# Glaztech PDF Preview Fix - Group Policy Configuration

**Issue:** Windows 10/11 security updates (KB5066791, KB5066835) block PDF previews from network shares
**Solution:** Configure Group Policy to trust Glaztech network resources
**Client:** Glaztech Industries
**Domain:** glaztech.com

---

## Quick Start

**Option 1:** Run PowerShell script once on each computer (fastest for immediate fix)
**Option 2:** Configure GPO for permanent solution (recommended for long-term)

---

## GPO Configuration (Permanent Solution)

### Policy 1: Add Sites to Local Intranet Zone

**Purpose:** Trust Glaztech internal network resources

1. **Open Group Policy Management Console**
   - Run: `gpmc.msc`
   - Navigate to: `Forest > Domains > glaztech.com > Group Policy Objects`

2. **Create New GPO**
   - Right-click "Group Policy Objects" → New
   - Name: `Glaztech - PDF Preview Fix`
   - Description: `Fix PDF preview issues from network shares (KB5066791/KB5066835)`

3. **Edit GPO**
   - Right-click GPO → Edit

4. **Configure Intranet Zone Sites**
   - Navigate to: `User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security`
   - Double-click: **Security Zones and Content Ratings**
   - Click: **Import the current security zones and privacy settings**
   - Click: **Modify Settings**

5. **Add Sites to Local Intranet Zone**
   - Click: **Local intranet** → **Sites** → **Advanced**
   - Add these sites (one per line):
   ```
   *.glaztech.com
   https://*.glaztech.com
   http://*.glaztech.com
   file://*.glaztech.com
   ```

6. **Add IP Ranges** (if servers use IPs)
   - For each Glaztech site (192.168.0.* through 192.168.9.*):
   ```
   https://192.168.0.*
   https://192.168.1.*
   https://192.168.2.*
   https://192.168.3.*
   https://192.168.4.*
   https://192.168.5.*
   https://192.168.6.*
   https://192.168.7.*
   https://192.168.8.*
   https://192.168.9.*
   file://192.168.0.*
   file://192.168.1.*
   (etc. for all 10 sites)
   ```

### Policy 2: Disable SmartScreen for Intranet Zone

**Purpose:** Prevent SmartScreen from blocking trusted internal resources

1. **Navigate to:** `User Configuration > Administrative Templates > Windows Components > File Explorer`

2. **Configure:**
   - **Configure Windows Defender SmartScreen** → **Disabled** (for Intranet zone only)

3. **Alternative Registry-Based Setting:**
   - Navigate to: `User Configuration > Preferences > Windows Settings > Registry`
   - Create new Registry Item:
     - Action: **Update**
     - Hive: **HKEY_CURRENT_USER**
     - Key Path: `Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1`
     - Value Name: `2702`
     - Value Type: **REG_DWORD**
     - Value Data: `0` (Disable SmartScreen for Intranet)

### Policy 3: Enable PDF Preview Handlers

**Purpose:** Ensure PDF preview is enabled in Windows Explorer

1. **Navigate to:** `User Configuration > Preferences > Windows Settings > Registry`

2. **Create Registry Item:**
   - Action: **Update**
   - Hive: **HKEY_CURRENT_USER**
   - Key Path: `Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`
   - Value Name: `ShowPreviewHandlers`
   - Value Type: **REG_DWORD**
   - Value Data: `1`

### Policy 4: Unblock Network Shares (Advanced)

**Purpose:** Automatically remove Zone.Identifier from files on network shares

**Option A: Startup Script (runs at computer startup)**

1. **Navigate to:** `Computer Configuration > Policies > Windows Settings > Scripts > Startup`

2. **Add Script:**
   - Click: **Add** → **Browse**
   - Copy `Fix-PDFPreview-Glaztech.ps1` to: `\\glaztech.com\SYSVOL\glaztech.com\scripts\`
   - Script Name: `Fix-PDFPreview-Glaztech.ps1`
   - Script Parameters: Leave blank (uses defaults)

**Option B: Logon Script (runs at user logon)**

1. **Navigate to:** `User Configuration > Policies > Windows Settings > Scripts > Logon`

2. **Add Script:** (same as above)

**Option C: Scheduled Task via GPO**

1. **Navigate to:** `Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks`

2. **Create new Scheduled Task:**
   - Action: **Create**
   - Name: `Glaztech PDF Preview Maintenance`
   - Run as: **NT AUTHORITY\SYSTEM** or **%LogonDomain%\%LogonUser%**
   - Trigger: **At log on** (or daily)
   - Action: Start a program
     - Program: `powershell.exe`
     - Arguments: `-ExecutionPolicy Bypass -File "\\glaztech.com\SYSVOL\glaztech.com\scripts\Fix-PDFPreview-Glaztech.ps1"`

---

## Link GPO to OUs

1. **In Group Policy Management:**
   - Right-click appropriate OU (e.g., "Computers" or "Workstations")
   - Select: **Link an Existing GPO**
   - Choose: `Glaztech - PDF Preview Fix`

2. **Verify Link:**
   - Ensure GPO is enabled (checkmark in "Link Enabled" column)
   - Set appropriate link order (higher = applied later)

---

## Testing GPO

1. **Force GPO Update on Test Computer:**
   ```powershell
   gpupdate /force
   ```

2. **Verify Applied Policies:**
   ```powershell
   gpresult /H C:\Temp\gpresult.html
   # Open C:\Temp\gpresult.html in browser to review applied policies
   ```

3. **Check Registry Values:**
   ```powershell
   # Check Intranet Zone configuration
   Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"

   # Check if preview handlers are enabled
   Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name ShowPreviewHandlers
   ```

4. **Test PDF Preview:**
   - Navigate to network share with PDFs
   - Select a PDF file
   - Check if preview appears in Preview Pane (View → Preview Pane)

---

## Troubleshooting

### PDF Preview Still Not Working

1. **Check if GPO applied:**
   ```powershell
   gpresult /r /scope:user
   ```

2. **Restart Windows Explorer:**
   ```powershell
   Stop-Process -Name explorer -Force
   ```

3. **Check for blocked files manually:**
   ```powershell
   Get-ChildItem "\\server\share" -Filter "*.pdf" -Recurse | ForEach-Object {
       if (Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
           Unblock-File $_.FullName
       }
   }
   ```

### GPO Not Applying

1. **Check GPO replication:**
   ```powershell
   dcdiag /test:replications
   ```

2. **Verify SYSVOL replication:**
   ```powershell
   Get-SmbShare SYSVOL
   ```

3. **Check event logs:**
   - Event Viewer → Windows Logs → Application
   - Look for Group Policy errors

### SmartScreen Still Blocking

1. **Manually disable SmartScreen for Intranet (temporary):**
   ```powershell
   Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702" -Value 0 -Type DWord
   ```

2. **Check Windows Defender settings:**
   - Settings → Update & Security → Windows Security → App & browser control
   - Ensure SmartScreen isn't overriding zone settings

---

## Rollback Plan

If issues occur after GPO deployment:

1. **Disable GPO:**
   - GPMC → Right-click GPO → **Link Enabled** (uncheck)

2. **Delete GPO (if needed):**
   - GPMC → Right-click GPO → **Delete**

3. **Force refresh on clients:**
   ```powershell
   gpupdate /force
   ```

---

## Alternative: PowerShell Deployment (No GPO)

If GPO deployment is not feasible:

1. **Deploy via GuruRMM:**
   ```powershell
   .\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
   # Upload generated script to GuruRMM dashboard
   ```

2. **Deploy via PowerShell Remoting:**
   ```powershell
   $Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=glaztech,DC=com" | Select-Object -ExpandProperty Name
   .\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
   ```

3. **Manual deployment:**
   - Copy script to network share
   - Email link to users
   - Instruct users to right-click → "Run with PowerShell"

---

## When to Use Each Method

| Method | Use When | Pros | Cons |
|--------|----------|------|------|
| **GPO** | Large environment, permanent fix needed | Automatic, consistent, centrally managed | Requires AD infrastructure, slower rollout |
| **GuruRMM** | Quick deployment needed, mixed environment | Fast, flexible, good reporting | Requires GuruRMM access, manual execution |
| **PowerShell Remoting** | AD environment, immediate fix needed | Very fast, scriptable | Requires WinRM enabled, manual execution |
| **Manual** | Small number of computers, no remote access | Simple, no infrastructure needed | Time-consuming, inconsistent |

---

## Additional Server Names/IPs

**TODO:** Update this list when user provides Glaztech file server details

```powershell
# Add servers to script parameters:
$ServerNames = @(
    # "fileserver01",
    # "192.168.1.50",
    # "glaztech-nas01",
    # Add more as identified...
)
```

Update script on SYSVOL or re-run deployment after adding servers.

---

## References

- [Microsoft KB5066791](https://support.microsoft.com/kb/5066791) - Security update that changed file handling
- [Microsoft KB5066835](https://support.microsoft.com/kb/5066835) - Related security update
- [Mark of the Web (MOTW)](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/mark-of-the-web) - Zone.Identifier explanation
- [Internet Explorer Security Zones](https://docs.microsoft.com/en-us/troubleshoot/browsers/how-to-add-sites-to-the-local-intranet-zone)

---

**Last Updated:** 2026-01-27
**Contact:** AZ Computer Guru MSP
**Client:** Glaztech Industries (GuruRMM Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)
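
Added example (not part of the original runbook or of `Fix-PDFPreview-Glaztech.ps1`): Policy 4 and the "Check for blocked files manually" snippet strip `Zone.Identifier` from every PDF they find, so this inventories which PDFs carry Mark of the Web and from which zone, letting the list be reviewed and the unblock dry-run first. The function name `Get-PdfZoneReport` and the temp-folder sample file are assumptions made for illustration.

```powershell
# Hypothetical helper (added example): report Mark-of-the-Web on PDFs under a path.
function Get-PdfZoneReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path   # folder or share to scan, e.g. \\server\share
    )
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
    Get-ChildItem -LiteralPath $Path -Filter '*.pdf' -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # The stream is INI-style text: [ZoneTransfer], ZoneId=, optionally HostUrl= / ReferrerUrl=
        $lines = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $lines) { return }            # no MOTW on this file, skip it
        $kv = @{}
        foreach ($line in $lines) {
            if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
        }
        # Tolerate a missing or malformed ZoneId instead of throwing mid-scan
        $zoneId = if ($kv['ZoneId'] -match '^\d+$') { [int]$kv['ZoneId'] } else { $null }
        [pscustomobject]@{
            File     = $_.FullName
            ZoneId   = $zoneId
            Zone     = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
            HostUrl  = $kv['HostUrl']
            Modified = $_.LastWriteTime
        }
    }
}

# Constructed sample so the example runs offline (needs an NTFS volume for the stream).
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$pdf = Join-Path $demo 'sample.pdf'
Set-Content -LiteralPath $pdf -Value '%PDF-1.4 constructed placeholder'
Set-Content -LiteralPath $pdf -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

$report = Get-PdfZoneReport -Path $demo
$report | Format-Table File, Zone, HostUrl

# Dry run: lists what would be unblocked. Remove -WhatIf once the list is what you expect.
$report | ForEach-Object { Unblock-File -LiteralPath $_.File -WhatIf }
```

Exporting `$report` with `Export-Csv` before the real unblock keeps a record of which files had their zone marking removed.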