[animate animation=”fadeIn” delay=”0″ duration=”2s” iterations=”1″]Get The Most Complete Group Policy Change Auditing Solution![/animate]
With IE 11 now generally available for Windows 7 and newer versions, the obvious question is, how do I manage IE 11 configuration using Group Policy? Of course, now that IE Maintenance Policy has been deprecated, your choices for managing IE using GP include either the Admin Template settings (inetres.admx) that come with the version of IE you need to manage, or GP Preferences Internet Settings. Microsoft has been *pretty good* at adding support for new browser versions in GP Preferences as they rev Windows, well, until Windows 8.1, that is. In that version, we might have expected to see an update to GP Preferences, supporting IE 11. That however, was not the case, as shown here:
But, all is not lost. In previous versions of IE support in GP Preferences, Microsoft would add new browser support whenever there were substantial changes in configurable features and functionality within IE. For example, when they went from IE 5 and 6 support to IE 7, they added explicit support for IE 7. When IE 8 support was made available in GPP, a hotfix added support for IE 9, but didn’t really change any of the options available to configure in GPP. IE 8 and 9 became lumped together. Similarly, when Windows 8 shipped with IE 10, Microsoft added explicit support for IE 10 in GPP because of fairly significant option changes in IE 10. All along the way, if you looked under the covers at how Microsoft targeted IE GPP settings for each version of IE, it was rather clever.
Within the XML underlying the IE settings in the GPO, they leveraged Item-level targeting (ILT) to ensure the right settings made it to the right version of IE on the client. Specifically, they use a hidden File ILT to check for the version of IExplore.exe running on the client machine and the use that to determine which IE settings to deploy from the GPO. An example of this File filter for IE 8 and 9 settings is shown here:
<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="18.104.22.168" max="10.0.0.0" lte="0"/>
Note that the version number of the iexplore.exe file is greater than or equal to 8 and less than 10. This means that you can have IE settings for IE 5 &6, IE 7 and IE 8 & 9 in a single GPO, and using these filters, Microsoft ensures that the right settings go to the right version of IE. Now, when Microsoft shipped Windows 8 and IE 10, this filter condition changed to >=10.0.0.0 and <22.214.171.124! And when Windows 8.1 shipped, the same condition held true.
So, what can we assume from this? Well, first off, it means that setting IE 10 GP Preferences settings will indeed apply to IE 11 just fine. It also means that any versions beyond IE 11 will work as well, using IE 10 GPP settings. Of course, this starts to break down as features in subsequent versions of IE are changed or added, because unless Microsoft updates the UI for editing these newer IE features, they won’t be exposed in GP editor. But, for the time being, you’re covered on IE 11 with the current IE 10 support, at least for the stuff that is the same across both browser versions. Hopefully it doesn’t also mean that Microsoft has no plans to update GPP IE settings in the future, should browser settings change significantly.
Finally, I will add, with a plug to my buddy Jeremy Moskowitz, that his PolicyPak product, which extends GP to manage 3rd party application settings, also includes a “Pak” for IE, that has explicit support for all versions of IE up to 11. So check it out!