Enterprise Toolkit > Windows Registry Reference

Privileged (Protected Mode)

For application developers, sandboxing is a technique for creating a sandbox (confined execution environment) for running untrusted programs. In the context of Adobe Reader, the 'untrusted program' is any PDF and the processes it invokes. When Reader sandboxing is enabled, Reader assumes all PDFs are potentially malicious and confines any processing they invoke to the sandbox.

For more information, refer to the Application Security Guide. . Resources include the Application Security Guide, FAQ, and Protected Mode whitepaper.


This preference category contains the following subfeature(s):

Protected Mode

Protected Mode is one of the Adobe Reader's most advanced security features and should be enabled to protect user systems and data.

Summary table
bProtectedMode Enables Protected Mode and thereby sandboxes Reader processes.
bUseWhitelistConfigFile Allows the user of policy whitelist to allow behavior that Protected Mode would otherwise prevent.
tBrokerLogfilePath Specifies the path and log file name for the Protected Mode log.
tHostWhiteList Specifies whether to show an dialog asking whether to navigate to an URL when Protected Mode is enabled.
Security hardeningSupported on WindowsSupported on MacSupported by Adobe Reader
Data type boolean: DWORD value > REG_DWORD
Default 1
Version # 10.0 and later
Path Privileged
Lock Path HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown
Summary Enables Protected Mode and thereby sandboxes Reader processes.
Details Protected Mode is one of the application's most advanced security features and should be enabled to protect user systems and data. Possible values include:
  • 0: Don't enable protected mode.
  • 1: Do enable protected mode.
GUI mapping Edit > Preferences > General > Enable Protected Mode at startup
Supported on WindowsSupported on MacSupported by Adobe Reader
Data type text: String value > REG_SZ
Default null
Version # 10.0 and later
Path Privileged
Summary Specifies the path and log file name for the Protected Mode log.
Details The value should be path + log filename. Logging is available for users who need to troubleshoot problems where a workflow or plugin does not work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.
  • Any valid path.
GUI mapping Edit > Preferences > General > Create Protected Mode log file
Security hardeningSupported on WindowsSupported on MacSupported by Adobe Reader
Data type boolean: DWORD value > REG_DWORD
Default 0
Version # 10.0 and later
Lock Path HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown
Summary Allows the user of policy whitelist to allow behavior that Protected Mode would otherwise prevent.
Details This preference just toggles the ability of the application to read policy files. For more information, refer to the Application Security Guide.
Supported on WindowsSupported by Adobe Reader
Data type
Default
Version # 11.0.03 and later
Path Privileged
Lock Path HKLM\SOFTWARE\Policies\Adobe\(product name)\(version)\FeatureLockdown
Summary Specifies whether to show an dialog asking whether to navigate to an URL when Protected Mode is enabled.
Details The security dialog is bypassed when launching an URL whose hostname present in tHostWhiteList when Reader Protected Mode is ON in these workflows: Acrobat.com Webview, authentication in Yahoo and Gmail webmail, and forms-based authentication for Office365 and SharePoint accounts. Possible values include:
  • A user-specified pipe-separated list of hosts such as adobe.com|acrobat.com|microsoft.com.