# Glaztech PDF Preview Fix
**Client:** Glaztech Industries
**Issue:** Windows 10/11 PDF preview failures after security updates
**Root Cause:** KB5066791 and KB5066835 security updates add Mark of the Web (MOTW) to files from network shares
**Impact:** Users cannot preview PDFs in Windows Explorer from network locations
---
## Problem Summary
Recent Windows security updates (KB5066791, KB5066835) changed how Windows handles files downloaded from network shares. These files now receive a "Zone.Identifier" alternate data stream (Mark of the Web) that blocks preview functionality as a security measure.
**Symptoms:**
- PDF files cannot be previewed in Windows Explorer Preview Pane
- Files may show "This file came from another computer and might be blocked"
- Right-click → Properties shows "Unblock" button
- Preview works after manually unblocking individual files
**Affected Systems:**
- Windows 10 (with KB5066791 or KB5066835)
- Windows 11 (with KB5066791 or KB5066835)
- Files accessed from network shares (UNC paths)
---
## Solution Overview
This solution provides **three deployment methods**:
1. **PowerShell Script** - Immediate fix, run on individual or bulk computers
2. **Group Policy (GPO)** - Permanent solution, automatic deployment
3. **GuruRMM** - MSP deployment via RMM platform
All methods configure:
- ✅ Unblock existing PDF files (remove Zone.Identifier)
- ✅ Add Glaztech networks to trusted Intranet zone
- ✅ Disable SmartScreen for internal resources
- ✅ Enable PDF preview handlers
---
## Quick Start
### For IT Administrators (Recommended)
**Option 1: Deploy via GuruRMM** (Fastest for multiple computers)
```powershell
cd D:\ClaudeTools\clients\glaztech
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload generated script to GuruRMM dashboard
# Target: Glaztech Industries (Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)
```
**Option 2: Configure Group Policy** (Best for permanent fix)
- See: `GPO-Configuration-Guide.md`
- Creates automatic fix for all current and future computers
**Option 3: PowerShell Remoting** (Good for AD environments)
```powershell
$Computers = @("PC001", "PC002", "PC003")
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
```
### For End Users (Individual Computer)
1. Download: `Fix-PDFPreview-Glaztech.ps1`
2. Right-click → **Run with PowerShell**
3. Restart Windows Explorer when prompted
---
## Files Included
| File | Purpose |
|------|---------|
| `Fix-PDFPreview-Glaztech.ps1` | Main fix script - runs on individual computer |
| `Deploy-PDFFix-BulkRemote.ps1` | Bulk deployment script - runs on multiple computers remotely |
| `GPO-Configuration-Guide.md` | Group Policy configuration instructions |
| `README.md` | This file - overview and usage instructions |
---
## Detailed Usage
### Script 1: Fix-PDFPreview-Glaztech.ps1
**Purpose:** Fixes PDF preview on a single computer
**Basic Usage:**
```powershell
# Run with defaults (scans user folders, configures Glaztech network)
.\Fix-PDFPreview-Glaztech.ps1
```
**Advanced Usage:**
```powershell
# Specify additional file server paths
.\Fix-PDFPreview-Glaztech.ps1 -UnblockPaths "\\fileserver01\shared", "\\192.168.1.50\documents"
# Add specific file servers to trusted zone
.\Fix-PDFPreview-Glaztech.ps1 -ServerNames "fileserver01", "192.168.1.50", "glaztech-nas"
# Test mode (see what would change without making changes)
.\Fix-PDFPreview-Glaztech.ps1 -WhatIf
```
**What It Does:**
1. Scans Desktop, Downloads, Documents for PDFs
2. Removes Zone.Identifier stream from all PDFs found
3. Adds `glaztech.com` and `*.glaztech.com` to Intranet zone
4. Adds IP ranges `192.168.0.*` through `192.168.9.*` to Intranet zone
5. Adds specified servers (if provided) to Intranet zone
6. Enables PDF preview handlers in Windows Explorer
7. Disables SmartScreen for Intranet zone
8. Creates log file at `C:\Temp\Glaztech-PDF-Fix.log`
**Requirements:**
- Windows 10 or Windows 11
- PowerShell 5.1 or higher
- Administrator privileges
---
### Script 2: Deploy-PDFFix-BulkRemote.ps1
**Purpose:** Deploy fix to multiple computers remotely
**Method A: PowerShell Remoting**
```powershell
# Deploy to specific computers
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames "PC001","PC002","PC003"
# Deploy to computers from file
$Computers = Get-Content "computers.txt"
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
# Deploy to all computers in AD OU
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=glaztech,DC=com" | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers
# With specific servers and paths
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers -ServerNames "fileserver01","192.168.1.50" -AdditionalPaths "\\fileserver01\shared"
```
**Method B: GuruRMM Deployment**
```powershell
# Generate GuruRMM script
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Output: GuruRMM-Glaztech-PDF-Fix.ps1
# Upload to GuruRMM dashboard as PowerShell task
# Target: Glaztech Industries (Site: SLC - Salt Lake City)
```
**Requirements:**
- PowerShell remoting enabled on target computers
- Administrator credentials (or current user must be admin on targets)
- Network connectivity to target computers
**Output:**
- Console output showing progress
- CSV file: `deployment-results-YYYYMMDD-HHMMSS.csv`
- Individual log files on each computer: `C:\Temp\Glaztech-PDF-Fix.log`
---
## Configuration Details
### Networks Automatically Trusted
The script automatically adds these to the Intranet security zone:
**Domains:**
- `glaztech.com`
- `*.glaztech.com`
**IP Ranges (All 10 Glaztech Sites):**
- `192.168.0.*` (Site 1)
- `192.168.1.*` (Site 2)
- `192.168.2.*` (Site 3)
- `192.168.3.*` (Site 4)
- `192.168.4.*` (Site 5)
- `192.168.5.*` (Site 6)
- `192.168.6.*` (Site 7)
- `192.168.7.*` (Site 8)
- `192.168.8.*` (Site 9)
- `192.168.9.*` (Site 10)
### Additional Servers (To Be Added)
**TODO:** Update script parameters when file server details are available:
```powershell
# Example - add these parameters when deploying:
$ServerNames = @(
"fileserver01",
"192.168.1.50",
"glaztech-nas01",
"glaztech-sharepoint"
)
.\Fix-PDFPreview-Glaztech.ps1 -ServerNames $ServerNames
```
**Waiting on user to provide:**
- File server hostnames
- File server IP addresses
- SharePoint URLs (if applicable)
- NAS device names (if applicable)
---
## Deployment Strategy
### Phase 1: Pilot Testing (1-5 Computers)
1. **Select test computers** representing different sites/configurations
2. **Run script manually** on test computers:
```powershell
.\Fix-PDFPreview-Glaztech.ps1 -WhatIf # Preview changes
.\Fix-PDFPreview-Glaztech.ps1 # Apply changes
```
3. **Verify PDF preview works** on network shares
4. **Check for side effects** (ensure other functionality not affected)
5. **Review logs:** `C:\Temp\Glaztech-PDF-Fix.log`
### Phase 2: Bulk Deployment (All Computers)
**Option A: GuruRMM (Recommended)**
```powershell
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload to GuruRMM
# Schedule during maintenance window
# Execute on all Glaztech computers
```
**Option B: PowerShell Remoting**
```powershell
# Get all computers from Active Directory
$AllComputers = Get-ADComputer -Filter {OperatingSystem -like "*Windows 10*" -or OperatingSystem -like "*Windows 11*"} -SearchBase "DC=glaztech,DC=com" | Select -ExpandProperty Name
# Deploy to all
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $AllComputers
# Or deploy by site
$Site1Computers = Get-ADComputer -Filter * -SearchBase "OU=Site1,OU=Computers,DC=glaztech,DC=com" | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Site1Computers
```
### Phase 3: Group Policy (Long-Term Solution)
1. **Follow:** `GPO-Configuration-Guide.md`
2. **Create GPO:** "Glaztech - PDF Preview Fix"
3. **Link to OUs:** All computer OUs
4. **Test on pilot group first**
5. **Roll out to all OUs**
**Benefits of GPO:**
- Automatic deployment to new computers
- Consistent configuration across all systems
- Centrally managed and auditable
- Persists across Windows updates
---
## Verification
After deployment, verify the fix on affected computers:
1. **Check log file:**
```powershell
Get-Content C:\Temp\Glaztech-PDF-Fix.log
```
2. **Test PDF preview:**
- Open File Explorer
- Navigate to network share with PDFs (e.g., `\\fileserver\documents`)
- Select a PDF file
- Enable Preview Pane (View → Preview Pane)
- PDF should display in preview
3. **Verify zone configuration:**
```powershell
# Check if glaztech.com is in Intranet zone
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com\glaztech"
# Check SmartScreen disabled for Intranet
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702"
# Should return 0 (disabled)
```
4. **Check for Zone.Identifier on PDFs:**
```powershell
# Pick a PDF file
$PDFFile = "C:\Users\username\Desktop\test.pdf"
# Check for Zone.Identifier
Get-Item $PDFFile -Stream Zone.Identifier -ErrorAction SilentlyContinue
# Should return nothing (file is unblocked)
```
---
## Troubleshooting
### Problem: Script execution blocked
**Error:** "Running scripts is disabled on this system"
**Solution:**
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```
### Problem: PDF preview still not working
**Possible Causes:**
1. Windows Explorer needs restart
```powershell
Stop-Process -Name explorer -Force
```
2. File server not in trusted zone
- Add server explicitly: `.\Fix-PDFPreview-Glaztech.ps1 -ServerNames "servername"`
3. PDF files still blocked
- Run script again to unblock new files
- Or manually unblock: `Unblock-File "\\server\share\file.pdf"`
4. PDF preview handler disabled
- Settings → Apps → Default apps → Choose default apps by file type
- Set `.pdf` to Adobe Acrobat or Microsoft Edge
### Problem: PowerShell remoting fails
**Error:** "WinRM cannot process the request"
**Solution:**
```powershell
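# On each target computer (or via GPO):
Enable-PSRemoting -Force
# On the admin workstation that opens the sessions, and only when targets are
# not domain-joined or are addressed by IP. List the specific targets (example
# names below); "*" would trust every host the workstation connects to.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "PC001,PC002,PC003" -Force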
```
### Problem: GuruRMM deployment fails
**Possible Causes:**
1. Script blocked by execution policy
- Ensure GuruRMM task uses: `-ExecutionPolicy Bypass`
2. Insufficient permissions
- GuruRMM should run as SYSTEM or local administrator
3. Network timeout
- Increase GuruRMM task timeout setting
---
## Rollback
If issues occur after applying the fix:
1. **Remove Intranet zone sites manually:**
```powershell
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com\glaztech" -Recurse -Force
```
2. **Re-enable SmartScreen for Intranet:**
```powershell
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702" -Value 1
```
3. **Remove GPO (if deployed):**
- GPMC → Unlink or delete "Glaztech - PDF Preview Fix" GPO
- Force update: `gpupdate /force`
---
## Security Considerations
**What This Script Does:**
- ✅ Adds Glaztech internal networks to trusted zone (safe for internal resources)
- ✅ Disables SmartScreen for internal sites only (not Internet sites)
- ✅ Removes Zone.Identifier from files on trusted shares
- ✅ Does NOT disable Windows Defender or other security features
- ✅ Does NOT affect Internet security settings
**What Remains Protected:**
- Internet downloads still blocked by SmartScreen
- External sites not affected
- Windows Defender continues scanning files
- UAC prompts remain active
- Firewall rules unchanged
**Best Practices:**
- Only add trusted internal servers to Intranet zone
- Do NOT add external/Internet sites
- Review server list before deployment
- Monitor for unusual network activity
- Keep Windows Defender and antivirus enabled
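
The sketch below is an added example, not part of the Glaztech scripts: it reads the Zone.Identifier stream on each PDF and reports the recorded zone and origin, so files that did not come from an internal host can be reviewed before anything is unblocked in bulk. `Get-MotwReport`, its parameters and the internal-host pattern are hypothetical; the share path is the sample path used earlier in this README.

```powershell
# Added example. Get-MotwReport and its parameters are hypothetical names,
# not part of the Glaztech scripts.
function Get-MotwReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        # Assumption: hosts under the README's domain count as internal.
        [string] $InternalHostPattern = '(^|\.)glaztech\.com$'
    )
    $zoneNames = @{ '0' = 'LocalMachine'; '1' = 'Intranet'; '2' = 'Trusted'
                    '3' = 'Internet';     '4' = 'Restricted' }

    Get-ChildItem -Path $Path -Filter *.pdf -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Zone.Identifier is INI-style text: [ZoneTransfer], ZoneId=, HostUrl=, ReferrerUrl=
            $lines = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if (-not $lines) { return }   # no Mark of the Web on this file

            $kv = @{}
            foreach ($line in $lines) {
                if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
            }

            # Prefer HostUrl (where the file came from), fall back to ReferrerUrl.
            $origin = if ($kv['HostUrl']) { $kv['HostUrl'] } else { $kv['ReferrerUrl'] }
            $uri = $null
            $originHost = ''
            if ($origin -and [Uri]::TryCreate($origin, [UriKind]::Absolute, [ref] $uri)) {
                $originHost = $uri.Host
            }

            $class = 'Unknown'   # no usable origin recorded in the stream
            if ($originHost -match $InternalHostPattern) { $class = 'Internal' } elseif ($originHost) { $class = 'External' }

            [pscustomobject]@{
                File   = $_.FullName
                Zone   = $zoneNames[[string]$kv['ZoneId']]
                Origin = $origin
                Class  = $class
            }
        }
}

# Review anything not clearly internal, then preview the unblock for the rest.
$report = Get-MotwReport -Path '\\fileserver01\shared'
$report | Where-Object Class -ne 'Internal' | Format-Table File, Zone, Origin
$report | Where-Object Class -eq 'Internal' |
    ForEach-Object { Unblock-File -LiteralPath $_.File -WhatIf }
```

Files classed `Unknown` carry a mark with no recorded URL; drop `-WhatIf` only after the report has been reviewed.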
---
## Support Information
**Client:** Glaztech Industries
**MSP:** AZ Computer Guru
**GuruRMM Client ID:** d857708c-5713-4ee5-a314-679f86d2f9f9
**GuruRMM Site:** SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de)
**GuruRMM API Key:** grmm_Qw64eawPBjnMdwN5UmDGWoPlqwvjM7lI
**Domain:** glaztech.com
**Network Ranges:** 192.168.0.0/24 through 192.168.9.0/24 (10 sites)
**Script Location:** `D:\ClaudeTools\clients\glaztech\`
**Created:** 2026-01-27
**Contact:**
- For urgent issues: Check GuruRMM ticket system
- For questions: AZ Computer Guru support
---
## Next Steps
1. **Pilot test** - Deploy to 1-5 test computers
2. **Get server details** - Request file server names/IPs from local IT
3. **Update script** - Add servers to script parameters
4. **Bulk deploy** - Use GuruRMM or PowerShell remoting
5. **Configure GPO** - Set up permanent solution
6. **Document** - Record which computers are fixed
**Waiting on:**
- File server hostnames/IPs from Glaztech IT
- SharePoint URLs (if applicable)
- NAS device names (if applicable)
- Specific folder paths where PDFs are commonly accessed
---
## References
- [KB5066791 - Windows Security Update](https://support.microsoft.com/kb/5066791)
- [KB5066835 - Windows Security Update](https://support.microsoft.com/kb/5066835)
- [Mark of the Web (MOTW) - Microsoft Docs](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/mark-of-the-web)
- [Security Zones - Microsoft Docs](https://docs.microsoft.com/en-us/troubleshoot/browsers/how-to-add-sites-to-the-local-intranet-zone)
---
**Last Updated:** 2026-01-27