Enforce File Type Associations

In a Windows 2016 published Desktop, Citrix users are able to use the "Open with..." command in the context menu and set their own file type association. This is by design. One solution to enforce the FTA at logon is to use the "SetUserFTA" software from Christoph Kolbicz's Blog or to use a GPO to assign a "Default Associations Configuration File" (thanks to McKnife) . Another way is to detect and remove user defined File Type Associations in the registry via a script. The registry key is locked down with a "Deny" access control set to everyone including the Administrators. The following script will remove the "Deny" access control, and then proceed to the deletion of the user defined file type association. This script runs at logon and at logoff and have been tested successfully.

# REMOVE HKCU File Type Association
# in addition to OEMDefaultAssociation.xml
Function RegACL-Reset
{
$hkey = 2147483649 
$reg = [wmiclass]"root\default:StdRegProv"
$ace = $reg.GetSecurityDescriptor($hkey,$hsubkey).Descriptor.DACL
$reg.psbase.Scope.Options.EnablePrivileges = $true
$sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$sd.ControlFlags = 0x0004
for($i=0;$i -lt $ace.length;$i++)
{
 if($ace[$i].AceType -ne 1)
 {
  $SD.dacl += $ace[$i] 
 }
}
$reg.SetSecurityDescriptor($hkey,$hsubkey,$sd)
}

# .XML - Remove user defined .XML file type association
$testreg = Test-Path -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml
if ($testreg -eq $true){
#$hsubkey = "Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice"
RegACL-Reset -hsubkey "Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice"
Remove-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml" -Force -Recurse

Open in new window

1
LVL 65

Expert Comment

by:McKnife
Why need that script? The GPO resets the associations at each logon anyway, every time.
0
LVL 5

Author Comment

by:Olivier MARCHETTA
Unfortunately the GPO will not work for user defined FTA in Windows 10 / 2016 / 2019. The "UserChoice" value will override this and saved in the user profile. This script will remove the "UserChoice" and enforce the defined FTA wanted by the Administrator.
0
LVL 65

Expert Comment

by:McKnife
That's funny, because here, it works on Win10 1803.
0
LVL 5

Author Comment

by:Olivier MARCHETTA
I've created this script based on this blog article: Per-user FTAs in Windows 10, Server 2012 R2 and Server 2016 – THE FINAL WORD and SetUserFTA: UserChoice Hash defeated – Set File Type Associations per User or Group on Windows 8/10 and 2012/2016/2019. I think that the SBS/VDI community will be happy to know that they do not need to use SetFTA.exe or a custom script to enforce FTAs. Thank you McKnife.
0
LVL 65

Expert Comment

by:McKnife
It could be that the community over there got a false sense of what to expect. The GPO way does not make these associations unchangeable, but (just as that script), it resets the association to what the admin set on each new logon.
0
LVL 5

Author Comment

by:Olivier MARCHETTA
Are you using the GPP? It was not working at the time I wrote my script. I still like the idea of having a script - just in case. I will need to try the GPP FTA again.
0
LVL 65

Expert Comment

by:McKnife
No, GPP for FTA does not work on Win10. We use that xml file solution ("Solution 2") as demonstrated here by Adobe: https://www.adobe.com/devnet-docs/acrobatetk/tools/AdminGuide/pdfviewer.html
0
LVL 5

Author Comment

by:Olivier MARCHETTA
This solution will not reset a user defined FTA by default on Windows 2016 and Windows 10, hence the script. But I could test it again on a newer release.
0
LVL 65

Expert Comment

by:McKnife
It will. It does. We use it, ok?
0
LVL 5

Author Comment

by:Olivier MARCHETTA
Maybe in the very latest release of Windows 10 which I have not tested.
Otherwise: It will not. It does not. We use it too. ok?
0
LVL 65

Expert Comment

by:McKnife
I don't know why you insist. Don't you believe me when I say that it works? Don't you believe Adobe?
We used it since the first version of win10 that we deployed, which was 1511 and ever since in every build. Anyway, I am out.
0
LVL 65

Expert Comment

by:McKnife
Guess what, I'm back :-)

We both forgot something and that is within the Adobe documentation but I just remembered it:
Limitations

1 The end user machine needs to be domain-joined for this method to work.
Just confirmed this to be true on Win10 1803 pro.
0
LVL 5

Author Comment

by:Olivier MARCHETTA
I believe you but I am just sharing a PowerShell script if someone would like to use a PS method instead of a GPO method.
I will update my post to remove the statement saying that it otherwise doesn't work via GPO,
0
LVL 5

Author Comment

by:Olivier MARCHETTA
I have modified my post so there isn't any confusion.
This is just a PowerShell method if someone requires it for a specific scenario.
0
LVL 65

Expert Comment

by:McKnife
Fine. And no hard feelings, I hope :-)
At least I learned that there are some policies which have no effect when not domain-joined - for whatever reason Microsoft enforces this...
0
LVL 5

Author Comment

by:Olivier MARCHETTA
No worries :-).
0

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month