Missing: Group Policy > Internet Explorer Maintenance

    Question

  • On Server 2012 it appears that the "Internet Explorer Maintenance" container is now gone by default from GPO > User Configuration > Policies > Windows Settings.

    Has this been hidden or deprecated deliberately, or is this problem just on my 2012 controller?  Is there a way to bring it back if necessary?

    Thanks!

    Thursday, June 28, 2012 5:14 AM

Answers

  • Hi,

    Windows Server 2012 RC with Internet Explorer 10 deprecates Internet Explorer Maintenance (IEM) in favor of a more robust tool called Group Policy Preferences. Administrators can also use Internet Explorer Administration Kit (IEAK) to configure specific settings. The following Microsoft TechNet article shows the settings that are available in Internet Explorer Maintenance, along with how these settings can be managed in Group Policy Preferences or IEAK.

    Internet Explorer Maintenance Replacements

    http://technet.microsoft.com/library/hh846772.aspx

    Regards,


    Arthur Li

    TechNet Community Support

    Friday, June 29, 2012 7:13 AM
    Moderator

All replies

  • Hi,

    I have an additional Question to this.

    I just want to apply proxy setting to my users on my network, I do not want to use IEAK to do this, I do not need to customize IE in any other way. 

    Since I cannot use IEM to do this anymore and your 2012 group policy does not seem to have any proxy settings for IE, how does one actually apply these settings to all users on the network?

    Why am I forced into using this IEAK package?

    REALLY frustrating.

    I await your reply.

    Thanks

    Monday, October 15, 2012 3:47 AM
  • So with no Windows 7 support with IEAK 10 (Server 2012).....How would you add sites to Trusted Sites in the Internet Security Zone? I normally use Internet Explorer Maintenance and sites are grayed out in Group Policy Preference (Internet Settings).

    Thanks

    Mark



    • Edited by marks62 Saturday, December 22, 2012 2:58 PM
    Friday, December 21, 2012 4:42 PM
  • Have you tried setting the group policies from a 2008 R2 DC or Windows 7 client instead of a Windows Server 2012 host?  Or are you saying that IEM is greyed out in the older clients, too?

    tim

    Saturday, December 22, 2012 9:28 PM
  • Plans were to decommission all 2008 servers with 2012 upgrades. I basically need to be able to edit the Internet Security Zone's trusted sites on Windows 7 clients without having to manually run around to 50 machines and add these. I'm sure there are some with hundreds that need to do the same. There has to be some GP solution, as this has to be a very common task for a Domain administrator.
    Monday, December 24, 2012 12:32 PM
  • Understood.  But it is common practice with Group Policies to edit/manage them from a machine that understands them.  If the GPO is viewable/changeable on Windows 7, work with the GPO there.

    tim

    Monday, December 24, 2012 2:24 PM
  • Sorry for my ignorance but I haven't managed Group Policies from a client....always from the Server OS. Are you referring to RSAT?...

    Thanks

    Mark

    Monday, December 31, 2012 1:08 AM
  • Sorry for my ignorance but I haven't managed Group Policies from a client....always from the Server OS. Are you referring to RSAT?...

    Thanks

    Mark


    Yep, RSAT is what you need.

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Monday, December 31, 2012 1:16 AM
  • I would like to be able to use Windows 8 and Windows 2012 to administer existing Group Policies in our domain that are applied to 2000, 2003, 2008, 2012, XP, Vista, 7, and 8 operating systems. 

    When I attempt to edit a Group Policy, User > Policies > Windows Settings > Internet Explorer Maintenance is missing. How do I edit a Group Policy that uses Internet Explorer Maintenance via a Windows 8 or 2012 OS?

    Installing Internet Explorer Maintenance Replacements (http://technet.microsoft.com/en-us/ie/bb219517.aspx) didn't restore my ability to manage IEM settings via GP.

    Thursday, January 03, 2013 5:30 PM
  • I would like to be able to use Windows 8 and Windows 2012 to administer existing Group Policies in our domain that are applied to 2000, 2003, 2008, 2012, XP, Vista, 7, and 8 operating systems.

    When I attempt to edit a Group Policy, User > Policies > Windows Settings > Internet Explorer Maintenance is missing.
    How do I edit a Group Policy that uses Internet Explorer Maintenance via a Windows 8 or 2012 OS?

    You cannot create nor modify an IEM GPO using Win8/WS2012 - you must use a down-version OS.

    Installing Internet Explorer Maintenance Replacements (http://technet.microsoft.com/en-us/ie/bb219517.aspx) didn't restore my ability to manage IEM settings via GP.

    No it doesn't provide that ability, it is intended that these "replacements" are a complete alternative to IEM.

    Don

    Thursday, January 03, 2013 7:56 PM
  • I have just installed IE 10 on my Win 7 sp1 machine and I have lost IEM in group policy.

    But when I go to a Win 7 SP1 machine with IE 8 installed it's back in the same GPO.

    If they are removing it can you please advise where I can set the proxy in GPO now.

    Thanks Jo

    Thursday, March 07, 2013 6:13 AM
  • I have just installed IE 10 on my Win 7 sp1 machine and I have lost IEM in group policy.

    But when I go to a Win 7 SP1 machine with IE 8 installed it's back in the same GPO.

    If they are removing it can you please advise where I can set the proxy in GPO now.

    You either need to roll back from IE10, or administer IEM from your IE8 PC, or adopt an alternative to IEM (such as GPP).

    Even if you do administer from your IE8 PC, machines with IE10 will not respect the IEM settings. The IEM settings require the necessary IEAK/CSE DLLs, and they are not present on an IE10 machine.

    The best advice I can give you, is adopt GPP until or unless MS come up with some other alternative.

    More information here: http://technet.microsoft.com/en-us/library/jj890998.aspx


    Don



    • Edited by DonPick Thursday, March 07, 2013 8:27 AM
    Thursday, March 07, 2013 7:15 AM
  • @Arthur_Li

    The problem with this approach is that the "robust" product Group Policy Preferences doesn't force the settings to users or workstations. Meaning I can deploy a setting - but then the user isn't prohibited from changing it! That kind of defeats the purpose, don't you think? Kind of displays what I've suspected all along - that Microsoft continues to demonstrate a real lack of understanding as to how their customers employ their product in the real world. But maybe MS thinks it's okay that users can reduce the security settings of their browsers...

    Also I find the hammer and sickle you have chosen as your avatar very interesting. Is Microsoft - an American company born in the cradle of capitalism and free enterprise - now openly advocating communism and the repression of religious, economic, and political liberties? That's what your avatar represents... So I'm curious why it was chosen.... 


    Friday, April 12, 2013 8:29 PM
  • This is really bad and frustrating!!! Does Microsoft force us to use an earlier OS just to create/edit Group Policy for IE settings? What the heck..
    Tuesday, April 16, 2013 3:13 PM
  • The real frustrating part for us was finding which GPOs had IE Maintenance configured and which didn't. To make matters more difficult, the GP search feature (in RSAT for Windows 8) is broken right now. It won't show user components!

    I ended up having to use an older version to track them down. Here is exactly how I did it: http://deployhappiness.com/tracking-down-rouge-cses-ie-maintenance-addition/

    And if you are wanting to search for specific settings with PowerShell, here is a good how-to.


    If my answer helped you, check out my blog (and subscribe): DeployHappiness.com

    • Proposed as answer by ZackinMA Tuesday, April 23, 2013 8:44 PM
    Tuesday, April 23, 2013 7:11 PM
  • The fact that this is even necessary is disturbing. Group policies have been around since what - NT 4.0? Come on MS why are you screwing with a good thing... 
    Tuesday, April 23, 2013 8:45 PM
  • So, the only way to remove or edit IEM settings would be to roll back IE? That sounds a little too ridiculous for me to immediately accept.
    Wednesday, June 05, 2013 5:03 PM
  • It's the way it is, man. Microsoft doesn't care to support previous iterations of their products. Upgrade to IE10 and do business the new way, or get stuck in time. Personally - I upgraded to Chrome instead.
    Wednesday, June 05, 2013 6:19 PM
  • So, the only way to remove or edit IEM settings would be to roll back IE? That sounds a little too ridiculous for me to immediately accept.

    No, that's not the only way.
    If a machine (workstation or server) has IE10 installed on it, then IEM will never apply to it, and, GPMC for IEM cannot be used on that machine to manage GPOs which include IEM.

    So, if you still need to use IEM for non-IE10 targets, do that from a non-IE10 machine (server or workstation).


    Don

    Wednesday, June 05, 2013 9:25 PM
  • Or, gasp, Microsoft could have just renamed the existing GPO section to "Maintenance Mode for Internet Explorer 9 and earlier" and left it in place and accessible.

    And create a new GPO subsection named "Internet Explorer 10", with a pointer to the new management tools.

    Sunday, July 14, 2013 12:59 AM
  • It's a real shame that many perfect, easy things are gone. Many points, arguments to use Microsoft products, are not available anymore. For example, the very easy to configure proxy settings for Internet Explorer.

    Microsoft is dismounting himself!

    (just for example, think about TMG..... grrrrrr)


    Martin Volkart, IMV Informatik

    Tuesday, July 16, 2013 8:20 AM
  • Hi !!!


    I have Win 2008 R2 as my DC with I.E 10 installed on it and now I'm unable to change my GPO settings because the Internet Explorer Maintenance is missing. All my users are using I.E 9, Just because the I.E 10 with Windows 7 does not work correctly with OWA (Exchange 2010) . The drag and drop does not work. :/ (http://social.technet.microsoft.com/Forums/exchange/en-US/7b305d16-654a-470b-a89a-f0f9aedf409b/ie10-on-win7-and-owa-2010-cant-drag-and-drop)

    How can I edit the proxy settings in Win2008 R2 with the I.E 10 installed? Must I rollback to I.E 9??


    Wednesday, July 31, 2013 6:29 PM
  • Hi !!!


    I have Win 2008 R2 as my DC with I.E 10 installed on it and now I'm unable to change my GPO settings because the Internet Explorer Maintenance is missing. All my users are using I.E 9, Just because the I.E 10 with Windows 7 does not work correctly with OWA (Exchange 2010) . The drag and drop does not work. :/ (http://social.technet.microsoft.com/Forums/exchange/en-US/7b305d16-654a-470b-a89a-f0f9aedf409b/ie10-on-win7-and-owa-2010-cant-drag-and-drop)

    How can I edit the proxy settings in Win2008 R2 with the I.E 10 installed? Must I rollback to I.E 9??



    Consider using a Win7 machine (which has IE10 installed), add the RSAT to that machine, and administer your GPO from it. This is what we do.

    Don

    Wednesday, July 31, 2013 9:04 PM
  • Hi Don,

     

    I cannot do it! Did  you see the post http://social.technet.microsoft.com/Forums/exchange/en-US/7b305d16-654a-470b-a89a-f0f9aedf409b/ie10-on-win7-and-owa-2010-cant-drag-and-drop ?

    Did you try to use OWA with I.E 10 on Windows 7?

    I don't have any e-mail client in my network and all my 400 users are using OWA. What should I do??? Install Chrome for them? So they will be able to manage their e-mails easily.

    Att

    João Pedro.

    Thursday, August 01, 2013 10:56 AM
  • An additional issue to this is that Microsoft is inconsistently implementing the IE security solution. I see a number of problems:

    • Where are IE9 and IE10 in the preference mode? I have IE10 on an R2 domain controller and all we see in Group Policy is 5, 6, 7 and 8. The people maintaining Group Policy are not even able to keep up with the IE changes.
    • When I make IE changes under preferences I end up getting hundreds of settings instead of the setting I want. I need a proxy exception list and nothing else. Instead I get what might be hundreds of settings.
    • There are already hundreds of settings in group policy under the Administrative templates. Microsoft needs to make up its mind about how they want to manage IE. Through administrative templates or through the preference configuration.

    Personally I like the Administrative templates method the best. It would be great if we could get a similar method for proxy exceptions that is similar to the site to zone assignment list. Give me a domain name (and allow wild cards) and let me designate a proxy for each entry. Take the limits out of the proxy exception list that the current method has (1024 characters I think). We can trust as many sites as we want, and we should be able to have as many exclusions as we want...

    There really is no good method today for proxy exceptions and hopefully the great developer gods will hear our prayers and provide something more useful.

    Friday, August 09, 2013 3:37 PM
  • An additional issue to this is that Microsoft is inconsistently implementing the IE security solution. I see a number of problems:

    • Where are IE9 and IE10 in the preference mode? I have IE10 on an R2 domain controller and all we see in Group Policy is 5, 6, 7 and 8. The people maintaining Group Policy are not even able to keep up with the IE changes.
    • When I make IE changes under preferences I end up getting hundreds of settings instead of the setting I want. I need a proxy exception list and nothing else. Instead I get what might be hundreds of settings.
    • There are already hundreds of settings in group policy under the Administrative templates. Microsoft needs to make up its mind about how they want to manage IE. Through administrative templates or through the preference configuration.

    Personally I like the Administrative templates method the best. It would be great if we could get a similar method for proxy exceptions that is similar to the site to zone assignment list. Give me a domain name (and allow wild cards) and let me designate a proxy for each entry. Take the limits out of the proxy exception list that the current method has (1024 characters I think). We can trust as many sites as we want, and we should be able to have as many exclusions as we want...

    There really is no good method today for proxy exceptions and hopefully the great developer gods will hear our prayers and provide something more useful.


    If you have a long list of proxy exceptions, using proxy-auto-config (e.g. wpad.dat or proxy.pac) is much more likely to be better for you.
    We've used proxy.pac for many years; it's simple, and very efficient.

    Don

    Saturday, August 10, 2013 12:02 AM
  • @ João Pedro

    No, we don't use OWA, so I don't have this problem.

    For the GP editing, do you have a Win7 machine with IE9, and you could install RSAT upon this machine?
    This way, you can edit your IEM GP from that machine.
    Or do I misunderstand your question?


    Don

    Saturday, August 10, 2013 1:01 AM
  • Hi Don,


    I think it should solve my problem, but I've uninstalled the I.E 10 from my DC and now I'm able to change my proxy settings.

     

    Thanks anyway!

    João Pedro.

    Tuesday, August 13, 2013 7:00 PM
  • I have used the PAC file myself, but the main drawback tends to be that an IIS or load balancer issue takes out the PAC file and we end up with an outage. I have also had problems where a typo in the PAC file (we used JavaScript) caused an outage as well. I think the PAC file is probably the best workaround, but I still think Microsoft should migrate the proxy settings and the exclusions to the same type of configuration that we use for trusted sites.

    Your point is excellent within the existing framework, but I still think Microsoft could clean this up a bit.

    Monday, August 19, 2013 8:55 PM
  • Why has MS removed IEM? That was a really stupid thing to do!
    Wednesday, October 16, 2013 7:30 AM
  • I find myself in the same boat with IE 10 on systems and being unable to access Internet Explorer Maintenance Mode - AND I NEED TO SET TRUSTED SITES. GPP IS NOT SUITABLE FOR ENFORCING A STANDARDIZED SECURITY CONFIGURATION ON WORKSTATIONS.
    Tuesday, November 05, 2013 2:21 PM
  • GPP isn't the best because users can modify and it overrides the settings you define as an admin. Certainly not the way things should work. You do have a couple options though. You can use GPP to modify the registry to add the sites you want. Then set the GPP to always overwrite - so it negates the users modifying it. 

    That looks like this in my example:

    You'll need to define a numeric value to determine which zone the site is placed in. See this article for more information:

    http://support.microsoft.com/kb/182569

    Now this setting model still allows users to add and remove their own trusted sites. But it does not allow them to permanently remove your settings. They can change them but they come back upon the next GP refresh. 


    Tuesday, November 05, 2013 4:22 PM
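
The registry layout that the approach in the post above relies on, as an added example that is not part of the original post: each site is a key under ZoneMap\Domains, the value name is the scheme and the DWORD data is the zone number from KB 182569 (2 = Trusted sites). The function names, the sample sites and the scratch key `Software\ZoneMapDemo` are assumptions made for illustration; pass `$RealZoneMap` instead of `$ScratchRoot` to act on the location IE reads.

```powershell
# Added example (not from the original post). Windows only; uses the .NET
# registry API so a value name such as '*' is treated literally.
# Zone numbers per KB 182569: 0 My Computer, 1 Local intranet,
# 2 Trusted sites, 3 Internet, 4 Restricted sites.

# Per-user location that IE reads (relative to HKEY_CURRENT_USER).
$RealZoneMap = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
# Scratch key used by the dry run below (hypothetical name).
$ScratchRoot = 'Software\ZoneMapDemo\Domains'

# Constructed sample data: key = Domain[\Sub], value name = scheme, data = zone.
$DesiredSites = @(
    @{ Domain = 'example.com'; Sub = 'intranet'; Scheme = 'https'; Zone = 2 },
    @{ Domain = 'example.org'; Sub = '';         Scheme = '*';     Zone = 2 }
)

function Get-ZoneMapSubKey {
    param([string]$Root, [hashtable]$Site)
    if ($Site.Sub) { return "$Root\$($Site.Domain)\$($Site.Sub)" }
    return "$Root\$($Site.Domain)"
}

function Set-ZoneMapEntry {
    # Writes one entry, overwriting whatever value is already there.
    param([string]$Root, [hashtable]$Site)
    $key = [Microsoft.Win32.Registry]::CurrentUser.CreateSubKey((Get-ZoneMapSubKey $Root $Site))
    try {
        $key.SetValue($Site.Scheme, [int]$Site.Zone, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-ZoneMapDrift {
    # One object per desired entry that is missing or mapped to another zone.
    param([string]$Root, [hashtable[]]$Sites)
    foreach ($site in $Sites) {
        $sub    = Get-ZoneMapSubKey $Root $site
        $key    = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($sub)
        $actual = $null
        if ($key) { $actual = $key.GetValue($site.Scheme); $key.Close() }
        if ($actual -ne $site.Zone) {
            [pscustomobject]@{
                Key      = $sub
                Scheme   = $site.Scheme
                Expected = $site.Zone
                Actual   = $actual
            }
        }
    }
}

# Dry run on the scratch key: apply, simulate a user removing a site,
# report the drift, then re-apply as the next policy refresh would.
$DesiredSites | ForEach-Object { Set-ZoneMapEntry $ScratchRoot $_ }

$k = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey("$ScratchRoot\example.org", $true)
$k.DeleteValue('*')
$k.Close()

Get-ZoneMapDrift $ScratchRoot $DesiredSites | Format-Table -AutoSize

$DesiredSites | ForEach-Object { Set-ZoneMapEntry $ScratchRoot $_ }
[Microsoft.Win32.Registry]::CurrentUser.DeleteSubKeyTree('Software\ZoneMapDemo')
```
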
  • Add me to the list of frustrated users!!!

    All I am trying to do is uncheck the "Automatically detect settings" option. Time and time again, I end up on old technet blogs that keep referring me to Internet Explorer Maintenance option and I am unable to find it on my Server 2008 r2 box.

    BTW, this is a HUGE vulnerability since we have had WPAD MITM attacks due to having this checked, which has brought our network down several times. Not to get this question mixed up with that, but the underlying reason for me to do this ASAP is to alleviate our situation, and we have had no luck with unchecking "Automatically detect settings" from GPMC.

    Please help!

    Thursday, November 14, 2013 7:23 PM
  • That setting I believe has been moved out of the Internet Explorer Maintenance into the Windows Components section. It's now located at:

    User configuration - administrative templates - windows components - internet explorer.

    Thursday, November 14, 2013 7:33 PM
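
A way to confirm on a workstation whether "Automatically detect settings" is still switched on for each logged-on user, as an added example that is not part of the thread. It assumes the commonly observed (not Microsoft-documented) layout of the `DefaultConnectionSettings` value, in which the byte at offset 8 holds the connection flags; the function names and the sample blob are constructed for illustration.

```powershell
# Added example (not from the thread). Windows only.
# Assumption: DefaultConnectionSettings is an undocumented binary value; in the
# commonly observed layout the byte at offset 8 carries these flags:
#   0x01 direct, 0x02 manual proxy, 0x04 auto-config script (PAC),
#   0x08 automatically detect settings (WPAD)

$ConnKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'

function Get-ConnectionFlags {
    param([byte[]]$Blob)
    if ($null -eq $Blob -or $Blob.Length -lt 9) {
        throw 'Blob is too short to contain the flags byte.'
    }
    $flags = [int]$Blob[8]
    [pscustomobject]@{
        ManualProxy      = [bool]($flags -band 0x02)
        AutoConfigScript = [bool]($flags -band 0x04)
        AutoDetect       = [bool]($flags -band 0x08)
    }
}

function Get-AutoDetectReport {
    # One row per user hive currently loaded under HKEY_USERS; hives without
    # a DefaultConnectionSettings value are skipped.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $path = "Registry::$($hive.Name)\$ConnKey"
        $prop = Get-ItemProperty -Path $path -Name DefaultConnectionSettings -ErrorAction SilentlyContinue
        if ($prop) {
            $state = Get-ConnectionFlags -Blob $prop.DefaultConnectionSettings
            [pscustomobject]@{
                Sid              = $hive.PSChildName
                AutoDetect       = $state.AutoDetect
                AutoConfigScript = $state.AutoConfigScript
                ManualProxy      = $state.ManualProxy
            }
        }
    }
}

# Constructed sample blob: flags byte 0x09 = direct + auto-detect.
[byte[]]$Sample = 0x46,0,0,0, 0x05,0,0,0, 0x09,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
Get-ConnectionFlags -Blob $Sample

# Live check: list the users on this machine that still have auto-detect on.
Get-AutoDetectReport | Where-Object AutoDetect | Format-Table -AutoSize
```
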
  • Don, are you on valium? The valley of tears this page is becoming proves MS didn't communicate this successfully. We are stuck with "We've replaced 1 working button for 3 broken buttons" without a clear explanation of why, or even a clear method of how to use the 3 new buttons. There's no tool, no one ring to rule them all, just an Open Source like workaround type of solution. I am stuck with a mixed server and computer park of differing Windows OSes doing fine before this and now I have a problem. I am going to move to Chrome.
    Tuesday, December 17, 2013 3:55 PM
  • I suspect Don is just as much a victim as we are. That said, once I got over being upset about what they did, I did find that I can effectively manage it. There are things I don't like about it, but overall the solution became more effective when I stopped fighting it.

    As for Chrome and Firefox, I have had it with trying to manage them. They come with their own problems, and once introduced, you have another browser and all of the problems that come with it and you still have IE that needs to be maintained and updated as well. I wish I could get back to the point where I only had one browser to secure, update and configure... Microsoft proved to be more effective for us than the other two...

    I wish Microsoft had done this different, but the assumption that going to another browser was going to solve my problems turned out to be more of a headache than it was worth...


    • Edited by Oldguard Tuesday, December 17, 2013 10:19 PM
    Tuesday, December 17, 2013 10:18 PM
  • Don, are you on valium?

    Constantly ;)  I find an IV drip works best for me...

    But back on the topic of IE, we have around 900 custom web apps that won't work on anything other than IE without a lot of re-development, and they are used across 45,000 desktops. So Chrome isn't viable for us, nor firefox. We've never had one ring to rule them all, not now, not never.


    Don

    Tuesday, December 17, 2013 11:12 PM
  • I suspect Don is just as much a victim as we are. That said, once I got over being upset about what they did, I did find that I can effectively manage it. There are things I don't like about it, but overall the solution became more effective when I stopped fighting it.

    As for Chrome and Firefox, I have had it with trying to manage them. They come with their own problems, and once introduced, you have another browser and all of the problems that come with it and you still have IE that needs to be maintained and updated as well. I wish I could get back to the point where I only had one browser to secure, update and configure... Microsoft proved to be more effective for us than the other two...

    I wish Microsoft had done this different, but the assumption that going to another browser was going to solve my problems turned out to be more of a headache than it was worth...


    Well said!

    Don

    • Proposed as answer by dbiz Wednesday, January 08, 2014 5:13 PM
    • Unproposed as answer by dbiz Wednesday, January 08, 2014 5:13 PM
    Tuesday, December 17, 2013 11:13 PM
  • For whatever reason Microsoft is being unresponsive on this one.  For people like us who used IEM for adding sites to security zones without locking users out you can simply use GPO to update a registry entry.  Simple instructions are located here:

    http://www.grouppolicy.biz/2012/07/how-to-configuring-ie-site-zone-mapping-using-group-policy-without-locking-out-the-user/

    I cannot really figure out why someone from MS did not post this years ago.  It's simple and straightforward.  Obviously IEAK is huge overkill for 99.9% of admins and not a solution.

    Wednesday, January 08, 2014 5:18 PM
  • One thing Microsoft needs to realise is the COST to their CUSTOMERS in time and effort every time they change something. Perhaps they should follow the tried and tested practices of the past. "If it works DON'T FIX IT". They then may save themselves a lot of trouble.

    It is all well and good saying I can use my Windows 2008 DC to remove the Internet Explorer Maintenance Policy. Unfortunately this setting has disappeared from my 2008 system AS WELL AS the 2012 system. Although it is showing in the Group Policy Modeling.

    HOW CAN I GET RID OF IT? - please

    Thursday, January 23, 2014 5:29 PM
  • My simple need is to apply the proxy to IE on the client workstations. I am on a 2012 DC and most of the clients run Windows 7; my nightmare began with the migration of my DC to Server 2012. After a week of research I tried using GPP and then IEAK to apply the proxy from a GPO, but it really doesn't work well.

    With GPP (it was a disaster) the proxy was applied to the client workstations, but it blocked me on my web application (Hermes): the application froze on every workstation, which pushed me to delete the GPP, and worst of all I had to go round every workstation to reset the IE settings.

    With IEAK it is not at all practical for simply applying the proxy, since most of the options are found in the GPO administration tool.

    I am really stuck with more than 100 workstations; does anyone have a suggestion?????

    Thursday, January 23, 2014 6:32 PM