Deploying Adobe Reader Via Group Policy

Posted on December 21, 2015 by Dan Brust — 2 Comments

Today we’re going to dive into something that admins have been doing for years: deploying Adobe Reader via Group Policy. You would be hard-pressed to find a company that doesn’t use PDFs, and while options for viewing and editing PDFs have greatly increased, the official Adobe Reader application remains the go-to PDF viewer for most companies.

Unfortunately, Adobe Reader is prone to high-risk security vulnerabilities. To help mitigate the risk of using Reader, one must be sure to keep the application up-to-date. Group Policy allows us to not only deploy the application, but also to push out new versions as they are released. Working out how, exactly, to accomplish that can take a bit of work, but this tutorial should help to clear things up.

The focus of this tutorial will mostly be on how to acquire and prepare Adobe Reader for distribution, and will assume you have some experience with using Group Policy Objects.

The steps I outline here will also work for distributing Reader via WSUS Package Publisher. I won’t go over that tool in this tutorial, but the files you end up with should work for that purpose.

Acquiring a Distributable Version of Reader

The first thing we need to do is apply for a license to distribute Adobe Reader. I’ll be deploying Adobe Reader DC on Windows machines, but these directions should be easily adaptable to other versions, whether older or newer.

• Head over to the Adobe Reader Volume Distribution page.
• Click the “Apply now” button under the “Apply for a desktop license” area.
• Login using your Adobe ID, or create an account if you don’t have one.
• Fill out the form appropriately, then submit it.
• You’ll soon receive an email with a link to the download site for Adobe Reader. Follow the link, fill out the form specifying the version you need, then download the .exe file.

Extracting an MSI File

The file we’ve downloaded won’t work for distribution via Group Policy, at least not straight out of the box. We first need to extract the MSI installer from the file.

• Setup a working directory. I recommend “C:\Adobe\”.
• Place the installer in that directory.
• Open a Command Prompt and type the command below. Be sure to use the appropriate file path and file name, as they are likely to be different, and wrap the path and name in quotes.
  “c:\adobe\AcroRdrDC1500920069_en_US.exe” -nos_ne
• This will start up the installer, run through the extraction of the files we need, then quit the installer before installing anything.
• Head to “C:\ProgramData\Adobe\Setup\” and you’ll see at least one folder. The files we need will be in the folder with the most recent modification date.
• Copy all of the files you see there to a subdirectory in your working directory; I’ll be using “C:\Adobe\extracted\”.
• You should end up with the files you see below. The version I’m working with for this tutorial included a patch file (the .msp file). You may or may not have such a file. Everything else should be the same.
  

Extracting the Raw Reader Files

We are going to break the AcroRead.msi file into its individual components, then patch it using the .msp file. If your .exe didn’t include a .msp, but you know there should be a later patch, don’t worry; I’ll go over where to download patches later.

• Open a Command Prompt and run the following command, making sure to update paths appropriately:
  msiexec /a “c:\adobe\extracted\acroread.msi”
• Click Next, then enter the path where you want to save your newly extracted files, and click Install. I recommend saving them in “C:\Adobe\raw\”.
• Go back to the “extracted” folder and copy the setup.exe and setup.ini file to this new “raw” directory.
• Open the setup.ini file and remove the “PATCH=” line, if it exists. This line won’t be necessary as we’ll be patching the files ourselves.
• Save this raw folder for future use. You can re-use this folder whenever you need to deploy a new patch, so keeping the raw folder intact will save you some time.

Patching the Raw Reader Files

We now need to patch the raw files, integrating the latest changes in with them so that we can deploy the most-recent version of Adobe Reader. If you’re working with the first release of a major version (say, 11.0, instead of 11.1), then you won’t need to complete these steps. You can jump directly to the Customizing section. If you DO need to deploy an updated version of a major release, then continue reading.

• Copy the raw folder and name it after the Reader version you’ll be deploying. In my case, it will be “2015.009.20069”.
• If your .exe came with a .msp file, then copy it from your “extracted” directory to your new version-based directory (created above).
• If you need to download a patch file, head here and download the latest patch file under the Updates section. I stick with the non-MUI versions of the files. Patches should be applied to the first release of a major version. For example, patch 11.7 should be applied to the raw files for 11.0.
• Open a Command Prompt and navigate to your version-based directory.
  For example: cd “c:\adobe\2015.009.20069”
• Type the following command to patch Reader with the .msp (as always, update file names as needed):
  msiexec /a acroread.msi /p AcroRdrDCUpd1500920069.msp
• You’ll see the same installer screens as when you extracted the raw files. This time, save the files in the version-based directory (c:\adobe\2015.009.20069). The patch files will be applied as needed.
• Your version-based directory now contains the fully patched installer files for the version you’re deploying.

Customizing the Adobe Reader Installation

Adobe provides a handy tool for customizing the installation of their Reader software. You can customize nearly every aspect of the software. The next steps will walk you through using the tool.

• We’ll first need to download and install the Adobe Customization Wizard. There is a different version for every major release of Reader (10, 11, DC, etc.), so you’ll need to find the version that matches the version of Reader you’re deploying. The easiest way to do so is to head to Google and search for “adobe customization wizard {versionnumber}”, replacing {versionnumber} appropriately.
• In the case of Adobe Reader DC, you’ll want to head here. Scroll down to the “Installation and setup” section and follow the link to download the installer.
• Once you’ve installed the Customization Wizard, go ahead and run it.
• Click File –> Open Package… –> Browse to and select the AcroRead.msi file in your version-based directory.
• Now to work on customizing our installation settings. I’ll show you what settings I typically use, but you’ll need to make your own decisions about what is best for your network. I won’t mention each option, but I recommend you step through each one so that you can decide what works for you.

Personalization Options

• Check the “Suppress display of End User License Agreement (EULA)” option. This will spare our users from having to view the EULA upon first opening the application.

Installation Options

• Leave the “Installer will decide which product will be the default” option chosen. This will let the installer decide whether Reader or the full version of Acrobat will be the default PDF viewer, in cases where both are installed.
• Leave “Remove all versions of Reader”, “Enable Optimization”, and “Enable Caching of installer files on local hard drive” checked. The “Remove all versions…” option is particularly important, as we don’t want to leave old, vulnerable versions of Reader on our users’ machines.
• Change the “Run Installation” option to “Silently (no interface)”. I try to make these sorts of installs as seamless as possible for my users, and this option helps with that.
• Change “If reboot required at the end of installation” option to “Suppress reboot”. Again, I don’t want to interrupt my users’ workflow.

Shortcuts

• I disable the Desktop shortcut, as I don’t like cluttering my users’ desktops. To do so, right-click that shortcut and choose “Remove”.

Security

• Set the “Protected View” option to “Files from potentially unsafe locations”. This is a particularly important setting. Choosing this option will force PDFs opened from emails, websites, and untrusted network locations to open in Protected View. This view prohibits scripts from running. Users can always “Enable all features” to view the document normally.
• Leave the Enhanced Security Settings options set to “Default”.
• Now you’ll want to add some “Privileged Locations”. Typically, you would add your various network storage paths, so that PDFs stored in those locations won’t open in Protected View. You want Protected View to only come up when a document really requires it (PDFs from emails and websites). Otherwise, your users will get used to constantly turning off Protected View and it will lose its power.
• In past versions of the Customization Wizard, you would have to specify whether each Folder you added should be recursively added. Now, that is the default option, and you are not able to specify otherwise.
• If you use mapped network drives, then you’ll want to add both the drive letter (D:\, etc.) and the UNC path (\\server\).

Online Services and Features

• Check the “Disable product updates” option. I prefer to control the version that my users receive via Group Policy distributions.
• Change the “Load trusted root certificates from Adobe” option to “Enable & Install silently”. Once again, I do this to make the experience as seamless as possible for my users.
• Check the “Disable Upsell” option. There’s no need to nag our users with offers to buy additional software and features.
• I typically leave the rest of the Services-related options alone.

Now we’ll create a Transform file. When you’re distributing Reader via Group Policy, you can specify a Transform file to use as part of the installation. Such a file will modify the installation. In this case, it will apply the various settings we just configured.

• Go to Transform –> Generate Transform –> Save the .mst file as settings.mst in your version-based directory.

If you’re planning to distribute Reader using WSUS Package Publisher, then you should save the modifications directly to the acroread.msi file. To do so, go to File –> Save Package. There’s no need to do this if you’re deploying via Group Policy. You should still save the Transforms to a file, as this will allow you to load these settings the next time you go to customize an installation.

Creating a Group Policy Object

I’m going to assume you already know how to create and work with Group Policy Objects, so I won’t dive into the finer details of Active Directory and Group Policy. Instead, I’ll just focus on the what you need to do to setup a policy that will distribute the files we’ve prepared.

• Copy the C:\Adobe\ (or wherever you’ve been working) folder to a central location where it can be accessed by all users (including unauthenticated users). Typically, this would be a shared folder on the network.
• Log on to a domain controller on your network and open Group Policy Management in the Administrative Tools area of the Control Panel.
• Create a new Group Policy Object. To do so, right-click on the Group Policy Objects folder under the domain you’re working with and choose “New”. Give it an appropriate name (“Adobe Reader”, for example) and click OK. If you already have a policy for distributing Adobe Reader, then Edit that policy, instead.
• Dig down to Policies –> Software Settings –> Software installation. This is where you go to define the software to install.
• Right-click on “Software installation” and choose “New” –> “Package…”
• Browse to the shared network location where you’ve saved the Reader files, and select the acroread.msi file in the version-based directory. Make sure to use a UNC path (\\server\), as computers will not have access to mapped drives during the installation.
• Select “Advanced” as the deployment method, then click OK.
• Now we’ll work our way through the various tabs. Much like with customizing Reader, all I can go over is the settings I use; you’ll have to make changes appropriate to your network.

General

• I always make sure to change the name shown. This affects how the application appears in Programs and Features, so having a descriptive name can make it easier to tell what version is installed. In my case, I’ll be using “Adobe Reader DC (2015.009.20069)”.

Deployment

• I typically leave the “Uninstall this application…” option unchecked. The majority of the computers on my network require Adobe Reader, so I don’t want it removed when I move them to a different group in Group Policy. If you DO check this option, then the application will be uninstalled whenever you move a computer into a group to which this policy doesn’t apply.
• Click the Advanced… button and make sure the “Make this 32-bit X86 application available to Win64 machines” option is checked. Without this option, the software will not install on 64-bit computers.

Upgrades

• If you are adding on to a pre-existing GPO, then you can choose which software packages this new version will upgrade or replace. Make sure that all packages you’ve previously distributed are listed here. If they’re not, click “Add…” and add them.
• When adding a package, you can choose to uninstall the previous package, or to simply upgrade the package. Since we set the Adobe installer to remove all previous versions before installing, the Upgrade option should work just fine. If you go the Uninstall route, then Windows will uninstall the previous versions before loading up the new installer.

Modifications

• Click Add…” and browse to the settings.mst file we previously created.

Close the settings window, and your new GPO should be all set. Now you just need to assign this GPO to the appropriate user groups.

• Find the user group you’d like to assign Adobe Reader to. Right-click and choose “Link an Existing GPO…”, then select your Adobe Reader GPO.

That’s That

Go ahead and reboot your computer, and make sure Adobe Reader is installed. If everything went right, you should find a new version of Reader installed on your computer.