gpo internet explorer proxy settings not applying in windows 7
Thanks to: http://thommck.wordpress.com/
Internet Explorer 10 was released for Windows 7 and Windows Server 2008 R2 machines back in February 2013. Nine months later and we are going through it again with Internet Explorer 11. For SysAdmins and IT Pros managing software updates, these new versions led to quite a significant change in how we use Group Policy to manage them.
I only recently discovered that when Windows 8 (and along with it IE10) was released they finally got rid of the “Internet Explorer Maintenance” Section of the Group Policy Editor. This section always struck me as an odd place to configure IE settings and I’m still not sure why they couldn’t just use the normal Administrative Template section.
Below is an excerpt from the technet article Replacements for Internet Explorer Maintenance from the IE10 Deployment Guide
In earlier versions of the Windows operating system, Internet Explorer Maintenance (IEM) could be used to configure a subset of Internet Explorer settings in an environment using Group Policy. In Windows 8, the IEM settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 10 (IEAK 10).
Important – Any settings that you previously configured with IEM will no longer work on computers where Internet Explorer 10 or newer is installed, regardless of the Windows version it’s been installed on.
The page above also has a very useful table of what settings are deprecated or what alternative tool to use. You can also search all the most up to date group policy settings on Microsoft’s GPSearch web app
As with all group policy settings, you should always make changes from the newest OS available. For example, if you wanted to configure a Windows 8 PC you should use the RSAT tools to run the Group Policy Management Console (GPMC) from a Windows 8 host. That way, you can see all of the newest settings as well as backwards compatible ones.
Unfortunately, as IE 10/11 are part of Windows 8/8.1 Server 2008 R2 and below don’t understand they exist. So if you haven’t got any Win8 or Server 2012 machines around, how are you supposed to configure it?
Administrative Templates
You can import the latest settings to your existing template store on Server 2003 or above. The links below are for IE10 but it doesn’t seem like the IE11 ones are freely downloadable yet. However, you can copy the templates from a 2012 R2 member server onto your older template store.
- Administrative Templates (.adm) for Server 2003
- Administrative Templates (.admx) for Windows 8 and Windows Server 2012
Group Policy Preferences
Group Policy Preferences (GPPs) came out with Server 2008/Windows Vista to remove the need to use logon scripts. They contain all the settings necessary to map drives, add printers, change the registry and so on. They are now the official way to configure the Internet Settings of a machine (including Favorites). If you have never used the Internet Settings feature of GPP then I highly recommend you look at the following article on the Group Policy Blog, Red / Green: GP Preferences doesn’t work even though the policy applied. I don’t really need to lockdown are machines too much but the one critical thing I need to do is specify the proxy server and and exceptions. If you go to do this on an older GPMC client then you will notice the following problem
Back when IE9 came out, people started noticing that GPPs were not applying, even though the same settings should work from what was specified in IE8. You can read a technet blog article about whyhere http://blogs.technet.com/b/asiasupp/archive/2011/03/30/internet-explorer-9-ie9-group-policy-preferences-gpp.aspx or download the hotfix to address it here Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment.
I tried that fix and it didn’t work on my Windows 7 Machines with IE11. Why you would even want different settings for different versions I’m not entirely sure. In fact, I find the whole GPP interface really ugly and clunky. I’m still not sure why these settings can’t be done via normal templates. Fortunately, there is another way to specify the proxy settings, and that is with registry keys. I’ve set that up and it’s working fine in our mixed environment. I used the Registry Wizard within GPP to capture the settings on a correctly configured PC and they are now there ready to be modified as needs be.
The following keys I added are as follows
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="10.1.1.12:8080"
"ProxyOverride"="http://*.internal.lan;https://*.internal.com;<local
The Bottom Line
If possible, use the most up-to-date OS to configure your group policy settings from, if not, deploy registry keys through group policy preferences
Comentarios
Publicar un comentario
Dime si la información de este blog te sirvio.