1

We are finding it nearly impossible to print to a network printer via Adobe Reader command line switches, with Adobe "protected mode" enabled. These troubles arise when attempting to use the command line arguments provided in the Adobe docs, to print to a printer that is not installed on the local machine (it is accessible via the network). When we turn "protected mode" off, we can print to any network printer using the command line, so we know this must be possible with correct policy configuration.

We are particularly confused about the log entry which says our printer information is "bad", because we provide the correct information in the command line, and with "protected mode" off it isnt required to provide the port or driver:

Bad Printer Info: Device: [unc_path_to_printer], Port: (empty), Driver: (empty), DataType: (empty)

The full log entries are as follows (where [unc_path_to_printer] is a UNC path to a real printer on our network and [username] is windows username):

[10:14/13:19:20] Adobe Reader Protected Mode Logging Initiated
[10:14/13:19:20] Found custom policy file: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProtectedModeWhitelistConfig.txt
[10:14/13:19:20] Adding custom policy: FILES_ALLOW_ANY = C:\*
[10:14/13:19:20] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\*
[10:14/13:19:20] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\Software\*
[10:14/13:19:21] Bad Printer Info: Device: [unc_path_to_printer] Port: (empty), Driver: (empty), DataType: (empty)
[10:14/13:19:21] Bad Printer Info: Device: [unc_path_to_printer], Port: (empty), Driver: (empty), DataType: (empty)
[10:14/13:19:21] Bad Printer Info: Device: [unc_path_to_printer], Port: (empty), Driver: (empty), DataType: RAW
[10:14/13:19:26] Invalid path: \Device\HarddiskVolume2\Users\[username]\AppData\Local\Adobe\Acrobat\DC\
[10:14/13:19:26] Invalid path: \Device\HarddiskVolume2\Users\[username]\AppData\Local\Adobe\Acrobat\DC\
[10:14/13:19:26] Invalid path: \Device\HarddiskVolume2\Users\[username]\AppData\Local\Adobe\Acrobat\DC\
[10:14/13:29:50] Bad Printer Info: Device: [unc_path_to_printer], Port: (empty), Driver: (empty), DataType: (empty)
[10:14/13:30:16] Exit Code:1

Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /s /t "C:\temp\tmp_201510141141420.pdf" "[unc_path_to_printer]" "RICOH Aficio SP 4100N PCL 6" "[port_for_unc_printer]"

OS: Windows 7

Adobe Reader version: DC (same experience with 11)

We have followed the documentation online for configuring protected mode and have done the following:

  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Privileged "bProtectedMode" = 1, and we can confirm that protected mode is indeed enabled
  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\Privileged “tBrokerLogfilePath” = C:\Users[user]\AppData\Local\Temp\AdbeReaderBroker.log, and we are able to view the log file

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown “bUseWhitelistConfigFile” = 1, and we can confirm via the logs that the whitelist file is being read from: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ProtectedModeWhitelistConfig.txt

  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\DC\TrustManager\cTrustsedSites\cSilentPrint "t1" = [unc_path_to_printer]

Our ProtectedModeWhitelistConfig.txt contains:

; Files Section
FILES_ALLOW_ANY = C:\*

; Registry
REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\*
REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\Software\*

Regarding the ProtectedModeWhitelistConfig.txt, we are allowing all files for now; once that is working we would constrain it further. We are allowing the reg entries for now to suppress the following log errors which we also do not fully understand:

[08:06/13:52:21] NtCreateKey: STATUS_ACCESS_DENIED
[08:06/13:52:21] real path: \REGISTRY\MACHINE\Software\Adobe
[08:06/13:52:21] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:06/13:52:21] NtCreateKey: STATUS_ACCESS_DENIED
[08:06/13:52:21] real path: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Adobe
[08:06/13:52:21] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:06/13:52:28] NtCreateKey: STATUS_ACCESS_DENIED
[08:06/13:52:28] real path: \REGISTRY\USER\S-1-5-21-3056327225-4203895344-2874801580-19977\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles
[08:06/13:52:28] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:06/13:52:28] NtCreateKey: STATUS_ACCESS_DENIED
[08:06/13:52:28] real path: \REGISTRY\USER\S-1-5-21-3056327225-4203895344-2874801580-19977\Software\Adobe\Acrobat Reader\DC\AVGeneral\cRecentFiles
[08:06/13:52:28] Consider modifying policy using this policy rule: REG_ALLOW_ANY

Is what we are trying to do even possible? We would appreciate any feedback on our configuration, especially if it helps us complete our workflow (print to network printer with protected mode enabled).

Thank you!

harymitchell
  • 155
  • 7

1 Answers1

0

Adobe got back to me on their forums. What we are trying to do is not currently supported. See https://forums.adobe.com/thread/1979123?sr=inbox&ru=675113:

I'm afraid this doesn't appear to be something that'll work. Protected Mode Reader will not allow printing to a printer that's not already installed on the system. Your options are to either: 1. install the printer before launching Reader with that command-line (maybe install the printer via the same custom app that's trying to print the PDF), OR, 2. disable Protected Mode

harymitchell
  • 155
  • 7