Enforce File Type Associations

In a Windows 2016 published Desktop, Citrix users are able to use the "Open with..." command in the context menu and set their own file type association. This is by design. One solution to enforce the FTA at logon is to use the "SetUserFTA" software from Christoph Kolbicz's Blog or to use a GPO to assign a "Default Associations Configuration File" (thanks to McKnife). Another way is to detect and remove user-defined File Type Associations in the registry via a script. The registry key is locked down with a "Deny" access control entry set for Everyone, including the Administrators. The following script removes the "Deny" access control entry and then proceeds to the deletion of the user-defined file type association. This script runs at logon and at logoff and has been tested successfully.

# REMOVE HKCU File Type Association
# in addition to OEMDefaultAssociation.xml
# Windows protects the per-user UserChoice key with "Deny" ACEs so that only
# the Explorer "Open with..." dialog can rewrite it. RegACL-Reset strips those
# Deny entries from the DACL so the key can be deleted afterwards.
Function RegACL-Reset
{
    param([string]$hsubkey)     # subkey path relative to HKCU, e.g. "Software\...\FileExts\.xml\UserChoice"

    $hkey = 2147483649          # HKEY_CURRENT_USER (0x80000001) as expected by StdRegProv
    $reg = [wmiclass]"root\default:StdRegProv"
    $reg.psbase.Scope.Options.EnablePrivileges = $true

    # Current DACL of the subkey
    $ace = $reg.GetSecurityDescriptor($hkey,$hsubkey).Descriptor.DACL

    # Build a new security descriptor that keeps every ACE except the Deny ones
    $sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
    $sd.ControlFlags = 0x0004   # SE_DACL_PRESENT
    $newDacl = @()
    for($i=0;$i -lt $ace.length;$i++)
    {
        if($ace[$i].AceType -ne 1)  # AceType 1 = ACCESS_DENIED_ACE_TYPE
        {
            $newDacl += $ace[$i]
        }
    }
    $sd.DACL = $newDacl
    $reg.SetSecurityDescriptor($hkey,$hsubkey,$sd) | Out-Null
}

# .XML - Remove user defined .XML file type association
$xmlKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml"
if (Test-Path -Path $xmlKey)
{
    # Only reset the ACL when the user actually made a choice (UserChoice exists)
    if (Test-Path -Path "$xmlKey\UserChoice")
    {
        RegACL-Reset -hsubkey "Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice"
    }
    Remove-Item -Path $xmlKey -Force -Recurse
}


1
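The post's script deletes the user-defined association outright. Before doing that in a shared environment it is useful to know which users have actually drifted from the administrator's "Default Associations Configuration File" and for which extensions. The following PowerShell function is an added example, not part of the original post or any project: it parses a Default Associations XML (the same format the GPO consumes) and compares each assigned ProgId with the ProgId stored in the per-user UserChoice key. The function name Get-FtaDrift, its parameters, and the sample XML (including the ProgId values in it) are my own assumptions and constructed data.

```powershell
# Added example (not the original poster's script): report every extension where
# the user's UserChoice ProgId differs from the administrator-assigned ProgId.
# Function and parameter names (-AssociationsXml, -XmlContent, -ExtensionsRoot)
# are assumptions made for this example.
function Get-FtaDrift {
    [CmdletBinding()]
    param(
        # Path to the admin-defined XML (what the GPO "Default Associations
        # Configuration File" points at); ignored when -XmlContent is supplied.
        [string]$AssociationsXml,
        # Raw XML text, so the function can run against an inline sample.
        [string]$XmlContent,
        # Registry root holding the per-user associations.
        [string]$ExtensionsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
    )

    if (-not $XmlContent) { $XmlContent = Get-Content -Path $AssociationsXml -Raw }
    [xml]$doc = $XmlContent

    foreach ($assoc in $doc.DefaultAssociations.Association) {
        $ext      = $assoc.Identifier
        $expected = $assoc.ProgId
        $ucKey    = Join-Path -Path $ExtensionsRoot -ChildPath "$ext\UserChoice"
        $userProg = $null
        if (Test-Path -Path $ucKey) {
            # The ProgId value under UserChoice is what Explorer honours over the machine default
            $userProg = (Get-ItemProperty -Path $ucKey -Name ProgId -ErrorAction SilentlyContinue).ProgId
        }
        [pscustomobject]@{
            Extension      = $ext
            ExpectedProgId = $expected
            UserProgId     = $userProg
            # Drift only when the user picked something other than the assigned ProgId
            Drift          = ($null -ne $userProg -and $userProg -ne $expected)
        }
    }
}

# Constructed sample in the shape Windows expects (Dism /Export-DefaultAppAssociations
# writes the same structure); the ProgId values are placeholders for this example.
$sampleXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".xml" ProgId="Example.XmlEditor" ApplicationName="Example XML Editor" />
  <Association Identifier=".pdf" ProgId="Example.PdfReader" ApplicationName="Example PDF Reader" />
</DefaultAssociations>
'@

# Report-only: nothing is removed, so this is safe to run as a logon audit
# before deciding whether to reset the UserChoice key at all.
Get-FtaDrift -XmlContent $sampleXml | Where-Object Drift | Format-Table -AutoSize
```

Running it with `-AssociationsXml` pointed at the real file used by the GPO gives a per-user list of overridden extensions that can be logged centrally; the deletion logic from the post can then be limited to the extensions that actually report `Drift = True` instead of a fixed list.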
LVL 76

Comment

by:McKnife
Why need that script? The GPO resets the associations at each logon anyway, every time.
0
LVL 9

Author Comment

by:Olivier Marchetta
Unfortunately the GPO will not work for user-defined FTA in Windows 10 / 2016 / 2019. The "UserChoice" value will override this and is saved in the user profile. This script will remove the "UserChoice" and enforce the defined FTA wanted by the Administrator.
0
LVL 76

Comment

by:McKnife
That's funny, because here, it works on Win10 1803.
0
LVL 9

Author Comment

by:Olivier Marchetta
I've created this script based on this blog article: Per-user FTAs in Windows 10, Server 2012 R2 and Server 2016 – THE FINAL WORD and SetUserFTA: UserChoice Hash defeated – Set File Type Associations per User or Group on Windows 8/10 and 2012/2016/2019. I think that the SBS/VDI community will be happy to know that they do not need to use SetFTA.exe or a custom script to enforce FTAs. Thank you McKnife.
0
LVL 76

Comment

by:McKnife
It could be that the community over there got a false sense of what to expect. The GPO way does not make these associations unchangeable, but (just as that script), it resets the association to what the admin set on each new logon.
0
LVL 9

Author Comment

by:Olivier Marchetta
Are you using the GPP? It was not working at the time I wrote my script. I still like the idea of having a script - just in case. I will need to try the GPP FTA again.
0
LVL 76

Comment

by:McKnife
No, GPP for FTA does not work on Win10. We use that xml file solution ("Solution 2") as demonstrated here by Adobe: https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/pdfviewer.html
0
LVL 9

Author Comment

by:Olivier Marchetta
This solution will not reset a user defined FTA by default on Windows 2016 and Windows 10, hence the script. But I could test it again on a newer release.
0
LVL 76

Comment

by:McKnife
It will. It does. We use it, ok?
0
LVL 9

Author Comment

by:Olivier Marchetta
Maybe in the very latest release of Windows 10 which I have not tested.
Otherwise: It will not. It does not. We use it too. ok?
0
LVL 76

Comment

by:McKnife
I don't know why you insist. Don't you believe me when I say that it works? Don't you believe Adobe?
We have used it since the first version of Win10 that we deployed, which was 1511, and ever since in every build. Anyway, I am out.
0
LVL 76

Comment

by:McKnife
Guess what, I'm back :-)

We both forgot something and that is within the Adobe documentation but I just remembered it:
Limitations

1 The end user machine needs to be domain-joined for this method to work.
Just confirmed this to be true on Win10 1803 pro.
0
LVL 9

Author Comment

by:Olivier Marchetta
I believe you but I am just sharing a PowerShell script if someone would like to use a PS method instead of a GPO method.
I will update my post to remove the statement saying that it otherwise doesn't work via GPO.
0
LVL 9

Author Comment

by:Olivier Marchetta
I have modified my post so there isn't any confusion.
This is just a PowerShell method if someone requires it for a specific scenario.
0
LVL 76

Comment

by:McKnife
Fine. And no hard feelings, I hope :-)
At least I learned that there are some policies which have no effect when not domain-joined - for whatever reason Microsoft enforces this...
0
LVL 9

Author Comment

by:Olivier Marchetta
No worries :-).
0
