Group Policy for Proxy Settings is not applied on some machines

I have configured a GPO which is publishing the Proxy settings and the Exceptions through a PAC file.

I received many complaints that internet is not working on some machines. First thing i logged in to one of these machines which has a problem and checked the Registry:

Hkey_Current_User\Software\Microsoft\Windows\Current Version\Internet Settings

Check the following Values:

AutoConfigURL    you should see The URL of the PAC file for example: ( http://10.1.1.15/proxy.pac)

Proxy Enable  0   it should be 1

That’s mean that the proxy GPO is not applied on this machine, but if you see the correct values are there then the policy is applied and you have to go through different solution from what I’m writing here for Example try to Delete the Connections Folder under Internet Settings on registry, then open the Internet Explorer the folder should come again and this might solve the problem.

Anyway lets go back to our problem which is the policy is not received at all, so after check i found that its because of the version of the IE which is 11 , but IE Maintenance is deprecated for IE10 / 11 and the policies won’t apply for these versions.

 

More information you can find here:  http://technet.microsoft.com/en-us/library/jj890998.aspx

The following are best practices on how to set the Proxy Settings.

Case 1: Considering that we are using a Windows Server 2008R2 DC to which we installed IE10 or higher we will notice that IEM is not available in GPO.

Windows Server 2008R2 DC with IE9 or lower                                   Windows Server 2008R2 DC with IE10 and higher

clip_image002                                          clip_image004

Case 2: Considering that we are using a Windows Server 2008R2 DC to which we installed IE10 or higher and trying to use GPP User Interface but notice that you can see only to Internet Explorer 8 and IE10 is missing.

clip_image006

Goal: How to configure proxy settings for IE10 and higher.

We have 2 ways we can reach the desired outcome:

1. Using GPP User Interface

In order to reach what do we require we need one of the following machines added in the Domain:

· Windows Server 2012

· Windows Server 2012R2

· Windows 8.0 machine + RSAT Tools: http://www.microsoft.com/en-us/download/details.aspx?id=28972

· Windows 8.1 machine + RSAT Tools: http://www.microsoft.com/en-us/download/details.aspx?id=39296

Requirement to have installed on the machines before starting: http://support2.microsoft.com/kb/2928422/en-us

(Before starting we advise to have the latest updates on the machines.)

a. Considering you have chosen any of the above machines just open the Group Policy Management Console (required Administrator rights to edit policies)

clip_image007

b. Then you need to choose the group policy item in which you create settings and go to the following path:

[User Configuration] -> [Preferences] -> [Control Panel Settings] -> [Internet Settings] -> Right click and choose Internet Explorer 10.

clip_image008

Note: Although Internet Explorer 10  is displayed in the User Interface, it will apply also for higher versions like: IE11, IE12 (if it will be released), etc. up to IE99.

[Connections] -> [LAN Settings]

-> Screenshot to be replaced by the 1st appearance:

clip_image009

c. Reaching the LAN Settings, we notice that is similar to the Internet Control Panel.

We have the same options to create a proxy configuration

–  Automatically detect settings

–  Use automatic configuration script

–  Proxy Server

d. The first thing we notice is that we have red underline settings:

Settings which are underlined in red are not configured at the target machine, while settings underlined in green are configured at the target machine.

In order to change the underlining, use the following function keys:

F5 – Enable all settings on the current tab.

F6 – Enable the currently selected setting.

F7 – Disable the currently selected setting.

F8 – Disable all settings on the current tab.

 

Article reference: http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx

e. Configuring each setting in particular.

Its recommend to not keep activated (green underlined) a setting that you don’t need.

Automatically detect settings.

I checked the setting Automatically detect settings:

clip_image011

Use an automatic configuration script

I added the address to my proxy .pac file and pressed F6.

clip_image012

Proxy server

I checked the Proxy Server box and pressed F6 for each field completed.

clip_image014

2. The alternative way of configuring the Proxy Setting is deploying the registries keys directly.

Note: would address to be careful when choosing this path.

Key path / location for the registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

– Automatically detect settings

Registry key: “AutoDetect

Value Type: REG_DWORD

Value Data:

0 -> Disable

1 -> Enable

(Introduced in IE10 – This is a helper key, meaning that it applies for the first time and sets the value and gets deleted so you will have the option of a preference)

–  Use automatic configuration script

Registry Key: “AutoConfigURL

Value Type: REG_SZ

Value Data: “http://<servername|host>/my_proxy.pac

– Proxy Server

To configure this you may need up to 3 registry keys:

“ProxyEnable” -> checkbox for “Use a proxy server for your LAN (these settings will not apply to dial-up or VPN connection).”

Value Type: REG_DWORD

Value Data:

0 -> Disable

1 -> Enable

clip_image016

“ProxyServer

Value Type: REG_SZ

Value Data: “ProxyServerName:Port

clip_image018

ProxyOverride

Value Type: REG_SZ

Value Data: “list_of_exclusion

clip_image020

Value Data: “list_of_exclusion;<local>”

<local> value represents the check: “Bypass proxy server for local addresses”

The value is added automatically when enabling the check box in the GPP UI.

When deploying through the registry key is required.

clip_image022

You have different ways you can deploy the registry keys. The only important aspect is to deploy correctly the registry keys provided above.

But in this article I will present how it can be done via GPP Registry Item:

Location of the policy: [User Configuration] -> [Preferences] -> [Windows Settings] -> [Registry ]-> Right Click | New | Registry Item

clip_image023

Registry information Registry  Items Values
“Automatically detect settings”Action -> Replace

Hive ->  HKEY_CURRENT_USER

Key Path -> Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name -> “AutoDetect”

Value Type -> “REG_DWORD”

Value Data -> “0” or “1”

0 – Disable

1 – Enable

clip_image024 clip_image026
“Use automatic configuration script”Action -> Replace

Hive ->  HKEY_CURRENT_USER

Key Path -> Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name -> “AutoConfigURL”

Value Type -> “REG_SZ”

Value Data -> “http://<servername>/my_proxy.pac

clip_image027 clip_image029
“Use a proxy server for your LAN (These settings will not apply to dial-up for VPN connections)”Action -> Replace

Hive ->  HKEY_CURRENT_USER

Key Path -> Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name -> “ProxyEnable”

Value Type -> “REG_DWORD”

Value Data -> “0” or “1”

0 – Disable

1 – Enable

clip_image030 clip_image032
Proxy Server : “ ProxyServerName:Port”Action -> Replace

Hive ->  HKEY_CURRENT_USER

Key Path -> Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name -> “ProxyServer”

Value Type: REG_SZ

Value Data: “ProxyServerName:Port”

clip_image033 clip_image035
“ProxyOverride”Action -> Replace

Hive ->  HKEY_CURRENT_USER

Key Path -> Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value Name -> “ProxyOverride”

Value Type -> “REG_SZ”

Value Data -> “http://<servername|host>/my_proxy.pac

clip_image036 clip_image037
“Bypass proxy Server for local addresses”The option is represented by the entry “<local”> added in ProxyOverride setting value data. clip_image039 clip_image041

 

Resources:

http://technet.microsoft.com/en-us/library/jj890998.aspx

http://www.microsoft.com/en-us/download/details.aspx?id=28972

http://www.microsoft.com/en-us/download/details.aspx?id=39296

http://support2.microsoft.com/kb/2928422/en-us

http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: