As we known that Internet Explorer Maintenance (IEM) has been removed from IE10. Client machine with IE10+ installed cannot get the content configured in IEM from DC GPO.
Here is official reference:
In earlier versions of the Windows® operating system, Internet Explorer Maintenance (IEM) could be used to configure a subset of Internet Explorer 10 settings in an environment using Group Policy. In Windows® 8, the IEM settings have been deprecated in favor of Group Policy Preferences, Administrative Templates (.admx), and the Internet Explorer Administration Kit 10 (IEAK 10).
Because Group Policy Preferences and IEAK 10 use asynchronous processes when they run, we recommend that you choose to use only one of the tools within each group of settings, for example using only IEAK 10 within the Security settings or Group Policy Preferences within the Internet Zone settings. In addition, it's important to remember that policy is enforced and can't be changed by the user, while preferences are configured, but can be changed by the user.
For more information about Group Policy, see Configuring and Administering Group Policy Settings, Using Group Policy Preferences, Using Administrative Templates, Group Policy Settings Reference for Windows and Windows Server, Group Policy ADMX Syntax Reference Guide, and Enable and Disable Settings in a Preference Item.
Once upgrade IE version to IE10+ in Windows 2008 R2 DC, it also can be found that IEM is disappeared in “Edit” window of GPO.
Before upgrading to IE10 on Windows 2008 R2 DC
After upgrading to IE10 on Windows 2008 R2 DC
The target of this article is: How to apply “The content of IE Settings” from DC to IE10+ installed client after IEM have been deprecated from IE10.
Currently, there are two popular DC OS: Windows 2012 and Windows 2008 R2.
Either “Preferences -> Windows Settings -> Registry” or “Preferences -> Control Panel Settings -> Internet Settings” can help to apply “The content of IEM” to IE10+.
Here is official reference:
How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2: http://support.microsoft.com/kb/2898604
The detailed steps will be attached in end of this article.
There is NO “IE10/IE11” items in “Preferences -> Control Panel Settings -> Internet Settings”. This is by design because Windows 2008 R2 was released before IE10/IE11.
It’s suggested to use “Preferences -> Windows Settings -> Registry” or logon scripts to apply “The content of IE Settings” to IE10+.
The detailed steps will be attached in Detailed Steps part of this article.
It’s suggested to use “Preferences -> Windows Settings -> Registry” applying “The content of IEM” to IE10+ or logon scripts
There is NO “IE10/IE11” item in “Preferences -> Control Panel Settings -> Internet Settings”
We use setting “Internet Properties -> LAN Settings” as an example to show you detailed steps by following three method.
In this example, we want to set “LAN Settings” as below picture shows.
1) Checked “Automatically detect settings”.
2) Enable “Proxy Server” as “ProxyServer:8080”.
3) Selected “Bypass proxy server for local addresses”.
1) Please configure “Internet Properties -> LAN Settings” in local IE on DC in advanced:
If “Exceptions” is required, please configure it at here:
2) Please click “Registry Item” on GPO.
3) Click “…” button in below picture and enter path of “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections”, then choose “DefaultConnectionSettings” and click “Select” button.
4) Click “OK” to confirm this setting.
5) Use same method as step 3)-4) to new “Registry Item” in same GPO.
Enter path of “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings” and then choose “ProxyEnable” and click “Select” button.
6) Enter path of “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings” and then choose “ProxyServer” and click “Select” button.
7) If you checked “Bypass proxy server for local addresses” or configured “Exceptions”, please enter path of “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings” and then choose “ProvideOverride” and click “Select” button.
Note: if checked “Bypass proxy server for local addresses”, “ProvideOverride” will contain “<local>” at the end of value, such as “LocalServer;LocalServer1;<local>”.
8) The whole configuration should as below:
9) Apply this GPO to the test OU and run “gpupdate /force” in clients.
10) It will work on IE8, IE9, IE10 and IE11 clients.
1) Select one of below item with IE (version).
Windows 2008 R2 DC
Windows 2012 DC
In Windows 2008 R2 DC, please install http://support.microsoft.com/kb/2530309, so that the settings from item “Internet Explorer 8” in below picture will apply to IE8 and IE9 installed clients.
In Windows 2012 DC, refer to http://support.microsoft.com/kb/2898604
The settings from item “Internet Explorer 10” in below picture in fact will apply to IE10 and IE11 installed clients.
2) Use “Internet Explorer 10” in Windows 2012 DC as an example: click “Internet Explorer 10” option in above right picture, “New Internet Explorer 10 Properties” window pop up.
3) Click “LAN settings” button on “New Internet Explorer 10 Properties” window. There are “red dashed line” under the items.
4) Press F5 (or F6) to confirm the entry with “red dashed line” turning to “green dashed line” so that the settings will be applied.
F5 – Enable all settings on the current tab.
F6 – Enable the currently selected setting. F7 – Disable the currently selected setting. F8 – Disable all settings on the current tab.
Note: refer from http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
Those that are red underlined (or have a red circle next to them) are going to be ignored. Those that are underlined with a green solid line (or next to a green circle) are going to be noted, captured in the GPO, and enforced on the target user or computer.
5) Configure proxy server as above picture, and click “OK” to confirm and quit.
a. Checked “Automatically detect settings”.
b. Enable “Proxy Server” as “ProxyServer:8080”.
c. Selected “Bypass proxy server for local addresses”.
6) Apply this GPO to the test OU and run “gpupdate /force” in IE10/IE11 installed clients.
Note: The similar steps can be performed from Windows 2008 R2 DC to IE8 and lower IE version installed clients.
Note: step 1~4 can be done in any IE machine, here we use DC as example.
2) Then open registry table by running “regedit” on DC.
3) Export below value to a file named as “registry.reg”.
Windows Registry Editor Version 5.00
4) The create another file named as “Test.bat”:
reg import registry.reg
5) Copy “registry.reg” and “Test.bat” into according policy sysvol path (general it’s similar as “sysvol/domain/Policies/GPOUniqueID/User/Scripts/Logon”) on DC and set “Test.bat” as logon script.
6) Apply this GPO to the test OU. End-user must re-logon in client to get logon-script.
Xiaoman Wang from GBSD DSI Support Team
Just talked with XiaoMan. Thank you for resolve our IE Proxy problem.I think this article should better be on TechNet.
I agree with Louis's comment, this is a comprehensive article had to struggle with it due to lack of proper information.
Gosh almighty Microsoft doesn't make anything easy - pick one interface Microsoft - keep the zones, favorites, tab settings and simply add features to the group policy adm or admx files as new versions arrive. This is maddening to say the least the hoops needed to jump thru to edit policies and worry about deprecations etc... One size fits all for policies don't muck with stability.
I need a clarification, after applying the GPP settings for IE exception, once the GPO is applied the users are not able to login to the outlook account, if I unlink the policy they are able to access. Please give a solution.
If I have to apply GP via 2008 R2 for IE 11, can I apply policy for Custom Level - Security Setting - for Trusted Sites. Like I want to Enable or Disable some of the Settings. How to knoe what is the Registry Key for each Security Settings. Like Enable .Net Framework, or Enable ActiveX Filtering. Please help me to find out the Registry Key for each Security Setting under Trusted Sites.
Great work! Thank you
Very Useful, thanks for the details artical.
Privacy Tab is greyed out when you try to apply settings using the preferences method.
Ran into an issue using method two with exceptions. Only way to get them to stick was to list the exceptions as a second task under the same policy. Hope this helps.