When the policy “Default Associations Configuration File” is defined with an XML definition file, users can still use the “Open with…” command in the context menu and set their own file type association (FTA). This is by design. One solution to enforce the FTA at logon is to use the “SetUserFTA” software from Christoph Kolbicz’s Blog. Another way is to detect and remove user-defined file type associations in the registry via a script.

The registry key is locked down with a “Deny” access control entry set to everyone, including the Administrators. The following script removes the “Deny” access control entry and then deletes the user-defined file type association. This script runs at logon and at logoff and has been tested successfully.
```powershell
# REMOVE HKCU File Type Association
# in addition to OEMDefaultAssociation.xml
Function RegACL-Reset {
    param(
        # Subkey path relative to HKCU whose "Deny" ACEs are stripped
        [string]$hsubkey
    )
    $hkey = 2147483649   # HKEY_CURRENT_USER (0x80000001)
    $reg = [wmiclass]"root\default:StdRegProv"
    $ace = $reg.GetSecurityDescriptor($hkey,$hsubkey).Descriptor.DACL
    $reg.psbase.Scope.Options.EnablePrivileges = $true
    $sd = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
    $sd.ControlFlags = 0x0004   # SE_DACL_PRESENT
    # Copy every ACE except "Access Denied" entries (AceType 1)
    for($i=0;$i -lt $ace.length;$i++) {
        if($ace[$i].AceType -ne 1) {
            $sd.DACL += $ace[$i]
        }
    }
    # Write the filtered DACL back to the key
    $reg.SetSecurityDescriptor($hkey,$hsubkey,$sd)
}

# .XML - Remove user defined .XML file type association
$testreg = Test-Path -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml
if ($testreg -eq $true){
    RegACL-Reset -hsubkey "Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\UserChoice"
    Remove-Item -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml" -Force -Recurse
}
```
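For the "detect" half of the approach, the following read-only audit is an added example, not part of the original script: it lists every extension under the current user's FileExts key that carries a UserChoice subkey, the ProgId the user selected, and any "Deny" entries on that subkey. The function name Get-UserFtaOverride and its output fields are assumptions made for this example, and it assumes the logged-on user can still read the key's value and permissions.

```powershell
# Added example: report per-user file type association overrides (read-only).
# Get-UserFtaOverride and its output fields are illustrative names.
function Get-UserFtaOverride {
    param(
        # Same FileExts location the removal script works on
        [string]$FileExtsPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
    )
    foreach ($ext in Get-ChildItem -LiteralPath $FileExtsPath -ErrorAction SilentlyContinue) {
        # Only extensions with a UserChoice subkey have a user-defined association
        $choicePath = Join-Path -Path $ext.PSPath -ChildPath 'UserChoice'
        if (-not (Test-Path -LiteralPath $choicePath)) { continue }

        # ProgId is the handler the user picked through "Open with..."
        try {
            $progId = (Get-ItemProperty -LiteralPath $choicePath -Name ProgId -ErrorAction Stop).ProgId
        } catch {
            $progId = '<unreadable>'
        }

        # Collect the "Deny" access rules that lock the key down
        $denyAces = @()
        try {
            $denyAces = @((Get-Acl -LiteralPath $choicePath -ErrorAction Stop).Access |
                Where-Object { $_.AccessControlType -eq 'Deny' })
        } catch {
            # Permissions could not be read; DenyCount stays 0 for this entry
        }

        [pscustomobject]@{
            Extension  = $ext.PSChildName
            ProgId     = $progId
            DenyCount  = $denyAces.Count
            DenyDetail = ($denyAces | ForEach-Object {
                "$($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
        }
    }
}

# One row per extension with a user-defined association
Get-UserFtaOverride | Sort-Object Extension | Format-Table -AutoSize
```

Comparing the reported ProgId values against the associations in the XML definition file shows which extensions actually deviate from the policy before anything is deleted.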