none
Group Policy keeps deleting AutoConfigURL registry key

    Question

  • I have a GPO assigned to a sub OU to our user Accounts OU for testing I have a limited number of pilot users in this OU so I can test and verify that PAC file and proxy service is working and policies are correct.

    Initially when the user logs in (I'm also one of the users) the key is set (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings) but it seems intermittently or periodically it will be deleted.

    Any ideas on how to find out what and when it's happening?

     


    Tom

    Tuesday, September 22, 2015 10:50 AM

Answers

All replies

  • Is your filter software updating the machines?  For example, the WebSense endpoints will push their configuration to the clients.

    I would look at your proxy and determine if that is pushing URLs

    DHCP creating the setting?


    Tuesday, September 22, 2015 2:46 PM
  • >>Any ideas on how to find out what and when it's happening?
     
    Just to confirm that when you log off and log in again, will you get the registry key again?
     
    As suggested above, check whether any other application/configuration in your environment which might be deleting key.
     
    Or, try to run process monitor to capture which process is deleting this key if possible.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, September 23, 2015 8:22 AM
    Moderator
  • Is your filter software updating the machines?  For example, the WebSense endpoints will push their configuration to the clients.

    I would look at your proxy and determine if that is pushing URLs

    DHCP creating the setting?


    I have a GPO creating the entry, it's an AdminTemplate so unless something is deleting it, it should stay.

    My thought was another GPO over writing it. But I don't know how to find it, except by process of elimination, which is what I just started doing.

    I blocked inheritance of all GPOs and adding them back one at a time.

    Which is a little cumbersome and time consuming.


    Tom

    Wednesday, September 23, 2015 11:39 AM
  • >>Any ideas on how to find out what and when it's happening?
     
    Just to confirm that when you log off and log in again, will you get the registry key again?
     
    As suggested above, check whether any other application/configuration in your environment which might be deleting key.
     
    Or, try to run process monitor to capture which process is deleting this key if possible.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Yes, since it's Group Policy we can actually do gpupdate /force to bring it back.

    I didn't think of process monitor, but now I will add that so I can watch it. Great idea, I have the event viewer open and watching GP do it's random update but nothing granular.

    I was thinking about what 3rd party app could be doing it also since you both have mentioned it.

    We have Trend Micro but I haven't seen anything in the logs either.


    Tom

    Wednesday, September 23, 2015 11:44 AM
  • Yes, since it's Group Policy we can actually do gpupdate /force to bring it back.

    This makes me feel group policy is not involved here, issue seems more likely on other applications/configurations in your environment.
     
    Anyway, try the process monitor approach and see if we find the root cause. Alternatively, we can also use Registry Auditing:
     
    http://blogs.msdn.com/b/cobold/archive/2011/11/29/monitoring-when-registry-keys-are-modified.aspx
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, September 24, 2015 2:25 AM
    Moderator
  • Hi,
     
    I'm just writing to check how's everything going? 
     
    Thanks,
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Monday, September 28, 2015 6:59 AM
    Moderator
  • Hi,
     
    I'm marking the reply as answer as there has been no update for a couple of days.
     
    If you come back to find it doesn't work for you, please reply to us and unmark the answer.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, October 6, 2015 9:59 AM
    Moderator