Hey Folks!
The RC1 build of IEAK 8 can be found Here.
Please download and test this version of the IEAK and report any issues, or potential bugs. We aren’t getting a ton of feedback on the IEAK and it’s unlikely that we will catch every issue that crops up, internally. Command line switches and little used options within the IEAK would be a great start.
Thank you all in advance for your time and effort!
Regards,
The IE Support Team
The brndlog.txt file shows how Internet Explorer was branded during user logon. The Brndlog.txt is the log file generated by the IE client-side extension iedkcs32.dll. This file contains branding information from IE Maintenance Policies and will be the most important item to gather during troubleshooting IE Maintenance Policies.
IMPORTANT: Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences. Read More...
The location for the logfile varies depending the OS:
| WinXP and Server 2003 | Vista, and beyond: |
| %USERPROFILE%\Local Settings\Application Data\Microsoft\Internet Explorer | %USERPROFILE%\AppData\Local\Microsoft\Internet Explorer |
When the branding itself is applied, information about the branding is stored in the logfile brndlog.txt, and the logfile for the previous branding has been renamed to brndlog.bak
When branding has been applied the last brndlog.txt is remaned to brndlog.bak, and the new one is named brndlog.txt.
As multiple branding can be applied you can also set the following regkey so the brndlog.txt is not overwritten - which is especially useful when analyzing new profiles, or GPOs, where multiple processes are spawned:
For IE8:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\8.0]
(DWORD)"DebugAppendBrndLog"=1
For IE9:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\9.0]
(DWORD)"DebugAppendBrndLog"=1
The Brndlog.txt file contains Internet Explorer maintenance policy branding information. It may also contain branding information from IEAK packages and manually created Install.ins files (usually used with Auto-configuration). The first step in reviewing a Brndlog.txt file is to confirm that the settings are coming from Group Policy.
Determine the method of Branding by looking for the /mode section after the Command Line.
Branding Internet Explorer...
Command line is "/mode:corp /peruser".
Global branding settings are:
Context is (0x01A00002) "Corporations, running from per-user stub";
Settings file is "C:\Program Files\Internet Explorer\Custom\install.ins";
Target folder path is "C:\Program Files\Internet Explorer\Custom".
Done.
Branding Internet Explorer...
Command line is "BrandInternetExplorer /mode:gp /ins:"C:\Documents and Settings\test3\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\INSTALL.INS" /flags:eriu=1,favo=1,qlo=1,swu=1,sbs=1".
/mode:gp - indicates branding is coming from Group Policies.
/mode:corp /peruser - Indicates an IEAK brand is taking place.
Global branding settings are:
Context is (0x02800200) "Group Policy, preference settings";
Target folder path is "C:\Documents and Settings\test3\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0
Global branding settings are:
Context is (0x00800200) "Group Policy";
Settings file is "C:\Documents and Settings\test3\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\INSTALL.INS";
NOTE: Remember that Preference Mode settings are only applied ONCE - even if you execute gpupdate /force.
Favorite is not created
05/11/2007 17:52:14 Preprocessing "Title31" title key...
05/11/2007 17:52:14 Preprocessing "URL31" URL key...
05/11/2007 17:52:14 Failed with E_NOTIMPL.
See the following KB
967728 You cannot deploy favorites with URLs that contain the % character: http://support.microsoft.com/default.aspx?scid=kb;EN-US;967728
IE-Branding needs 20 seconds to be executed
10/25/2007 10:36:37 Refreshing browser settings...
10/25/2007 10:36:37 Broadcasting "Windows settings change" to all top level windows...
10/25/2007 10:36:57 Done.
You will see the gap of 20 seconds between the line Broadcasting … and Done
Typically the issue is solved after installing the following KB + settings its FeatureControl-key
There is also one exception, in which this issue can occur, but the fix is not solving the issue:
In case that IEM including a security-import (seczones-processing) was enabled for the user, but has been removed, the delay occurs for one time when the seczones are reset to default. In this case, brndlog.txt will contain the following lines:
12/14/2010 11:05:53 Processing reset of zones settings...
12/14/2010 11:05:53 "RegInstall" on "IEAKReg.HKCU" in "urlmon.dll" returned S_OK.
12/14/2010 11:05:53 Done.
12/14/2010 11:05:53 Done.
12/14/2010 11:05:53 Refreshing browser settings...
12/14/2010 11:05:53 Broadcasting "Windows settings change" to all top level windows...
12/14/2010 11:06:13 Done.
The information, that previously secimport has been done is indicated by the following regkey:
[HKCU\Software\Microsoft\Ieak\BrandedFeatures]
(DWORD)"Zones.Hkcu"
Therefore it is a good idea to remove the key [HKCU\Software\Microsoft\Ieak\BrandedFeatures] from a mandatory profile in order to prevent the delay with every logon, when you removed Securityzones import in IEM.
03/10/2010 15:30:50 Processing local machine policies and restrictions...
03/10/2010 15:30:50 ! processExtRegInfSectionHelper for section"ExtRegInf.Hklm".
03/10/2010 15:30:50 ! Key is "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".
03/10/2010 15:30:50 Not Delaying executing C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\seczones.inf.
03/10/2010 15:30:50 ! Execution of section [IeakInstall.Hklm] in "seczones.inf" failed with E_ACCESSDENIED.
03/10/2010 15:30:50 ! Key is "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".
03/10/2010 15:30:50 Machine is not hardened
03/10/2010 15:30:50 Done.
03/10/2010 15:30:50 Processing current user policies and restrictions...
03/10/2010 15:30:50 ! processExtRegInfSectionHelper for section"ExtRegInf.Hkcu".
03/10/2010 15:30:50 ! Key is "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".
03/10/2010 15:30:50 Not Delaying executing C:\Documents and Settings\test\Local Settings\Application Data\Microsoft\Internet Explorer\Custom Settings\Custom0\seczones.inf.
03/10/2010 15:30:50 ! Execution of section [IeakInstall.Hkcu] in "seczones.inf" failed with E_ACCESSDENIED.
03/10/2010 15:30:50 ! Key is "SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}".
03/10/2010 15:30:50 Machine is not hardened
03/10/2010 15:30:50 Done.
In this sample, the policy Security Zones: Use only machine settings was enabled, but a normal user logged on. The normal user has no permissions to write into [HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings] and therefore the GPO cannot be applied and fails.
For these types of scenarios, we encorage customers to change from IEM to the policy-templates ( e.g. the Internet Zone Template and Site to Zone Assignment List ), because the machine-based settings would also change if different users with different settings log on to the server.
05/20/2010 14:32:06 FCK not set to allow autoconfig branding, or Automatically Detect Settings is checked under LAN Settings
973529 Automatic configuration does not work in Internet Explorer 8 : http://support.microsoft.com/default.aspx?scid=kb;EN-US;973529
[ You need to set the FCK FEATURE_AUTOCONFIG_BRANDING ]
Besides of the FCK mentioned above, you may receive this lines in brndlog.txt:
05/20/2010 14:44:00 Branding Internet Explorer...
05/20/2010 14:44:00 Command line is "/mode:autoconfig /ins:"C:\Documents and Settings\test\Temporary Internet Files\Content.IE5\EPM0UQFI\install[1].ins"".
05/20/2010 14:44:00 ! NoExternalBranding restriction is set. Branding will not be applied.
05/20/2010 14:44:00 Done.
This occurs, if the policy Disable external branding of Internet Explorer has been enabled.
In case that you do not want to remove IE Maintenance from a policy, you need use the context menu on"Internet Explorer Maintenance" within the "Group PolicyEditor" and choose "Reset browser settings". This will remove
the current settings to apply anymore, but the client side extension will still be applied, e.g. in order to reset security settings when they were configured in the policy as mentioned above.
When you want to remove the extension from the policy at all, please follow the steps outlined in the following KB:
2722241 Policy reporting tools indicate empty Internet Explorer Maintenance policy as winning: http://support.microsoft.com/kb/2722241/EN-US
If you are wondering how your local system account is getting proxy settings even though you have applied proxy settings only for users, this post will help you.
Here you will see the proxy settings set in Local system account:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
The applications which run in system context might stop working if the Local system account contains proxy settings or any undesired settings which are not set by system administrator.
Here is how the user base settings can get written to Local system account registry key.
When you use Internet Explorer Maintenance Group Policy to set user based connections settings, it provides you with two options:
| IMPORTANT: Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences. Read More... |
If you choose Connection Settings options to set connection settings for the user, it causes this behavior.
To test it yourself, try setting this GPO in your local computer using Local group policy editor.
Expected Results:
"Proxy Server" settings of connection should not apply to HKEY_USERS\.DEFAULT. \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.
Actual Result:
“Proxy Server" settings of connection gets added here: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.
What we recommend:
The respective proxy settings part of IEMaintenance should be used. User Configuration - WindowsSettings - Internet Explorer Maintenance- Connection-Proxy Settings
NOTE: If you have configured connection settings and then try to click on proxy settings, you are presented with following warning by the policy editor:
It tells you that proxy settings will overwrite the imported connection settings.
This warning applies to the user scope only.
It is of no use to profiles that are not in scope to receive user-based Internet Explorer policy settings (such as the SYSTEM registry profile). So remember that the system base settings added by connection settings will still exist and user based proxy settings will be overridden.
Once you click on OK, you are presented with the following dialog box:
You can then use following articles to configure proxy settings.
If this is proxy settings for a specific dial-up connection:
If it needs to have the same proxy settings as LAN, then DialUpUseLanSettings is the best approach as mentioned in http://support.microsoft.com/kb/839571
Connection Manager Administration Kit
You can also use PowerShell and GPO.
I hope this helps and solve the mysterious question of why your local system account gets user based proxy settings.
In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.
By default, IE Enhanced Security is enabled in Windows and this setting could impact some web applications. In this case scenario, it affected a script from executing for Standard users.
Other scenarios, the user cannot see the items in the trusted site zone settings.
Objective: To change the IEHarden registry key for the users using Group Policy Preferences Registry configuration.
Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.
Applies To: Windows 2000, Windows 2003, Windows 2008, Windows 2012 Servers running Terminal server configuration. Including R2 versions.
Scenarios:
Screenshot:
NOTE: You may also want to check the following registry keys if this value alone does not help resolved your case scenario. In most cases, this is not needed!
Another way to get the key change is using a batch file, you can easily use the REG.exe to change the settings.
Examples
ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
::Disables IE Harden for user if set to 1 which is enabled
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
ECHO OFF
REM IEHarden Removal For Users
REM HasVersionInfo: Yes
REM Author: Axelr
REM Productname: Remove IE Enhanced Security for users
REM Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991
:: Deletes the IE Harden for users
REG DELETE “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f
REG DELETE “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f
REG DELETE “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f
HOW DO I KNOW THE GPO IS WORKING?
In this example, we are using Computer Configuration GPO to target the Internet Explorer TabShutdownDelay registry setting. However, you can perform the same steps at the User Configuration setting from the GPMC console!
OBJECTIVE: To change the TabShutdownDelay registry key for the computer Group Policy Preferences Registry configuration.
REQUIREMENTS: Be familiar with GPMC.MSC console and Group Policy Preferences.
STEPS 1
Open GPMC.MSC console and from the left hand pane, expand: Computer Configuration / Preferences / Windows Settings and Right Click on the Registry object and select New > Collection Item
NOTE: The Collection Item will allow you to better organize the Registry Item Configuration!
STEP 2
Rename the Collection Item to: TabShutdownDelay. Right click and select rename!
STEP 3
Right Click on the newly renamed item and select New > Registry Item
STEP 4
From the New Registry Properties Dialog, mirror the following settings:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\Internet Explorer\MAIN
Value Name: TabShutdownDelay
Value type: REG_DWORD
Value data: 0
IMPORTANT: Please note that on 64-Bit Operating Systems, Internet Explorer also uses x86-processes. Therefore you should also include the Wow6432Node registry-key!
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN
Value Name: TabShutdownDelay
Value type: REG_DWORD
Value data: 0
SCREENSHOT:
Apply and OK to configure the policy!
NEXT: Test your GPO
The best way to test the GPO is to go to the client and run the GPUpdate /Force Command and check the Registry key location for changes.[YOU MAY HAVE TO RUN THIS COMMAND USING AN ELEVATED COMMAND PROMPT!]
You should expect to see the following registry entry:
REGISTRY: HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main
NAME: TabShutdownDelay
VALUE: 0 (DECIMAL)
This blog has been provided to you by the IE Support team!
In this blog, I will share one scenario where we the IE11 installation failed with Error 9c59 error.
SCENARIO:
NOTE: This error are more often seeing out of Managed Windows Client machines (Windows client machines built out of a master image used in VDI or desktop imaged environments) were prerequisites and or language packs for IE11 do not exist or corrupt exist.
NOTE: If the steps above did not help resolved your scenario, you should consider the related article below for other possible steps you could take.
RELATED ARTICLE:
Today we release a new article on How to create an all-inclusive deployment package for Internet Explore 11, including the all the prerequisite updates, language packs, and spelling dictionaries plus the latest cumulative security updates in a single restart. This is a great help for business that are looking for guidance on implementing such solution and move to IE11 considering that only the most recent version of Internet Explorer available for supported OS will receive technical support and security updates after January 12, 2016. see the Microsoft Support Lifecycle site for more details regarding support timelines on Windows and Windows Embedded systems.
Kudos to the Microsoft Support Engineers that collaborated in producing the article and share it with everybody!
NOTE:
One issue we saw before with the SCCM deployment had to do with the Package path for x64 OS [%systemroot%\SysNative\] which someone had written a batch file for it and included below:
x64 Batch:
@ECHO OFF
REM ECHO Installing IE 11 prerequisite: KB2834140
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2834140-v2-x64.cab /quiet /norestart
REM ECHO Installing IE 11 prerequisite: KB2670838
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2670838-x64.cab /quiet /norestart
REM ECHO Installing IE 11 prerequisite: KB2533623
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2533623-x64.cab /quiet /norestart
REM ECHO Installing IE 11 prerequisite: KB2731771
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2731771-x64.cab /quiet /norestart
REM ECHO Installing IE 11 prerequisite: KB2729094
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2729094-v2-x64.cab /quiet /norestart
REM ECHO Installing IE 11 prerequisite: KB2786081
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2786081-x64.cab /quiet /norestart
REM ECHO Installing IE 11 Main Application
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0IE-Win7.cab /quiet /norestart
REM ECHO Installing IE cumulative security update
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0IE11-Windows6.1-KB3093983-x64.cab /quiet /norestart
exit
Hi everybody!, in this blog we are covering most if not all of the available options you have today to manage your Proxy configuration settings using Group Policies. We hope this blog be helpful for your Internet Explorer 11 migration!.
As you know, the IE Maintenance used to configure proxy and other IE Settings was first deprecated in IE10 in favor of Administrative Templates and Group Policy Preferences. Any machine with IE10 and higher will NOT be able to use the IEM policies. IEM is still available for IE9 and lower.
NOTE: Please read the article [http://technet.microsoft.com/en-us/library/jj890998.aspx] for more detailed information about the changes and other policies!
We are presenting different case scenarios to provided clarity on the options you have today, once you upgrade to IE11!
Goal: How to configure proxy settings for IE10 and higher.
We have 2 ways we can achieve the desired outcome:
In order to reach what do we require, we need one of the following machines added in the Domain:
After installing the Group Policy Management Feature, ensure the following updates are installed:
A) Considering you have chosen any of the above machines, just open the Group Policy Management Console (required Administrator rights to edit policies)
From START/RUN window, Type GPMC.MSC to open the console.
B) Then you need to choose the group policy item in which you create settings and go to the following path:
User Configuration / Preferences / Control Panel Settings / Internet Settings / New / choose Internet Explorer 10 (Right-Click or Double-click to open the settings)
Note: You need to select the option of Internet Explorer 10 in Group Policy Preference (GPP) to apply the settings for Internet Explorer 11 as the same settings apply to Internet Explorer 11.
REF: How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2 – https://support.microsoft.com/en-us/kb/2898604
NEXT: From the properties, click on the Connections Tab / LAN Settings 
C) Reaching the LAN Settings, we notice that is similar to the Internet Control Panel.
We have the same options to create a proxy configuration:
D) The first thing we notice is that we have red underline settings:
Settings which are underlined in red are not configured at the target machine, while settings underlined in green are configured at the target machine.
In order to change the underlining, use the following function keys:
F5 – Enable all settings on the current tab
F6 – Enable the currently selected setting
F7 – Disable the currently selected setting
F8 – Disable all settings on the current tab
Article reference: http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
E) Configuring each setting in particular.
I would encourage pressing a F8 to disable all before configuring anything as the recommended scenario is to configure only the settings you want to apply.
Automatically detect settings, with the option checked:
Use an Automatic Configuration Script (AutoConfigURL) example [Remember to use F6 to enable this entry!]
Static Proxy Server configuration example [Remember to use F6 to enable this entry!]
Key path / location for the registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Registry key: “AutoDetect”
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable
The key AutoDetect is only visible before you start IE10 (or IE11) on the machine, as IE will interpret it immediately and then delete the key right after. By that, the option will have its preference nature.
Registry Key: “AutoConfigURL”
Value Type: REG_SZ
Value Data: “http://<servername|host>/my_proxy.pac”
To configure this, you may need up to 3 registry keys:
“ProxyEnable” checkbox for “Use a proxy server for your LAN (these settings will not apply to dial-up or VPN connection)”
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable
“ProxyServer”
Value Type: REG_SZ
Value Data: “ProxyServerName:Port”
“ProxyOverride”
Value Type: REG_SZ
Value Data: “list_of_exclusion”
Value Data: “list_of_exclusion;<local>”
<local> value represents the check: “Bypass proxy server for local addresses”
The value is added automatically when enabling the check box in the GPP User Interface (UI).
When deploying through the registry key is required.
You have different ways you can deploy the registry keys. The only important aspect is to deploy correctly the registry keys provided above.
But in this article I will present how it can be done via GPP Registry Item:
Location of the policy: User Configuration / Preferences / Windows Settings / Registry / Right Click + New + Registry Item
| REGISTRY AND SETTING CONFIGURATIONS |
| “Automatically detect settings”
Action: Replace Hive: HKEY_CURRENT_USER Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: “AutoDetect” Value Type: “REG_DWORD” Value Data: “0” or “1” 0 = Disable 1 = Enable
|
| “Use automatic configuration script”
Action: Replace Hive: HKEY_CURRENT_USER Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: “AutoConfigURL” Value Type: “REG_SZ” Value Data: “http://<servername>/my_proxy.pac”
|
| “Use a proxy server for your LAN (These settings will not apply to dial-up for VPN connections)”
Action : Replace Hive: HKEY_CURRENT_USER Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: “ProxyEnable” Value Type: “REG_DWORD” Value Data: “0” or “1” 0 = Disable 1 = Enable
|
| Proxy Server : “ ProxyServerName:Port”
Action: Replace Hive: HKEY_CURRENT_USER Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: “ProxyServer” Value Type: REG_SZ Value Data: “ProxyServerName:Port”
|
| “ProxyOverride”
Action: Replace Hive: HKEY_CURRENT_USER Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings Value Name: “ProxyOverride“ Value Type: “REG_SZ” Value Data: “192.168.1.*;*.domain.com;<local>”
|
| “Bypass proxy Server for local addresses”
The option is represented by the entry “<local”> added in ProxyOverride setting value data.
|
RELATED ARTICLES:
How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP) ?
How to use GPP Registry to uncheck automatically detect settings?
HOW TO CONFIGURE A PROXY SERVER URL AND PORT USING GPP REGISTRY ?
Tips for making sure your “Top sites” display your frequently visited sites over time:
We are seeing an increase interest in updating to Internet Explorer 11 due to the upcoming changes in support outlined in the blog below:
Stay up-to-date with Internet Explorer – http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx
“After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support. For more details regarding support timelines on Windows and Windows Embedded, see the Microsoft Support Lifecycle site.”
In this quick blog post, we are including a link to a TechNet article “Internet Explorer 11 – FAQ for IT Pros” where in one of the Q/A, we outline the requirements for IE11.
What operating system does IE11 run on?
Windows 10
Windows 8.1
Windows Server 2012 R2
Windows 7 with Service Pack 1 (SP1)
Windows Server 2008 R2 with Service Pack 1 (SP1)
Creating an all-inclusive deployment package for Internet Explorer 11
Tool to Scan your site for out of date libraries, layout issues and accessibility:
In this quick post, we are sharing a scenario you may encounter and how you could fix it.
When installing Internet Explorer 11 on the Windows 2008 R2 Master image build that is normally used for their Citrix Farm, the installation rolls-back after a reboot.
The same behavior was observed when the prerequisite KB2670838 was installed. After a reboot, this was also triggering the roll-back behavior.
The CBS.LOG gave us more information about the failure which indicated an access denied was occurring during the update.
The error code: 0xc0000022 can easily be identify in the below cbs [%windir%\logs\cbs\cbs.log] log sample; Suggesting several attempts by the SPP Installer service[sppsvc ] failing with the access denied:
2015-10-14 14:58:30, Info CSI 00000072 Begin executing advanced installer phase 38 (0x00000026) index 234 (0x00000000000000ea) (sequence 273) Old component: [l:0]””
New component: [ml:308{154},l:306{153}]”Microsoft-Windows-MSMPEG2VDEC, Culture=neutral, Version=7.1.7601.16492, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS”
Install mode: install Installer ID: {1b265fd2-721c-4e59-ad55-9d102a5d1d7f}
Installer name: [12]”SppInstaller”2015-10-14 14:58:30, Info CSI 0000000f@2015/10/14:18:58:30.153 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 0) completed with hr=0xc0000022“
2015-10-14 14:58:30, Info CBS Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 72.
2015-10-14 14:58:31, Info CSI 00000010@2015/10/14:18:58:31.245 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 1) completed with hr=0xc0000022“
2015-10-14 14:58:32, Info CSI 00000011@2015/10/14:18:58:32.322 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 2) completed with hr=0xc0000022“
2015-10-14 14:58:33, Info CSI 00000012@2015/10/14:18:58:33.414 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 3) completed with hr=0xc0000022“
2015-10-14 14:58:34, Info CSI 00000013@2015/10/14:18:58:34.490 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 4) completed with hr=0xc0000022“
2015-10-14 14:58:35, Info CSI 00000014@2015/10/14:18:58:35.567 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 5) completed with hr=0xc0000022“
2015-10-14 14:58:36, Info CSI 00000015@2015/10/14:18:58:36.643 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 6) completed with hr=0xc0000022“
2015-10-14 14:58:37, Info CSI 00000016@2015/10/14:18:58:37.719 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 7) completed with hr=0xc0000022“
2015-10-14 14:58:38, Info CSI 00000017@2015/10/14:18:58:38.796 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 8) completed with hr=0xc0000022“
2015-10-14 14:58:39, Info CSI 00000018@2015/10/14:18:58:39.872 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 9) completed with hr=0xc0000022“
2015-10-14 14:58:40, Info CSI 00000019@2015/10/14:18:58:40.886 [155]”SPP Installer: ProcessInstallOrUninstall (amd64_Microsoft-Windows-MSMPEG2VDEC_31bf3856ad364e35_7.1.7601.16492_neutral_b36d391) completed with hr=0xc0000022“
2015-10-14 14:58:40, Error CSI 0000001a@2015/10/14:18:58:40.886 (F) CMIADAPTER: Inner Error Message from AI HRESULT = c0000022 [Error,Facility=(0000),Code=34 (0x0022)] [(null)][gle=0x80004005]
2015-10-14 14:58:40, Error CSI 0000001b@2015/10/14:18:58:40.886 (F) CMIADAPTER: AI failed. HRESULT = c0000022 [Error,Facility=(0000),Code=34 (0x0022)] Element: [163]”<sppInstaller xmlns=”urn:schemas-microsoft-com:spp:installer” xmlns:manv3=”urn:schemas-microsoft-com:asm.v3″
Here we see the rollback:
2015-10-14
14:58:40, Error [0x01803c] CSI 00000076 (F) Failed execution of queue item Installer: SppInstaller({1b265fd2-721c-4e59-ad55-9d102a5d1d7f}) with HRESULT c0000022 [Error,Facility=(0000),Code=34 (0x0022)]. Failure will
not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable (2)[gle=0x80004005]
2015-10-14
14:58:40, Info CSI 00000077 End executing advanced installer (sequence 273)Completion status: HRESULT_FROM_WIN32(ERROR_ADVANCED_INSTALLER_FAILED)
2015-10-14 14:58:43, Error CBS Startup: Failed to process advanced operation queue, startupPhase: 0. A rollback transaction will be created. [HRESULT = 0x80004005 – E_FAIL]
Default permissions: SYSTEM:F,Admnistrators:F and Users: (read and execute)
Attributes: No read only” (uncheck read-only)
Here are some quick steps you can take to implement the Feature Control Key mentioned in the recently release article 3123303 “The new “End of Life” upgrade notification for Internet Explorer” which is designed to alert users of the End of life for legacy Internet Explorer versions (IE10 and below).
In this example, we are using Computer Configuration GPO to target the Internet Explorer registry setting.
OBJECTIVE: To implement the FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION registry key for the computer Group Policy Preferences Registry configuration.
REQUIREMENTS: Be familiar with GPMC.MSC console and Group Policy Preferences.
Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path:SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION
Value name: iexplore.exe
Value type: REG_DWORD
Value data: 1
ECHO OFF
REM End of Life FCK
REM Author: Axelr
REM Comments: Helps configure the End of Life Feature Control Key outlined kb3123303. This batch will add the keys ad value!
REM End
ECHO ON
::Article
::The new "End of Life" upgrade notification for Internet Explorer
::https://support.microsoft.com/en-us/kb/3123303
::x86
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /t REG_DWORD /d 1 /f
::x64
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /t REG_DWORD /d 1 /f
ECHO OFF
REM End of Life FCK
REM Author: Axelr
REM Comments: Helps configure the End of Life Feature Control Key outlined kb3123303. This batch will removed the value!
REM End
ECHO ON
::Article
::The new "End of Life" upgrade notification for Internet Explorer
::https://support.microsoft.com/en-us/kb/3123303
::Delete the entries
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /f
In this blog post we explain the Event id 1085 seeing when the Internet Explorer Site To Zone Assignment List GPO is used.
This scenario applies to All Internet Explorer versions and Windows Operating Systems(Windows 7, Windows 2008 R2, Windows 8.1, Windows 2012 R2, Windows 10 IE11).
When you examine the System-Eventlog, you may find the following event:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Event ID: 1085
Level: Warning
Description: Windows failed to apply the Internet Explorer Zonemapping settings. Internet Explorer Zonemapping settings might have its own log file. Please click on the “More information” link.
Event Xml:
<Event xmlns=”http://schemas.microsoft.com/win/2004/08/events/event”>
<System>
<Provider Name=”Microsoft-Windows-GroupPolicy” Guid=”{AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}” />
<EventID>1085</EventID>
<Level>3</Level>
</System>
<EventData>
<Data Name=”ErrorCode”>87</Data>
<Data Name=”ErrorDescription”>The parameter is incorrect. </Data>
<Data Name=”ExtensionName”>Internet Explorer Zonemapping</Data>
<Data Name=”ExtensionId”>{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}</Data>
</EventData>
</Event>
This event can occur in case you have entered an invalid entry within the “Site To Zone Assignment List” – policy below
[Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page]
Or
[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page]
The format of the Site To Zone Assignment List has been described within the policy itself:
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.
Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)
If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:
Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter http://www.contoso.com as the valuename, other protocols are not affected. If you enter just www.contoso.com, then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.
Value – A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.
When entering data in the Group Policy Editor, there is no syntax nor logical error-checking available. This is then performed on the client itself, when the “Internet Explorer Zonemapping” Group Policy Extension will convert the registry into the format which Internet Explorer uses itself. During that conversion the same methods are implemented which are used which Internet Explorer uses when adding a site manually to a specific security zone. In case an entry would be rejected when adding manually, the conversion would fail too in case the Group Policy is used and the event 1085 would be issued. Wildcard-entries to Top-Level-Domains (TLD) One scenario, which is rejected when adding sites is the addition of a wildcard to a TLD (like *.com, or *.co.uk). Now, the question is, which entries are treated as TLD; the following schemes were by default treated as TLD in Internet Explorer:
Starting with Internet Explorer 8, an own internally used list had been introduced (ietldlist.xml) in which several domains have been added to behave like a TLD, while others were named to behave like a domain although they had a two letter format (like .ch.ch). The following blog-post includes a granular explanation concerning domains:
With Windows 10, Internet Explorer (and Microsoft Edge) use no more the ietldlist.xml, but the TLD list from https://www.publicsuffix.org/list/public_suffix_list.dat , which had been compiled into the internal resources so no active Internet connection is needed to obtain the list. This feature-change was announced in the following blog-post: http://blogs.msdn.com/b/ie/archive/2014/10/01/internet-explorer-and-the-windows-10-technical-preview.aspx
This updated list is also honored while configuring sites to any security-zone, regardless if this is done manually through the Internet Options, or through the Site To Zone Assignment List policy
In this blog, we will cover the steps taken to configure a site to open in IE using Microsoft Edge and Internet Explorer 11 Enterprise Mode GPOs.
OBJECTIVE: To implement Microsoft Edge and Internet Explorer 11 Group Policy using SiteList Manager rule to open a site url in IE11
REQUIREMENTS: Be familiar with Group Policies using GPEDIT.MSC or GPMC.MSC console.
APPLICABLE OS: Windows 10
SCENARIO: In this example, we will have www.bing.com to open in IE 11 instead of default MS Edge browser out of your Windows 10 client machine. We are publishing the site list xml file on a web server, but this can also be retrieved using the file protocol, as long as the users have access to the location.
STEP 1:
If not already, download the Windows 10 Site list Manager tool and install it on your system. We will create the sitelist xml file with this tool to be used in the Group policy. To get familiar with the tool, see this article: KB2942883 Enterprise Mode Site List Manager tool is available for Windows – https://support.microsoft.com/en-us/kb/2942883
STEP 2:
Run the Site List Manager tool from your desktop and add www.bing.com with the following configuration:
Enterprise Mode Site List Manager tool
Save the file as bing.xml or any name you like.
STEP 3
Copy the Sitelist to your Web server. In this case, I am dropping the file in the wwwroot folder: C:\inetpub\wwwroot\bing.xml
Confirm you are able to load the bing.xml from your test machine. Example:
STEP 4
Configure the following GPOs with the link to the site list xml file: http://axelrmsft/bing.xml
Computer Configuration/Windows Components/Internet Explorer/Use the Enterprise Mode IE website list
Computer Configuration/Windows Components/Microsoft Edge/Configure the Enterprise Mode IE website list
STEP 5
Verify the GPO is taking effect by opening the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode
both key should be pointing to the GPO defined URL, in this example should be the: http://axelrmsft/bing.xml
STEP 6:
Test the site: http://www.bing.com
The site should be redirected to IE11 and should load in EMIE 8 mode, which is identified with an EMIE icon next to the URL
Here is a screenshot:
MICROSOFT EDGE EMIE GPO WORKING
TROUBLESHOOT
If you are not seeing the GPO take effect, here are a few tips you could use to make sure, everything is lined up correctly.
Open Regedit.exe and navigate to the following keys and confirmed it looks correctly, if it does not look right, delete it. A GPupdate /force or a restart of your machine should bring this back!
MS EDGE EMIE NeedIE Registry location
Make sure, there is NO IExplore.exe or MSEdge process running
Run the GPupdate /force or restart your machine and then test again.
This blog has been provided to you by the IE Support team!
In this blog, we will go over the options we have to configure a Homepage URL using GPO for IE10 and IE11.
Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.
Administrative Template
The widely used option also helps prevent the user from editing this Internet Explorer Setting by graying out the homepage Internet setting.
REF: http://gpsearch.azurewebsites.net/#652
Use Group Policy Preferences (GPP)
The advantage of using Group Policy Preferences is that it allows you to specify a default home page but still allow users to change it if they want.
Windows 2012 R2 Demo:
F5 – Enable all settings on the current tab
F6 – Enable the currently selected setting
F7 – Disable the currently selected setting
F8 – Disable all settings on the current tab
Article reference: http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
I would encourage pressing a F8 to disable all before configuring anything as the recommended scenario is to configure only the settings you want to apply.
DEFAULT, WITH RED UNDERLINED INDICATING IS NOT ACTIVE
EDIT MODE, AFTER DEPRESSING F6 TO ACTIVATE AND EDIT THE SETTING. NOTICED THE GREEN UNDERLINE!
Related Blog:
In this blog, we will cover the following scenario:
We are lucky to have multiple options and the most common one is the build-in F12 Developer tool. In this example, we have configured the Use the Enterprise Mode IE website List GPO with a SiteList.xml file that is including www.bing.com to load in IE8 Enterprise mode.
Screenshot:
In this example, we are setting www.bing.com to load in EMIE 8 (Enterprise Mode using SiteList GPO).
Screenshot:
As you can see, we have easy to use tools to help you find out the document mode. I would like to add that any networking tools that allows to trace http traffic should help you find out what the document mode is by looking at the User-Agent entry, but the easiest to use and install are the one outlined in this blog above!
This could be one of the easiest way to find out what document mode is the site loading with. If you type about:compat in IE11 address bar, you will get a nice User Interface that displays compatibility features that have been applied to the sites.
Screenshot:
By default, Internet Explorer will provide users with the ability to Turn on or off suggestions while typing in the address bar. In this quick blog, I will show how you can implement a Group Policy to manage this particular feature from IE11.
Requirements: Be familiar with GPMC.MSC / GPEDIT.MSC console. You also need to have local or domain administrative rights on the Operating System.
Applies to: Windows 7, Windows 8, Windows 8.1, Windows 2008 R2, Windows 2012 R2, Windows 10
To clarify what we are talking about in this blog, here is a screenshot to better illustrate the setting.
You can manage this setting by using the Computer or User Configuration Group Policy.
MACHINE CONFIGURATION:
Detailed values:
Detailed values:
SCREENSHOT:
Here we can see the Suggested Sites (Stop sending keystrokes to Bing) is not showing in the Address bar.
In this blog, we share how you can use Group Policy Preferences / Registry to change your Default Search provider used in Internet Explorer 11.
What we will cover in this document:
REQUIREMENTS: To be familiar with Group Policy Console and Group Policy Preferences / Registry. To have your Clients configured with at least 2 Search Providers.
Make sure you have the Latest Windows Roll-up updates to address any known issues.
By Default, the SearchScopes registry key contains the default search provider information. This is the location in the registry that will help you identify, which GUID is being used to defined the default search provider.
Here is the location:
If more than one Search provided is defined by the user, you will first find a DEFAULTSCOPE string name with the REG_SZ GUID identifying the Search provider.
In this example, we have two providers: Google and Bing.
Here are the steps I took to configure Bing as the default provider.
The Client machines, where we want to change the settings to Big(example), may look like this:
Now, that we have the IE settings on the host machine, we can configure our GPP Registry.
Example:
In the Screen below, we can see the FavIconPath goes to a profile directory. DO NOT SELECT THIS OPTION!!
Also, note that this warning may not show for a brand new users.
An unknown program would like to change your default search provider to ‘Google’ (www.google.com)
SCREENSHOT:
NOTE: All you need to check is the top User Preference key. No need to select the sub names in the bottom pane! We will be deleting this with the GPO, so no real use to check these out .
We will now, label the GPO settings and make small adjustments that any admin will appreciate when all done.
As you may have noticed, when using the Wizard, you will end up with a full registry tree view to the path of the settings and not very intuitive. We however, can modify the GPO and make it look a lot cleaner without affecting anything.
First, expand the GPO keys:
Here is what it looks after the clean-up:
Let’s rename the GUIDS to represent the Search Provider. Just click on the GUID and on the right side pane, you can figure out which GUID is for Bing and Google.
It will end up looking like this:
In this screenshot, we can see the warning as the GPO was applied without the User Preferences GPP (I had disabled this GPO to better illustrate how this works).
With these steps, you should successfully set your prefer search provider on your manage environment. We suggest that you be running the latest IE cumulative updates and Windows Roll-ups to assure you are fully patch and free of any known issues.
In this blog post, we are covering a few methods you could used to manage secondary home pages on your environment using Group policy objects.
Requirement: To a local or domain administrator and be familiar with GPMC.MSC console and Group Policy Preferences.
The Disable changing secondary home page settings Administrative Template. This policy is available under the Computer and User configuration Policy.
Screenshot:
The advantage of using Group Policy Preferences is that it allows you to specify a default home page but still allow users to change it if they want.
Windows 2012 R2 Demo:
F5 – Enable all settings on the current tab
F6 – Enable the currently selected setting
F7 – Disable the currently selected setting
F8 – Disable all settings on the current tab
DEFAULT, WITH RED UNDERLINED INDICATING IS NOT ACTIVE
EDIT MODE, AFTER DEPRESSING F6 TO ACTIVATE AND EDIT THE SETTING. NOTICED THE GREEN UNDERLINE!
Using Group Policy Preferences Registry – This requires you to be more familiar with the registry, but it gives you a more granular approach.
To clean up the GPP GPO, follow these simple steps:
The Policy is ready and should provide you with the home page and a secondary homepage.
Related Blog:
How to configure Internet Explorer 11 homepage using Group Policy?
In this quick post, we will share different methods you can use to remove Internet Explorer 11 from Windows 10 in favor of just having MS EDGE as the only browser.
NOTE:
We recommend that if you are going to use any of the methods shared in this blog, you stick to one and not to mixed them up.
Example: If you are going to use the Programs and Feature from Control Panel to remove it, use it to add it.
If using the CMD line DISM command to removed it, use it to add it.
————————————————————————————————–
DISABLE: Restart after this command is executed!
————————————————————————————————–
From and elevated command window type:
dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64
You will see…
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Disabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
Restart Windows to complete this operation.
Do you want to restart the computer now (Y/N)?
————————————————————————————————–
ENABLE: You can use the command below to add it back.
————————————————————————————————–
From and elevated command window type:
dism /online /Enable-Feature /FeatureName:Internet-Explorer-Optional-amd64
You will see the following….
Deployment Image Servicing and Management tool
Version: 6.1.7600.16385
Image Version: 6.1.7600.16385
Enabling feature(s)
[==========================100.0%==========================]
The operation completed successfully.
Restart Windows to complete this operation.
Do you want to restart the computer now (Y/N)?
