Select Page

There’s no doubt that Microsoft’s dropping support of IE Maintenance Policy for systems running IE 10 and above has been a blessing and a curse. As I’ve observed, the blog postings I’ve done on this site related to this issue continue to have the highest view counts. Clearly people were caught unawares as a result of this change and are scrambling to manage it. One of the challenges of course, for any decent-sized organization that had deployed a large number of IE Maintenance policies, is migrating these to something equivalent (where it exists) within either Administrative Templates or GP Preferences.

The first challenge is finding where all these settings exist. The second challenge is doing something about it! Fortunately, we (SDM Software) have been helping customers manage this problem, and I thought I would share some of the things we’re doing to help with this issue. As a starting point, I want to show how you can migrate a very commonly used setting within IE Maintenance policy–setting the user’s IE home page–to another policy area without much effort. The first challenge, of course, is discovering where all of these IE Maintenance settings exist. Fortunately, our GPO Exporter product was designed with this kind of discovery in mind.  Exporter has the ability to inventory settings across all the different policy areas, or you can export just settings from a particular area. In addition, the PowerShell cmdlet that comes with Exporter — Export-SDMGPSettings — let’s you take full advantage of the power of PowerShell. For our scenario, let’s say we want to discover where all the IE Maintenance Home Page settings exist across all GPOs in our domain. It’s as simple as doing the following in PowerShell:

[codebox lang=”ps”]
Export-SDMGPSettingsAllPolicyAreas “Internet Explorer Maintenance” | where {$_.SettingPath.Contains(“Home Page URL”)}

This one-liner uses the Exporter cmdlet to export settings only within IE Maintenance policy, from all GPOs in my domain. This is then piped to a where clause that looks for the word “Home Page URL” in the setting value. The result is the following list of GPOs containing IE Maintenance Home Page settings:

Exporting IE Maintenance Home Page Settings

Exporting IE Maintenance Home Page Settings

Now that we know where all the GPOs containing these settings reside, the next step is doing something about it. In the simplest case, we can migrate these to an Administrative Template setting. The setting at User Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Disable changing home page settings. If that setting is enabled, and a home page is configured, the user will have their home page set in IE and will not be able to change it. So, my strategy here, now that I have the IE Maintenance Home Page settings using GPO Exporter, is to use our Group Policy Automation Engine (GPAE) to automatically set this Administrative Template setting in each GPO that is now implementing IE Maintenance policy. I could also use GPAE to unset the IE Maintenance policy after setting the Admin Template one, but since the IE Maintenance policy will be ignored anyway on systems with IE 10 or greater installed, I’ll leave that exercise for another day. So, let’s see the what the total script looks like for doing all of this:

[codebox lang=”ps”]
#First, we store all the IE Maintenance settings in a variable, using the GPO Exporter cmdlet
$IEHomePageSettings = Export-SDMGPSettingsAllPolicyAreas “Internet Explorer Maintenance” | where {$_.SettingPath.Contains(“Home Page URL”)}

#Now, we iterate through those settings, and set the corresponding Admin Template setting in the same GPO, using GPAE
foreach ($item in $IEHomePageSettings)
$connectString = “gpo://”+$item.Domain + “//” + $item.GUID
$gpo = get-sdmgpobject -gpoName $connectString
$setting = $gpo.GetObject(“User Configuration/Administrative Templates/Windows Components/Internet Explorer/Disable changing home page settings”)
$setting.Put(“Home Page”,$item.SettingValue)
write-host “Saved new home page value to GPO “+ $item.GPOName

That’s all there is to it. We get a reference to the GPO, a reference to the setting in the GPO, set the “State” property of the setting to Enabled, then set the “Home Page” property to the same value as in IE Maintenance, save it to the GPO and then move on!

Of course, you can also set the home page for IE using GP Preferences, and GPAE can do that as well. I’ll leave that example for another time, but suffice it to say that with the combination of GPO Exporter and GPAE (and PowerShell, of course) no migration task is too big!