SiteToZone GPO applying, but sites not appearing in IE

    Question

  • Hello,

    We have a GPO set for computer configuration, applied at top of domain level, that sets Site To Zone assignments for many sites. Our users log onto a 2012 R2 remote desktop deployment with user profile disks (essentially roaming profiles). ESC is turned off on each of the servers in the pool.

    Until recently, this GPO was working fine, but for most (if not all) users, the GPO is now seen to apply but the sites do not appear in IE under any zone.

    If the user logs into the server whilst they have admin privileges, turns ESC on, and then back off through server manager, the sites all of a sudden appear in IE control panel. This then seems to follow them when logging into other servers, and cures the issue.

    This is obviously not a workable solution for all 250 users in our org, so I am hoping someone may be able to assist with diagnosing this? I wonder if there was some Windows update that has messed with the ESC config in the registry somehow, which caused this?

    Cheers, Eds

    Friday, July 08, 2016 11:56 AM

All replies

  • On 08.07.2016 at 13:56, Eds19891 wrote:
    > Until recently, [...]

    ... all of a sudden, there was 14.06.2014 and MS16-072

    Microsoft Security Bulletin MS16-072 - Important

    MS16-072: Security update for Group Policy: June 14, 2016
    -> See Known Issues

    Ask Premier Field Engineering (PFE) Platforms | Who broke my user GPOs?

    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management

    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, July 08, 2016 12:41 PM
  • Thanks for that info, however the GPO in question has default security filtering, so authenticated users already have Read permissions.


    The policy is applying, as I can see the registry entries appear and disappear when I disable the GPO link and gpupdate, it is more on the IE side of things where the issue lies I think!

    Friday, July 08, 2016 2:35 PM
  • On 08.07.2016 at 16:35, Eds19891 wrote:
    > The policy is applying, as I can see the registry entries appear and
    > disappear when I disable the GPO link and gpupdate, it is more on the IE
    > side of things where the issue lies I think!

    You configure SiteToZoneList in Computer config and user config as well?
    They can not be mixed. IE will prefer computer config.

    In this mixed situation, the reg values would be transported and
    deployed to the user's registry, but they will not show up or take effect.

    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management

    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, July 08, 2016 2:44 PM
  • I only added to the user section as a test, we have been applying only to computer config up until this issue.

    The registry entries that appear, appear under HKLM. The computer config is where we want to and have been setting it.

    Friday, July 08, 2016 2:47 PM
  • On 08.07.2016 at 16:47, Eds19891 wrote:
    > I only added to the user section as a test, we have been applying only
    > to computer config up until this issue.
     
    You need to stay within the same object, if you want to test anything.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Friday, July 08, 2016 4:00 PM
  • I added the settings in the same object, under both user and computer configuration.

    Point is, toggling ESC on and off again fixes the problem for that user.


    • Edited by Eds19891 Friday, July 08, 2016 4:10 PM
    Friday, July 08, 2016 4:10 PM
  • Hi,
    If I understand correctly, you could link the updated group policy with both user and computer configuration to 250 users as you tested, so the problem is to restart ESC for all users. In this case, you can do so faster by using a PowerShell script. Please refer to the following article for the script:
    https://4sysops.com/archives/disable-internet-explorer-enhanced-security-configuration-ie-esc-on-remote-computers-with-powershell/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 11, 2016 8:36 AM
    Moderator
  • Thanks for the reply, but the problem is it seems to have to be done on a per user basis, not a per server basis.

    If I log in as an admin on one of the servers, and toggle ESC, it only fixes the issue for that user, not all of the others. That's why to fix it for a user as a one off, I had to assign them admin privileges, log in as them, toggle ESC and then remove admin privileges.

    Also, when you toggle ESC, it messes with the IE homepage and default page, which I do not want to happen.

    Tuesday, July 19, 2016 9:36 AM
  • Hi,

    Let us do a test: please create a new user, add it into the OU which the GPO is applying to, and then apply group policy to see if the site appears or not.

    And if we suspect that there is some update causing the issue, we could compare the working account and problematic one to see if we could find the difference.

    Regards,

    Wendy


    Friday, July 22, 2016 1:30 AM
    Moderator
  • I have created a new user, and this account also seems to be affected. The sites do not appear in IE.

    Oddly, gpresult /r shows the "SiteToZoneAssignment" GPO applied under user settings, even though it only contains computer settings.

    I am going to try and recreate the GPO first to see if that helps.

    Friday, July 22, 2016 4:29 PM
  • Hi,
    I am checking how the issue is going.
    Have you recreated GPO for test and checked if it works?
    If you still have any questions, please feel free to contact us. I appreciate your update.
    Regards,
    Wendy

    Tuesday, July 26, 2016 1:12 AM
    Moderator
  • I have recreated the GPO, with all the default security settings, and just set the site to zone assignment under computer configuration.

    I logged onto a server as an admin, ran gpupdate /force, and can see that the GPO is applied under computer configuration. Looking in HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, I can see one key for each of the sites applied in the GPO, so I know the GPO is applying correctly.

    I then logged on as my test user, ran another gpupdate /force just to be sure, opened IE, went to internet settings and there is nothing listed in the intranet or trusted sites!

    Just in case it was a GUI issue, I went to the site I set to be in the intranet zone, went to page properties, and it still shows Internet zone, not Intranet.

    I don't think this is an issue with the GPO, something on the server must be stopping this from taking effect!

    Tuesday, July 26, 2016 10:11 AM
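As an added example (editor's code, not from any poster in this thread): a PowerShell script that reads the Site-to-Zone assignments Group Policy has written under both the computer and the user policy hive and decodes them, which is the registry check Eds describes above, and which also surfaces the mixed computer/user configuration Mark warned about earlier. The function names are mine; the zone numbers follow IE's standard zone IDs (0 = Local machine, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites).

```powershell
# Added example, not code from the thread: enumerate the Site-to-Zone assignments that Group
# Policy has written to the registry, for both the computer (HKLM) and user (HKCU) policy hives,
# and flag the mixed computer+user configuration Mark describes. Policy-defined sites do not
# appear in the Internet Options UI, so the registry is the place to verify them.
$ZoneNames  = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$PolicyBase = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PolicyZoneAssignment {
    # Returns one object per assignment found, with Scope = Computer or User.
    foreach ($scope in @('Computer', 'User')) {
        $hive = if ($scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
        $base = Join-Path $hive $PolicyBase

        # 1) ZoneMapKey: the raw list written by "Site to Zone Assignment List" (REG_SZ: URL = zone number)
        $listKey = Join-Path $base 'ZoneMapKey'
        if (Test-Path $listKey) {
            $item = Get-Item $listKey
            foreach ($url in $item.GetValueNames()) {
                $zone = [int]$item.GetValue($url)
                [pscustomobject]@{ Scope = $scope; Source = 'ZoneMapKey'; Entry = $url; Zone = $zone; ZoneName = $ZoneNames[$zone] }
            }
        }

        # 2) ZoneMap\Domains: the form IE actually consults. Each (sub)domain is a key; each value
        #    is named after the scheme ('http', 'https' or '*') and holds the zone number as a DWORD.
        $domains = Join-Path $base 'ZoneMap\Domains'
        if (Test-Path $domains) {
            foreach ($key in Get-ChildItem $domains -Recurse) {
                $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                foreach ($scheme in $key.GetValueNames()) {
                    $zone = [int]$key.GetValue($scheme)
                    [pscustomobject]@{ Scope = $scope; Source = 'ZoneMap\Domains'; Entry = "$scheme : $relative"; Zone = $zone; ZoneName = $ZoneNames[$zone] }
                }
            }
        }

        # 3) ZoneMap\Ranges: IP addresses and ranges. Each RangeN key has a ':Range' string plus
        #    per-scheme DWORDs, in the same shape as the Domains entries.
        $ranges = Join-Path $base 'ZoneMap\Ranges'
        if (Test-Path $ranges) {
            foreach ($key in Get-ChildItem $ranges) {
                $range = $key.GetValue(':Range')
                foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
                    $zone = [int]$key.GetValue($scheme)
                    [pscustomobject]@{ Scope = $scope; Source = 'ZoneMap\Ranges'; Entry = "$scheme : $range"; Zone = $zone; ZoneName = $ZoneNames[$zone] }
                }
            }
        }
    }
}

function Test-MixedZoneConfiguration {
    # True when both the computer and the user policy hive carry assignments. IE prefers the
    # computer-side list in that case, so the user-side entries are transported but never used.
    $scopes = @(Get-PolicyZoneAssignment | Select-Object -ExpandProperty Scope -Unique)
    return ($scopes.Count -gt 1)
}

Get-PolicyZoneAssignment | Sort-Object Scope, Source, Entry | Format-Table -AutoSize
if (Test-MixedZoneConfiguration) {
    Write-Warning 'Site-to-Zone assignments exist under both Computer and User policy; the user-side list will be ignored.'
}
```

Run it in the affected user's session after `gpupdate /force`: the ZoneMapKey rows show what the GPO delivered, the Domains and Ranges rows show what IE will actually consult. If the rows are present under Computer but a site still reports the Internet zone in page properties, the assignment itself is fine and something else (such as the IEHarden value found later in this thread) is overriding zone lookup.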
  • > sure, opened IE, went to internet settings and there is nothing listed
    > in the intranet or trusted sites!
     
    This is expected - Sites you define via GPO do not show up in the UI.
     
    > I don't think this is an issue with the GPO, something on the server
    > must be stopping this from taking effect!
     
    Do you mind sharing your exact zone assignment entries?
     
     
    Tuesday, July 26, 2016 10:40 AM
  • I wasn't sure that was the case, as they used to appear. On my Windows 10 workstation, they appear and disappear as I enable and disable the GPO! I expected the behaviour to be that they appear in the list, but are not modifiable by the user.

    The assignments are working fine on my Windows 10 workstation, so again don't suspect this to be the issue, but they are:

    • https://adfs.corybrothers.com - 1
    • http://10.1.3.81 - 2
    • http://www.cnsonline.net - 2
    • https://signon.defra.gov.uk - 2
    • http://shiptrak.co.uk - 2
    Tuesday, July 26, 2016 11:07 AM
  • > I logged onto a server as an admin, ran gpupdate /force, and can see
     
    Just to make sure - Internet Explorer Enhanced Security Configuration is
    enabled or disabled for your user?
     
    If ESC is enabled, IE accesses different registry keys for zone
    assignments... :()
     
    Tuesday, July 26, 2016 1:27 PM
  • We have it disabled on all of our servers. This is why I was suspecting perhaps a security update that may have changed something in the registry, that explains why toggling it on and off again fixes it?

    Not sure if possible to enable for specific users? Is there a HKCU registry entry I should be checking?

    Tuesday, July 26, 2016 1:42 PM
  • We have it disabled on all of our servers. This is why I was suspecting perhaps a security update that may have changed something in the registry, that explains why toggling it on and off again fixes it?

    Not sure if possible to enable for specific users? Is there a HKCU registry entry I should be checking?

    I found the HKLM registry entries, and it's definitely disabled for both Users and Admins.
    Tuesday, July 26, 2016 1:51 PM
  • I found it!!!!

    For some reason, if I look under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, there is an entry there called IEHarden; it's a REG_DWORD and has a value of 1.

    If I delete this, or set it to 0, IE immediately shows me my sites set by GPO!

    Why is this key here? If IE ESC is turned off for the server as a whole, then this key shouldn't exist surely? That may also explain why toggling ESC on and off again while logged in as that user fixes the problem.

    Could there have been some security update that creates this key initially?

    • Proposed as answer by Eds1989 Tuesday, July 26, 2016 2:09 PM
    Tuesday, July 26, 2016 2:01 PM
  • > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    > Settings\ZoneMap, there is an entry there called IEHarden, it's a
    > REG_DWORD and has a value of 1
     
    Hm - might this be set in the default user profile by accident?
     
    Tuesday, July 26, 2016 3:00 PM
  • The default user profile is a virtual hard disk created by Windows when deploying our remote desktop servers.

    We have not modified the template, and do not configure this registry setting by any other means.

    Tuesday, July 26, 2016 4:08 PM
  • > We have not modified the template, and do not configure this registry
    > setting by any other means.
     
    Ok, I have no clue where this results from - simply delete it via GPP
    registry and all should be fine.
     
    Wednesday, July 27, 2016 9:56 AM
  • That looks to be our workaround, but I would like to try and determine what is causing the issue in the first place.

    If due to an update from Microsoft, I would think they should be made aware if not already.

    Wednesday, July 27, 2016 1:54 PM
  • Hi,
    In the Terminal Server environment we have a concept called Terminal Services Shadowing.
    On a terminal server, whenever applications are installed, it first writes the new application registry entries to the HKEY_CURRENT_USER\Software registry location. At the same time, to ensure that these new entries are available for all the users on the terminal server, the new registry entries are propagated to another location in the registry called the shadow region:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software
    So when we initially built the Terminal servers the IE Enhanced security feature creates a registry key under:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap] – IEHarden
    If you turn off the IE Enhanced Security from the UI or run the batch file, it will remove the settings from various other locations but not from the Shadow region.
    Please see details from the following blog:
    https://blogs.msdn.microsoft.com/askie/2012/09/11/how-to-troubleshoot-ie-enhanced-security-warning-content-from-the-website-listed-below-is-being-blocked-by-the-internet-explorer-enhanced-security-configuration/
    Regards,
    Wendy

    Monday, August 01, 2016 1:54 AM
    Moderator
  • Hi Wendy,

    That key does not exist for us, so don't think relevant. I believe this was an issue with 2003 and 2008, which I would assume had been fixed by 2012 R2.

    Many thanks.

    Eds

    Monday, August 01, 2016 9:25 AM
  • Hi Eds,
    According to my research from some documents, Martin might be right that IEHarden seems to be located in the default user profile; we could deploy a new profile to confirm that.

    If that is the case, in addition to deleting the key from GPP, you could also edit the Default User profile and set the IEHarden value; going forward you will remove existing profiles, which will allow the users to pick up the modified default user profile settings during their next logon.
    Regards,
    Wendy


    Wednesday, August 03, 2016 9:37 AM
    Moderator
  • Hi Wendy,

    That is a workaround in my eyes, not a solution.

    I am not sure if I explained in a previous post, but we use Server 2012 R2 remote desktop services, and we make use of user profile disks.

    As such, our "Default Profile" is an empty VHDX file, that has no registry hive or appdata folder. If you can advise how to modify the template VHDX, we can give that a go.

    As there is no registry, it is the remote desktop session host that generates the new users' profile if I am understanding it correctly. My query would be, why has it only just started issuing new profiles with this IEHarden key, when it hasn't done for the previous 100 or so users we have setup on these servers?

    Again, the only thing I keep coming back to, but cannot pin down for certain, is that a Windows update has altered something that causes new profiles to get this key by default. We can remove the key using group policy, but I would rather fix the issue, rather than applying ANOTHER group policy registry fix for something that was already working.

    Regards

    Eds

    Friday, August 05, 2016 11:54 AM
  • > this IEHarden key, when it hasn't done for the previous 100 or so users
    > we have setup on these servers?
     
    Two possible reasons I can think of:
     
    a) C:\Users\Default\ntuser.dat is the baseline registry for every new
    user. The value is present there.
    b) ActiveSetup (or RunOnce) runs a program that populates this value at
    first logon.
     
    If you are curious: Run Sysinternals process monitor with a filter for
    IEHarden in an admin session, then logon a new user. This will show you
    if the value is written at logon - if not, it was already present.
     
    Friday, August 05, 2016 1:07 PM
  • Ok so it looks like out of our 8 session host servers, the key is only created in the user's registry on 2 of them (the two that our consultants set up for us ages ago).

    Can you advise how to setup the filter criteria in procmon to look for registry events/keys?

    Many thanks

    Eds

    Friday, August 05, 2016 4:24 PM
  • Found it!

    Copied the PML to my PC for faster processing, and just did a "Find".

    Looks like on the two servers our consultants set up, the key Wendy mentioned (HKLM\Wow64\Software...\Terminal Server\Install\...Internet Settings\ZoneMap) existed.

    Deleted the key, and new profiles created correctly on those servers.

    Consultants have no idea why they are different, so we will likely never know what caused this to come about :P

    Thanks all for your help!

    Eds

    Friday, August 05, 2016 4:48 PM
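As an added example (editor's code, not from the thread or any of its posters): a PowerShell script that collects every location this thread names as a possible origin of the IEHarden value, tests Mark's default-profile theory by mounting C:\Users\Default\NTUSER.DAT, and can clear the shadow-region copy Eds found on the two consultant-built hosts. Assumptions: the function names are mine; the Wow6432Node path is my expansion of the abbreviated "HKLM\Wow64\Software..." path Eds posted; the two Active Setup GUIDs are the standard IE ESC component IDs for administrators and users, which is where the "disabled for both Users and Admins" state Eds checked is stored.

```powershell
# Added example, not code from the thread: report every location on an RDS session host from
# which a user's IEHarden=1 can originate, probe the default-profile hive, and (optionally) clear
# the copy in the Terminal Server shadow region that the thread identified as the source.
$ZoneMapSuffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
$TsInstall     = 'Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software'

$IEHardenLocations = [ordered]@{
    'HKCU ZoneMap (this user)'       = "HKCU:\Software\$ZoneMapSuffix"
    'HKLM ZoneMap (machine)'         = "HKLM:\SOFTWARE\$ZoneMapSuffix"
    'TS shadow region (native)'      = "HKLM:\SOFTWARE\$TsInstall\$ZoneMapSuffix"
    # Assumed expansion of the abbreviated "HKLM\Wow64\Software...\Terminal Server\Install" path in the thread
    'TS shadow region (Wow6432Node)' = "HKLM:\SOFTWARE\Wow6432Node\$TsInstall\$ZoneMapSuffix"
}

# IE ESC on/off state lives in two Active Setup components (IsInstalled 1 = ESC on, 0 = off)
$EscComponents = [ordered]@{
    'IE ESC (Administrators)' = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    'IE ESC (Users)'          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-RegistryValueOrNull([string]$Path, [string]$Name) {
    # $null when the key or the value is absent, otherwise the value's data.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function Get-IEHardenSource {
    # One row per location: whether the key exists and what IEHarden / IsInstalled holds there.
    foreach ($label in $IEHardenLocations.Keys) {
        $path = $IEHardenLocations[$label]
        [pscustomobject]@{ Location = $label; KeyExists = (Test-Path -LiteralPath $path); Value = Get-RegistryValueOrNull $path 'IEHarden'; Path = $path }
    }
    foreach ($label in $EscComponents.Keys) {
        $path = $EscComponents[$label]
        [pscustomobject]@{ Location = $label; KeyExists = (Test-Path -LiteralPath $path); Value = Get-RegistryValueOrNull $path 'IsInstalled'; Path = $path }
    }
}

function Test-DefaultProfileIEHarden {
    # Mark's option (a): mount the default user's hive and look for the value there.
    # Needs an elevated session, and the hive must not be in use by a logon in progress.
    param([string]$Hive = "$env:SystemDrive\Users\Default\NTUSER.DAT")
    $mount = 'HKU\IEHardenProbe'
    & reg.exe load $mount $Hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $Hive (run elevated; the hive must not be in use)" }
    try {
        & reg.exe query "$mount\Software\$ZoneMapSuffix" /v IEHarden 2>$null | Out-Null
        return ($LASTEXITCODE -eq 0)      # $true when IEHarden is baked into the default profile
    } finally {
        & reg.exe unload $mount | Out-Null
    }
}

function Remove-ShadowIEHarden {
    # Deletes only the IEHarden value in the shadow region(s); supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($label in ($IEHardenLocations.Keys | Where-Object { $_ -like 'TS shadow*' })) {
        $path = $IEHardenLocations[$label]
        if ($null -ne (Get-RegistryValueOrNull $path 'IEHarden') -and $PSCmdlet.ShouldProcess($path, 'Remove IEHarden value')) {
            Remove-ItemProperty -LiteralPath $path -Name IEHarden
        }
    }
}

Get-IEHardenSource | Format-Table Location, KeyExists, Value -AutoSize
# Remove-ShadowIEHarden -WhatIf     # preview; drop -WhatIf to clear the shadow-region copy
```

Run it elevated on each session host and compare the two consultant-built servers with the other six: the thread's finding is that only the shadow-region row differs. Clearing that value stops new profiles inheriting it, which is what Eds did; profiles that already carry IEHarden=1 under HKCU are not touched by this script and still need the value removed, for example with the Group Policy Preferences registry item Martin suggested. Test-DefaultProfileIEHarden is the read-only probe for Mark's default-profile theory and should report $false on hosts that build profiles correctly.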
  • Hi Eds,
    I am so glad that we have found the key, it is a great step on this issue and thank you for your cooperation with us during this period of time.
    If any replies as above are helpful to you, please help to mark them as answer which will offer some help to others with the same issue.
    Regards,
    Wendy

    Monday, August 08, 2016 1:21 AM
    Moderator