azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
claudetools/clients/glaztech/GPO-Configuration-Guide.md

310 lines
9.3 KiB
Markdown
Raw Permalink Blame History

# Glaztech PDF Preview Fix - Group Policy Configuration
**Issue:** Windows 10/11 security updates (KB5066791, KB5066835) block PDF previews from network shares
**Solution:** Configure Group Policy to trust Glaztech network resources
**Client:** Glaztech Industries
**Domain:** glaztech.com
---
## Quick Start
**Option 1:** Run PowerShell script once on each computer (fastest for immediate fix)
**Option 2:** Configure GPO for permanent solution (recommended for long-term)
---
## GPO Configuration (Permanent Solution)
### Policy 1: Add Sites to Local Intranet Zone
**Purpose:** Trust Glaztech internal network resources
1. **Open Group Policy Management Console**
- Run: `gpmc.msc`
- Navigate to: `Forest > Domains > glaztech.com > Group Policy Objects`
2. **Create New GPO**
- Right-click "Group Policy Objects" → New
- Name: `Glaztech - PDF Preview Fix`
- Description: `Fix PDF preview issues from network shares (KB5066791/KB5066835)`
3. **Edit GPO**
- Right-click GPO → Edit
4. **Configure Intranet Zone Sites**
- Navigate to: `User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security`
- Double-click: **Security Zones and Content Ratings**
- Click: **Import the current security zones and privacy settings**
- Click: **Modify Settings**
5. **Add Sites to Local Intranet Zone**
- Click: **Local intranet****Sites****Advanced**
- Add these sites (one per line):
```
*.glaztech.com
https://*.glaztech.com
http://*.glaztech.com
file://*.glaztech.com
```
6. **Add IP Ranges** (if servers use IPs)
- For each Glaztech site (192.168.0.* through 192.168.9.*):
```
https://192.168.0.*
https://192.168.1.*
https://192.168.2.*
https://192.168.3.*
https://192.168.4.*
https://192.168.5.*
https://192.168.6.*
https://192.168.7.*
https://192.168.8.*
https://192.168.9.*
file://192.168.0.*
file://192.168.1.*
(etc. for all 10 sites)
```
### Policy 2: Disable SmartScreen for Intranet Zone
**Purpose:** Prevent SmartScreen from blocking trusted internal resources
1. **Navigate to:** `User Configuration > Administrative Templates > Windows Components > File Explorer`
2. **Configure:**
- **Configure Windows Defender SmartScreen** → **Disabled** (for Intranet zone only)
3. **Alternative Registry-Based Setting:**
- Navigate to: `User Configuration > Preferences > Windows Settings > Registry`
- Create new Registry Item:
- Action: **Update**
- Hive: **HKEY_CURRENT_USER**
- Key Path: `Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1`
- Value Name: `2702`
- Value Type: **REG_DWORD**
- Value Data: `0` (Disable SmartScreen for Intranet)
### Policy 3: Enable PDF Preview Handlers
**Purpose:** Ensure PDF preview is enabled in Windows Explorer
1. **Navigate to:** `User Configuration > Preferences > Windows Settings > Registry`
2. **Create Registry Item:**
- Action: **Update**
- Hive: **HKEY_CURRENT_USER**
- Key Path: `Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`
- Value Name: `ShowPreviewHandlers`
- Value Type: **REG_DWORD**
- Value Data: `1`
### Policy 4: Unblock Network Shares (Advanced)
**Purpose:** Automatically remove Zone.Identifier from files on network shares
**Option A: Startup Script (runs at computer startup)**
1. **Navigate to:** `Computer Configuration > Policies > Windows Settings > Scripts > Startup`
2. **Add Script:**
- Click: **Add** → **Browse**
- Copy `Fix-PDFPreview-Glaztech.ps1` to: `\\glaztech.com\SYSVOL\glaztech.com\scripts\`
- Script Name: `Fix-PDFPreview-Glaztech.ps1`
- Script Parameters: Leave blank (uses defaults)
**Option B: Logon Script (runs at user logon)**
1. **Navigate to:** `User Configuration > Policies > Windows Settings > Scripts > Logon`
2. **Add Script:** (same as above)
**Option C: Scheduled Task via GPO**
1. **Navigate to:** `Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks`
2. **Create new Scheduled Task:**
- Action: **Create**
- Name: `Glaztech PDF Preview Maintenance`
- Run as: **NT AUTHORITY\SYSTEM** or **%LogonDomain%\%LogonUser%**
- Trigger: **At log on** (or daily)
- Action: Start a program
- Program: `powershell.exe`
- Arguments: `-ExecutionPolicy Bypass -File "\\glaztech.com\SYSVOL\glaztech.com\scripts\Fix-PDFPreview-Glaztech.ps1"`
---
## Link GPO to OUs
1. **In Group Policy Management:**
- Right-click appropriate OU (e.g., "Computers" or "Workstations")
- Select: **Link an Existing GPO**
- Choose: `Glaztech - PDF Preview Fix`
2. **Verify Link:**
- Ensure GPO is enabled (checkmark in "Link Enabled" column)
- Set appropriate link order (higher = applied later)
---
## Testing GPO
1. **Force GPO Update on Test Computer:**
```powershell
gpupdate /force
```
2. **Verify Applied Policies:**
```powershell
gpresult /H C:\Temp\gpresult.html
# Open C:\Temp\gpresult.html in browser to review applied policies
```
3. **Check Registry Values:**
```powershell
# Check Intranet Zone configuration
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
# Check if preview handlers are enabled
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name ShowPreviewHandlers
```
4. **Test PDF Preview:**
- Navigate to network share with PDFs
- Select a PDF file
- Check if preview appears in Preview Pane (View → Preview Pane)
---
## Troubleshooting
### PDF Preview Still Not Working
1. **Check if GPO applied:**
```powershell
gpresult /r /scope:user
```
2. **Restart Windows Explorer:**
```powershell
Stop-Process -Name explorer -Force
```
3. **Check for blocked files manually:**
```powershell
Get-ChildItem "\\server\share" -Filter "*.pdf" -Recurse |
ForEach-Object {
if (Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
Unblock-File $_.FullName
}
}
```
### GPO Not Applying
1. **Check GPO replication:**
```powershell
dcdiag /test:replications
```
2. **Verify SYSVOL replication:**
```powershell
Get-SmbShare SYSVOL
```
3. **Check event logs:**
- Event Viewer → Windows Logs → Application
- Look for Group Policy errors
### SmartScreen Still Blocking
1. **Manually disable SmartScreen for Intranet (temporary):**
```powershell
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702" -Value 0 -Type DWord
```
2. **Check Windows Defender settings:**
- Settings → Update & Security → Windows Security → App & browser control
- Ensure SmartScreen isn't overriding zone settings
---
## Rollback Plan
If issues occur after GPO deployment:
1. **Disable GPO:**
- GPMC → Right-click GPO → **Link Enabled** (uncheck)
2. **Delete GPO (if needed):**
- GPMC → Right-click GPO → **Delete**
3. **Force refresh on clients:**
```powershell
gpupdate /force
```
---
## Alternative: PowerShell Deployment (No GPO)
If GPO deployment is not feasible:
1. **Deploy via GuruRMM:**
```powershell
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload generated script to GuruRMM dashboard
```
2. **Deploy via PowerShell Remoting:**
```powershell
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=glaztech,DC=com" | Select-Object -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
```
3. **Manual deployment:**
- Copy script to network share
- Email link to users
- Instruct users to right-click → "Run with PowerShell"
---
## When to Use Each Method
| Method | Use When | Pros | Cons |
|--------|----------|------|------|
| **GPO** | Large environment, permanent fix needed | Automatic, consistent, centrally managed | Requires AD infrastructure, slower rollout |
| **GuruRMM** | Quick deployment needed, mixed environment | Fast, flexible, good reporting | Requires GuruRMM access, manual execution |
| **PowerShell Remoting** | AD environment, immediate fix needed | Very fast, scriptable | Requires WinRM enabled, manual execution |
| **Manual** | Small number of computers, no remote access | Simple, no infrastructure needed | Time-consuming, inconsistent |
---
## Additional Server Names/IPs
**TODO:** Update this list when user provides Glaztech file server details
```powershell
# Add servers to script parameters:
$ServerNames = @(
# "fileserver01",
# "192.168.1.50",
# "glaztech-nas01",
# Add more as identified...
)
```
Update script on SYSVOL or re-run deployment after adding servers.
---
## References
- [Microsoft KB5066791](https://support.microsoft.com/kb/5066791) - Security update that changed file handling
- [Microsoft KB5066835](https://support.microsoft.com/kb/5066835) - Related security update
- [Mark of the Web (MOTW)](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/mark-of-the-web) - Zone.Identifier explanation
- [Internet Explorer Security Zones](https://docs.microsoft.com/en-us/troubleshoot/browsers/how-to-add-sites-to-the-local-intranet-zone)
---
**Last Updated:** 2026-01-27
**Contact:** AZ Computer Guru MSP
**Client:** Glaztech Industries (GuruRMM Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)
Reference in New Issue View Git Blame Copy Permalink