none
Windows 8 / IE11 forget proxy settings applied by GPO on reboot

    Question

  • I've just about run out of ideas here on what may be causing this. I've toyed with policies quite often, but never ran into this problem before.

    Windows 8 with IE11. While there are GPO's active on the system, the settings are kept free to alter by the user if need be. We use a proxy, so I'm required to provide the proxy and the exceptions in a policy to the PC's to make sure they work under normal conditions. I added a couple of settings in the GPP (Group Policy Preferences) with the correct settings, enabled these settings (green lines) and tested these on a test system. They work fine, I get my proxy settings pushed through.

    Then we get to the rollout on the systems that are affected (not that many, just 10 accounts total, all in nearby rooms). I can run a gpupdate /force to reload the settings, and can confirm the proxy settings are applied properly. So the policy itself seems sound also on the workplaces it needs to be active on. Users still have the option to change the proxy settings on their own discretion, but that's exactly what we want to happen.

    Now we run into the problem that when part of these PC's are rebooted, the PC somehow seems to decide the proxy isn't worth its time anymore, and kills all settings for the proxy back to default. Either that, or it just switches the proxy off. Running a gpupdate /force reapplies the policy and everything starts working again, but WHY is Windows 8 / IE11 adament about forgetting these settings?

    The really maddening thing is that on a couple of PC's with Windows 8 and IE11 (and the same policies applied) it isn't a problem and the proxy remains filled in, as I would expect from GPO's. These include my test system, which makes me unable to replicate the problem and test locally.

    I've tried enhancing the policy with using a forced wait for the network to become available) aswell as a forced logonscript run on boot instead the standard 'after 5 minutes'. Find these under 'Computer Configuration - Policy - Administrative Templates - System - Logon' and 'Computer Configuration - Policy - Administrative Templates - System - Group Policy'. Neither setting seems to work tho. I've also tried going with a Computer Configuration Startup script in which I just request to run 'gpupdate' with the '/force' as the switches. But this also seems not to do anything.

    In short: Does anyone know why Windows 8 / IE11 falls back to something outside the scope of policies, while it accepts the forced policy update with the correct settings when 'gpupdate /force' is issued manually afterwards? And has anyone any idea what I can do to make sure the policy is applied regardless of what Windows 8 / IE11 thinks it should be?

    Friday, December 12, 2014 4:01 PM

Answers

  • And it seems my colleague found a probable cause after spending about 60 mins on this...

    TMG client software installed, which overrules anything GPO's push in... Removed that software from the affected machines, and will check this on Monday with the users.

    *bangs head on desk, since we have already stated that this software is not to be installed anymore*

    <sigh>

    • Marked as answer by Neko- Monday, December 22, 2014 12:22 PM
    Friday, December 19, 2014 4:30 PM

All replies

  • Just to complete the picture... I've also moved the policy containing the GPP up to order 1 (of the three we have in there), so it's applied last. In essence, it shouldn't matter what policy is applied, the last one (having order number 1 on it) should be the one to overrule anything below it.
    Saturday, December 13, 2014 10:45 AM
  • Hi,

    >>Now we run into the problem that when part of these PC's are rebooted, the PC somehow seems to decide the proxy isn't worth its time anymore, and kills all settings for the proxy back to default.

    Based on the description, we may enable GPP debug logging for Internet Settings to check if we can find some information regarding this phenomenon.

    To enable GPP debug logging for Internet Settings, we need to enable the following setting:

    Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure Internet Settings preferences logging and tracing

    Besides, regarding how to enable GPP debug logging, the following blog can be referred to as reference.

    Enabling Group Policy Preferences Debug Logging using the RSAT

    http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx

    Best regards,

    Frank Shen


    Monday, December 15, 2014 7:12 AM
    Moderator
  • Just had a go with that... Found out that when I login and refresh the polciy using gpupdate /force, the proxy settings are filled in properly.

    Once I reboot tho, the proxy switches itself off (the entries regarding the proxyname and such remain, as does the 'bypass for local addresses, but it's all grayed out). Once I switch the proxy back on, and check under 'Advanced', I find everything in order, except for the exclusion list which is emptied.

    So I forced the gpupdate, verified that the proxy was switched on, and the exclusion list was populated. I then restarted the PC, only to find that above situation (proxy switched off, and exclusionlist empty) had reasserted itself.

    Waited a bit and did a forced policy update again. Then verified the logged files (which was just User.txt).

    After anonymizing the output a bit, I copied the contents to http://pastebin.com/YyWswW83 for your review. It looks like it contains 3 batches of GP updates.

    The one at 13:20 is likely the primary one in which I forced the GPUpdate. The one at 13:22 is the one issued on the restart of the computer, while the one at 13:24 is the (once again) forced gpupdate.

    From my understanding it seems as if the no-change of GPO detection works, but also causes it to skip the policy. Tho I admit that's speculation on my part. Any and all light you (or anyone else) may be able to shine on this, will be greatly appreciated.


    • Edited by Neko- Monday, December 15, 2014 12:48 PM
    Monday, December 15, 2014 12:48 PM
  • Just altered the policy. Threw out the startup script that was supposed to force a GPUpdate, on account of it not working, and it being a solution that should be implemented out of the box anyway.

    Allowed the entry to allow forced updating of the GPO, by going to the Computer Configuration, Policy, Administrative Templates - System - Group Policy, and enabling the Policy execution for Internet Settings preferences.

    Under that one the slow network setting and the 'apply policy if object has not changed' were applied, with a 'Normal' priority.

    Went to the PC, kicked in a GPUpdate /force, and then ran a reboot. Which didn't change anything. I was under the impression that despite me unlinking the policy for the debug, the setting would remain active on the PC, but that seems not to be the case. So I don't have a follow-up logging at the moment. Reenabled the policy, and will have to check with the user tomorrow (can't chase the user off for reboots at every turn).

    I'm still pretty much baffled about this behavior and have yet to find anything that hints as to why this is happening :(


    • Edited by Neko- Wednesday, December 17, 2014 1:46 PM
    Wednesday, December 17, 2014 1:45 PM
  • Toyed with the resetting of IE to factory defaults. Didn't change behavior
    Forcefully changed settings to use WPAD by editing the registry: https://social.technet.microsoft.com/Forums/windowsserver/en-US/cb6abb30-4360-4d3d-93fc-61823b2a5c20/turn-off-auto-detect-settings-in-ie-using-gpo - No change in behavior.

    Still wiped all ticks and didn't enable the proxy (while weirdly, in all cases IE still was able to connect to the MSN website, despite not having anything on auto-detect and not having the proxy settings being applied).

    My colleague created two new policies that seem to be working, but are yet being worked on. If any progress is made on that I'll be sure to post that up.

    Friday, December 19, 2014 4:01 PM
  • And it seems my colleague found a probable cause after spending about 60 mins on this...

    TMG client software installed, which overrules anything GPO's push in... Removed that software from the affected machines, and will check this on Monday with the users.

    *bangs head on desk, since we have already stated that this software is not to be installed anymore*

    <sigh>

    • Marked as answer by Neko- Monday, December 22, 2014 12:22 PM
    Friday, December 19, 2014 4:30 PM
  • Hi, if someone know how resolve?

    because I already remove all updates and the problem still.

    Monday, December 22, 2014 11:58 AM
  • Hi, if someone know how resolve?

    because I already remove all updates and the problem still.

    You might have the wrong thread. I started this one, and with assistance of Frank, and my co-worker finally figured out some stuff on GPP, and the fact that the TMG software was overruling anything set forth from the GPO's. 

    So in my case it wasn't updates and whatnot, but an extra piece of software installed that we had already deemed removed unless explicitly required by something.

    Monday, December 22, 2014 12:22 PM