ie11 Group Policy - MS Laziest developers.

  • General discussion

  • Why is it that every time I have to deal with anything to do with Microsoft, I end up wanting to bang my head against the desk? The answer: lazy and incompetent developers.

    They release a new version of their browser, IE 11, and release new ADMX files that didn't even work to begin with. OK, so now I have the link with the brilliant installation instructions.

    https://www.microsoft.com/en-us/download/details.aspx?id=40905

    The instructions, of course, don't work. The ADMX files are owned by TrustedInstaller. So a quick copy as administrator is NOT going to overwrite the files. This means I have to take ownership of the files, then run the copy.

    WHY NOT JUST RELEASE THE ADMX FILES IN A MICROSOFT UPDATE THAT RUNS AS TRUSTED INSTALLER AND OVERWRITES THE FILES AS REQUIRED? INSTEAD OF EXPECTING IT DEPARTMENT TO WASTE TIME.

    Why is it that the IE10 GPO works with IE11 but they don't rename the IE10 to IE 11? They just say, oh, it's the same, use the 10 group policy. This is the common theme throughout the group policy support by Microsoft: a complete afterthought.

    How confusing is it with IE group policy now? There are like 3 different places you can change the IE GPO, and half of the settings don't work from some of the sections and half do work. It's just a mess, a complete mess.

    • Changed type Karen Hu Thursday, April 30, 2015 9:32 AM
    Wednesday, April 29, 2015 12:16 PM

All replies

  • Hi,

    Are you copying to C:\Windows\PolicyDefinitions or do you have a central store? Judging by your issue, it's not a central store and it's the local ADMX files you are trying to replace?

    Thanks,

    Wednesday, April 29, 2015 12:46 PM
  • If i update the central store:

    \\domain.com\SysVol\domain.com\Policies\PolicyDefinitions\inetres.admx
    \\domain.com\SysVol\domain.com\Policies\PolicyDefinitions\en-us\InetRes.adml

    It still does not add the ie11 (well ie10) to the internet settings under control panel settings. I only get ie8 available. 

    Why do the instructions not indicate updating the central store and instead point towards updating the TrustedInstaller-owned files in C:\Windows\PolicyDefinitions?

    Do I need to have a Windows Server 2012 domain controller or Windows 8 client PC with RSAT before I can get the IE 11 GPO working?

    Why not release a KB that fixes up all the IE group policies for IE 11. Removing all the non valid policies and so on. This way sysadmins could know which IE policies are working without having to spend days testing what is what.

    • Edited by Johnmclain Wednesday, April 29, 2015 1:14 PM
    Wednesday, April 29, 2015 1:11 PM
  • Are you running the local Group Policy Editor or are you administering an Active Directory Group Policy through GPMC?
    Wednesday, April 29, 2015 1:14 PM
  • I am a domain administrator. I am trying to modify IE group policy for 100+ users. I've just upgraded from IE9 to 11 for all my users and various GPO settings have stopped working; an example is the secondary home page setting.

    I am quite experienced with GPO and adding in new ADMX files.

    By comparison, the Office 2010 GPO was very good; they even released a spreadsheet listing in detail what each function does and where it is. Maybe the IE team can learn a thing or two about group policy from the Office team?

    Wednesday, April 29, 2015 1:40 PM
  • Sorry, without angering you more..... one more question. Are we talking about configuring policies here:

    or like this:

    Not trying to insult your intelligence, but I can't see what you're configuring and can only go on what you're writing, which is applicable in multiple locations.

    Thanks,

    Wednesday, April 29, 2015 1:48 PM
  • Yep, that is the IE group policy. That is what I am referring to.

    The internet settings are stuck at IE8 even after updating the inetres in the central store. I tried updating my Windows 7 PC directly and going through the RSAT GPO and that made no difference.

    I am not the only person who had this problem.

    http://www.alexheer.co.uk/it-blog/configuring-ie11-settings-via-group-policy

    Read the comments; a few people are not getting the IE10 internet settings to come up after applying the inetres.

    PS, I am not angry. Just disappointed :)

    • Edited by Johnmclain Wednesday, April 29, 2015 2:00 PM
    Wednesday, April 29, 2015 2:00 PM
  • No I think you missed what I was saying. That blog is also wrong unless I am completely missing what you and he are saying. More than possible!!

    The ADM(X) templates are for managed GPO settings. (My top screenshot)

    The second screenshot is for Group Policy preferences; this is not the same as Group Policies and does not run off of ADM(X) templates. I'm assuming you are wanting to use the second screenshot I have shown in my last post?

    What version of Windows are you running GPMC from?

    Thanks,

    Adam

    Wednesday, April 29, 2015 2:06 PM
  • OK, that explains why the internet settings do not get updated with ADMX file changes.

    The domain controller is a 2008 R2 SP1 with IE9. I will update to IE11 when I can schedule in some downtime; I suspect that might solve the problem with the GPO preferences, well, hope so.

    My desktop with RSAT is Windows 7 SP1 with IE11.

    I read another blog and it said that you need Windows 8+ or Windows 2012+ to be able to get the IE10 in the internet settings section.

    If I update the inetres on the central store, will that affect existing policies that have used the internet control panel section of the GPO?

    Once I have updated the default inetres on the central store, do I still need to go to add/remove templates and add the updated inetres file in?

    Wednesday, April 29, 2015 2:10 PM
  • https://support.microsoft.com/en-us/kb/2898604

    Answers your question as to why you can't configure IE 11. GPP is governed by the version of RSAT you are running on the configuring client. RSAT revisions are released with every new version of Windows..... Updating your DC to IE11 will not help. Get a Server 2012 R2 or Windows 8.1 machine with RSAT and configure the GPP from there as per the above KB, selecting to configure an IE 10 GPP, which will also apply to IE11.

    It sounds to me like you have indeed updated the ADMX files correctly, and if you look in the location in my first screenshot for GPOs you will indeed find IE11 policies.

    I believe what you are seeing is in fact by design and correct.

    Not meaning to shoot you down or insult your experience, as this issue once caught me out a few years ago. GPP is a powerful tool and handy. It is worth doing some reading and understanding the differences between GPO and GPP. They work very differently.

    Hope you get it sorted,

    Thanks,

    Adam

    Wednesday, April 29, 2015 2:19 PM
  • Also, as per your other question, read up on the central store and why it was introduced. The add/remove templates is only for the old ADM file types, which you no longer want to use.
    Wednesday, April 29, 2015 2:21 PM
  • OK thanks, that explains it. I have a new Server 2012 for SQL 2012 that I can manage the GPO from.

    Wednesday, April 29, 2015 2:24 PM
  • No worries,

    Make sure it is 2012 R2 or Windows 8.1, not 2012 or Windows 8. They are different.

    Wednesday, April 29, 2015 2:26 PM
  • Do you have an example of an ADMX policy that is specific to the new IE11 ADMX that you know of, so that I can confirm the new ADMX is loaded correctly?
    Wednesday, April 29, 2015 2:30 PM
  • Sorry missed this one:

    User Configuration\Administrative templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

    Wednesday, April 29, 2015 2:44 PM
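
One way to answer the question above without relying on a single known policy (an added example, not part of the original thread and not Microsoft's code): list the policies present in one copy of inetres.admx but missing from another. The default paths are assumptions, the central-store path uses the placeholder domain from the thread, and `Get-AdmxPolicy` is a hypothetical helper name.

```powershell
# Added example. Both paths are assumptions: -OldAdmx points at a copy of the
# previous template, -NewAdmx at the central store (placeholder domain from the thread).
param(
    [string]$OldAdmx = "$env:SystemRoot\PolicyDefinitions\inetres.admx",
    [string]$NewAdmx = '\\domain.com\SysVol\domain.com\Policies\PolicyDefinitions\inetres.admx'
)

# Hypothetical helper: returns one object per <policy> element in an ADMX file.
function Get-AdmxPolicy {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "ADMX file not found: $Path"
    }
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($Path)

    # local-name() matches <policy> regardless of the XML namespace prefix in use.
    foreach ($node in $doc.SelectNodes("//*[local-name()='policy']")) {
        New-Object PSObject -Property @{
            Name  = $node.GetAttribute('name')
            Class = $node.GetAttribute('class')   # User, Machine or Both
            Key   = $node.GetAttribute('key')     # registry key the policy writes to
        }
    }
}

$old = @(Get-AdmxPolicy -Path $OldAdmx)
$new = @(Get-AdmxPolicy -Path $NewAdmx)

# Index the old policy names so the comparison is a simple lookup.
$oldNames = @{}
foreach ($p in $old) { $oldNames[$p.Name] = $true }

$added = @($new | Where-Object { -not $oldNames.ContainsKey($_.Name) })

"{0} policies in old template, {1} in new template, {2} only in new" -f `
    $old.Count, $new.Count, $added.Count

# Policies that exist only in the newer template, with the registry key each one sets.
$added | Sort-Object Name | Format-Table Name, Class, Key -AutoSize
```

If the count of policies found only in the new template is zero, both paths hold the same template version and GPMC will show no additional Internet Explorer settings.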
  • I found that replacing the inetres file in the central store caused the Windows 7 desktop PC to not log in and get stuck on "please wait". Basically it corrupts our primary group policy file. I will basically have to rebuild the entire thing due to this.

    I have more issues with it unfortunately. I created a new GPO on the 2012 server, then applied it to our main OU as normal and ran gpresult /R on the client PC that should have the IE11 GPO preferences applied. However, the settings do not get applied on new profiles.

    Also, is there a way in IE11 to suppress every single warning, prompt, popup and information bar regarding addons? I don't want the users to be prompted about addons at all, ever. Is that possible?

    I tried disabling the "enhanced" protection mode. While that did suppress the notification bar that an addon was not compatible and disabled, it just led to a similar bar coming up with a run or disable prompt. Is it possible to have IE11 not prompt users constantly about everything they do?

    Wednesday, April 29, 2015 3:28 PM
  • I would look in your event log, the central store is only used when amending policies within GPMC I believe. Whatever is slowing down your computer startup I would imagine is separate. Are you doing any item level targeting at all on the preference or any other preferences?? specifically with OUs? Would be done in the section shown below.

    If so try applying Windows 7 SP1 hotfix rollup to one of your clients. This includes a fix for a bug when doing item level targeting against OU's as well as others.

    https://support.microsoft.com/en-us/kb/2775511

    Specifically

    https://support.microsoft.com/en-us/kb/2693010

    When you say you are applying the GPO to your main OU do you mean the OU containing the computers or the users?

    Thanks,



    • Edited by Adam--D Wednesday, April 29, 2015 3:48 PM
    Wednesday, April 29, 2015 3:46 PM
  • OK, what I did was remove all the IE policies from the primary group policy on a 2008 R2 PC with the old inetres ADMX still in place. Then I replaced the inetres ADMX and created a new policy on the 2012 server GPO and added all the IE policies in there. This has worked in that it has not corrupted the primary group policy, leading it to be stuck on "please wait".

    The only problem I have now is that the IE11 policies done through the GPO preferences are not applying to my Windows 7 PC even though the policy is showing as applied in gpresult /R.

    Are there any hotfixes for IE11 policies not applying to Windows 7? I thought I saw one in my searches but can't find it now. The Windows 7 PCs are fully up to date with updates as well, so I can't work out why these policies, like setting two default homepages, do not apply to new profiles.

    Seems I am not the only one:

    http://community.spiceworks.com/topic/485435-ie-11-group-policy-settings-not-applying

    Are there any references as to what is applied through the preferences and what is applied via the ADMX section of GPO?

    I think I know why the homepage was not applying: it's the F6, to change the line from red to green. :)

    So the only thing outstanding is the annoying alerts about addons. :(

    • Edited by Johnmclain Wednesday, April 29, 2015 3:58 PM
    Wednesday, April 29, 2015 3:54 PM
  • OK, I think you are missing this whole concept of the central store. ADMX files don't get added to individual Group Policies.

    https://msdn.microsoft.com/en-us/library/bb530196.aspx?f=255&MSPPError=-2147217396

    I asked a few questions regarding where you are applying this group policy and constraints you may or may not have on the GPP. You also said you created the new IE settings on a 2012 Server. 2012 R1 or R2? It makes a difference.

    Thanks,

    Wednesday, April 29, 2015 4:00 PM
  • I understand perfectly the concept of the central store. When I had the original inetres ADMX loaded it did not have the new IE11 policies. The new one does.

    I have a policy, Windows 7 64bit 2015; this has all (95%) of my group policy settings in it and it's applied to the user and computer OU of all the users. When swapping out the inetres file before removing the IE settings, it prevented the Windows 7 PC from logging in and was stuck at "please wait". This has happened before with GPO and happens when the policy is corrupted; this happened a few weeks ago when I removed a Flash update from the GPO. Ended up having to restore an old version of the GPO, but that is not relevant.

    I have now updated the central store with the new inetres and the IE11 policies are loaded fine.

    The outstanding problem I have is just the addon alerts. Which is not a major problem but an annoyance for the users.

    If I enable enhanced protected mode I get the message that addons (namely Java) are not compatible and are disabled (it's fine that it's disabled); I just don't want the warning message to pop up.

    If I disable enhanced protection mode, then I get the message that the addon (Java) has been enabled and that the user can decide whether they want to disable or run the addon.

    Ideally I want enhanced protection mode on and I want to suppress any warnings about addons. This is because warnings generate IT support desk phone calls.

    New server is 2012 R2.

    One other thing I would like to be able to do is set the toolbars of IE without restricting them from being changed.

    What I would like is for the favourite bar, command bar and the status bar to be enabled by default, but I want users to be able to change the settings if they want.

    This is because that is how it used to look and we had a few calls from users asking where their favourite bar has gone since upgrading to IE11.

    I see options for enabling those but then it restricts it.

    Edit: OK, I have found a way to suppress the addon warnings; it's a policy called disable addon performance notifications or something like that. I'll just leave the default toolbar config as there is no other option, and that's it all sorted.

    Thanks for your help

    • Edited by Johnmclain Wednesday, April 29, 2015 4:34 PM
    Wednesday, April 29, 2015 4:10 PM