9.3 KiB
Glaztech PDF Preview Fix - Group Policy Configuration
Issue: Windows 10/11 security updates (KB5066791, KB5066835) block PDF previews from network shares Solution: Configure Group Policy to trust Glaztech network resources Client: Glaztech Industries Domain: glaztech.com
Quick Start
Option 1: Run PowerShell script once on each computer (fastest for immediate fix) Option 2: Configure GPO for permanent solution (recommended for long-term)
GPO Configuration (Permanent Solution)
Policy 1: Add Sites to Local Intranet Zone
Purpose: Trust Glaztech internal network resources
-
Open Group Policy Management Console
- Run:
gpmc.msc - Navigate to:
Forest > Domains > glaztech.com > Group Policy Objects
- Run:
-
Create New GPO
- Right-click "Group Policy Objects" → New
- Name:
Glaztech - PDF Preview Fix - Description:
Fix PDF preview issues from network shares (KB5066791/KB5066835)
-
Edit GPO
- Right-click GPO → Edit
-
Configure Intranet Zone Sites
- Navigate to:
User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security - Double-click: Security Zones and Content Ratings
- Click: Import the current security zones and privacy settings
- Click: Modify Settings
- Navigate to:
-
Add Sites to Local Intranet Zone
- Click: Local intranet → Sites → Advanced
- Add these sites (one per line):
*.glaztech.com https://*.glaztech.com http://*.glaztech.com file://*.glaztech.com
-
Add IP Ranges (if servers use IPs)
- For each Glaztech site (192.168.0.* through 192.168.9.*):
https://192.168.0.* https://192.168.1.* https://192.168.2.* https://192.168.3.* https://192.168.4.* https://192.168.5.* https://192.168.6.* https://192.168.7.* https://192.168.8.* https://192.168.9.* file://192.168.0.* file://192.168.1.* (etc. for all 10 sites)
- For each Glaztech site (192.168.0.* through 192.168.9.*):
Policy 2: Disable SmartScreen for Intranet Zone
Purpose: Prevent SmartScreen from blocking trusted internal resources
-
Navigate to:
User Configuration > Administrative Templates > Windows Components > File Explorer -
Configure:
- Configure Windows Defender SmartScreen → Disabled (for Intranet zone only)
-
Alternative Registry-Based Setting:
- Navigate to:
User Configuration > Preferences > Windows Settings > Registry - Create new Registry Item:
- Action: Update
- Hive: HKEY_CURRENT_USER
- Key Path:
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 - Value Name:
2702 - Value Type: REG_DWORD
- Value Data:
0(Disable SmartScreen for Intranet)
- Navigate to:
Policy 3: Enable PDF Preview Handlers
Purpose: Ensure PDF preview is enabled in Windows Explorer
-
Navigate to:
User Configuration > Preferences > Windows Settings > Registry -
Create Registry Item:
- Action: Update
- Hive: HKEY_CURRENT_USER
- Key Path:
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced - Value Name:
ShowPreviewHandlers - Value Type: REG_DWORD
- Value Data:
1
Policy 4: Unblock Network Shares (Advanced)
Purpose: Automatically remove Zone.Identifier from files on network shares
Option A: Startup Script (runs at computer startup)
- Navigate to:
Computer Configuration > Policies > Windows Settings > Scripts > Startup - Add Script:
- Click: Add → Browse
- Copy
Fix-PDFPreview-Glaztech.ps1to:\\glaztech.com\SYSVOL\glaztech.com\scripts\ - Script Name:
Fix-PDFPreview-Glaztech.ps1 - Script Parameters: Leave blank (uses defaults)
Option B: Logon Script (runs at user logon)
- Navigate to:
User Configuration > Policies > Windows Settings > Scripts > Logon - Add Script: (same as above)
Option C: Scheduled Task via GPO
- Navigate to:
Computer Configuration > Preferences > Control Panel Settings > Scheduled Tasks - Create new Scheduled Task:
- Action: Create
- Name:
Glaztech PDF Preview Maintenance - Run as: NT AUTHORITY\SYSTEM or %LogonDomain%%LogonUser%
- Trigger: At log on (or daily)
- Action: Start a program
- Program:
powershell.exe - Arguments:
-ExecutionPolicy Bypass -File "\\glaztech.com\SYSVOL\glaztech.com\scripts\Fix-PDFPreview-Glaztech.ps1"
- Program:
Link GPO to OUs
-
In Group Policy Management:
- Right-click appropriate OU (e.g., "Computers" or "Workstations")
- Select: Link an Existing GPO
- Choose:
Glaztech - PDF Preview Fix
-
Verify Link:
- Ensure GPO is enabled (checkmark in "Link Enabled" column)
- Set appropriate link order (higher = applied later)
Testing GPO
-
Force GPO Update on Test Computer:
gpupdate /force -
Verify Applied Policies:
gpresult /H C:\Temp\gpresult.html # Open C:\Temp\gpresult.html in browser to review applied policies -
Check Registry Values:
# Check Intranet Zone configuration Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" # Check if preview handlers are enabled Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name ShowPreviewHandlers -
Test PDF Preview:
- Navigate to network share with PDFs
- Select a PDF file
- Check if preview appears in Preview Pane (View → Preview Pane)
Troubleshooting
PDF Preview Still Not Working
-
Check if GPO applied:
gpresult /r /scope:user -
Restart Windows Explorer:
Stop-Process -Name explorer -Force -
Check for blocked files manually:
Get-ChildItem "\\server\share" -Filter "*.pdf" -Recurse | ForEach-Object { if (Get-Item $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) { Unblock-File $_.FullName } }
GPO Not Applying
-
Check GPO replication:
dcdiag /test:replications -
Verify SYSVOL replication:
Get-SmbShare SYSVOL -
Check event logs:
- Event Viewer → Windows Logs → Application
- Look for Group Policy errors
SmartScreen Still Blocking
-
Manually disable SmartScreen for Intranet (temporary):
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702" -Value 0 -Type DWord -
Check Windows Defender settings:
- Settings → Update & Security → Windows Security → App & browser control
- Ensure SmartScreen isn't overriding zone settings
Rollback Plan
If issues occur after GPO deployment:
-
Disable GPO:
- GPMC → Right-click GPO → Link Enabled (uncheck)
-
Delete GPO (if needed):
- GPMC → Right-click GPO → Delete
-
Force refresh on clients:
gpupdate /force
Alternative: PowerShell Deployment (No GPO)
If GPO deployment is not feasible:
-
Deploy via GuruRMM:
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM # Upload generated script to GuruRMM dashboard -
Deploy via PowerShell Remoting:
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=glaztech,DC=com" | Select-Object -ExpandProperty Name .\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers -
Manual deployment:
- Copy script to network share
- Email link to users
- Instruct users to right-click → "Run with PowerShell"
When to Use Each Method
| Method | Use When | Pros | Cons |
|---|---|---|---|
| GPO | Large environment, permanent fix needed | Automatic, consistent, centrally managed | Requires AD infrastructure, slower rollout |
| GuruRMM | Quick deployment needed, mixed environment | Fast, flexible, good reporting | Requires GuruRMM access, manual execution |
| PowerShell Remoting | AD environment, immediate fix needed | Very fast, scriptable | Requires WinRM enabled, manual execution |
| Manual | Small number of computers, no remote access | Simple, no infrastructure needed | Time-consuming, inconsistent |
Additional Server Names/IPs
TODO: Update this list when user provides Glaztech file server details
# Add servers to script parameters:
$ServerNames = @(
# "fileserver01",
# "192.168.1.50",
# "glaztech-nas01",
# Add more as identified...
)
Update script on SYSVOL or re-run deployment after adding servers.
References
- Microsoft KB5066791 - Security update that changed file handling
- Microsoft KB5066835 - Related security update
- Mark of the Web (MOTW) - Zone.Identifier explanation
- Internet Explorer Security Zones
Last Updated: 2026-01-27 Contact: AZ Computer Guru MSP Client: Glaztech Industries (GuruRMM Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)