Enterprise Toolkit | Windows Registry Reference

Privileged (Protected Mode)

Sandboxing is a technique for creating a sandbox (confined execution environment) for running untrusted programs. In the context of Adobe Reader, the 'untrusted program' is any PDF and the processes it invokes. When Reader sandboxing is enabled, Reader assumes all PDFs are potentially malicious and confines any processing they invoke to the sandbox.

For additional security-related details, refer to the Application Security Guide.


This preference category contains the following subfeature(s):

Protected Mode

Protected Mode is one of Adobe Reader's advanced security features and should be enabled to protect user systems and data.

Summary table
bProtectedMode: Enables Protected Mode and thereby sandboxes Reader processes.
bUseWhitelistConfigFile: Allows the use of a policy whitelist to permit behavior that Protected Mode would otherwise prevent.
tBrokerLogfilePath: Specifies the path and log file name for the Protected Mode log.
tHostWhiteList: Specifies whether to show a dialog asking whether to navigate to a URL when Protected Mode is enabled.

bProtectedMode
Security hardening | Supported on Windows | Supported on Mac | Supported by Adobe Reader
Data type: boolean (DWORD value > REG_DWORD)
Default: 1
Version #: 10.0+
HKCU Path: Privileged
HKLM Path: HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockdown
Summary: Enables Protected Mode and thereby sandboxes Reader processes.
Details: Protected Mode should be enabled to protect user systems and data. Possible values include:
  • 0: Don't enable protected mode.
  • 1: Do enable protected mode.
GUI mapping: Preferences > Security (Enhanced) > Sandbox Protections > Enable Protected Mode at startup

tBrokerLogfilePath
Supported on Windows | Supported on Mac | Supported by Adobe Reader
Data type: text (String value > REG_SZ)
Default: null
Version #: 10.0+
HKCU Path: Privileged
HKLM Path: Not lockable
Summary: Specifies the path and log file name for the Protected Mode log.
Details: The value should be path + log filename. Logging is available for users who need to troubleshoot problems where a workflow or plugin does not work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.
  • Any valid path.
GUI mapping: Preferences > Security (Enhanced) > Sandbox Protections > Create Protected Mode log file

bUseWhitelistConfigFile
Security hardening | Supported on Windows | Supported on Mac | Supported by Adobe Reader
Data type: boolean (DWORD value > REG_DWORD)
Default: 0
Version #: 10.0+
HKLM Path: HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockdown
Summary: Allows the use of a policy whitelist to permit behavior that Protected Mode would otherwise prevent.
Details: This preference just toggles the ability of the application to read policy files. For additional security-related details, refer to the Application Security Guide.

tHostWhiteList
Supported on Windows | Supported by Adobe Reader
Data type: text (String value > REG_SZ)
Default: null
Version #: 11.0.03+
HKCU Path: Privileged
HKLM Path: HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockdown
Summary: Specifies whether to show a dialog asking whether to navigate to a URL when Protected Mode is enabled.
Details: For Reader on Windows only. The security dialog is bypassed when launching a URL whose hostname is present in tHostWhiteList when Reader Protected Mode is ON in these workflows: Acrobat.com Webview, authentication in Yahoo and Gmail webmail, and forms-based authentication for Office365 and SharePoint accounts. Possible values include:
  • A user-specified pipe-separated list of hosts such as adobe.com|acrobat.com|microsoft.com.
Note that with the Feb. 2018 release, a dialog appears that asks users whether or not they want to trust a domain that requires a login. Trusting a domain populates this preference with the host name.

AppContainer

Support for AppContainer is a beta feature, for Reader on Windows only, in the DC 2017 Continuous and Classic tracks. It is being rolled out over the spring of 2018. AppContainer requires that Reader's Protected Mode is enabled, and both are designed to be transparent to end users. Together these provide multiple layers of protection from malicious attacks that might try to access your system and data. Like Protected Mode, AppContainer has an HKCU preference as well as an HKLM preference which you can lock.

Summary table
bEnableProtectedModeAppContainer: Specifies whether to enable the AppContainer sandbox.

bEnableProtectedModeAppContainer
Security hardening | Supported on Windows | Supported by Adobe Reader
Data type: boolean (DWORD value > REG_DWORD)
Default: 0
Version #: Mar., 2018
HKCU Path: Privileged
HKLM Path: HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockdown
Summary: Specifies whether to enable the AppContainer sandbox.
Details: Possible values include:
  • 0: Disable Microsoft's AppContainer sandbox
  • 1: Enable Microsoft's AppContainer sandbox
GUI mapping: Preferences > Security (Enhanced) > Sandbox Protections > Run in AppContainer
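
The following PowerShell audit is an added example, not part of Adobe's documentation: it reads the FeatureLockdown values described above and reports settings that weaken or fail to lock the sandbox. The `ProductName` and `Version` parameters stand in for the page's `(product name)\(version)` placeholders, and the function name and finding text are this example's own.

```powershell
# Added example (not Adobe's code): audit the Protected Mode lockdown values.
# $ProductName / $Version fill the page's "(product name)\(version)" placeholders;
# supply the names used by your installation.
param(
    [Parameter(Mandatory)] [string] $ProductName,
    [Parameter(Mandatory)] [string] $Version
)

$key = "HKLM:\SOFTWARE\WOW6432Node\Policies\Adobe\$ProductName\$Version\FeatureLockdown"

function Get-LockdownValue([string] $Name) {
    # Returns $null when the key or value is absent, i.e. the preference is not locked.
    $item = Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$protectedMode = Get-LockdownValue 'bProtectedMode'
$useWhitelist  = Get-LockdownValue 'bUseWhitelistConfigFile'
$appContainer  = Get-LockdownValue 'bEnableProtectedModeAppContainer'
$hostWhiteList = Get-LockdownValue 'tHostWhiteList'

$findings = @()
if ($null -eq $protectedMode) {
    $findings += 'bProtectedMode is not set under FeatureLockdown, so it is not locked.'
} elseif ($protectedMode -ne 1) {
    $findings += 'bProtectedMode is locked to 0: Reader processes are not sandboxed.'
}
if ($useWhitelist -eq 1) {
    $findings += 'bUseWhitelistConfigFile is 1: policy files can allow behavior Protected Mode would prevent.'
}
if ($appContainer -eq 1 -and $null -ne $protectedMode -and $protectedMode -ne 1) {
    $findings += 'bEnableProtectedModeAppContainer is 1 but Protected Mode is off; AppContainer requires it.'
}

# tHostWhiteList is pipe-separated; each listed host bypasses the URL security dialog.
$trustedHosts = @()
if ($hostWhiteList) {
    $trustedHosts = @($hostWhiteList.Split('|') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

[pscustomobject]@{
    Key          = $key
    Findings     = $findings
    TrustedHosts = $trustedHosts
}
```

An empty `Findings` list means Protected Mode is locked on and the policy whitelist is not enabled; review `TrustedHosts` separately, since users can add entries by trusting a domain in the dialog.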

File migration

This preference is only used during an upgrade from 11.x products to DC products. The preference is used once by the application to determine whether or not the recent files list has been migrated.

Summary table
bOldRecentFilesMigrated: Indicates whether the recent files list has been migrated.

bOldRecentFilesMigrated
Not modifiable | Security hardening | Supported on Windows | Supported on Mac | Supported by Acrobat | Supported by Adobe Reader
Data type: boolean (DWORD value > REG_DWORD)
Default: 0
Version #: DC
HKCU Path: Privileged
HKLM Path: Not lockable
Summary: Indicates whether the recent files list has been migrated.
Details: Admins should not change the preference value.