Client: Glaztech Industries Issue: Windows 10/11 PDF preview failures after security updates Root Cause: KB5066791 and KB5066835 security updates add Mark of the Web (MOTW) to files from network shares Impact: Users cannot preview PDFs in Windows Explorer from network locations

Problem Summary

Recent Windows security updates (KB5066791, KB5066835) changed how Windows handles files downloaded from network shares. These files now receive a "Zone.Identifier" alternate data stream (Mark of the Web) that blocks preview functionality as a security measure.

Symptoms:

PDF files cannot be previewed in Windows Explorer Preview Pane
Files may show "This file came from another computer and might be blocked"
Right-click → Properties shows "Unblock" button
Preview works after manually unblocking individual files

Affected Systems:

Windows 10 (with KB5066791 or KB5066835)
Windows 11 (with KB5066791 or KB5066835)
Files accessed from network shares (UNC paths)

Solution Overview

This solution provides three deployment methods:

PowerShell Script - Immediate fix, run on individual or bulk computers
Group Policy (GPO) - Permanent solution, automatic deployment
GuruRMM - MSP deployment via RMM platform

All methods configure:

✅ Unblock existing PDF files (remove Zone.Identifier)
✅ Add Glaztech networks to trusted Intranet zone
✅ Disable SmartScreen for internal resources
✅ Enable PDF preview handlers

Quick Start

For IT Administrators (Recommended)

Option 1: Deploy via GuruRMM (Fastest for multiple computers)

cd D:\ClaudeTools\clients\glaztech
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload generated script to GuruRMM dashboard
# Target: Glaztech Industries (Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9)

Option 2: Configure Group Policy (Best for permanent fix)

See: GPO-Configuration-Guide.md
Creates automatic fix for all current and future computers

Option 3: PowerShell Remoting (Good for AD environments)

$Computers = @("PC001", "PC002", "PC003")
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers

For End Users (Individual Computer)

Download: Fix-PDFPreview-Glaztech.ps1
Right-click → Run with PowerShell
Restart Windows Explorer when prompted

Files Included

File	Purpose
`Fix-PDFPreview-Glaztech.ps1`	Main fix script - runs on individual computer
`Deploy-PDFFix-BulkRemote.ps1`	Bulk deployment script - runs on multiple computers remotely
`GPO-Configuration-Guide.md`	Group Policy configuration instructions
`README.md`	This file - overview and usage instructions

Detailed Usage

Script 1: Fix-PDFPreview-Glaztech.ps1

Purpose: Fixes PDF preview on a single computer

Basic Usage:

# Run with defaults (scans user folders, configures Glaztech network)
.\Fix-PDFPreview-Glaztech.ps1

Advanced Usage:

# Specify additional file server paths
.\Fix-PDFPreview-Glaztech.ps1 -UnblockPaths "\\fileserver01\shared", "\\192.168.1.50\documents"

# Add specific file servers to trusted zone
.\Fix-PDFPreview-Glaztech.ps1 -ServerNames "fileserver01", "192.168.1.50", "glaztech-nas"

# Test mode (see what would change without making changes)
.\Fix-PDFPreview-Glaztech.ps1 -WhatIf

What It Does:

Scans Desktop, Downloads, Documents for PDFs
Removes Zone.Identifier stream from all PDFs found
Adds glaztech.com and *.glaztech.com to Intranet zone
Adds IP ranges 192.168.0.* through 192.168.9.* to Intranet zone
Adds specified servers (if provided) to Intranet zone
Enables PDF preview handlers in Windows Explorer
Disables SmartScreen for Intranet zone
Creates log file at C:\Temp\Glaztech-PDF-Fix.log

Requirements:

Windows 10 or Windows 11
PowerShell 5.1 or higher
Administrator privileges

Script 2: Deploy-PDFFix-BulkRemote.ps1

Purpose: Deploy fix to multiple computers remotely

Method A: PowerShell Remoting

# Deploy to specific computers
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames "PC001","PC002","PC003"

# Deploy to computers from file
$Computers = Get-Content "computers.txt"
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers

# Deploy to all computers in AD OU
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=glaztech,DC=com" | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers

# With specific servers and paths
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Computers -ServerNames "fileserver01","192.168.1.50" -AdditionalPaths "\\fileserver01\shared"

Method B: GuruRMM Deployment

# Generate GuruRMM script
.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM

# Output: GuruRMM-Glaztech-PDF-Fix.ps1
# Upload to GuruRMM dashboard as PowerShell task
# Target: Glaztech Industries (Site: SLC - Salt Lake City)

Requirements:

PowerShell remoting enabled on target computers
Administrator credentials (or current user must be admin on targets)
Network connectivity to target computers

Output:

Console output showing progress
CSV file: deployment-results-YYYYMMDD-HHMMSS.csv
Individual log files on each computer: C:\Temp\Glaztech-PDF-Fix.log

Configuration Details

Networks Automatically Trusted

The script automatically adds these to the Intranet security zone:

Domains:

glaztech.com
*.glaztech.com

IP Ranges (All 10 Glaztech Sites):

192.168.0.* (Site 1)
192.168.1.* (Site 2)
192.168.2.* (Site 3)
192.168.3.* (Site 4)
192.168.4.* (Site 5)
192.168.5.* (Site 6)
192.168.6.* (Site 7)
192.168.7.* (Site 8)
192.168.8.* (Site 9)
192.168.9.* (Site 10)

Additional Servers (To Be Added)

TODO: Update script parameters when file server details are available:

# Example - add these parameters when deploying:
$ServerNames = @(
    "fileserver01",
    "192.168.1.50",
    "glaztech-nas01",
    "glaztech-sharepoint"
)

.\Fix-PDFPreview-Glaztech.ps1 -ServerNames $ServerNames

Waiting on user to provide:

File server hostnames
File server IP addresses
SharePoint URLs (if applicable)
NAS device names (if applicable)

Deployment Strategy

Phase 1: Pilot Testing (1-5 Computers)

Select test computers representing different sites/configurations

Run script manually on test computers:

.\Fix-PDFPreview-Glaztech.ps1 -WhatIf  # Preview changes
.\Fix-PDFPreview-Glaztech.ps1          # Apply changes

Verify PDF preview works on network shares
Check for side effects (ensure other functionality not affected)
Review logs: C:\Temp\Glaztech-PDF-Fix.log

Phase 2: Bulk Deployment (All Computers)

Option A: GuruRMM (Recommended)

.\Deploy-PDFFix-BulkRemote.ps1 -UseGuruRMM
# Upload to GuruRMM
# Schedule during maintenance window
# Execute on all Glaztech computers

Option B: PowerShell Remoting

# Get all computers from Active Directory
$AllComputers = Get-ADComputer -Filter {OperatingSystem -like "*Windows 10*" -or OperatingSystem -like "*Windows 11*"} -SearchBase "DC=glaztech,DC=com" | Select -ExpandProperty Name

# Deploy to all
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $AllComputers

# Or deploy by site
$Site1Computers = Get-ADComputer -Filter * -SearchBase "OU=Site1,OU=Computers,DC=glaztech,DC=com" | Select -ExpandProperty Name
.\Deploy-PDFFix-BulkRemote.ps1 -ComputerNames $Site1Computers

Phase 3: Group Policy (Long-Term Solution)

Follow: GPO-Configuration-Guide.md
Create GPO: "Glaztech - PDF Preview Fix"
Link to OUs: All computer OUs
Test on pilot group first
Roll out to all OUs

Benefits of GPO:

Automatic deployment to new computers
Consistent configuration across all systems
Centrally managed and auditable
Persists across Windows updates

Verification

After deployment, verify the fix on affected computers:

Check log file:

Get-Content C:\Temp\Glaztech-PDF-Fix.log

Test PDF preview:
- Open File Explorer
- Navigate to network share with PDFs (e.g., \\fileserver\documents)
- Select a PDF file
- Enable Preview Pane (View → Preview Pane)
- PDF should display in preview

Verify zone configuration:

# Check if glaztech.com is in Intranet zone
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com\glaztech"

# Check SmartScreen disabled for Intranet
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702"
# Should return 0 (disabled)

Check for Zone.Identifier on PDFs:

# Pick a PDF file
$PDFFile = "C:\Users\username\Desktop\test.pdf"

# Check for Zone.Identifier
Get-Item $PDFFile -Stream Zone.Identifier -ErrorAction SilentlyContinue
# Should return nothing (file is unblocked)

Troubleshooting

Problem: Script execution blocked

Error: "Running scripts is disabled on this system"

Solution:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Problem: PDF preview still not working

Possible Causes:

Windows Explorer needs restart
```
Stop-Process -Name explorer -Force
```
File server not in trusted zone
- Add server explicitly: .\Fix-PDFPreview-Glaztech.ps1 -ServerNames "servername"
PDF files still blocked
- Run script again to unblock new files
- Or manually unblock: Unblock-File "\\server\share\file.pdf"
PDF preview handler disabled
- Settings → Apps → Default apps → Choose default apps by file type
- Set .pdf to Adobe Acrobat or Microsoft Edge

Problem: PowerShell remoting fails

Error: "WinRM cannot process the request"

Solution:

# On target computer (or via GPO):
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

Problem: GuruRMM deployment fails

Possible Causes:

Script blocked by execution policy
- Ensure GuruRMM task uses: -ExecutionPolicy Bypass
Insufficient permissions
- GuruRMM should run as SYSTEM or local administrator
Network timeout
- Increase GuruRMM task timeout setting

Rollback

If issues occur after applying the fix:

Remove Intranet zone sites manually:

Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\com\glaztech" -Recurse -Force

Re-enable SmartScreen for Intranet:

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Name "2702" -Value 1

Remove GPO (if deployed):
- GPMC → Unlink or delete "Glaztech - PDF Preview Fix" GPO
- Force update: gpupdate /force

Security Considerations

What This Script Does:

✅ Adds Glaztech internal networks to trusted zone (safe for internal resources)
✅ Disables SmartScreen for internal sites only (not Internet sites)
✅ Removes Zone.Identifier from files on trusted shares
✅ Does NOT disable Windows Defender or other security features
✅ Does NOT affect Internet security settings

What Remains Protected:

Internet downloads still blocked by SmartScreen
External sites not affected
Windows Defender continues scanning files
UAC prompts remain active
Firewall rules unchanged

Best Practices:

Only add trusted internal servers to Intranet zone
Do NOT add external/Internet sites
Review server list before deployment
Monitor for unusual network activity
Keep Windows Defender and antivirus enabled

Support Information

Client: Glaztech Industries MSP: AZ Computer Guru GuruRMM Client ID: d857708c-5713-4ee5-a314-679f86d2f9f9 GuruRMM Site: SLC - Salt Lake City (Site ID: 290bd2ea-4af5-49c6-8863-c6d58c5a55de) GuruRMM API Key: grmm_Qw64eawPBjnMdwN5UmDGWoPlqwvjM7lI

Domain: glaztech.com Network Ranges: 192.168.0.0/24 through 192.168.9.0/24 (10 sites)

Script Location: D:\ClaudeTools\clients\glaztech\ Created: 2026-01-27

Contact:

For urgent issues: Check GuruRMM ticket system
For questions: AZ Computer Guru support

Next Steps

✅ Pilot test - Deploy to 1-5 test computers
⏳ Get server details - Request file server names/IPs from local IT
⏳ Update script - Add servers to script parameters
⏳ Bulk deploy - Use GuruRMM or PowerShell remoting
⏳ Configure GPO - Set up permanent solution
⏳ Document - Record which computers are fixed

Waiting on:

File server hostnames/IPs from Glaztech IT
SharePoint URLs (if applicable)
NAS device names (if applicable)
Specific folder paths where PDFs are commonly accessed

References

Last Updated: 2026-01-27