Internet Explorer Group Policy Nightmare

I’ve been a fan of Group Policy since the days of Novell Netware and ZENWorks. There is something fascinating in the concept of defining settings and then forcing them on the targeted devices or users. This post is about controlling Microsoft Internet Explorer settings via GPO and the changes that they made with the release of IE 10 and 11.  This article is meant to sum up a few things I’ve found difficult to figure out. If you’re confused with setting up IE with GPO and GPP, read on.

Tools for Configuring Internet Explorer

Internet Explorer settings have spreaded all around the Group Policy Object Editor. Some of them (stuff under Administrative Templates in the editor, to be exact) come from an ADMX Template called inetres.admx while others come from the editor itself. Some of the reasons for this inconsistence goes way back to the time before Windows 2000, AD and hence GPO. This is where things get a bit tricky.

Group Policy Administrative Templates

Inetres.admx contains the Administrative Templates section of IE settings that are available in both Computer and User side of the policies. These settings are and have been the preferred way of configuring IE for many years now. The problem is, they don’t contain the settings that most organizations most certainly need to configure, proxy settings to name one.

This is where you need the various and confusing set of tools.

Other Tools

Internet Explorer Administration Kit (aka IEAK) is a tool to customize IE at the time of installation. It is mainly targeted towards OEM manufacturers but is widely used in enterprises too to customize certain aspects of IE at the time of deployment. This stuff goes way back and if I remember correctly the tool wore the same name customizing IE4 or IE5 back in the nineties while I was administering a Novell Netware environment with ZENWorks.

Internet Explorer Maintenance (aka IEM) is found in Group Policy Object Editor under Windows Settings and has roots in the same set of tools. The UI in Group Policy Object Editor resembles the one in IEAK.

In the preferences section there is also a node called Internet Settings. This has been around for quite a while too. The UI is the same as in the Internet Options dialog found in the browser itself. More on this later on.

The Issue

The proxy settings, for example, have been possible to configure with any of the above mentioned tools. So what seems to be the issue? Well, with the release of Windows Server 2012 and Windows 8 (IE10 to be precise), the Internet Explorer Maintenance node in the GPO Editor was removed.

IEM used to be
Internet Explorer Maintenance in place in Windows Server 2008 R2.

IE missing IEM
Missing Internet Explorer Maintenance in Windows Server 2012/R2.

There is a TechNet article which describes alternatives for IEM and for the various settings previously configured with it. All’s good then, right? Well, not quite. What if you have previously configured all the stuff with IEM? After you upgraded your Domain Controllers and clients IEM is gone and you’re left without a way to edit those already configured settings. As with all GPOs, the values and settings are still in the objects and in effect to where they are applied; you just can’t edit, change or remove those settings.

Note: regardless of the tool used the settings end up modifying the same registry values. Having multiple settings changing the same settings can have unpredictable results.

How to Fix It?

So how do you remove settings configured with IEM afterwards when you don’t have it?

Delete the old GPOs

There’s of course the simple and obvious solution; just delete the old GPOs and create new ones. Unfortunately, this is not always possible. You might have loads of other stuff  in that same object, you can’t just delete it.

Getting back the Internet Explorer Maintenance Node

You need to get back the Internet Explorer Maintenance node to be able to remove thos settings. How do you accomplish this?

By trial and error I found out that the key is not in going back to a previous version of inetres.admx. It’s not related to the OS version either. Internet Explorer itself is the one that has effect to what is available in Group Policy Editor and what’s not. Well, the OS is kind of related to it as you can’t have Windows Server 2012 or Windows 8 with IE9, but still. Get a Windows Server 2008 R2 or Windows 7 machine loaded with IE9, fire up the GP Editor and then, you have the old IEM back in business. Open the GPO in question, right click the IEM node, select Reset Browser Settings.

IE IEM Reser Browser

You’ve just cleared out the legacy settings lingering in he GPO!

There’s one more issue with this. Opening up a GPO with an older GPO Editor displays an error message like the on below.

ie gpp error with older os
An invalid or out of place input element was detected and will be ignored (<IE10 name=Internet Explorer 10″ clsid=”{683F7AD7-E782-4232-8A6D-F22431F12DB5}”/>)

I don’t know whether this will lead to problems, but I doubt it. It’s just that the old editor doesn’t understand the new settings.

How to Configure IE Settings from Now On?

OK, once that’s fixed, what should you use to replace IEM? I personally would prefer to see the missing settings appear in IE Administrative Templates and have been waiting for them since forever, with no luck so far.

You’ve got IEAK and GPP. As said, IEAK is for deployment time only so you’re left with Internet Settings in Group Policy Preferences. That is what Microsoft recommends too. Surprise, there is some confusion there too. Let’s clear those out too.

Internet Setting in Group Policy Preferences

With Internet Settings you can create different settings for each version of IE. The versioning starts from IE5 as seen below. This, on the contrary, is OS related. When editing with a Windows Server 2008 R2 or Windows 7 machine, it only displays versions up to 8. When editing with a newer OS (2012 or 2012 R2), you can create settings for IE9 and IE10 also. But wait, where’s IE11? Check out the screen shots below. This is where things get annoying.

GPP Settings missing IE 9, 10 and 11
Settings for IE 9 and 10 missing in Windows Server 2008 R2.

IE GPP Settings with 9, 10 and 11
Settings for IE 9 and 10 in Place in Windows Server 2012 / R2.

As “documented” in various forums it turns out that they’ve changed the item level targeting that controls the targeting of this particular GPP. Check out the definition below. As from IE10 the targeting says if version is 10 or greater (actually 99).

IE GPP Filter.

As implied, the settings for IE10 also apply to IE11. This is not by any means implied in the UI or mentioned in any help file (as if there is one).

Note: Remember the magic buttons of F5, F6, F7 and F8 when editing Group Policy Preferences. 🙂 See more here.

Conclusion

Configuring Internet Explorer settings has been a pain in the butt for many years now. The number of different tools is overwhelming at first not to mention the inconsistence, dependencies and confusing UI’s of the tools.

Just thinking about the amount of frustration and time wasted in all the organizations using this stuff and trying to figure this out just makes me shake my head…

One thought on “Internet Explorer Group Policy Nightmare

Leave a Reply

Your email address will not be published. Required fields are marked *

Please, do the math and help fight spam * Time limit is exhausted. Please reload the CAPTCHA.