Thanks to fellow Group Policy MVP Alan Burchill for warning about this–apparently if you install Internet Explorer 10 on your Windows 7 workstation, and you also happen to manage Group Policy from that machine, the IE 10 installation removes the option to edit IE Maintenance policy from that machine completely. I even confirmed that the MMC snap-in for managing IE Maintenance policy, called IEAKSIE.DLL, was indeed removed from my IE 10 enabled Windows 7 machine that I use for managing policy. If you remember, I blogged about how Microsoft removed IE Maintenance Policy from Server 2012 and Windows 8 when it shipped those OS versions. I thought this was a good thing at the time, but it did leave folks that had heavily deployed IE Maintenance policy in the lurch when they needed to edit those GPOs from a Windows 8 or Server 2012 machine. But this latest change is just downright stupid, as it forces IT administrators to either forgo IE 10 as an upgrade on their administrative workstations, or forgo being able to manage IE Maintenance policy going forward. And, if they warned us about it, they weren’t very vocal about it.
I guess I’ll be de-installing IE 10 tonight…
Such a poorly communicated and unfortunate move, if it proves to have no work-around other than removing IE 10, is just silly.
EDIT: It’s important to point out here, as I’m reminded by one of the comments below, that when you install IE 10, you are removing both the MMC snap-ins to edit IE Maintenance Policy from that machine, as well as the Client Side Extensions for processing IE Maintenance Policy. So any workstations that have IE 10 will neither be able to create/edit nor receive IE Maintenance settings. I wanted to clarify that.
Darren
I agree that it will catch many out. What about copying the last version of IEAKSIE.DLL back and registering it? I haven’t tried it myself. Maybe not supported, but that may be a workaround for those that get stuck.
Cheers,
Jeremy
Jeremy-
I actually tried that. Didn’t work. So then I fired up Dependency Walker and found a couple of other DLLs it was expecting. Copied those over too–still failed. Then I refreshed Depends and found yet more files, this time from the IE Program Files folder. Clearly the UI was inexorably intertwined to IE so they were probably forced to de-install it. Not a great solution however.
Darren
Darren,
Thank you for sharing this, and also Dependency Walker – a utility I know will come handy in the future.
Tarun
The IEM section was depreciated, and you should give up on it, as IE10 isn’t going anywhere, and later IE versions ALSO won’t use it. With an hour’s work I managed to duplicate all the work it did for us (trusted sites, home pages, etc.) via GPP, and now I can apply settings to all my IE7, 8, 9 and 10 machines without trouble.
Are there new options to populate cookie-settings (and exception lists for cookie-handling) with GPO/GPP?
It appears that the GPP area for this is still grayed out in Windows 8. A quick search of admin templates did not yield anything there.
Darren
Hi Fred, please can you tell me how you set the homepage as I can’t seem to get this working.
Cheers,
Dave
David-
Are you using GP Preferences Internet Settings to set the home page?
Darren
Darren,
I’m using group policy preferences to set the homepage, but it’s no longer applying on Internet Explorer 10 workstations. Any way to fix this? Thanks!
Kyle-
You might want to ask this question on the GPOGUY.Com GPTalk forum: http://gpoguy.com/group-policy-forums/forum/gptalk/
Darren
STOP THE POSTING!
They copied the Central Store from prod to the new domain and all is better with the lost settings.
I’d still like to know where to find the list of depricated settings, though.
Thanks,
Thomas-
GPMC settings reporting will still report on IE Maintenance settings that have been defined in a GPO. You just can’t see them from GP Editor. So you can figure out which settings you have in your IE Maintenance policy there and then duplicate them as much as possible in either Admin Templates or GP Preferences.
Darren
The issue we have from our standpoint is we have an enourmous Network with thousands of policies, and there are quite a few that utilize IE Maintenance settings. I totally understand the logic that Microsoft took when they decided to remove them. Don’t get me started on sticky settings and the issues involved with the old preferences but not informing us that IE 10 removes that feature is just sloppy. Unfortunately for us remediating the setttings with GPP isn’t an easy option due to the fact that 1. We have so many policies and 2. We have a small team that manages policies so resource contraints are our biggest hurdle. It would have been nice if MS could have provided a migration tool for large environments.
Vincent-
I agree. This was not handled smoothly all around–from both a communication and feature coverage perspective. We have our GP Automation Engine that can read/write both IE Maintenance and GPP Internet Settings policy, but frankly, it’s not yet supporting the newer versions of GPP Internet Settings, so it won’t help much at the moment. Microsoft should have provided some migration capabilities here.
Darren
I found out that not only the admin component (Snapin within GPEdit) is removed by IE 10 when installed on WIN 7, but also it will break processing of IE Maintenance settings. This is poorly or rather not documented at all (for WIN 8 yes, but not for WIN 7). Already received confirmation on this by Microsoft.
Patrick
That’s correct Patrick. Just as in Windows 8, both editing and processing of IE Maintenance policy is removed after the upgrade to IE 10.
Darren
Many thanks for this.. I had installed IE 10 on SBS 2011.. And after adding users and pc’s it set the Group Policy in the SBS Users, homepage url
(http://company) but with no way of removing or changing the policy??
Uninstall worked great though..
Hi, I am a student currently studying windows server and been using 2008 r2 and have been
trying to use GOP to change the proxy on my windows 7 test rig, no luck I can remove the connections tab but proxy stays the same
Has anybody ever used the GPP Internet Explorer Extension and tried to set only one single setting?
According to http://technet.microsoft.com/en-us/library/jj890998.aspx the “GPP Internet Explorer Extension” is the official replacement for at least a part of the IEM settings. Thus I would expect it to be an easy to use and accurate component. But it is definitely not…
Let’s say you want to configure only the Home Page URL and nothing else. Try it.
You will notice that by default many other settings are part of the GPP Item. OK, there are there green and red markers in GPP which control, if the setting will be applied or not. But hey, why are most settings “green” in the IE Extension? Why not “red” and if I want to use one, I would mark it “green”. That is how I would expect it to be at least.
However, if you work hard through all the various dialogs and manually mark it all “red” by using the “F8” key you should be able to limit the GPP item the “Home Page URL” only. Should you? Ok, you will see that the GPMC report looks more clean now, though still – after all the hard end error-prone work – undesired settings are shown in the report (e.g. “Open new tabs…”). Annoying… but even worse: under the hood a lot more settings will be applied. If you examine the corresponding XML file of the GPP Item you will see that there quite is noticeable amount of settings without the “disabled” flag set to “1” (which means it will be applied to the user’s registry). And if you monitor (e.g. with ProcessMon) what actually happens during the GPO refresh cycle, you will be surprised… even security zones settings are being applied though you did not intend to do so.
Conclusion:
it is not possible to set only one explicit setting with GPP IE Extension.
A bunch of uncontrolled and unwanted settings will always be added.
My advise is: if at all, use it very carefully.
If that is an issue to you, please let Microsoft know.
I did, but chances for fixes and changes increase the more customers complain.
Sincerely,
Patrick
Patrick-
A great observation and I confirmed this behavior myself. I will check with the “powers that be” to see what is missing here.
Darren
Patrick-
After I read your comment, and tried it, and then shared my findings with some fellow MVPs, they reminded me that red (F8) does not mean, “Do Nothing”. Red means disable settings. Here’s a test that worked for me. Open a new GPO on GPP Internet Settings. Go to the home page dialog and press F6 to turn it green (enabled). Set a home page. Do nothing else. Just hit ok to save the GPO. Now go and look at the XML. The only settings in there are the home page settings. So, it’s not as bad as I thought (or as you thought) unless I’m missing something in your scenario?
Darren
Darren – thanks for spending time on this and for your helpful hint. Yes, indeed, you are right. If you do it that disciplined, the result is quite acceptable. But try this one: Before changing the home page, simply click on one of the other tabs (e.g. “Security”). Just for a quick look, without touching anything. Then switch back to “General” tab and proceed as you suggested (enter home page, press F6). How does the XML now look like?
In my case it is filled with a bunch of unwanted settings. Just by viewing a different tab… this is a pitfall. And I do not see a way back once the settings are in there.
Regarding the meaning of the red markers: yes, it means disabled and disabled means it will not be applied: “A setting with a dashed red underline or red circle with a slash is disabled. The preference extension does not apply this setting’s value to the user or computer.
( excerpt from http://technet.microsoft.com/en-us/library/cc754299.aspx )
Patrick-
Yes, I confirmed this “quick look” behavior with other MVPs and the GP product team. It is definitely something to be wary of, to say the least.
As for disabled behavior, I agree that the help text is confusing at best, and wrong at worst 🙂
Darren
Guy just came across this thread when searching for the same issue. I am the IT Manager of a large school in australia and we migrated to office365.
With moving to o365 we had to quickly upgrade to ie10 as spell check is removed from office and replaced with the browser spell check instead, however this was only available in Ie10 so we were really stung twice by Microsoft
Hi.
Any one can explain how control IE 10 with Server 2012 GPO? or How to deploy Internet Explorer Administration Kit (IEAK) in active directory envirnmet through GPO. if any it should be centalised.
With IE10, you have the choice of either Administrative Templates and/or GP Preferences Internet Settings.
Darren
So after I removed IE 10, am I supposed to get the IE Maintenance policy back? or is there something I’m missing?
Joe-
Yes, it should re-appear as an option.
Darren
Hi,
I need to have Internet explorer 10 enabled in Group policy preferences in windows 2008 r2 machine. I have IE10 admx file and ie10 installed on windows server 2008 r2. is there any way to enable IE10 in GPP!!!
The way to get the IE 10 options in GP Preferences is to use a Windows 8 or Server 2012 machine to manage those settings.
Darren
You, have, got, to, be, kidding, me. What is the point off all this? I’ll stick with Chrome.
How can you keep separate settings for machines with IE9 configured with IEM and machines with IE 10. With the admx and adml files having the same names but different settings?
The only way to do this is for IE Maintenance is to use a WMI Filter, or put all the machines that have IE 9 installed in a security group and filter based on that. For the WMI Filter, you would essentially have to use a filter that queries for a particular file (or file version) that is unique to IE 9. Have a look at the CIM_DataFile class for this. It’s not going to be cheap though, as I would imagine it has to query the file instance of files on a system to find the one you’re after. The security group approach is probably simpler on the back-end but assumes you can find and maintain the list of IE 9-based machines reliably. Not easy.
Darren
The WMI Filter will prevent different users/computers from processing the group policy. But by replacing the inetres.admx in the central repository , are we then breaking all the IE8 installs? I am looking for verification that the admx file have no impact on the processing of the group policies, and they are there for managing/editing of the policies.
Why for Office or adobe do they release a new set of admx files with new names – but here they are making us replace the files.
The key to understanding the ADMX and it’s effect on existing policy, is to look inside the inetres.admx for IE and see if the registry key locations are specific to a given version of IE or not. A quick exploration of the version for IE 10 that I have on my machine seems to indicate that they are not version specific. That is, if you use an inetres.admx file for IE10 it will set non-version specific registry values for IE. Now it may be that some of those values are ignored by older browsers, but updating the ADMX files will not in and of themselves, changes the values written into the GPOs. They just change what you see in GP Editor.
Darren
Hi Darren,
Great name! 😉
So I’m in the same situation as MattK. We are using IE9 and have a GPO with IEM settings defined.
I wish to deploy IE10 for testig purposes. I created a custom install using the IEAK 10 but after deploying this to a machine which has the IE9 GPO applied to it all my security settings in IE10 are gone!
So now I’m looking to update the inetres.admx in our domain but I’m concerned it will wipe out the IEM and therefore we will lose all our security configuration for IE9.
Based on what you said however, while the IEM settings will no longer be visible in GP Editor, the IE 9 GPO will still contain the IEM settings I configured and therefore IE9 configuration will not be affected unless I begin modifying internet explorer settings to a GPO which is being applied to these IE9 machines?
Thanks!
Darren-
So, I’m a bit confused by your description. interes.admx is not necessarily related to IEM. IEM can manage some of the same settings that can be managed using Admin Templates (i.e. inetres.admx). That said, you are correct. The GPO containing IEM settings will simply be ignored by machines running IE10–either from an editing or a processing perspective.
Darren
Will changes made to IE10 machines with the new process affect IE9 machines?
If you are using GP Preferences Internet Settings, specifically for IE 10, then no, those settings won’t apply to IE9 machines.
Darren
Darren,
I’ve just read that you’re no fan of IEM which I completely understand… BUT there are 3 things that we push on our clients:
1. Autodetect proxy must be ON
2. Set the homepage to our intranet
3. Cookie privacy level must be set to ‘Normal’
4. We add a bunch of sites too trusted and internet zone.
Option 1 is not available in preferences (?!) and no policy can be found to force this to ‘ON’.
Option 2 seems possible in Preferences.. = OK
Option 3 is greyed out at preferences, no policy to be found! The internet seems full of questions about this one but no answers?
Option 4 is possible with the Zone assignment list but is impossible to manage since there is no alpha sort!
Would you have any advice on how to manage these settings by GPO without using IEM?
Tiele-
Yes, while IEM was buggy and difficult to use, it did fill some needs that Microsoft seems to have just ignored when they got rid of it. The sad reality of it is that in order to do all that you want above, you are stuck with using something like GP Preferences Registry extension to put the registry values underlying those settings on a system. I wish I had a better answer but that is the state of things around IE management today.
Darren
1. Autodetect proxy must be ON
Thru GPP:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
AutoDetect = 1 (to force enabling “Automatically detect settings)
(I have discovered this thru regmon and this could not be found in the internet =) )
2. Set the homepage to our intranet
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable changing home page settings
3. Cookie privacy level must be set to ‘Normal’
I think its available in Group policy not GPP
4. We add a bunch of sites too trusted and internet zone.
available in Group policy (Site to Zone Assignment) not GPP
What is really said is that to configure the well-known “Automatically detect settings” setting from a Windows 8 management-machine you have to do it throug GPP registry feature.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/5a8a47fd-ab72-488c-bfad-d8c10d18b6be/ie-lan-settings-automatically-detect-settings
The solution is not quite straigfh forward.
Than you for your post.