Locking down IE proxy settings under PC Settings\Network\Proxy on Windows 8.1

  • Question

  • Our current Windows 8/IE10 tablets apply a group policy which sets up the IE proxy configuration and prevents users from changing that configuration.

    This is done using the settings "Prevent changing proxy settings" and "Disable changing automatic configuration settings" (located at computer configuration\administrative templates\windows components\internet explorer).

    With Windows 8.1/IE11, the proxy server settings are still greyed out in the LAN settings dialog box under Internet Options\Connections in the desktop IE environment.

    However in 8.1 the proxy settings can also be accessed from the Settings charm: Settings - Change PC Settings - Network - Proxy.  From this location, ordinary users can modify and save changes to the proxy configuration.

    Is there any way to lock this down?

    Monday, January 13, 2014 3:05 PM

Answers

  • Update on this - a very helpful Microsoft engineer came back with a workaround which, while not ideal, is a lot better than letting users change their proxy settings.

    When I said I was going to post it here, the engineer said to make sure I started with the statement that Binary registry keys as used in this solution shouldn't generally be messed about with, and that editing the registry without first backing it up may also lead to plagues of locusts, etc.  All the usual disclaimers, so use this at your own risk.

    His solution, which we've tested, involves switching from per-user proxy settings to per-machine proxy settings. 

    The Microsoft workaround word for word is:

    The first thing we need to do is to export the following registry key from a machine that has the correct proxy settings set.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

    This contains the following 2 binary registry keys which have the connections settings: “DefaultConnectionSettings” and “SavedLegacySettings”

    The next step is to open the newly exported .reg file and to change the path:

    From: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

    To: HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

    For a test on a single machine you can manually change this, from elevated cmd: regedit <file>.reg

    For a bigger scale you can create a script to deploy the file containing the binary registry keys from the .reg file we exported with the path HKLM.

    The final steps as discussed we need the following policy applied:

    http://gpsearch.azurewebsites.net/#683

    If the policy is not being applied correctly then deploy the Registry Item directly:

    HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

    ProxySettingsPerUser

    Dword

    Value=0

    We have the following values:

    0 -> policy set at machine level.

    1 -> policy set at user level.

    Friday, January 24, 2014 3:28 PM
  • Just a quick update on this - the workaround supplied by MS needs another workaround on top to make sure the settings stick:

    Based on the MS solution, we created a startup script which writes the registry keys “HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings” and “HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings”.

    There is some logic in the script so that once the keys are written once, the script does not attempt to write them again.

    This works correctly and the settings will hold, sometimes for several days.

    However every so often something happens which causes the contents of these keys to be overwritten.

    We have proved that the two binary keys are being overwritten by the registry settings which are held within the HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings area – the AutoconfigURL, ProxyServer and ProxyEnable values.  (This was proved by putting obviously nonsense settings in this area. When the problem next occurred, the values visible in the user interface, which had been correct, now showed these nonsense settings).

    We have worked around this by setting autoconfigURL, proxyserver and proxyenable values under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings to be the correct values so when it does overwrite it just rewrites what was there already.

    (We still haven’t worked out exactly what triggers this overwrite, and we can’t reproduce it – we have tried the following steps:

    1. reboot

    2. gpupdate

    3. gpupdate /force

    4. change to group policy followed by a gpupdate

    5. Log on as admin….

    … none of these seem to directly trigger the problem, so really not sure what’s going on!) 

    • Marked as answer by NickyMayB Thursday, February 27, 2014 1:44 PM
    Thursday, February 27, 2014 1:38 PM
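
The two answers above, combined into one script as an added example (not code from the thread or from Microsoft). It assumes it is run elevated from an account whose own HKCU proxy settings are the known-good reference, and unlike the write-once startup script described above it compares before writing, so it can be re-run to put drifted values back. `Copy-RegValue` is a hypothetical helper name.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: the elevated account's HKCU hive holds the
# correct proxy configuration and serves as the reference.
$is  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Copy-RegValue {
    param($From, $To, $Name, $Type)
    $item = Get-ItemProperty -Path $From -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "skipped   $Name (absent in reference hive)" }
    $want = $item.$Name
    $have = (Get-ItemProperty -Path $To -Name $Name -ErrorAction SilentlyContinue).$Name
    # Join to strings so byte arrays and scalar values compare the same way.
    if ($null -ne $have -and (($have -join ',') -eq ($want -join ','))) {
        return "unchanged $Name"
    }
    # Create the key only if missing, so existing values in it are kept.
    if (-not (Test-Path $To)) { New-Item -Path $To -Force | Out-Null }
    New-ItemProperty -Path $To -Name $Name -Value $want -PropertyType $Type -Force |
        Out-Null
    "written   $Name"
}

# 1. Binary connection blobs: HKCU\...\Connections -> HKLM\...\Connections
foreach ($n in 'DefaultConnectionSettings', 'SavedLegacySettings') {
    Copy-RegValue "HKCU:\$is\Connections" "HKLM:\$is\Connections" $n Binary
}

# 2. Plain values the second answer found the blobs are overwritten from
Copy-RegValue "HKCU:\$is" "HKLM:\$is" ProxyEnable   DWord
Copy-RegValue "HKCU:\$is" "HKLM:\$is" ProxyServer   String
Copy-RegValue "HKCU:\$is" "HKLM:\$is" AutoConfigURL String

# 3. Per-machine policy: ProxySettingsPerUser = 0
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
New-ItemProperty -Path $pol -Name ProxySettingsPerUser -Value 0 `
    -PropertyType DWord -Force | Out-Null

# 4. Read the policy back and report the state that is now in effect
$v = (Get-ItemProperty -Path $pol -Name ProxySettingsPerUser).ProxySettingsPerUser
if ($v -eq 0) { 'OK: proxy settings are per machine' }
else          { Write-Warning "ProxySettingsPerUser is $v, expected 0" }
```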

All replies

  • Change PC Settings - Network - Proxy is applied to user based apps.. So there should be a group policy somewhat similar to this... 

    This is local group policy in 8.1

    In latest server this group policy should be there... 

    Computer Configuration---->Administrative Templates----> Network---->Network Isolation

    To configure this policy in server 2012

    http://technet.microsoft.com/en-us/library/hh831418.aspx


    PS

    It seems these gpsettings are available in server 2012 onwards.. 

    So if you don't have 2012 you have to do this through local group policy...


    • Proposed as answer by Aravindaiud Wednesday, January 15, 2014 3:46 AM
    • Edited by Aravindaiud Wednesday, January 15, 2014 4:03 AM
    • Unproposed as answer by NickyMayB Wednesday, January 15, 2014 10:09 AM
    Wednesday, January 15, 2014 3:41 AM
  • Hi Hetti,

    Thanks for your answer but I already have "proxy definitions are authoritative" and "Internet proxy server for apps" defined in the group policy applying to my Windows 8.1 machines.

    The problem is that using the PC settings\Network\proxy interface, an ordinary user can switch off the proxy server and connect their corporate tablet directly to the internet, thus bypassing all proxy security settings.  Switching off the proxy via this interface allows direct internet connection from both the Desktop and the "metro" versions of IE11.

    Does anyone know of any means to prevent users from changing these settings?

    Wednesday, January 15, 2014 10:09 AM
  • Hi,

    Based on my research, I cannot find the related policy to prevent user from using the PC settings\Network\proxy interface.

    But I suggest we can prevent user from modifying the proxy configuration by registry.

    Please modify the following key value to 0 :

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

    DWORD: 0 (0)

    Then, set the Edit permission of Internet Settings.

    Regards,


    Kelvin hsu
    TechNet Community Support




    • Edited by kelvin_hsu Thursday, January 16, 2014 12:07 AM
    Wednesday, January 15, 2014 4:48 PM
  • Kelvin,

    Modifying the ProxyEnable key as you suggest just disables the proxy server altogether.

    We have found that editing the permissions of the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings key by removing the "Delete" and "Create Subkey" permissions for the user seems to prevent users from changing settings without obviously breaking anything else but we're not happy with this as a solution so have raised a call with Microsoft to try to find a better way to resolve this.

    Will post back when/if they come up with anything.

    Thursday, January 16, 2014 10:00 AM
  • We are having very similar difficulties locking down Windows 8.1 from users wishing to change the proxy settings via the charms. We want to deny them access to either turning off the proxy or changing it.

    I have tried the solutions within this thread with limited success. I can get the proxy settings locked down for a specific user using the registry key permissions, but not for all users who use the machine. Has anyone got a definitive set of instructions on how to lock down the charms proxy settings for the entire machine and any user who uses it?

    I find it hard to comprehend that MS didn't include locking this down within Group Policy. Seems strange as this is such an important setting to have control over for businesses wishing to lock down their settings. Am I missing an ADM template or something for Windows 8.1 which includes it?

    Thanks

     
    Wednesday, August 13, 2014 1:53 PM
  • The settings outlined here do work for us for all users.

    I see the link above http://gpsearch.azurewebsites.net/#683 doesn't seem to work any more though so you might have missed the fact that you have to set the policy:

    computer configuration - administrative templates - windows components - internet explorer - make proxy settings per machine (rather than per user) to ENABLED.

    That forces all users on the machine to look at the machine registry for the proxy settings.

    I agree that it's a pretty major thing to have missed out - when I raised the premier call about it the engineer said he would escalate it but I haven't seen a proper solution yet. 

    If anyone knows different that'd be great because this method is a pain to maintain - every time you want to change the proxy settings you have to recreate the binary registry keys and redeploy.

    Wednesday, August 13, 2014 2:18 PM
  • Thanks, that appears to be the missing piece I was looking for. Got it working locally, will now try and get it going via Active Directory. Appreciate the quick reply, had been stuck on this for a while
    • Proposed as answer by Isaac Breuer Monday, October 19, 2015 11:44 PM
    • Unproposed as answer by Isaac Breuer Monday, October 19, 2015 11:46 PM
    Wednesday, August 13, 2014 3:02 PM
  • Not the most elegant solution, but this is what I did.

    I added the following lines to my login script that set read only permission for the user, so we accomplish 2 things,

    1. if the user turns off proxy from settings (in windows8 or windows10) it has no effect, since it doesn't change the proxyenabled registry to 0.

    2. Even if the user navigates to the registry he is denied changing it, something that was an issue for me in older versions of Windows as well.

    rem Set permissions for proxy registry key
    rem Look up the SID of the logged-on user; the first non-header line wins
    for /f "delims= " %%a in ('"wmic path win32_useraccount where name='%UserName%' get sid"') do (
        if not "%%a"=="SID" (
            set myvar=%%a
            goto :loop_end
        )
    )
    :loop_end
    rem regini ACL codes: 1 = Administrators full, 8 = World read, 17 = System full
    echo \registry\user\%myvar%\Software\Microsoft\Windows\CurrentVersion\Internet Settings [1 8 17] > "%TEMP%\regini.txt"
    Regini "%TEMP%\regini.txt"
    rem end registry permission

    Monday, October 19, 2015 11:48 PM
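
A check for the permission-based approaches in this thread (the regini script above and the earlier reply that removed "Delete" and "Create Subkey"), as an added example that is not from any poster. It lists every allow entry on the per-user Internet Settings key that still gives an identity other than Administrators or SYSTEM a way to change the values; `Get-ProxyKeyWriters` is a hypothetical name.

```powershell
# Added example: run as the logged-on user after the login script has applied.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$R   = [System.Security.AccessControl.RegistryRights]

# Specific rights that allow changing or replacing the proxy values
$writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)
# Raw GENERIC_WRITE / GENERIC_ALL bits, as they appear on inherit-only entries
$generic   = 0x40000000 -bor 0x10000000

# Well-known SIDs, so the check does not depend on localised group names
$trusted = 'S-1-5-32-544', 'S-1-5-18'   # Administrators, SYSTEM

function Get-ProxyKeyWriters {
    param([string]$Path = $key)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $acl     = Get-Acl -Path $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.RegistryRights -band ($writeMask -bor $generic)
        if ($bits -ne 0) {
            [pscustomobject]@{
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$writers = @(Get-ProxyKeyWriters)
if ($writers.Count -eq 0) {
    'OK: only Administrators and SYSTEM can modify the key'
} else {
    Write-Warning 'These identities can still change the proxy settings:'
    $writers | Format-Table -AutoSize
}
```
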
  • An update on this - there is now a hotfix for Windows 8.1 that provides a much easier fix to this problem, and prevents having to do all the shenanigans I detailed in the other answers.

    The hotfix solves the core issue and makes the group policy settings work in the Settings interface so that users cannot change their proxy settings even if those settings are configured per user rather than per machine:

    https://support.microsoft.com/en-us/kb/2990969

    For Windows 10, the issue is fixed in build 10586 (Threshold 2) as long as you set the policy under user configuration\administrative templates\windows components\internet explorer\Prevent changing proxy settings.  If you have the settings configured under computer, as we did, the users are still able to change the proxy.

    • Edited by NickyMayB Wednesday, April 13, 2016 4:04 PM
    • Proposed as answer by John Taurins Wednesday, September 7, 2016 1:25 PM
    Wednesday, April 13, 2016 3:14 PM
  • I know this is an old thread but I wanted to update it as this issue still exists on Server 2016. We had a requirement to set the proxy configuration for all servers to provide internet access on them (internet access is blocked without proxy by a lot of other config). I tried the information in the article below but it obviously didn't work.

    http://searchenterprisedesktop.techtarget.com/answer/Group-Policy-settings-replace-manual-proxy-settings

    I then found this blog and made some headway but getting these registry settings to apply consistently and then stick was a bit of a challenge. I found another way of applying them consistently that's mentioned in the article below.

    http://thesolving.com/server-room/how-to-deploy-a-registry-key-via-group-policy/

    Just to be clear, I applied all the registry settings that are mentioned by NickyMayB. It was fairly simple from there on to apply these settings on all the required machines.

    Hope this helps someone else as well.

    Tuesday, January 30, 2018 5:25 PM