none
Batch files no longer will run directly from IE from internal 'local intranet' site after upgrade to Windows 10 Creator Update RRS feed

  • Question

  • (This was originally posted in the Windows 10 General forum and suggested by post here)

    In our organization, we host a self serve printer driver installation, though an internal site. There are printer installation maps with  hyperlinks on a map of that particular office. It is done this way due to the large number of employees who travel in between offices in that we don't want to deploy printers through GPOs.

    This hyperlink consists of a simple .cmd file that initiates a connection to the UNC path of the server hosting that particular printer, there's around 75 print servers al in all.  When the end user would click on the printer hyperlink, they'd be prompted to execute the .cmd file and it would initiate a printer connection and drivers would be installed.

    There's a few of us on Windows 10 v1703 who are testing and we've run into an issue with executing the .cmd directly from our internal website with IE (we're not using Edge and all internal sites redirect to IE if opened in Edge).  The .cmd file looks like it runs, but just does nothing and this has been re-confirmed working on v1607 and earlier versions of Windows.

    Clients on v1703 now need to save out the .cmd file before executing, while this may not seem like a big deal, our user base is used to how printers are installed and have been done this way for many years.

    I've tried changing the IE security settings for the 'local intranet' zone to it's lowest settings and enabled / disabled each setting individually just to see if there was particular setting that would change this behavior for us.

    I found a similar complaint, though not the same exact use case, but confirms my suspicion that something has changed with this version of IE in it's security model.

    https://community.spiceworks.com/topic/1996523-creators-update-1703-ie11-cannot-run-a-batch-file-from-internal-sharepoint

    I've found that if I recompile the .cmd files into an .exe using a 3rd party utility, it looks like I can run it directly from the hyperlink, but if it remains a .cmd file clients on v1703 need to save it out first.  I'd like to offer this as an absolute last resort, as this would require compiling hundreds of .cmd files and modifying dozens of printer maps with updated hyperlinks.

    I only could fine marketing types of announcements regarding what's new in the Creators Update (v1703), but nothing that went into the lower levels of the changes to security.

    I was wondering if anyone else has run into this and if they've found a workaround, I'm hoping this is something that can be changed using GPOs.

    Thanks in advance.

    Tuesday, June 27, 2017 12:12 PM

All replies

  • Hi, 

    Please first add the internal site in trusted site and try to run this site in compatibility mode to check the results. 

    If the issue still persists in IE 11, please use Process monitor to capture the events during reproduce this issue and upload the saved pml file onto OneDrive and share the link here for our research. 

    Process Monitor v3.05

    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

    Using Process Monitor to capture system events

    http://www.sophos.com/en-us/support/knowledgebase/119038.aspx


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 29, 2017 10:38 AM
    Moderator
  • Thank you for the response.

    Adding the site to the 'trusted site list' made no difference, same thing with adding the domain to the compatibility view.  I'm presented with the chance to Run, Save, etc for the .cmd file, selecting Run does nothing.  The only way I can get this to run is to select the Save option, then Open Folder, then I can run it. Our end users are very much used to just selecting Run, which is nothing more than a single line .cmd file that is 'start \\printserver\printer'

    Here's a procmon capture.

    https://1drv.ms/u/s!Aroejk5Xae40fpmilMJxX9tjIys

    Thanks.

    Thursday, June 29, 2017 12:54 PM
  • Hi Christopher,

    can you post your web page markup and scripts please for the links/buttons that launch the .cmd/.bat files.

    see https://stackoverflow.com/questions/18980957/is-it-possible-to-run-an-exe-or-bat-file-on-onclick-in-html

    also confirm that indeed the domain is mapped to the Intranet Zone (File>Properties menu)

    also Internet Options>Security zone, click "Reset all zones to default"


    Rob^_^

    Friday, June 30, 2017 9:48 PM
  • Hi, 

    The could be related to the known issue about print in IE11 after install KB4022725. 

    Please make sure to install recent updates KB4022716 which Addressed an issue introduced by KB4022725 where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.

    https://support.microsoft.com/en-za/help/4022716

    After this update, check the results. 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 3, 2017 10:11 AM
    Moderator
  • KB4022716 was applied and made no difference in the running of the .cmd file, within the hyperlink.  

    I'm still presented with the file in the hyperlink, I have the option to Run, Save, or Cancel.  The only options that work are to Save or Save as and run independently.  The Save and Run option within IE will not work either.

    Wednesday, July 5, 2017 4:01 PM
  • The intranet zone has been confirmed.

    I've reset the zone security to their defaults, additionally, I've gone into the Intranet Zone and reduced each of the individual settings to their least restrictive setting and that sill didn't work.

    This is a convenience page for users to perform self service printer installs.  Since a large percentage of our user base is not based out of a single office, we provide this method of installing printers. Users go to our intranet page, where they're presented with state list, they pick the state, they see the list of locations within that state, they click the office and are presented with a map of that location (single page .mht page) that has a picture of a printer where's located in the building. They click on the picture of the printer and that's the hyperlink for the .cmd file.

    Here's an example of the hyperlink used to serve the .cmd file for the printer install.

      href="http://servername.fqdn/cbsprinting/birm/cmd/birm-sa-ir5035-a.cmd"

    Here's an example of the single line .cmd file use to install the printer.

    "start \\printserver\printername"

    After clicking the hyperlink, regardless of OS version, we've always been presented with a dialog to Run, Save, or Cancel. Prior to 1703, users have been able to select the Run option and it would initiate the connection to the print server.  Now selecting Run does nothing, it just dies.  Same with the Save and Run option.

    This method has worked on Window XP, Windows 7, and Windows 10 (1507, 1607).  In piloting the upgrades to 1703, we've since found that it will not work on 1703.  The only thing that works is to Save the file then run independently.

    Wednesday, July 5, 2017 4:22 PM
  • Any update on this? We're experiencing the same issue. It was working on older versions of IE but it seems an update broke it.
    Friday, February 16, 2018 10:49 PM
  • I think this is the way it will remain with the improved security model in IE, as the author of the original thread, I couldn't find any documentation stating that this was an intentional change on Microsoft's part.

    Our issue was that we had hosted self serve printers on our intranet using this method, it was quick and simple and our IE security was set to reflect that it was an intranet site, so the risk was low.

    Since then we've had to convert all of the printer installation .cmd files into .html files and the installation routine is now using javascript, which only works on Intranet sites. 

    Tuesday, February 20, 2018 2:03 PM