Enterprise Toolkit | Windows Registry Reference

Privileged (Protected Mode)

Sandboxing is a technique for confining the execution environment of untrusted programs and processes. In the context of Adobe's PDF products, an 'untrusted program' is any PDF and the processes it invokes. With sandboxing enabled, Acrobat and Reader assume all PDFs are potentially malicious and confine any processing they invoke to the sandbox.

For additional security-related details, refer to the Application Security Guide.


This preference category contains the following subfeature(s):

Protected Mode

Protected Mode is a key Reader and Acrobat security feature and should be enabled to protect user systems and data. Note: While Reader has supported Protected Mode since 10.x, Protected Mode is gradually being extended via a phased rollout to Acrobat's DC/Continuous track beginning June, 2020. Classic track versions will likely see similar support later this year.

Summary table
bProtectedMode Enables Protected Mode which sandboxes Acrobat and Reader processes.
bUseWhitelistConfigFile Allows the use of a policy whitelist to allow behavior that Protected Mode would otherwise prevent.
cProtectedModeConfigFiles See FeatureLockDown.
tBrokerLogfilePath Specifies the path and log file name for the Protected Mode log.
tHostWhiteList Specifies whether to show a dialog asking whether to navigate to a URL when Protected Mode is enabled.

bProtectedMode
Security hardening | Supported on Windows | Supported on Mac | Supported by Adobe Reader
Data type boolean: DWORD value > REG_DWORD
Default 1
Version # 10.0+; Acrobat: June, 2020
HKCU Path Privileged
HKLM Path HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockDown
Summary Enables Protected Mode which sandboxes Acrobat and Reader processes.
Details Protected Mode should be enabled to protect user systems and data. Possible values include:
  • 0: Don't enable protected mode.
  • 1: Do enable protected mode.
GUI mapping Preferences > Security (Enhanced) > Sandbox Protections > Enable Protected Mode at startup

tBrokerLogfilePath
Supported on Windows | Supported on Mac | Supported by Adobe Reader
Data type text: String value > REG_SZ
Default null
Version # 10.0+
HKCU Path Privileged
HKLM Path Not lockable
Summary Specifies the path and log file name for the Protected Mode log.
Details The value should be path + log filename. Logging is available for users who need to troubleshoot problems where a workflow or plugin does not work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.
  • Any valid path.
GUI mapping Preferences > Security (Enhanced) > Sandbox Protections > Create Protected Mode log file

bUseWhitelistConfigFile
Security hardening | Supported on Windows | Supported on Mac | Supported by Adobe Reader
Data type boolean: DWORD value > REG_DWORD
Default 0
Version # 10.0+
HKLM Path HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockDown
Summary Allows the use of a policy whitelist to allow behavior that Protected Mode would otherwise prevent.
Details This preference just toggles the ability of the application to read policy files. For additional security-related details, refer to the Application Security Guide.

cProtectedModeConfigFiles
Supported on Windows | Supported by Acrobat | Supported by Adobe Reader
Data type
Default
Version #
HKLM Path Not lockable
Summary See FeatureLockDown.
Details Possible values include:

tHostWhiteList
Supported on Windows | Supported by Acrobat | Supported by Adobe Reader
Data type text: String value > REG_SZ
Default null
Version # 11.0.03+
HKCU Path Privileged
HKLM Path HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockDown
Summary Specifies whether to show a dialog asking whether to navigate to a URL when Protected Mode is enabled.
Details Windows only. Acrobat support started June, 2020. The security dialog is bypassed when launching a URL whose hostname is present in tHostWhiteList when Reader Protected Mode is ON in these workflows: Acrobat.com Webview, authentication in Yahoo and Gmail webmail, and forms-based authentication for Office365 and SharePoint accounts. Possible values include:
  • A user-specified pipe-separated list of hosts such as adobe.com|acrobat.com|microsoft.com.
Note that with the Feb. 2018 release, a dialog appears that asks users whether or not they want to trust a domain that requires a log in. Trusting a domain populates this preference with the host name.

AppContainer

The AppContainer requires that Protected Mode is enabled, and both features are designed to be transparent to end users. Together these provide multiple layers of protection from malicious attacks that might try to access your system and data. Like Protected Mode, AppContainer has an HKCU preference as well as an HKLM preference which you can lock.

Summary table
bEnableProtectedModeAppContainer Specifies whether to enable the AppContainer sandbox.

bEnableProtectedModeAppContainer
Security hardening | Supported on Windows | Supported by Adobe Reader
Data type boolean: DWORD value > REG_DWORD
Default 0
Version # Mar., 2018
HKCU Path Privileged
HKLM Path HKLM\SOFTWARE\WOW6432Node\Policies\Adobe\(product name)\(version)\FeatureLockDown
Summary Specifies whether to enable the AppContainer sandbox.
Details Possible values include:
  • 0: Disable Microsoft's AppContainer sandbox
  • 1: Enable Microsoft's AppContainer sandbox
GUI mapping Preferences > Security (Enhanced) > Sandbox Protections > Run in AppContainer
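
The lockable sandbox preferences described above can be checked on an endpoint by reading the FeatureLockDown key. The PowerShell function below is an added example, not Adobe's code: `Test-AdobeSandboxPolicy` is a hypothetical name, the product name and version are supplied by the caller because this page gives them only as placeholders, and expecting 0 for bUseWhitelistConfigFile is an assumption based on its documented default.

```powershell
# Added example: audit the HKLM-locked sandbox preferences listed on this page.
# -Product and -Version fill the "(product name)\(version)" placeholders in the
# HKLM path; the page gives no concrete values, so the caller supplies them.
function Test-AdobeSandboxPolicy {
    param(
        [Parameter(Mandatory)][string]$Product,
        [Parameter(Mandatory)][string]$Version
    )
    $key = "HKLM:\SOFTWARE\WOW6432Node\Policies\Adobe\$Product\$Version\FeatureLockDown"

    # Expected locked values. 1 enables Protected Mode and AppContainer (per the
    # page); 0 for bUseWhitelistConfigFile is an assumption (documented default,
    # meaning policy whitelist files are not read).
    $expected = [ordered]@{
        bProtectedMode                   = 1
        bEnableProtectedModeAppContainer = 1
        bUseWhitelistConfigFile          = 0
    }

    # A missing key yields $null, which is reported as NotLocked for every value.
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

    foreach ($name in $expected.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }

        if ($null -eq $actual) { $status = 'NotLocked' }
        elseif ($actual -eq $expected[$name]) { $status = 'OK' }
        else { $status = 'Mismatch' }

        [pscustomobject]@{ Preference = $name; Expected = $expected[$name]; Actual = $actual; Status = $status }
    }

    # tHostWhiteList is a pipe-separated host list. Each entry suppresses the URL
    # navigation dialog for that host, so emit every host for manual review.
    if ($props -and $props.PSObject.Properties['tHostWhiteList']) {
        foreach ($h in ($props.tHostWhiteList -split '\|')) {
            if ($h.Trim()) {
                [pscustomobject]@{ Preference = 'tHostWhiteList'; Expected = 'review'; Actual = $h.Trim(); Status = 'Review' }
            }
        }
    }
}

# Usage (placeholders; substitute the installed product name and version):
# Test-AdobeSandboxPolicy -Product '<product name>' -Version '<version>' | Format-Table
```

A status of NotLocked means the value is absent from FeatureLockDown, so the HKCU preference (which a user can change) governs the behavior.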

File migration

This preference is only used during an upgrade from 11.x products to 12.x and later products. The preference is used once by the application to determine whether or not the recent files list has been migrated.

Summary table
bOldRecentFilesMigrated Indicates whether the recent files list has been migrated.

bOldRecentFilesMigrated
Not modifiable | Security hardening | Supported on Windows | Supported on Mac | Supported by Acrobat | Supported by Adobe Reader
Data type boolean: DWORD value > REG_DWORD
Default 0
Version # DC
HKCU Path Privileged
HKLM Path Not lockable
Summary Indicates whether the recent files list has been migrated.
Details Admins should not change the preference value.