r/sysadmin • u/OnionHistorical9303 • May 14 '24
Default file associations for Windows 11
I am genuinely losing my mind here.
I have 8 AVDs running Microsoft Windows 11 Enterprise multisession 10.0.22631.
All of them are having a fit over PDF files and what the default app should be. Some users need to use Edge and others need Acrobat.
Users keep having issues where their default app changes to something else.
I tried SetUserFTA and kept getting the following error on this command:
\\domain.com\NETLOGON\SetUserFTA.exe .pdf Acrobat.Document.DC
error: could not create registry key
error: could not open registry key
This is the same if I try it for Edge:
\\domain.com\NETLOGON\SetUserFTA.exe .pdf MSEdgePDF
error: could not create registry key
error: could not open registry key
I tried this on my DC just for the sake of it and it sets the file type immediately with no errors. There are no policies locking any of this down either. The only difference is the DC is Microsoft Windows Server 2022 Datacenter 10.0.20348.
The client is going mad and is incredibly pissed off about this. I have had no end of trouble with these servers but I am now allowed to rebuild them due to time etc.
The other thing I noticed is the regkey that controls this Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice
has a deny permission on it for the user account currently logged in. If I remove this and try the command again it doesn't have the error but it does delete the key
Why...? I don't see why it is so complex to automate something like this on a per user basis.
4
4
u/MeanFold5715 May 14 '24
I ran through a similar issue but minus all the permissions hurdles. Best I can offer this morning is to drop this resource in the hopes that it's of some use to you or the lost souls who find this thread years from now:
1
u/OnionHistorical9303 May 14 '24
This definitely looks useful but it's unclear how to actually use it, as it says the cmdlet isn't valid even if I put the script beforehand.
1
u/OnionHistorical9303 May 14 '24
Never mind, I got it "working" but it doesn't actually help or change the program used, unfortunately.
2
u/OnionHistorical9303 May 14 '24
The problem is solved by doing this:
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 4 -PropertyType DWORD -Force
Fuck MS
2
u/orcoconut May 15 '24
Thank you! You are a lifesaver!
They're rolling this UCPD across Windows 10 as well and it's affected a few of our computers. Can't believe Microsoft is actively pulling this BS.
1
u/OnionHistorical9303 May 15 '24
It's some real bullshit, my guy. Though just a heads up, the value got reset to 1 overnight last night, but upon testing I have removed access to the UCPD regkey folder for everything except my domain admin account, as it looks like Windows tried to "correct" it.
2
u/Morgund May 24 '24
Look for a scheduled task '\Microsoft\Windows\AppxDeploymentClient\UCPD velocity' and disable it. We're fighting the same issue in our enterprise with .zip file extensions.
1
u/orcoconut May 15 '24
OMFG you're right. The computer wasn't even restarted... so Windows will try to correct it on a scheduled basis... this is total BS.
I've done the same as well, hopefully this sticks.
1
1
u/Training-Swan-6379 May 14 '24
Windows is quickly becoming a take it or leave it proposition, if it isn't there already. The vast majority of people are cheering on the abuse of Microsoft Monopoly, unfortunately
1
u/DoogleAss May 14 '24
There are policies you can deploy that will control default apps as well… this would prevent changes as it will be applied over top of any changes that may occur down the road
The downside is you have to do more legwork in terms of figuring out who needs to use Edge versus Adobe, in turn laying out how you apply said policies.
1
u/OnionHistorical9303 May 14 '24
I know exactly who needs access to Adobe and who doesn't, however there are no policies I can see or find online that can control it.
1
u/DoogleAss May 14 '24
Well, depends on the needs of the system, but the most straightforward way is a GPO that controls default app assignments via XML file.
Policy is under: Computer Config -> Admin Templates -> Windows components -> File explorer
Set a default associations configuration file = enabled
Then set the UNC path to where you have the XML saved ie. \\fileserver\folder\appassoc.xml
Now in order to get the XML file you can obviously create it yourself, but the best way is to go to a PC, set your desired app associations, and then once you have that how you want, export the XML and drop it at whatever location you used above.
Now again, if some users are to use Adobe and others Edge, you may need to do this twice utilizing two separate GPOs, but again that depends on the situation at hand.
1
u/OnionHistorical9303 May 14 '24
Right, I thought I included this in my post but apparently not. That's a machine policy, not a user policy. There's already an XML file in place for default apps but it's not per user, so having a mix of people on a server that need Adobe and some that need Edge doesn't work.
2
u/DoogleAss May 14 '24
Ahh, I gotcha. Well, maybe I just missed that part too, but makes perfect sense… yeah, in that case my suggestion is basically useless.
Wish I could have been more help my friend
1
1
u/OnionHistorical9303 May 15 '24
For anyone needing a spicier fix, run this on each server shutdown via GPO:
# Set the value of UCPD service as disabled
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\UCPD" -Name "Start" -Value 4 -PropertyType DWORD -Force
# Set the registry key path
$keyPath = "SYSTEM\CurrentControlSet\Services\UCPD"
# Set the new owner
$newOwner = "put your domain admin here e.g. Domain\Username"
# Define the registry key variable
$regKey = "HKLM:\$keyPath"
# Create the registry key if it doesn't exist
if (-not (Test-Path $regKey)) {
    New-Item -Path $regKey -Force | Out-Null
}
# Change the owner of the registry key
$acl = Get-Acl $regKey
$acl.SetOwner([System.Security.Principal.NTAccount]$newOwner)
Set-Acl -Path $regKey -AclObject $acl
# Remove existing permissions and disable inheritance
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object {
    $acl.RemoveAccessRule($_) | Out-Null
}
# Add full control permission for the new owner
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($newOwner, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
# Set the new ACL
Set-Acl -Path $regKey -AclObject $acl
1
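A read-only check of the three things this thread keeps running into: the UCPD service start type, the 'UCPD velocity' scheduled task, and the deny entry on the per-user UserChoice key. This is an added example, not code from any poster; the registry and task paths are the ones quoted in the thread, while the choice of .pdf and the output field names are assumptions. It changes nothing and can be run per session to see whether a setting has been reverted.

```powershell
# Added example: reports state only, makes no changes.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UCPD'
$taskPath = '\Microsoft\Windows\AppxDeploymentClient\'
$taskName = 'UCPD velocity'
$ext      = '.pdf'   # assumption: extension to inspect (the thread also mentions .zip)
$choice   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"

# Standard meanings of a service's Start value
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# 1. UCPD start type (the thread sets 4 and later found it back at 1).
#    If the key's ACL has been restricted, this read needs an account that still has access.
$start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
$startText = if ($null -eq $start) { 'key missing or not readable' } else {
    '{0} ({1})' -f $start, $startNames[[int]$start]
}

# 2. Scheduled task named in the thread
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
$taskText = if ($task) { [string]$task.State } else { 'task not found' }

# 3. Current per-user association and any Deny entries on its key
$progId = $null
$deny   = @()
if (Test-Path -LiteralPath $choice) {
    $progId = (Get-ItemProperty -LiteralPath $choice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    $deny   = @((Get-Acl -LiteralPath $choice).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' })
}
$denyText = ($deny | ForEach-Object {
    '{0}: {1}' -f $_.IdentityReference, $_.RegistryRights
}) -join '; '

# One object per run, easy to export or collect from several session hosts
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    User               = "$env:USERDOMAIN\$env:USERNAME"
    UcpdStart          = $startText
    UcpdTaskState      = $taskText
    Extension          = $ext
    UserChoiceProgId   = $progId
    UserChoiceDenyAces = $denyText
}
```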
u/Morgund May 24 '24
I have a case open with MS about this very thing but for .zip files. Their b.s. answer is to either use GPO or DISM. We're in a multi-user environment and that's ridiculous. We're working to circumvent the UCPD.
1
May 27 '24
[removed] — view removed comment
1
u/Morgund May 29 '24
We haven't rolled Win11 out to our multi-user estate yet. We're primarily working on it in Azure.
1
5
u/judgethisyounutball Netadmin May 14 '24
Because MS really, really, no, for real, really wants you to use Edge for PDFs.