt 0) {
$ServerList = ($ServerNames | ForEach-Object { "`"$_`"" }) -join ","
$GuruRMMScript += @"
`$Params['ServerNames'] = @($ServerList)
"@
}
if ($AdditionalPaths.Count -gt 0) {
$PathList = ($AdditionalPaths | ForEach-Object { "`"$_`"" }) -join ","
$GuruRMMScript += @"
`$Params['UnblockPaths'] = @($PathList)
"@
}
$GuruRMMScript += @"
# Execute script (includes automatic Explorer restart)
& `$TempScript @Params
# Cleanup
Remove-Item `$TempScript -Force -ErrorAction SilentlyContinue
"@
$GuruRMMPath = Join-Path $PSScriptRoot "GuruRMM-Glaztech-PDF-Fix.ps1"
$GuruRMMScript | Out-File -FilePath $GuruRMMPath -Encoding UTF8 -Force
Write-Host "[SUCCESS] GuruRMM script generated: $GuruRMMPath" -ForegroundColor Green
Write-Host ""
Write-Host "To deploy via GuruRMM:" -ForegroundColor Cyan
Write-Host "1. Log into GuruRMM dashboard"
Write-Host "2. Create new PowerShell task"
Write-Host "3. Copy contents of: $GuruRMMPath"
Write-Host "4. Target: Glaztech Industries (Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)"
Write-Host "5. Execute on affected computers"
Write-Host ""
Write-Host "GuruRMM API Key: grmm_Qw64eawPBjnMdwN5UmDGWoPlqwvjM7lI" -ForegroundColor Yellow
exit 0
}
if ($ComputerNames.Count -eq 0) {
Write-Host "[ERROR] No computer names provided" -ForegroundColor Red
Write-Host ""
Write-Host "Usage examples:" -ForegroundColor Yellow
Write-Host " .\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames 'PC001','PC002','PC003'"
Write-Host " .\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames (Get-Content computers.txt)"
Write-Host " .\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM"
exit 1
}
Write-Host "[OK] Deploying PDF fix to $($ComputerNames.Count) computers..." -ForegroundColor Green
Write-Host ""
$Results = @()
$ScriptContent = Get-Content $ScriptPath -Raw
foreach ($Computer in $ComputerNames) {
Write-Host "[$Computer] Connecting..." -ForegroundColor Cyan
try {
# Test connectivity
if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
Write-Host "[$Computer] [ERROR] Cannot reach computer" -ForegroundColor Red
$Results += [PSCustomObject]@{
ComputerName = $Computer
Status = "Unreachable"
PDFsUnblocked = 0
ConfigChanges = 0
Error = "Cannot ping"
}
continue
}
# Build parameters
$RemoteParams = @{}
if ($ServerNames.Count -gt 0) { $RemoteParams['ServerNames'] = $ServerNames }
if ($AdditionalPaths.Count -gt 0) { $RemoteParams['UnblockPaths'] = $AdditionalPaths }
# Execute remotely
$InvokeParams = @{
ComputerName = $Computer
ScriptBlock = [ScriptBlock]::Create($ScriptContent)
ArgumentList = $RemoteParams
}
if ($Credential) {
$InvokeParams['Credential'] = $Credential
}
$Result = Invoke-Command @InvokeParams -ErrorAction Stop
Write-Host "[$Computer] [SUCCESS] PDFs: $($Result.PDFsUnblocked), Changes: $($Result.ConfigChanges)" -ForegroundColor Green
$Results += [PSCustomObject]@{
ComputerName = $Computer
Status = "Success"
PDFsUnblocked = $Result.PDFsUnblocked
ConfigChanges = $Result.ConfigChanges
Error = $null
}
# Note: Explorer restart is now handled by the main script automatically
} catch {
Write-Host "[$Computer] [ERROR] $($_.Exception.Message)" -ForegroundColor Red
$Results += [PSCustomObject]@{
ComputerName = $Computer
Status = "Failed"
PDFsUnblocked = 0
ConfigChanges = 0
Error = $_.Exception.Message
}
}
Write-Host ""
}
# Summary
Write-Host "========================================"
Write-Host "DEPLOYMENT SUMMARY"
Write-Host "========================================"
$Results | Format-Table -AutoSize
$SuccessCount = ($Results | Where-Object { $_.Status -eq "Success" }).Count
$FailureCount = ($Results | Where-Object { $_.Status -ne "Success" }).Count
Write-Host ""
Write-Host "Total Computers: $($Results.Count)"
Write-Host "Successful: $SuccessCount" -ForegroundColor Green
Write-Host "Failed: $FailureCount" -ForegroundColor $(if ($FailureCount -gt 0) { "Red" } else { "Green" })
# Export results
$ResultsPath = Join-Path $PSScriptRoot "deployment-results-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$Results | Export-Csv -Path $ResultsPath -NoTypeInformation
Write-Host ""
Write-Host "Results exported to: $ResultsPath"

347
clients/glaztech/Fix-PDFPreview-Glaztech-UPDATED.ps1 Normal file
View File

@@ -0,0 +1,347 @@
#requires -RunAsAdministrator
<#
.SYNOPSIS
Fix PDF preview issues in Windows Explorer for Glaztech Industries
.DESCRIPTION
Resolves PDF preview failures caused by Windows security updates (KB5066791/KB5066835)
by unblocking PDF files and configuring trusted zones for Glaztech network resources.
.PARAMETER UnblockPaths
Array of paths where PDFs should be unblocked. Supports UNC paths and local paths.
Default: User Desktop, Downloads, Documents, and Glaztech file server paths
.PARAMETER ServerNames
Array of server hostnames/IPs to add to trusted Intranet zone
Default: 192.168.8.2 (Glaztech main file server)
.PARAMETER WhatIf
Shows what changes would be made without actually making them
.EXAMPLE
.\Fix-PDFPreview-Glaztech-UPDATED.ps1
Run with defaults, unblock PDFs and configure zones
.NOTES
Company: Glaztech Industries
Domain: glaztech.com
Network: 192.168.0.0/24 through 192.168.9.0/24 (10 sites)
File Server: \\192.168.8.62\
Issue: Windows 10/11 security updates block PDF preview from network shares
Version: 1.1
Date: 2026-01-27
Updated: Added Glaztech file server paths
#>
[CmdletBinding(SupportsShouldProcess)]
param(
[string[]]$UnblockPaths = @(),
[string[]]$ServerNames = @(
"192.168.8.62" # Glaztech main file server
)
)
$ErrorActionPreference = "Continue"
$Script:ChangesMade = 0
# Logging function
function Write-Log {
param([string]$Message, [string]$Level = "INFO")
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$Color = switch ($Level) {
"ERROR" { "Red" }
"WARNING" { "Yellow" }
"SUCCESS" { "Green" }
default { "White" }
}
$LogMessage = "[$Timestamp] [$Level] $Message"
Write-Host $LogMessage -ForegroundColor $Color
# Log to file
$LogPath = "C:\Temp\Glaztech-PDF-Fix.log"
if (-not (Test-Path "C:\Temp")) { New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null }
Add-Content -Path $LogPath -Value $LogMessage
}
Write-Log "========================================"
Write-Log "Glaztech PDF Preview Fix Script v1.1"
Write-Log "Computer: $env:COMPUTERNAME"
Write-Log "User: $env:USERNAME"
Write-Log "========================================"
# Function to unblock files
function Remove-ZoneIdentifier {
param([string]$Path, [string]$Filter = "*.pdf")
if (-not (Test-Path $Path)) {
Write-Log "Path not accessible: $Path" "WARNING"
return 0
}
Write-Log "Scanning for PDFs in: $Path"
try {
$Files = Get-ChildItem -Path $Path -Filter $Filter -Recurse -File -ErrorAction SilentlyContinue
$UnblockedCount = 0
foreach ($File in $Files) {
try {
# Check if file has Zone.Identifier
$ZoneId = Get-Item -Path $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($ZoneId) {
if ($PSCmdlet.ShouldProcess($File.FullName, "Unblock file")) {
Unblock-File -Path $File.FullName -ErrorAction Stop
$UnblockedCount++
Write-Log " Unblocked: $($File.FullName)" "SUCCESS"
}
}
} catch {
Write-Log " Failed to unblock: $($File.FullName) - $($_.Exception.Message)" "WARNING"
}
}
if ($UnblockedCount -gt 0) {
Write-Log "Unblocked $UnblockedCount PDF files in $Path" "SUCCESS"
} else {
Write-Log "No blocked PDFs found in $Path"
}
return $UnblockedCount
} catch {
Write-Log "Error scanning path: $Path - $($_.Exception.Message)" "ERROR"
return 0
}
}
# Function to add sites to Intranet Zone
function Add-ToIntranetZone {
param([string]$Site)
$ZonePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
try {
# Parse site for registry path creation
if ($Site -match "^(\d+\.){3}\d+$") {
# IP address - add to ESC Domains
$EscPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\$Site"
if (-not (Test-Path $EscPath)) {
if ($PSCmdlet.ShouldProcess($Site, "Add IP to Intranet Zone")) {
New-Item -Path $EscPath -Force | Out-Null
Set-ItemProperty -Path $EscPath -Name "file" -Value 1 -Type DWord
Write-Log " Added IP to Intranet Zone: $Site" "SUCCESS"
$Script:ChangesMade++
}
} else {
Write-Log " IP already in Intranet Zone: $Site"
}
} elseif ($Site -match "^\\\\(.+)$") {
# UNC path - extract hostname
$Hostname = $Matches[1] -replace "\\.*", ""
Add-ToIntranetZone -Site $Hostname
} else {
# Hostname/domain
$Parts = $Site -split "\."
$BasePath = $ZonePath
# Build registry path (reverse domain order)
for ($i = $Parts.Count - 1; $i -ge 0; $i--) {
$BasePath = Join-Path $BasePath $Parts[$i]
}
if (-not (Test-Path $BasePath)) {
if ($PSCmdlet.ShouldProcess($Site, "Add domain to Intranet Zone")) {
New-Item -Path $BasePath -Force | Out-Null
Set-ItemProperty -Path $BasePath -Name "file" -Value 1 -Type DWord
Write-Log " Added domain to Intranet Zone: $Site" "SUCCESS"
$Script:ChangesMade++
}
} else {
Write-Log " Domain already in Intranet Zone: $Site"
}
}
} catch {
Write-Log " Failed to add $Site to Intranet Zone: $($_.Exception.Message)" "ERROR"
}
}
# Function to configure PDF preview handler
function Enable-PDFPreview {
$PreviewHandlerPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers"
$PDFPreviewCLSID = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"
try {
if ($PSCmdlet.ShouldProcess("PDF Preview Handler", "Enable")) {
# Ensure preview handler is registered
$HandlerExists = Get-ItemProperty -Path $PreviewHandlerPath -Name $PDFPreviewCLSID -ErrorAction SilentlyContinue
if (-not $HandlerExists) {
Write-Log "PDF Preview Handler not found in registry" "WARNING"
} else {
Write-Log "PDF Preview Handler is registered"
}
# Enable previews in Explorer
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowPreviewHandlers" -Value 1 -Type DWord -ErrorAction Stop
Write-Log "Enabled preview handlers in Windows Explorer" "SUCCESS"
$Script:ChangesMade++
}
} catch {
Write-Log "Failed to enable PDF preview: $($_.Exception.Message)" "ERROR"
}
}
# MAIN EXECUTION
Write-Log "========================================"
Write-Log "STEP 1: Unblocking PDF Files"
Write-Log "========================================"
# Glaztech file server paths
$GlaztechPaths = @(
"\\192.168.8.62\alb_patterns",
"\\192.168.8.62\boi_patterns",
"\\192.168.8.62\brl_patterns",
"\\192.168.8.62\den_patterns",
"\\192.168.8.62\elp_patterns",
"\\192.168.8.62\emails",
"\\192.168.8.62\ftp_brl",
"\\192.168.8.62\ftp_shp",
"\\192.168.8.62\ftp_slc",
"\\192.168.8.62\GeneReport",
"\\192.168.8.62\Graphics",
"\\192.168.8.62\gt_invoice",
"\\192.168.8.62\Logistics",
"\\192.168.8.62\phx_patterns",
"\\192.168.8.62\reports",
"\\192.168.8.62\shp_patterns",
"\\192.168.8.62\slc_patterns",
"\\192.168.8.62\sql_backup",
"\\192.168.8.62\sql_jobs",
"\\192.168.8.62\tuc_patterns",
"\\192.168.8.62\vs_code"
)
# Default local paths
$LocalPaths = @(
"$env:USERPROFILE\Desktop",
"$env:USERPROFILE\Downloads",
"$env:USERPROFILE\Documents"
)
# Combine all paths
$AllPaths = $LocalPaths + $GlaztechPaths + $UnblockPaths | Select-Object -Unique
$TotalUnblocked = 0
foreach ($Path in $AllPaths) {
$TotalUnblocked += Remove-ZoneIdentifier -Path $Path
}
Write-Log "Total PDFs unblocked: $TotalUnblocked" "SUCCESS"
Write-Log ""
Write-Log "========================================"
Write-Log "STEP 2: Configuring Trusted Zones"
Write-Log "========================================"
# Add Glaztech domain
Write-Log "Adding Glaztech domain to Intranet Zone..."
Add-ToIntranetZone -Site "glaztech.com"
Add-ToIntranetZone -Site "*.glaztech.com"
# Add all 10 Glaztech site IP ranges (192.168.0.0/24 through 192.168.9.0/24)
Write-Log "Adding Glaztech site IP ranges to Intranet Zone..."
for ($i = 0; $i -le 9; $i++) {
$Network = "192.168.$i.*"
Add-ToIntranetZone -Site $Network
}
# Add Glaztech file server specifically
Write-Log "Adding Glaztech file server to Intranet Zone..."
foreach ($Server in $ServerNames) {
Add-ToIntranetZone -Site $Server
}
Write-Log ""
Write-Log "========================================"
Write-Log "STEP 3: Enabling PDF Preview"
Write-Log "========================================"
Enable-PDFPreview
Write-Log ""
Write-Log "========================================"
Write-Log "STEP 4: Configuring Security Policies"
Write-Log "========================================"
# Disable SmartScreen for Intranet Zone
try {
if ($PSCmdlet.ShouldProcess("Intranet Zone", "Disable SmartScreen")) {
$IntranetZonePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
if (-not (Test-Path $IntranetZonePath)) {
New-Item -Path $IntranetZonePath -Force | Out-Null
}
# Zone 1 = Local Intranet
# 2702 = Use SmartScreen Filter (0 = Disable, 1 = Enable)
Set-ItemProperty -Path $IntranetZonePath -Name "2702" -Value 0 -Type DWord -ErrorAction Stop
Write-Log "Disabled SmartScreen for Intranet Zone" "SUCCESS"
$Script:ChangesMade++
}
} catch {
Write-Log "Failed to configure SmartScreen: $($_.Exception.Message)" "ERROR"
}
Write-Log ""
Write-Log "========================================"
Write-Log "SUMMARY"
Write-Log "========================================"
Write-Log "PDFs Unblocked: $TotalUnblocked"
Write-Log "Configuration Changes: $Script:ChangesMade"
Write-Log "File Server: \\192.168.8.62\ (added to trusted zone)"
Write-Log ""
if ($Script:ChangesMade -gt 0 -or $TotalUnblocked -gt 0) {
Write-Log "Changes applied - restarting Windows Explorer..." "WARNING"
try {
# Stop Explorer
Stop-Process -Name explorer -Force -ErrorAction Stop
Write-Log "Windows Explorer stopped" "SUCCESS"
# Wait a moment for processes to clean up
Start-Sleep -Seconds 2
# Explorer will auto-restart, but we can force it if needed
$ExplorerRunning = Get-Process -Name explorer -ErrorAction SilentlyContinue
if (-not $ExplorerRunning) {
Start-Process explorer.exe
Write-Log "Windows Explorer restarted" "SUCCESS"
}
} catch {
Write-Log "Could not restart Explorer automatically: $($_.Exception.Message)" "WARNING"
Write-Log "Please restart Explorer manually: Stop-Process -Name explorer -Force" "WARNING"
}
Write-Log ""
Write-Log "COMPLETED SUCCESSFULLY" "SUCCESS"
} else {
Write-Log "No changes needed - system already configured" "SUCCESS"
}
Write-Log "Log file: C:\Temp\Glaztech-PDF-Fix.log"
Write-Log "========================================"
# Return summary object
[PSCustomObject]@{
ComputerName = $env:COMPUTERNAME
PDFsUnblocked = $TotalUnblocked
ConfigChanges = $Script:ChangesMade
FileServer = "\\192.168.8.62\"
Success = ($TotalUnblocked -gt 0 -or $Script:ChangesMade -gt 0)
LogPath = "C:\Temp\Glaztech-PDF-Fix.log"
}

323
clients/glaztech/Fix-PDFPreview-Glaztech.ps1 Normal file
View File

@@ -0,0 +1,323 @@
#requires -RunAsAdministrator
<#
.SYNOPSIS
Fix PDF preview issues in Windows Explorer for Glaztech Industries
.DESCRIPTION
Resolves PDF preview failures caused by Windows security updates (KB5066791/KB5066835)
by unblocking PDF files and configuring trusted zones for Glaztech network resources.
.PARAMETER UnblockPaths
Array of paths where PDFs should be unblocked. Supports UNC paths and local paths.
Default: User Desktop, Downloads, Documents, and common network paths
.PARAMETER ServerNames
Array of server hostnames/IPs to add to trusted Intranet zone
Add Glaztech file servers here when identified
.PARAMETER WhatIf
Shows what changes would be made without actually making them
.EXAMPLE
.\Fix-PDFPreview-Glaztech.ps1
Run with defaults, unblock PDFs and configure zones
.EXAMPLE
.\Fix-PDFPreview-Glaztech.ps1 -UnblockPaths "\\fileserver\shared","C:\Data" -ServerNames "fileserver01","192.168.1.10"
Specify custom paths and servers
.NOTES
Company: Glaztech Industries
Domain: glaztech.com
Network: 192.168.0.0/24 through 192.168.9.0/24 (10 sites)
Issue: Windows 10/11 security updates block PDF preview from network shares
Deployment: GPO or remote PowerShell
Version: 1.0
Date: 2026-01-27
#>
[CmdletBinding(SupportsShouldProcess)]
param(
[string[]]$UnblockPaths = @(),
[string[]]$ServerNames = @(
# TODO: Add Glaztech file server names/IPs here when identified
# Example: "fileserver01", "192.168.1.50", "\\glaztech-fs01"
)
)
$ErrorActionPreference = "Continue"
$Script:ChangesMade = 0
# Logging function
function Write-Log {
param([string]$Message, [string]$Level = "INFO")
$Timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$Color = switch ($Level) {
"ERROR" { "Red" }
"WARNING" { "Yellow" }
"SUCCESS" { "Green" }
default { "White" }
}
$LogMessage = "[$Timestamp] [$Level] $Message"
Write-Host $LogMessage -ForegroundColor $Color
# Log to file
$LogPath = "C:\Temp\Glaztech-PDF-Fix.log"
if (-not (Test-Path "C:\Temp")) { New-Item -ItemType Directory -Path "C:\Temp" -Force | Out-Null }
Add-Content -Path $LogPath -Value $LogMessage
}
Write-Log "========================================"
Write-Log "Glaztech PDF Preview Fix Script"
Write-Log "Computer: $env:COMPUTERNAME"
Write-Log "User: $env:USERNAME"
Write-Log "========================================"
# Function to unblock files
function Remove-ZoneIdentifier {
param([string]$Path, [string]$Filter = "*.pdf")
if (-not (Test-Path $Path)) {
Write-Log "Path not found: $Path" "WARNING"
return 0
}
Write-Log "Scanning for PDFs in: $Path"
try {
$Files = Get-ChildItem -Path $Path -Filter $Filter -Recurse -File -ErrorAction SilentlyContinue
$UnblockedCount = 0
foreach ($File in $Files) {
try {
# Check if file has Zone.Identifier
$ZoneId = Get-Item -Path $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($ZoneId) {
if ($PSCmdlet.ShouldProcess($File.FullName, "Unblock file")) {
Unblock-File -Path $File.FullName -ErrorAction Stop
$UnblockedCount++
Write-Log " Unblocked: $($File.FullName)" "SUCCESS"
}
}
} catch {
Write-Log " Failed to unblock: $($File.FullName) - $($_.Exception.Message)" "WARNING"
}
}
Write-Log "Unblocked $UnblockedCount PDF files in $Path"
return $UnblockedCount
} catch {
Write-Log "Error scanning path: $Path - $($_.Exception.Message)" "ERROR"
return 0
}
}
# Function to add sites to Intranet Zone
function Add-ToIntranetZone {
param([string]$Site)
$ZonePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
try {
# Parse site for registry path creation
if ($Site -match "^(\d+\.){3}\d+$") {
# IP address - add to ESC Domains
$EscPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\$Site"
if (-not (Test-Path $EscPath)) {
if ($PSCmdlet.ShouldProcess($Site, "Add IP to Intranet Zone")) {
New-Item -Path $EscPath -Force | Out-Null
Set-ItemProperty -Path $EscPath -Name "*" -Value 1 -Type DWord
Write-Log " Added IP to Intranet Zone: $Site" "SUCCESS"
$Script:ChangesMade++
}
} else {
Write-Log " IP already in Intranet Zone: $Site"
}
} elseif ($Site -match "^\\\\(.+)$") {
# UNC path - extract hostname
$Hostname = $Matches[1] -replace "\\.*", ""
Add-ToIntranetZone -Site $Hostname
} else {
# Hostname/domain
$Parts = $Site -split "\."
$BasePath = $ZonePath
# Build registry path (reverse domain order)
for ($i = $Parts.Count - 1; $i -ge 0; $i--) {
$BasePath = Join-Path $BasePath $Parts[$i]
}
if (-not (Test-Path $BasePath)) {
if ($PSCmdlet.ShouldProcess($Site, "Add domain to Intranet Zone")) {
New-Item -Path $BasePath -Force | Out-Null
Set-ItemProperty -Path $BasePath -Name "*" -Value 1 -Type DWord
Write-Log " Added domain to Intranet Zone: $Site" "SUCCESS"
$Script:ChangesMade++
}
} else {
Write-Log " Domain already in Intranet Zone: $Site"
}
}
} catch {
Write-Log " Failed to add $Site to Intranet Zone: $($_.Exception.Message)" "ERROR"
}
}
# Function to configure PDF preview handler
function Enable-PDFPreview {
$PreviewHandlerPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers"
$PDFPreviewCLSID = "{DC6EFB56-9CFA-464D-8880-44885D7DC193}"
try {
if ($PSCmdlet.ShouldProcess("PDF Preview Handler", "Enable")) {
# Ensure preview handler is registered
$HandlerExists = Get-ItemProperty -Path $PreviewHandlerPath -Name $PDFPreviewCLSID -ErrorAction SilentlyContinue
if (-not $HandlerExists) {
Write-Log "PDF Preview Handler not found in registry" "WARNING"
} else {
Write-Log "PDF Preview Handler is registered"
}
# Enable previews in Explorer
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name "ShowPreviewHandlers" -Value 1 -Type DWord -ErrorAction Stop
Write-Log "Enabled preview handlers in Windows Explorer" "SUCCESS"
$Script:ChangesMade++
}
} catch {
Write-Log "Failed to enable PDF preview: $($_.Exception.Message)" "ERROR"
}
}
# MAIN EXECUTION
Write-Log "========================================"
Write-Log "STEP 1: Unblocking PDF Files"
Write-Log "========================================"
# Default paths to check
$DefaultPaths = @(
"$env:USERPROFILE\Desktop",
"$env:USERPROFILE\Downloads",
"$env:USERPROFILE\Documents"
)
# Combine default and custom paths
$AllPaths = $DefaultPaths + $UnblockPaths | Select-Object -Unique
$TotalUnblocked = 0
foreach ($Path in $AllPaths) {
$TotalUnblocked += Remove-ZoneIdentifier -Path $Path
}
Write-Log "Total PDFs unblocked: $TotalUnblocked" "SUCCESS"
Write-Log ""
Write-Log "========================================"
Write-Log "STEP 2: Configuring Trusted Zones"
Write-Log "========================================"
# Add Glaztech domain
Write-Log "Adding Glaztech domain to Intranet Zone..."
Add-ToIntranetZone -Site "glaztech.com"
Add-ToIntranetZone -Site "*.glaztech.com"
# Add all 10 Glaztech site IP ranges (192.168.0.0/24 through 192.168.9.0/24)
Write-Log "Adding Glaztech site IP ranges to Intranet Zone..."
for ($i = 0; $i -le 9; $i++) {
$Network = "192.168.$i.*"
Add-ToIntranetZone -Site $Network
}
# Add specific servers if provided
if ($ServerNames.Count -gt 0) {
Write-Log "Adding specified servers to Intranet Zone..."
foreach ($Server in $ServerNames) {
Add-ToIntranetZone -Site $Server
}
} else {
Write-Log "No specific servers provided - add them with -ServerNames parameter" "WARNING"
}
Write-Log ""
Write-Log "========================================"
Write-Log "STEP 3: Enabling PDF Preview"
Write-Log "========================================"
Enable-PDFPreview
Write-Log ""
Write-Log "========================================"
Write-Log "STEP 4: Configuring Security Policies"
Write-Log "========================================"
# Disable SmartScreen for Intranet Zone
try {
if ($PSCmdlet.ShouldProcess("Intranet Zone", "Disable SmartScreen")) {
$IntranetZonePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
if (-not (Test-Path $IntranetZonePath)) {
New-Item -Path $IntranetZonePath -Force | Out-Null
}
# Zone 1 = Local Intranet
# 2702 = Use SmartScreen Filter (0 = Disable, 1 = Enable)
Set-ItemProperty -Path $IntranetZonePath -Name "2702" -Value 0 -Type DWord -ErrorAction Stop
Write-Log "Disabled SmartScreen for Intranet Zone" "SUCCESS"
$Script:ChangesMade++
}
} catch {
Write-Log "Failed to configure SmartScreen: $($_.Exception.Message)" "ERROR"
}
Write-Log ""
Write-Log "========================================"
Write-Log "SUMMARY"
Write-Log "========================================"
Write-Log "PDFs Unblocked: $TotalUnblocked"
Write-Log "Configuration Changes: $Script:ChangesMade"
Write-Log ""
if ($Script:ChangesMade -gt 0 -or $TotalUnblocked -gt 0) {
Write-Log "Changes applied - restarting Windows Explorer..." "WARNING"
try {
# Stop Explorer
Stop-Process -Name explorer -Force -ErrorAction Stop
Write-Log "Windows Explorer stopped" "SUCCESS"
# Wait a moment for processes to clean up
Start-Sleep -Seconds 2
# Explorer will auto-restart, but we can force it if needed
$ExplorerRunning = Get-Process -Name explorer -ErrorAction SilentlyContinue
if (-not $ExplorerRunning) {
Start-Process explorer.exe
Write-Log "Windows Explorer restarted" "SUCCESS"
}
} catch {
Write-Log "Could not restart Explorer automatically: $($_.Exception.Message)" "WARNING"
Write-Log "Please restart Explorer manually: Stop-Process -Name explorer -Force" "WARNING"
}
Write-Log ""
Write-Log "COMPLETED SUCCESSFULLY" "SUCCESS"
} else {
Write-Log "No changes needed - system already configured" "SUCCESS"
}
Write-Log "Log file: C:\Temp\Glaztech-PDF-Fix.log"
Write-Log "========================================"
# Return summary object
[PSCustomObject]@{
ComputerName = $env:COMPUTERNAME
PDFsUnblocked = $TotalUnblocked
ConfigChanges = $Script:ChangesMade
Success = ($TotalUnblocked -gt 0 -or $Script:ChangesMade -gt 0)
LogPath = "C:\Temp\Glaztech-PDF-Fix.log"
}

309
clients/glaztech/GPO-Configuration-Guide.md Normal file
View File

@@ -0,0 +1,309 @@
# Glaztech PDF Preview Fix - Group Policy Configuration
**Issue:** Windows 10/11 security updates (KB5066791, KB5066835) block PDF previews from network shares
**Solution:** Configure Group Policy to trust Glaztech network resources
**Client:** Glaztech Industries
**Domain:** glaztech.com
---
## Quick Start
**Option 1:** Run PowerShell script once on each computer (fastest for immediate fix)
**Option 2:** Configure GPO for permanent solution (recommended for long-term)
---
## GPO Configuration (Permanent Solution)
### Policy 1: Add Sites to Local Intranet Zone
**Purpose:** Trust Glaztech internal network resources
1. **Open Group Policy Management Console**
- Run: `gpmc.msc`
- Navigate to: `Forest > Domains > glaztech.com > Group Policy Objects`
2. **Create New GPO**
- Right-click "Group Policy Objects" → New
- Name: `Glaztech - PDF Preview Fix`
- Description: `Fix PDF preview issues from network shares (KB5066791/KB5066835)`
3. **Edit GPO**
- Right-click GPO → Edit
4. **Configure Intranet Zone Sites**
- Navigate to: `User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security`
- Double-click: **Security Zones and Content Ratings**
- Click: **Import the current security zones and privacy settings**
- Click: **Modify Settings**
5. **Add Sites to Local Intranet Zone**
- Click: **Local intranet****Sites****Advanced**
- Add these sites (one per line):
```
*.glaztech.com
https://*.glaztech.com
http://*.glaztech.com
file://*.glaztech.com
```
6. **Add IP Ranges** (if servers use IPs)
- For each Glaztech site (192.168.0.* through 192.168.9.*):
```
https://192.168.0.*
https://192.168.1.*
https://192.168.2.*
https://192.168.3.*
https://192.168.4.*
https://192.168.5.*
https://192.168.6.*
https://192.168.7.*
https://192.168.8.*
https://192.168.9.*
file://192.168.0.*
file://192.168.1.*
(etc. for all 10 sites)
```
### Policy 2: Disable SmartScreen for Intranet Zone
**Purpose:** Prevent SmartScreen from blocking trusted internal resources
1. **Navigate to:** `User Configuration > Administrative Templates > Windows Components > File Explorer`
2. **Configure:**
- **Configure Windows Defender SmartScreen** → **Disabled** (for Intranet zone only)
3. **Alternative Registry-Based Setting:**
- Navigate to: `User Configuration > Preferences > Windows Settings > Registry`
- Create new Registry Item:
- Action: **Update**
- Hive: **HKEY_CURRENT_USER**
- Key Path: `Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1`
- Value Name: `2702`
- Value Type: **REG_DWORD**
- Value Data: `0` (Disable SmartScreen for Intranet)
### Policy 3: Enable PDF Preview Handlers
**Purpose:** Ensure PDF preview is enabled in Windows Explorer
1. **Navigate to:** `User Configuration > Preferences > Windows Settings > Registry`
2. **Create Registry Item:**
- Action: **Update**
- Hive: **HKEY_CURRENT_USER**
- Key Path: `Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`
- Value Name: `ShowPreviewHandlers`
- Value Type: **REG_DWORD**
- Value Data: `1`
### Policy 4: Unblock Network Shares (Advanced)
**Purpose:** Automatically remove Zone.Identifier from files on network shares
**Option A: Startup Script (runs at computer startup)**
1. **Navigate to:** `Computer Configuration > Policies > Windows Settings > Scripts > Startup`
2. **Add Script:**
- Click: **Add** → **Browse**
- Copy `Fix-PDFPreview-Glaztech.ps1` to: `\\glaztech.com\SYSVOL\glaztech.com\scripts\`
- Script Name: `Fix-PDFPreview-Glaztech.ps1`
- Script Parameters: Leave blank (uses defaults)
**Option B: Logon Script (runs at user logon)**
1. **Navigate to:** `User Configuration > Policies > Windows Settings > Scripts > Logon`
2. **Add Script:** (same as above)
**Option C: Scheduled Task via GPO**
1. **Navigate to:** `Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks`
2. **Create new Scheduled Task:**
- Action: **Create**
- Name: `Glaztech PDF Preview Maintenance`
- Run as: **NT AUTHORITY\SYSTEM** or **%LogonDomain%\%LogonUser%**
- Trigger: **At log on** (or daily)
- Action: Start a program
- Program: `powershell.exe`
- Arguments: `-ExecutionPolicy Bypass -File "\\glaztech.com\SYSVOL\glaztech.com\scripts\Fix-PDFPreview-Glaztech.ps1"`
---
## Link GPO to OUs
1. **In Group Policy Management:**
- Right-click appropriate OU (e.g., "Computers" or "Workstations")
- Select: **Link an Existing GPO**
- Choose: `Glaztech - PDF Preview Fix`
2. **Verify Link:**
- Ensure GPO is enabled (checkmark in "Link Enabled" column)
- Set appropriate link order (higher = applied later)
---
## Testing GPO
1. **Force GPO Update on Test Computer:**
```powershell
gpupdate /force
```
2. **Verify Applied Policies:**
```powershell
gpresult /H C:\Temp\gpresult.html
# Open C:\Temp\gpresult.html in browser to review applied policies
```
3. **Check Registry Values:**
```powershell
# Check Intranet Zone configuration
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
# Check if preview handlers are enabled
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name ShowPreviewHandlers
```
4. **Test PDF Preview:**
- Navigate to network share with PDFs
- Select a PDF file
- Check if preview appears in Preview Pane (View → Preview Pane)
---
## Troubleshooting
### PDF Preview Still Not Working
1. **Check if GPO applied:**
```powershell
gpresult /r /scope:user
```
2. **Restart Windows Explorer:**
```powershell
Stop-Process -Name explorer -Force
```
3. **Check for blocked files manually:**
```powershell
Get-ChildItem "\\server\share" -Filter "*.pdf" -Recurse |
ForEach-Object {
if (Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
Unblock-File $_.FullName
}
}
```
### GPO Not Applying
1. **Check GPO replication:**
```powershell
dcdiag /test:replications
```
2. **Verify SYSVOL replication:**
```powershell
Get-SmbShare SYSVOL
```
3. **Check event logs:**
- Event Viewer → Windows Logs → Application
- Look for Group Policy errors
### SmartScreen Still Blocking
1. **Manually disable SmartScreen for Intranet (temporary):**
```powershell
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702" -Value 0 -Type DWord
```
2. **Check Windows Defender settings:**
- Settings → Update & Security → Windows Security → App & browser control
- Ensure SmartScreen isn't overriding zone settings
---
## Rollback Plan
If issues occur after GPO deployment:
1. **Disable GPO:**
- GPMC → Right-click GPO → **Link Enabled** (uncheck)
2. **Delete GPO (if needed):**
- GPMC → Right-click GPO → **Delete**
3. **Force refresh on clients:**
```powershell
gpupdate /force
```
---
## Alternative: PowerShell Deployment (No GPO)
If GPO deployment is not feasible:
1. **Deploy via GuruRMM:**
```powershell
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload generated script to GuruRMM dashboard
```
2. **Deploy via PowerShell Remoting:**
```powershell
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=glaztech,DC=com" | Select-Object -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
```
3. **Manual deployment:**
- Copy script to network share
- Email link to users
- Instruct users to right-click → "Run with PowerShell"
---
## When to Use Each Method
| Method | Use When | Pros | Cons |
|--------|----------|------|------|
| **GPO** | Large environment, permanent fix needed | Automatic, consistent, centrally managed | Requires AD infrastructure, slower rollout |
| **GuruRMM** | Quick deployment needed, mixed environment | Fast, flexible, good reporting | Requires GuruRMM access, manual execution |
| **PowerShell Remoting** | AD environment, immediate fix needed | Very fast, scriptable | Requires WinRM enabled, manual execution |
| **Manual** | Small number of computers, no remote access | Simple, no infrastructure needed | Time-consuming, inconsistent |
---
## Additional Server Names/IPs
**TODO:** Update this list when user provides Glaztech file server details
```powershell
# Add servers to script parameters:
$ServerNames = @(
# "fileserver01",
# "192.168.1.50",
# "glaztech-nas01",
# Add more as identified...
)
```
Update script on SYSVOL or re-run deployment after adding servers.
---
## References
- [Microsoft KB5066791](https://support.microsoft.com/kb/5066791) - Security update that changed file handling
- [Microsoft KB5066835](https://support.microsoft.com/kb/5066835) - Related security update
- [Mark of the Web (MOTW)](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/mark-of-the-web) - Zone.Identifier explanation
- [Internet Explorer Security Zones](https://docs.microsoft.com/en-us/troubleshoot/browsers/how-to-add-sites-to-the-local-intranet-zone)
---
**Last Updated:** 2026-01-27
**Contact:** AZ Computer Guru MSP
**Client:** Glaztech Industries (GuruRMM Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)

BIN
clients/glaztech/PDF-FIX.zip Normal file
View File

Binary file not shown.

185
clients/glaztech/QUICK-REFERENCE.md Normal file
View File

@@ -0,0 +1,185 @@
# Glaztech PDF Fix - Quick Reference Card
## Common Commands
### Run on Single Computer (Local)
```powershell
.\Fix-PDFPreview-Glaztech.ps1
```
### Deploy to Multiple Computers (Remote)
```powershell
# From list
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames "PC001","PC002","PC003"
# From file
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames (Get-Content computers.txt)
# All AD computers
$Computers = Get-ADComputer -Filter * | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
```
### Generate GuruRMM Script
```powershell
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Output: GuruRMM-Glaztech-PDF-Fix.ps1
```
### Add File Servers
```powershell
.\Fix-PDFPreview-Glaztech.ps1 -ServerNames "fileserver01","192.168.1.50"
# Bulk deployment with servers
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers -ServerNames "fileserver01","192.168.1.50"
```
### Add Custom Paths
```powershell
.\Fix-PDFPreview-Glaztech.ps1 -UnblockPaths "\\fileserver\shared","C:\Data"
```
---
## Verification Commands
### Check Log
```powershell
Get-Content C:\Temp\Glaztech-PDF-Fix.log
```
### Verify Zone Configuration
```powershell
# Check Intranet zone
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
# Check SmartScreen (should be 0 = disabled for Intranet)
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702"
```
### Check if File is Blocked
```powershell
$File = "\\server\share\document.pdf"
Get-Item $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
# No output = file is unblocked
```
### Test PDF Preview
```powershell
# Open Explorer to network share
explorer "\\fileserver\documents"
# Enable Preview Pane: View → Preview Pane
# Select a PDF - should preview
```
---
## Troubleshooting Commands
### Restart Explorer
```powershell
Stop-Process -Name explorer -Force
```
### Manually Unblock Single File
```powershell
Unblock-File "\\server\share\file.pdf"
```
### Manually Unblock All PDFs in Folder
```powershell
Get-ChildItem "\\server\share" -Filter "*.pdf" -Recurse | Unblock-File
```
### Enable PowerShell Remoting
```powershell
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
```
### Force GPO Update
```powershell
gpupdate /force
gpresult /H C:\Temp\gpresult.html
```
---
## GuruRMM Deployment
1. Generate script:
```powershell
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
```
2. Upload to GuruRMM:
- Task Type: PowerShell
- Target: Glaztech Industries (d857708c-5713-4ee5-a314-679f86d2f9f9)
- Run As: SYSTEM
- Timeout: 5 minutes
3. Execute and monitor results
---
## GPO Deployment
See: `GPO-Configuration-Guide.md`
**Quick Steps:**
1. Create GPO: "Glaztech - PDF Preview Fix"
2. Add sites to Intranet Zone:
- `*.glaztech.com`
- `192.168.0.*` through `192.168.9.*`
3. Disable SmartScreen for Intranet (Zone 1, value 2702 = 0)
4. Link GPO to computer OUs
5. Force update: `gpupdate /force`
---
## Files
| File | Purpose |
|------|---------|
| `Fix-PDFPreview-Glaztech.ps1` | Main script (run on individual computer) |
| `Deploy-PDFFix-BulkRemote.ps1` | Bulk deployment (run from admin workstation) |
| `GPO-Configuration-Guide.md` | Group Policy setup instructions |
| `README.md` | Complete documentation |
| `QUICK-REFERENCE.md` | This file (cheat sheet) |
---
## Default Behavior
Without parameters, the script:
- ✅ Scans Desktop, Downloads, Documents
- ✅ Unblocks all PDF files found
- ✅ Adds `glaztech.com` to Intranet zone
- ✅ Adds `192.168.0.*` - `192.168.9.*` to Intranet zone
- ✅ Disables SmartScreen for Intranet zone
- ✅ Enables PDF preview handlers
- ✅ Creates log: `C:\Temp\Glaztech-PDF-Fix.log`
---
## Support
**GuruRMM Client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9
**Domain:** glaztech.com
**Networks:** 192.168.0-9.0/24
**Script Location:** `D:\ClaudeTools\clients\glaztech\`
---
## Status Checklist
- [x] Scripts created
- [x] GPO guide created
- [x] GuruRMM deployment option available
- [ ] File server names/IPs pending (waiting on user)
- [ ] Pilot testing (1-5 computers)
- [ ] Bulk deployment
- [ ] GPO configuration
- [ ] Verification complete
**Next:** Get file server details from Glaztech IT, then update script parameters.

451
clients/glaztech/README.md Normal file
View File

@@ -0,0 +1,451 @@
# Glaztech PDF Preview Fix
**Client:** Glaztech Industries
**Issue:** Windows 10/11 PDF preview failures after security updates
**Root Cause:** KB5066791 and KB5066835 security updates add Mark of the Web (MOTW) to files from network shares
**Impact:** Users cannot preview PDFs in Windows Explorer from network locations
---
## Problem Summary
Recent Windows security updates (KB5066791, KB5066835) changed how Windows handles files downloaded from network shares. These files now receive a "Zone.Identifier" alternate data stream (Mark of the Web) that blocks preview functionality as a security measure.
**Symptoms:**
- PDF files cannot be previewed in Windows Explorer Preview Pane
- Files may show "This file came from another computer and might be blocked"
- Right-click → Properties shows "Unblock" button
- Preview works after manually unblocking individual files
**Affected Systems:**
- Windows 10 (with KB5066791 or KB5066835)
- Windows 11 (with KB5066791 or KB5066835)
- Files accessed from network shares (UNC paths)
---
## Solution Overview
This solution provides **three deployment methods**:
1. **PowerShell Script** - Immediate fix, run on individual or bulk computers
2. **Group Policy (GPO)** - Permanent solution, automatic deployment
3. **GuruRMM** - MSP deployment via RMM platform
All methods configure:
- ✅ Unblock existing PDF files (remove Zone.Identifier)
- ✅ Add Glaztech networks to trusted Intranet zone
- ✅ Disable SmartScreen for internal resources
- ✅ Enable PDF preview handlers
---
## Quick Start
### For IT Administrators (Recommended)
**Option 1: Deploy via GuruRMM** (Fastest for multiple computers)
```powershell
cd D:\ClaudeTools\clients\glaztech
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload generated script to GuruRMM dashboard
# Target: Glaztech Industries (Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)
```
**Option 2: Configure Group Policy** (Best for permanent fix)
- See: `GPO-Configuration-Guide.md`
- Creates automatic fix for all current and future computers
**Option 3: PowerShell Remoting** (Good for AD environments)
```powershell
$Computers = @("PC001", "PC002", "PC003")
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
```
### For End Users (Individual Computer)
1. Download: `Fix-PDFPreview-Glaztech.ps1`
2. Right-click → **Run with PowerShell**
3. Restart Windows Explorer when prompted
---
## Files Included
| File | Purpose |
|------|---------|
| `Fix-PDFPreview-Glaztech.ps1` | Main fix script - runs on individual computer |
| `Deploy-PDFFix-BulkRemote.ps1` | Bulk deployment script - runs on multiple computers remotely |
| `GPO-Configuration-Guide.md` | Group Policy configuration instructions |
| `README.md` | This file - overview and usage instructions |
---
## Detailed Usage
### Script 1: Fix-PDFPreview-Glaztech.ps1
**Purpose:** Fixes PDF preview on a single computer
**Basic Usage:**
```powershell
# Run with defaults (scans user folders, configures Glaztech network)
.\Fix-PDFPreview-Glaztech.ps1
```
**Advanced Usage:**
```powershell
# Specify additional file server paths
.\Fix-PDFPreview-Glaztech.ps1 -UnblockPaths "\\fileserver01\shared", "\\192.168.1.50\documents"
# Add specific file servers to trusted zone
.\Fix-PDFPreview-Glaztech.ps1 -ServerNames "fileserver01", "192.168.1.50", "glaztech-nas"
# Test mode (see what would change without making changes)
.\Fix-PDFPreview-Glaztech.ps1 -WhatIf
```
**What It Does:**
1. Scans Desktop, Downloads, Documents for PDFs
2. Removes Zone.Identifier stream from all PDFs found
3. Adds `glaztech.com` and `*.glaztech.com` to Intranet zone
4. Adds IP ranges `192.168.0.*` through `192.168.9.*` to Intranet zone
5. Adds specified servers (if provided) to Intranet zone
6. Enables PDF preview handlers in Windows Explorer
7. Disables SmartScreen for Intranet zone
8. Creates log file at `C:\Temp\Glaztech-PDF-Fix.log`
**Requirements:**
- Windows 10 or Windows 11
- PowerShell 5.1 or higher
- Administrator privileges
---
### Script 2: Deploy-PDFFix-BulkRemote.ps1
**Purpose:** Deploy fix to multiple computers remotely
**Method A: PowerShell Remoting**
```powershell
# Deploy to specific computers
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames "PC001","PC002","PC003"
# Deploy to computers from file
$Computers = Get-Content "computers.txt"
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
# Deploy to all computers in AD OU
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=glaztech,DC=com" | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
# With specific servers and paths
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers -ServerNames "fileserver01","192.168.1.50" -AdditionalPaths "\\fileserver01\shared"
```
**Method B: GuruRMM Deployment**
```powershell
# Generate GuruRMM script
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Output: GuruRMM-Glaztech-PDF-Fix.ps1
# Upload to GuruRMM dashboard as PowerShell task
# Target: Glaztech Industries (Site: SLC - Salt Lake City)
```
**Requirements:**
- PowerShell remoting enabled on target computers
- Administrator credentials (or current user must be admin on targets)
- Network connectivity to target computers
**Output:**
- Console output showing progress
- CSV file: `deployment-results-YYYYMMDD-HHMMSS.csv`
- Individual log files on each computer: `C:\Temp\Glaztech-PDF-Fix.log`
---
## Configuration Details
### Networks Automatically Trusted
The script automatically adds these to the Intranet security zone:
**Domains:**
- `glaztech.com`
- `*.glaztech.com`
**IP Ranges (All 10 Glaztech Sites):**
- `192.168.0.*` (Site 1)
- `192.168.1.*` (Site 2)
- `192.168.2.*` (Site 3)
- `192.168.3.*` (Site 4)
- `192.168.4.*` (Site 5)
- `192.168.5.*` (Site 6)
- `192.168.6.*` (Site 7)
- `192.168.7.*` (Site 8)
- `192.168.8.*` (Site 9)
- `192.168.9.*` (Site 10)
### Additional Servers (To Be Added)
**TODO:** Update script parameters when file server details are available:
```powershell
# Example - add these parameters when deploying:
$ServerNames = @(
"fileserver01",
"192.168.1.50",
"glaztech-nas01",
"glaztech-sharepoint"
)
.\Fix-PDFPreview-Glaztech.ps1 -ServerNames $ServerNames
```
**Waiting on user to provide:**
- File server hostnames
- File server IP addresses
- SharePoint URLs (if applicable)
- NAS device names (if applicable)
---
## Deployment Strategy
### Phase 1: Pilot Testing (1-5 Computers)
1. **Select test computers** representing different sites/configurations
2. **Run script manually** on test computers:
```powershell
.\Fix-PDFPreview-Glaztech.ps1 -WhatIf # Preview changes
.\Fix-PDFPreview-Glaztech.ps1 # Apply changes
```
3. **Verify PDF preview works** on network shares
4. **Check for side effects** (ensure other functionality not affected)
5. **Review logs:** `C:\Temp\Glaztech-PDF-Fix.log`
### Phase 2: Bulk Deployment (All Computers)
**Option A: GuruRMM (Recommended)**
```powershell
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload to GuruRMM
# Schedule during maintenance window
# Execute on all Glaztech computers
```
**Option B: PowerShell Remoting**
```powershell
# Get all computers from Active Directory
$AllComputers = Get-ADComputer -Filter {OperatingSystem -like "*Windows 10*" -or OperatingSystem -like "*Windows 11*"} -SearchBase "DC=glaztech,DC=com" | Select -ExpandProperty Name
# Deploy to all
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $AllComputers
# Or deploy by site
$Site1Computers = Get-ADComputer -Filter * -SearchBase "OU=Site1,OU=Computers,DC=glaztech,DC=com" | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Site1Computers
```
### Phase 3: Group Policy (Long-Term Solution)
1. **Follow:** `GPO-Configuration-Guide.md`
2. **Create GPO:** "Glaztech - PDF Preview Fix"
3. **Link to OUs:** All computer OUs
4. **Test on pilot group first**
5. **Roll out to all OUs**
**Benefits of GPO:**
- Automatic deployment to new computers
- Consistent configuration across all systems
- Centrally managed and auditable
- Persists across Windows updates
---
## Verification
After deployment, verify the fix on affected computers:
1. **Check log file:**
```powershell
Get-Content C:\Temp\Glaztech-PDF-Fix.log
```
2. **Test PDF preview:**
- Open File Explorer
- Navigate to network share with PDFs (e.g., `\\fileserver\documents`)
- Select a PDF file
- Enable Preview Pane (View → Preview Pane)
- PDF should display in preview
3. **Verify zone configuration:**
```powershell
# Check if glaztech.com is in Intranet zone
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com\glaztech"
# Check SmartScreen disabled for Intranet
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702"
# Should return 0 (disabled)
```
4. **Check for Zone.Identifier on PDFs:**
```powershell
# Pick a PDF file
$PDFFile = "C:\Users\username\Desktop\test.pdf"
# Check for Zone.Identifier
Get-Item $PDFFile -Stream Zone.Identifier -ErrorAction SilentlyContinue
# Should return nothing (file is unblocked)
```
---
## Troubleshooting
### Problem: Script execution blocked
**Error:** "Running scripts is disabled on this system"
**Solution:**
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```
### Problem: PDF preview still not working
**Possible Causes:**
1. Windows Explorer needs restart
```powershell
Stop-Process -Name explorer -Force
```
2. File server not in trusted zone
- Add server explicitly: `.\Fix-PDFPreview-Glaztech.ps1 -ServerNames "servername"`
3. PDF files still blocked
- Run script again to unblock new files
- Or manually unblock: `Unblock-File "\\server\share\file.pdf"`
4. PDF preview handler disabled
- Settings → Apps → Default apps → Choose default apps by file type
- Set `.pdf` to Adobe Acrobat or Microsoft Edge
### Problem: PowerShell remoting fails
**Error:** "WinRM cannot process the request"
**Solution:**
```powershell
# On target computer (or via GPO):
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
```
### Problem: GuruRMM deployment fails
**Possible Causes:**
1. Script blocked by execution policy
- Ensure GuruRMM task uses: `-ExecutionPolicy Bypass`
2. Insufficient permissions
- GuruRMM should run as SYSTEM or local administrator
3. Network timeout
- Increase GuruRMM task timeout setting
---
## Rollback
If issues occur after applying the fix:
1. **Remove Intranet zone sites manually:**
```powershell
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com\glaztech" -Recurse -Force
```
2. **Re-enable SmartScreen for Intranet:**
```powershell
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702" -Value 1
```
3. **Remove GPO (if deployed):**
- GPMC → Unlink or delete "Glaztech - PDF Preview Fix" GPO
- Force update: `gpupdate /force`
---
## Security Considerations
**What This Script Does:**
- ✅ Adds Glaztech internal networks to trusted zone (safe for internal resources)
- ✅ Disables SmartScreen for internal sites only (not Internet sites)
- ✅ Removes Zone.Identifier from files on trusted shares
- ✅ Does NOT disable Windows Defender or other security features
- ✅ Does NOT affect Internet security settings
**What Remains Protected:**
- Internet downloads still blocked by SmartScreen
- External sites not affected
- Windows Defender continues scanning files
- UAC prompts remain active
- Firewall rules unchanged
**Best Practices:**
- Only add trusted internal servers to Intranet zone
- Do NOT add external/Internet sites
- Review server list before deployment
- Monitor for unusual network activity
- Keep Windows Defender and antivirus enabled
---
## Support Information
**Client:** Glaztech Industries
**MSP:** AZ Computer Guru
**GuruRMM Client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9
**GuruRMM Site:** SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)
**GuruRMM API Key:** grmm_Qw64eawPBjnMdwN5UmDGWoPlqwvjM7lI
**Domain:** glaztech.com
**Network Ranges:** 192.168.0.0/24 through 192.168.9.0/24 (10 sites)
**Script Location:** `D:\ClaudeTools\clients\glaztech\`
**Created:** 2026-01-27
**Contact:**
- For urgent issues: Check GuruRMM ticket system
- For questions: AZ Computer Guru support
---
## Next Steps
1.**Pilot test** - Deploy to 1-5 test computers
2.**Get server details** - Request file server names/IPs from local IT
3.**Update script** - Add servers to script parameters
4.**Bulk deploy** - Use GuruRMM or PowerShell remoting
5.**Configure GPO** - Set up permanent solution
6.**Document** - Record which computers are fixed
**Waiting on:**
- File server hostnames/IPs from Glaztech IT
- SharePoint URLs (if applicable)
- NAS device names (if applicable)
- Specific folder paths where PDFs are commonly accessed
---
## References
- [KB5066791 - Windows Security Update](https://support.microsoft.com/kb/5066791)
- [KB5066835 - Windows Security Update](https://support.microsoft.com/kb/5066835)
- [Mark of the Web (MOTW) - Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/mark-of-the-web)
- [Security Zones - Microsoft Docs](https://docs.microsoft.com/en-us/troubleshoot/browsers/how-to-add-sites-to-the-local-intranet-zone)
---
**Last Updated:** 2026-01-27

14
clients/glaztech/computers-example.txt Normal file
View File

@@ -0,0 +1,14 @@
# Glaztech Computers - Example List
# Add one computer name per line
# Lines starting with # are ignored
# Site 1 - Example computers
GLAZ-PC001
GLAZ-PC002
GLAZ-PC003
# Site 2 - Example computers
GLAZ-PC101
GLAZ-PC102
# Add more computers below...