Group Policy Preference not working for IE7: check for revocation

    Question

  • As we experienced a lot of "issues" with opening management consoles in our current project, we decided to create a group policy for our administrative accounts which are used when accessing servers. Our servers do not have direct access to the internet which causes the SQL management studio or Exchange 2007 management console to start awfully slow. We are aware that this behaviour is normal. (Blog post of mine about this issue)

    The point is we are trying to set the following advanced options in IE7 to disabled:

    • Check for publisher's certificate revocation
    • Check for server certificate revocation

    Creating this gpo supposedly should set the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

    • default setting (both settings enabled): 0x00023c00 (166432)
    • after manually setting both disabled: 0x23e00 (146944)
    • after applying the GP preference settings: 0x002c9 (713)

    In the interface the checkboxes are both disabled, so far so good, but the revocation check actually does happen. The network monitor feature in sysinternals process monitor clearly shows this.

    We decided to use a registry preference policy which sets the value to 0x23e00 (146944). This does actually work, but I was wondering why the preference policy didn't work.

    Any thoughts?

    Sunday, January 25, 2009 7:59 PM

Answers

  • Hi,

    As KB926717 explains, "applications other than Internet Explorer use the settings"; these four settings are as follows:

        * Enable FTP folder view (outside of Internet Explorer)
        * Use passive FTP (for firewall and DSL modem compatibility)
        * Always use ClearType for HTML
        * Check for Publisher’s certificate revocation

    General auto-configuration/resetting will not change those settings. We have to manually configure them.

    Sorry for the inconvenience this has brought; I will forward your feedback to the product team.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, February 05, 2009 1:29 AM
    Moderator

All replies

  • Hi,

    if the client is not Vista or Windows Server 2008, you have to install the Group Policy Preference extension first.
    http://support.microsoft.com/kb/943729

    Also, have you checked the Registry settings after applying GPP settings?

    If you have installed the GPP extension, please try to reinstall the extension to make sure it’s not corrupt.

    Thanks


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, January 26, 2009 10:16 AM
    Moderator
  • The client is Windows 2008, but for Windows 2003 we do install the GP preference extension.

    Registry setting after applying: 0x002c9 (713)

    Kind regards

    Monday, January 26, 2009 1:10 PM
  • Hi,

    The Registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

    only affects the "Check for publisher's certificate revocation" setting.

    The following articles explain why some IE settings cannot change.

    http://support.microsoft.com/kb/926717

    If you would like to change "Check for Server certificate revocation", you can use the following policy:

    User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/advanced Page/Check for Server certificate revocation.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    Wednesday, January 28, 2009 4:00 AM
    Moderator
  • Hey,

    I do agree with the following:

    Mervyn Zhang said:

    The Registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

    only affects the "Check for publisher's certificate revocation" setting.


    Not with the other part:

    When I right-click the IE7 preference settings in the GPO editor, I have the option to display the settings as an XML file.
    This results in the following possibilities:

    GPO with checkbox checked:
    <reg id="PubCertRevocation" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" name="State" value="000000c9" />

    GPO with checkbox cleared:
    <reg id="PubCertRevocation" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" name="State" value="000002c9" />

    I really don't see why they simply can't use the value "0x23e00" as is set by a manual uncheck. I am aware that the workaround is easy, though I hate this kind of behaviour. If they provide the possibility for a certain feature it should work or they should warn.
    Tuesday, February 03, 2009 9:11 PM
  • Well thanks for the follow up.

    Kind regards,
    Thomas
    Friday, February 06, 2009 8:32 PM
  • Hi,

    We ran into this issue recently.
    Our IE Preference GPO did still set this wrong key.

    After we resaved the GPO however the GPO entry changed:

    <Reg id="State" type="REG_DWORD" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" name="State" defaultValue="00023C00" bitfield="1" aggregateValue="00000000" aggregateMask="00000200">
      <SubProp id="PubCertRevocation" value="00000000" mask="00000200" />
    </Reg>

    Now the policy setting doesn't work at all, but at least it doesn't set a wrong Regkey.
    Also, for some reason the policy was applied to the System User (HKCU\.Default) which is used by the SCCM Client.

    In our case .Net Framework Hotfixes failed with a "Generic Trust Failure (0x800B010B)" and other Setups using Certificates failed as well.

    kind regards,

    mike

    Thursday, March 08, 2012 11:53 AM
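Added example (not code from this thread, from Microsoft or from GPP): it decodes the three State values quoted in the question against the 0x200 mask from the resaved GPO XML above, to show how a masked bitfield update differs from the whole-value write the original preference item did. Two assumptions are labelled in the comments: that a bitfield entry rewrites only the bits under its mask (inferred from the value/mask attributes), and that a set 0x200 bit corresponds to the cleared publisher-revocation checkbox (inferred from the manual 0x23C00 to 0x23E00 change).

```python
# Values quoted in the thread for HKCU\Software\Microsoft\Windows\CurrentVersion\
# WinTrust\Trust Providers\Software Publishing, value "State" (REG_DWORD).
DEFAULT_STATE = 0x00023C00     # default, both revocation checks enabled
MANUAL_DISABLED = 0x00023E00   # after manually clearing both checkboxes
GPP_WRITTEN = 0x000002C9       # what the original IE7 preference item wrote
PUBCERT_MASK = 0x00000200      # mask of <SubProp id="PubCertRevocation" mask="00000200" />


def apply_bitfield(current: int, value: int, mask: int) -> int:
    """Bitfield-style update: only the bits under `mask` are replaced.
    ASSUMPTION: this is how a GPP entry with bitfield="1" is applied; inferred
    from the value/mask attributes in the resaved XML, not from documentation."""
    return (current & ~mask) | (value & mask)


def publisher_revocation_disabled(state: int) -> bool:
    """ASSUMPTION: a set 0x200 bit means the publisher-revocation checkbox is
    cleared; the manual change 0x23C00 -> 0x23E00 differs by exactly that bit."""
    return bool(state & PUBCERT_MASK)


def wiped_bits(before: int, after: int) -> int:
    """Bits set in `before` that a whole-value write of `after` cleared."""
    return before & ~after


def added_bits(before: int, after: int) -> int:
    """Bits present in `after` that were not set in `before`."""
    return after & ~before


def summarize() -> dict:
    """Compare the manual change, the masked update and the whole-value overwrite."""
    return {
        "manual_diff": DEFAULT_STATE ^ MANUAL_DISABLED,                        # 0x200
        "masked_disable": apply_bitfield(DEFAULT_STATE, 0x200, PUBCERT_MASK),  # == MANUAL_DISABLED
        "masked_resaved": apply_bitfield(DEFAULT_STATE, 0x0, PUBCERT_MASK),    # value 0: default kept
        # Relative to the intended manual result, the whole-value write of 0x2C9
        # kept the 0x200 bit but dropped every default bit and added a stray 0xC9,
        # the "wiping out the other default settings" the last reply describes.
        "gpp_wiped": wiped_bits(MANUAL_DISABLED, GPP_WRITTEN),                 # 0x23C00
        "gpp_added": added_bits(MANUAL_DISABLED, GPP_WRITTEN),                 # 0xC9
        "gpp_bit_set": publisher_revocation_disabled(GPP_WRITTEN),             # True
    }


if __name__ == "__main__":
    for name, val in summarize().items():
        print(f"{name:15} {val if isinstance(val, bool) else hex(val)}")
```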
  • Your issue is similar to this with the .NET update problems:  http://social.technet.microsoft.com/Forums/en-US/winserverwsus/thread/e29bab28-4b44-48eb-b56c-23a025499ec1

    I think this must be a bug in MS's application of IE group policies?  It's basically wiping out the other default settings and putting in some odd 0x000000C9 somewhere along the way. 

    Friday, May 11, 2012 5:08 PM