Internet Explorer 10 was released for Windows 7 and Windows Server 2008 R2 machines back in February 2013. Nine months later and we are going through it again with Internet Explorer 11. For SysAdmins and IT Pros managing software updates, these new versions led to quite a significant change in how we use Group Policy to manage them.
I only recently discovered that when Windows 8 (and along with it IE10) was released they finally got rid of the “Internet Explorer Maintenance” Section of the Group Policy Editor. This section always struck me as an odd place to configure IE settings and I’m still not sure why they couldn’t just use the normal Administrative Template section.
Below is an excerpt from the technet article Replacements for Internet Explorer Maintenance from the IE10 Deployment Guide
In earlier versions of the Windows operating system, Internet Explorer Maintenance (IEM) could be used to configure a subset of Internet Explorer settings in an environment using Group Policy. In Windows 8, the IEM settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 10 (IEAK 10).
Important – Any settings that you previously configured with IEM will no longer work on computers where Internet Explorer 10 or newer is installed, regardless of the Windows version it’s been installed on.
The page above also has a very useful table of what settings are deprecated or what alternative tool to use. You can also search all the most up to date group policy settings on Microsoft’s GPSearch web app
As with all group policy settings, you should always make changes from the newest OS available. For example, if you wanted to configure a Windows 8 PC you should use the RSAT tools to run the Group Policy Management Console (GPMC) from a Windows 8 host. That way, you can see all of the newest settings as well as backwards compatible ones.
Unfortunately, as IE 10/11 are part of Windows 8/8.1 Server 2008 R2 and below don’t understand they exist. So if you haven’t got any Win8 or Server 2012 machines around, how are you supposed to configure it?
Administrative Templates
You can import the latest settings to your existing template store on Server 2003 or above. The links below are for IE10 but it doesn’t seem like the IE11 ones are freely downloadable yet. However, you can copy the templates from a 2012 R2 member server onto your older template store.
- Administrative Templates (.adm) for Server 2003
- Administrative Templates (.admx) for Windows 8 and Windows Server 2012
Group Policy Preferences
Group Policy Preferences (GPPs) came out with Server 2008/Windows Vista to remove the need to use logon scripts. They contain all the settings necessary to map drives, add printers, change the registry and so on. They are now the official way to configure the Internet Settings of a machine (including Favorites). If you have never used the Internet Settings feature of GPP then I highly recommend you look at the following article on the Group Policy Blog, Red / Green: GP Preferences doesn’t work even though the policy applied. I don’t really need to lockdown are machines too much but the one critical thing I need to do is specify the proxy server and and exceptions. If you go to do this on an older GPMC client then you will notice the following problem
Back when IE9 came out, people started noticing that GPPs were not applying, even though the same settings should work from what was specified in IE8. You can read a technet blog article about why here http://blogs.technet.com/b/asiasupp/archive/2011/03/30/internet-explorer-9-ie9-group-policy-preferences-gpp.aspx or download the hotfix to address it here Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment.
I tried that fix and it didn’t work on my Windows 7 Machines with IE11. Why you would even want different settings for different versions I’m not entirely sure. In fact, I find the whole GPP interface really ugly and clunky. I’m still not sure why these settings can’t be done via normal templates. Fortunately, there is another way to specify the proxy settings, and that is with registry keys. I’ve set that up and it’s working fine in our mixed environment. I used the Registry Wizard within GPP to capture the settings on a correctly configured PC and they are now there ready to be modified as needs be.
The following keys I added are as follows
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
-
"ProxyEnable"=dword:00000001
-
"ProxyServer"="10.1.1.12:8080"
-
"ProxyOverride"="http://*.internal.lan;https://*.internal.com;<local>
-
The Bottom Line
If possible, use the most up-to-date OS to configure your group policy settings from, if not, deploy registry keys through group policy preferences
P.S. I got a lot of useful pointers from the Spiceworks Community, especially this article and this one
P.P.S. If you want to send out Favourites via Group Policy you can check out my “How To” article Using Group Policy Preferences to deploy Favorites to Internet Explorer
Thank you very much for this guide, I have been struggling with this issue for more than a week, looks like I have it sorted now thanks to your guide.
LikeLike
That’s great news. GLad it helped
LikeLike
I’ve been Googling all day, and can’t find one place where M$ says “you can’t do it the easy way anymore, this is the one official way to do it now that we’ll be supporting”. They say, either use this IEAK bulls***, or use these GPP things. Nothing beyond that. I’m sure that when they do release their official tool (once there’s enough industry backlash that they’re forced to) that they’ll make sure all these hokey registry hacks will still work.
LikeLike
What do you mean “when they do release their official tool”? AFAIK there isn’t going to be one.
Group Policy Preferences is the official tool.
It’s really annoying Microsoft haven’t clearly communicated this. I too get frustrated with all the talk of IEAK. That’s completely sending people down the wrong path
LikeLike
The secret is the F5 key. If you use the F5 key when creating the GPO then it will save.
LikeLike
Thanks for this, this was a massive help especially the reg keys as the proxy server details were not being applied by the group policy preference, once we add the new reg key to the preferences it worked. Thanks again!
LikeLike
You are a genius!!! Thanks.
LikeLike
:blush: 😉
LikeLike
What is the ProxyOverride setting? Obviously the ProxyServer setting is the IP address of your proxy. Are those entries for ProxyOverride standard for all installations?
LikeLike
The Proxy Override settings are where you tell internet explorer to not use the Proxy Server. This is useful if you have an internal website/intranet that IE can find without going to the proxy server first.
If you don’t have any then you can leave that setting absent
LikeLike
what is the type of the “ProxyServer” and “ProxyOveride” settings
LikeLike
They are Strings (Reg_SZ)
LikeLike
Thanks for the info thommck, would you happen to know what the hack is to enable ‘bypass proxy server for local addresses’ ? for some reason even if i add the IP address for my local term server, it still gets blocked by the proxy until i check the ‘bypass’ box. appreciate it and thanks so much.
LikeLike
The setting needs have at the end for it to work
“ProxyOverride”=”http://*.internal.lan;https://*.internal.com;
LikeLike
adding “ProxyOverride”=”http://*.internal.lan;https://*.internal.com; did the trick..thanks thomm…you’re awesome 🙂
LikeLike
Thank you!
LikeLike
Thank you, It´s great
LikeLike
Thanks you. Followed your instructions and it worked in our mixed environment too. You are a life saver.
LikeLike
You’re welcome. Glad it helped 🙂
LikeLike
Thanks Thom, your solution works for me. Was dealing with this issue since Mickeysoft came with IE11. The default IE proxy GPO’s didn’t apply to IE11 anymore and until now I didn’t find an easy solution. Thanks!
LikeLike
Hmmm. No wonder they GPP interface is clunky. I suspect the naming was deliberate. Somebody at Microsoft is probably a Hitchhiker’s Guide fan.
LikeLike
I have a small domain(several for different customers actually) and some users connect to spearate networks using SSL SPN connections generated by websites. These VPN’s are not accessible by the proxy server(part of the internet gateway), so any address within that VPN must bypass the proxy. The domain was upgraded to server 2012 last May, but only last week dropped the IEM settings so this is my first taste of GPP.
The registry capture seems like a good workaround, the best I can hope for I suppose considering the basic broken-ness of the tool in the first place. But if it is another year before I need to look at this again, and if I don’t remember this workaround then I may just have to drop group policy altogether and configure each user manually.
When investigation into making a process more efficient takes longer than doing it the hard way in the first place, then you are really counter-intuitively working harder not smarter.
LikeLike
One more thing I just found. “User the same proxy..protocols” automatically checks itself if all specified protocols use the same port. In my case, I cannot know the ports used in the various SSL VPN connections, so I cannot specify them. I guess I just need to specify a dummy port for socks, just to have something different.
LikeLike
Hi there, The ProxyEnable setting is not ticking the box setting the proxy on. The box is greyed out however.
Any ideas?
IE11 on windows 7 and 8.1.
LikeLike
If the box is greyed out then it looks like the setting is coming across.
On the computer, open regedit and check that the Proxy Enable key is set to 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
You may want to run “gpresult /r” to confirm that the policy did actually apply
LikeLike
Hey! Here is hotfix for that! http://support.microsoft.com/kb/2928422
LikeLike
HI thanks for the info worked like a charm, just the proxyoverride it is inserting the information but not enabling ProxyOverride. any help would be appreciated
LikeLike
@Louis, do you mean the “Bypass Proxy..” box isn’t checked but the URLs are listed in the advanced bit?
Make sure you have as one of the entries in the ProxyOverride registry value, as in my example in the article
LikeLike
That is correct all the info is there in the advanced tab but the bypass proxy is not selected, I have check the regedit rule and all looks okay, have recreated the ProxyOverride rule and copied the above, still no joy
sorry I don’t know how to get the span shot here so you can see.
Thanks tommck
LikeLike
You can export the registry settings from a PC it works on (I.e. That you’ve set manually through internet options) and compare that to your GPO. Paste them here to if you like, don’t worry about the format
LikeLike
I manage a small local gov’t office network and have been searching for a way to limit access in our public records room to just the local intranet site. I couldn’t believe there was no easy way in group policy to block all sites by default and then whitelist the one site.
Finally I found a suggestion of setting the proxy server to localhost, and adding the local site to the bypass list. But finding where the heck to set this in GP was driving me nuts until I found your blog post here. Worked like a charm! 5 minutes and a reboot to apply the settings later, everything is nicely locked down to the local site.
A huge thanks for posting this!!!
LikeLike
That’s a nice little trick, glad I could help 🙂
LikeLike
I had same Problems with an existing ie policy. Registry keys were there after gpupdate, but ie 11 wasn’t configured.
The reason was the Proxy Setting for Gopher. There is no Gopher Proxy entry within ie 11.
After i removed the Gopher proxy entires from the policy all was fine.
LikeLike
Hi Thom,
I tried to follow you guide and did everything and still I can’t get the Proxy details to work.
I’m changing the registry from the GPO but they don’t show on the machines (Other GPO rules does apply and work as it should).
Any thoughts?
Thank.
LikeLike
If you use gpresult on a client does it say the policy has applied? Any errors should show up in the local event viewer.
Also, try deploying a unique word in a reg string in the same location and then you can search for it with regedit to check it is going to the correct path
LikeLike
Thank you for your fast reply. you’re awesome! 🙂
The policy dose apply and no errors in events.
Already tried your segregation about the unique value and it doesn’t show.
I tried setting the proxy manually and the search for in the registry, I found the it and then after a restart, when the GPO policy should apply, the value at that registry disappeared but my GPO value won’t show…. just an empty field.
Any more ideas?
Dori.
LikeLike
Update:
Was able to change to registry by changing the specific path value, something like this one:
S-1-2-34-123456789-123456789-123456789-1234\Software\Microsoft\Windows\CurrentVersion\Internet Settings
(I changed the numbers on the path)
but I’m guessing this numbers are unique so it won’t work on other users or computers (I can’t check this as I’m doing this in a demo environment).
Any ideas?
Dori.
LikeLike
One last thing, The hive location is HKEY_USERS.
Thanks,
Dori
LikeLike
Sometimes the best thing to try is deleting the policy and starting again from scratch.
Did you manually create the keys or did you import them from another machine? If you import them from a working PC (that you set locally through regedit) then that should remove the possibility of a syntax error.
Also try changing the method of each GPP entry to ‘replace’ rather than ‘update’
LikeLike
You need to put it in the HKCU hive for it to work. Try attaching a screenshot of your settings like mine above from GPMC so I can see if there are any obvious mistakes
LikeLike
Thanks you. Followed your instructions and it worked in our mixed environment too. nice and easy.
LikeLike
The Automatically detect settings checkbox is checked in all pc, how disable them?
LikeLike
It looks like this is set in the following key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
but it’s not a simple 0/1 value.
You’d be best importing the DefaultConnectionSettings value from a configured PC but you can read more about the hex values it stores here
http://bit.ly/1r3wGqg
LikeLike
this was available under current machine and not user…now i have the connection tab.
LikeLike
thanks for your reply. I have tested this variant discussed in the article you suggested me:
” I would like to share what I have discovered in RegMon since last year and tested working. Just shared this in the Internet, sorry for the delay. =)
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
AutoDetect = 1 (DWord value)
– enables “Automatically detect….”
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
AutoDetect = 0 (DWord)
-disables “Automatically detect….”
The solution is pretty straight forward. I could not see any MS post/blog advising this setting.
Note: This is a “volatile” registry item which disappears after applying changes, bottom line, it should work.
You could simply implement this setting in GP Preferences. Please vote and feedback if it works!
Tested in IE8/IE10/Windows 7 and 8
Proposed as answer by Mon Laq Friday, January 03, 2014 3:00 AM “”
work fine in this momment but now not only does not work, all the connection data are deleted and if I check the registry the data exist. I do not understand why this happens?
LikeLike
Hi please help. I also have this issues and create the registry key solution and also included AutoConfigURL and DefaultConnectingSettings to wipe any settings that may have been there already.
Now this works, but each time the Group Policy refreshes, it looses the settings, it seems that every consecutive does not work. I cant find a single article. and already tried the slow gpo settings.. this is so annoying, i have wasted so much time on such a simple. thing. i am about to blast our microsoft ea manager..
LikeLike
Hi, this was really helpful – thank you! I managed to create a GPO with Loopback and Proxy settings. But somehow +#+*$” IE didn’t pick up the Proxy Server itself within the policy. I had all set, startpage etc. but not the Proxy server. I just said *#@& it, and prepared a reg file with the HKEY USER settings. This is set via GPO script at logon c:\Windows\regedit.exe /S myfile.reg. We need just to copy it across in the correct sysvol folder. puuh, what a hassle. cheers from Frankfurt
LikeLike
That’s strange. If the reg settings work as a logon command they should work as a GP Preference.
Can I ask why you enabled loopback? That’s always caused lots of problems for me with GP
LikeLike
Thommck, yes exactly, I don’t get it. All set, but only the proxy server entry NOT. It’s greyed out, because I don’t want the users to change them. I even see in IE 10 port 80, so like the proxy server setting is not configured. When the reg file is processed all works like a charm. I’ll probably give it a try and make the proxy settings changeable for all users. So I can test with that in our lab. Anyway, it works with this reg setting:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
“ProxyServer”=”http=proxy.domain.com:port;https=proxy.domain.com;ftp=proxy.domain.com;socks=socks.domain.com”
I had to enable loopback, because we’re working in an remote desktop environment. We just need this proxy for connecting with a big IT provider and send data via VPN. We’re connecting to them with an extra router. In our local environment we’re directly connected to the Internet, no need to set a proxy. So I need seperate IE settings only for the RDP servers. Our RDP are in a seperate OU and loopback is the only option, because otherwise I would set the proxy for all users. That is what we don’t want.
LikeLike
Hi thommck,
do you have any issue on the client if you changes the Registry key ?
may i know what kind of OS have you tried?
cause i have an issue for all OS(Win7, Win8, Win8.1) who is using IE 10 above.
i really hope your advice solve my issue.
Thanks
LikeLike
I’m using Windows 7 and we have no issues
LikeLike
No luck here, i have Windows 8.1 and EI 11, Ei is not taking the proxy settings defined exactly as you have it here, any ideas??
LikeLike
I have some users still on IE9 and it seems the IEM settings for proxy are also applied to the system account.
Is it possible to make them apply to only real users and not the system account as well.
We can see that it adds ProxyEnable and ProxyServer to the HKU\.Default ….. Internet Settings subtree in the registry.
I really need the system account to have no proxy settings applied !
LikeLike
Hi,
Please help me to enable the proxy sever and bypass proxy server in internet explorer-11, i have tried the above steps but still same.
Kindly help me to resolve the issue.
Regards,
Ganesh
LikeLike
This site helped me a treat:
http://www.blackforce.co.uk/2013/12/04/configure-internet-explorer-ie-11-home-page-proxy-settings-in-group-policy-preferences
Turns out the problem is that its not a bug with the GPO Preferences, you need to press F6!
Hope it helps folks out 🙂
LikeLike
Yes, that’s a common mistake for GPP newbies. It’s always based to disable all of the preferences with F8 then only enable the one you are changing with F6.
This helps avoid conflicts with any GPPs higher up in the chain
LikeLike
Thanks for this article.
The issue I am having is that I have added AutoConfigURL registry key to have IE 10 PAC server point “Use Automatic Configuration Script” field to our PAC server URL. I have registery key but no URL showin in IE LAN settings.
Look forward to you help
LikeLike
I just want to say this. After all this running around solving this issue regarding IE9 and above to click with group policy proxy setting in WS 2012 yet there is never an end it.
WHY THE HELL MICROSOFT FIXED SOMETHING THAT WAS NEVER BROKEN?????
I work in a medium sized domain and since installing Server 2012, the problems started.
So, Microsoft, why were you stupid enough to change something so simple?
LikeLike
Also, I’m fed up with this farce. Thanks Microsoft, you have really goofed up.
LikeLike
Extracted registry settings from win 8.1 PC, applies to the clients but did not update on the servers server 2008 and 2012. Can please advise. Thanks.
LikeLike
Can someone tell me how to remove these settings once applied; I have an administrator account that I font want these proxy settings to apply too? If I set to proxy diasbled or remove the policy it still gets applied?
Thanks
LikeLike
Did you follow the red/green article I linked to?
LikeLike
Hi, Thanks for reply. Yes checked the red/green, but not relevant I believe.
I have the registry settings in preferences to add the registry proxy settings; works fine. I want to remove them now, but they still apply?
Any ideas? Thanks!
LikeLike
First of all, thanks for the solution. It worked pretty slick. I was wondering if anyone has had success using escapes in the registry. For example: http://www.google.com\\news\\store123\\somethingmore. I tried that, but it almost uses it as a wildcard and allows everything. I also wondered if anyone has figured out how to do a loopback policy to allow administrators full browsing. I tried using GP filters, but it prevents the policy from applying. Any ideas?
LikeLike
Hi,
It about Proxy Override option.
In my case PoxyOverride worked with Value= ;
If I update Intranet sites e.g. https:\\*.mydomain.com , it wont work, so better I used to by pass it.
May be you have to update end statement in you about mentioned step >; is missing and it creates confusion.
LikeLike
This also work in the HKLM portion of the registry, you just have to select a GPO setting to Make proxy setting system wide, and then import this into your registry substituting registry insertion points with from HKCU to HKLM.
LikeLike
Hi thanks so much for this, been really helpful. Is there a regkey for forcing the tick box “Automatically Detect Settings” to be unticked and/or “Use The Same Proxy Server For All Protocols” to be ticked?
Thanks!
Richard
LikeLike
The override settings are not working at all. Setting:
https://site.domain.com;https://site.domain.net;;
does absolutely nothing. The proxy still blocks the whitelisted site. Does anyone have an example of a known-working exception list?
Thanks
LikeLike
any script powershell for configure proxy settings?
LikeLike
thanks for this
when running the registry changes, can you also Disable the Connections Tab or remove access ?
LikeLike