Wednesday, July 10, 2013

More IE 10 and Group Policy Preferences

As the title of this post suggests, I'm going to take another stroll down the IE 10 and Group Policy lane today.  After my last post, a friend and former co-worker of mine e-mailed me to thank me for the post, as it saved him some time researching to solve the same problem.  He also posed a question about how to handle managing settings since the Internet Explorer Maintenance item gets yanked out of the Group Policy Management Editor once IE 10 is installed, and any settings defined there don't apply to IE 10.  I had run into this, but hadn't needed to worry about it yet so wasn't sure of the answer.  I set to work on it and found a rather annoying answer to the problem.

In order to use Group Policy to control settings like the Home page (non-forcibly), Proxy settings, and the SSL/TLS options on the Advanced tab of the Internet Options control panel applet, you use our new friend, Group Policy Preferences (GPP).  However, Microsoft has decided to give us all a giant middle finger by making it impossible to edit GPP for IE 10 anywhere except Windows Server 2012 and Windows 8.  I don't understand how Microsoft can, in good conscience, do this to their customers--I know for sure that if I harmed my employer's customers intentionally like Microsoft is doing here, I would no longer be employed (and for good reason).

The specific problem for him is that he doesn't have Windows Server 2012 or Windows 8 in his environment.  In other words, it is impossible for him to create a GPO with GPP settings to manage IE 10 in his production environment.  Or is it?  Sometimes, you can give Microsoft the middle finger and work around their unwillingness to facilitate their customers' needs.

Note that Microsoft does not support any of what I'm about to tell you here.  Test it thoroughly before deploying it in a production environment.  Because this is an unsupported configuration, if/when it breaks, you get to keep all the pieces.  This is a hack, and it is theoretically possible that Microsoft could break it at any time with a future IE 10 patch, or even a future group policy client patch.

Fire up your Group Policy Management Console and create a new GPO in your domain.  Edit the GPO, then go to User Configuration > Preferences > Control Panel Settings > Internet Settings.  In the right pane, right-click in the white area, point to New, and select "Internet Explorer 8."  Configure as desired.  Note that even on a computer with IE 10 installed, you'll see the Internet Settings window as it appeared in IE 8, so if a setting from IE 8 no longer exists in IE 10, it will not apply to IE 10, even after finishing the hack.  After all, you can't change a setting that doesn't exist.  Note that the F5 through F8 keys will control the green and red underlines on the dialog.  Red means that setting won't apply, so make sure to edit the option and hit F6 afterward to enable it.

Now that you have your settings as you want them, close the Group Policy Management Editor.  Now go back to the Group Policy Management Console, find and select your GPO, and go to the Details tab.  Look for the "Unique ID" and copy it.  In my case, the GPO's Unique ID is {2EEFF6D1-9F81-4624-B227-103465CB4D41}.  Now that you have this copied, open Notepad as an administrator (right-click it in the Start menu, click "Run as Administrator").  Now go to File > Open, and go to \\domain\sysvol\domain.fqdn\Policies\Unique ID\User\Preferences\InternetSettings (domain is either the fully-qualified domain name of your domain or your domain's NetBIOS name, domain.fqdn is your domain's fully-qualified domain name, and Unique ID is the ID you copied from above--in my test case, this path ended up being \\testdomain\SYSVOL\testdomain.internal.rekkanoryo.net\Policies\{2EEFF6D1-9F81-4624-B227-103465CB4D41}\User\Preferences\InternetSettings).  There you'll find an XML file, InternetSettings.xml.  Select and open it.  Scroll to the right until you see min="8.0.0.0" max="9.0.0.0".  Change the 9.0.0.0 to 11.0.0.0, then save the file.  (Post-publishing note: If you're planning to use the Windows 8.1 Preview at some point, you can change this value to 12.0.0.0 and it will work; however, at that point it's easier to just use the RSAT on Windows 8.1 to edit the GPO the supported way.)
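The same edit can be scripted so that it is repeatable and leaves a backup. This is an added example, not part of the original post: the parameter names are assumptions, and it matches the version filter only by the min="8.0.0.0" max="9.0.0.0" attributes mentioned above rather than by element name. Run it from an elevated PowerShell session with write access to SYSVOL.

```powershell
# Added example: scripted form of the manual Notepad edit described above.
# Parameter names are assumptions; supply your own domain FQDN and the
# GPO's Unique ID (including the braces) as shown on the Details tab.
param(
    [Parameter(Mandatory = $true)][string]$DomainFqdn,
    [Parameter(Mandatory = $true)][string]$GpoId,
    [string]$NewMax = '11.0.0.0'
)

$path = "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\$GpoId\User\Preferences\InternetSettings\InternetSettings.xml"
if (-not (Test-Path -LiteralPath $path)) {
    throw "Not found: $path"
}

# Keep a timestamped copy outside SYSVOL so the original can be restored.
$backup = Join-Path $env:TEMP ("InternetSettings-{0:yyyyMMddHHmmss}.xml" -f (Get-Date))
Copy-Item -LiteralPath $path -Destination $backup

# Load as XML and preserve whitespace so nothing but the attribute changes.
$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true
$doc.LoadXml([System.IO.File]::ReadAllText($path))

# Select only elements carrying the exact IE 8-9 version range from the post.
$nodes = $doc.SelectNodes("//*[@min='8.0.0.0' and @max='9.0.0.0']")
if ($nodes.Count -eq 0) {
    throw "No element with min=8.0.0.0 max=9.0.0.0 found; file left unchanged."
}

foreach ($node in $nodes) {
    $node.SetAttribute('max', $NewMax)
}
$doc.Save($path)

"Updated {0} version filter(s) in {1}; backup saved to {2}" -f $nodes.Count, $path, $backup
```

If the script reports that no matching element was found, the file has already been edited or was not created from the "Internet Explorer 8" item, and nothing is written.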

Now go link this GPO somewhere and test it before you roll it out to production, and keep in mind that this is NOT supported!  The only Microsoft-sanctioned way to make these settings is to create/edit a GPO using a Windows Server 2012 server with the Group Policy Management tools installed or a Windows 8 Pro workstation with the Remote Server Administration Tools for Windows 8 installed.  That gives you a nice interface that looks nearly identical to the actual IE 10 settings interface and doesn't need any XML file hacking to force the application.

Now some of you may be inclined to point out the settings that are available in User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer, and you'd be correct that some management can be done from there.  Unfortunately, these settings, while plentiful, are woefully inadequate to replace all of the old Internet Explorer Maintenance functionality.  And yes, there's also the IE Administration Kit, but it doesn't have the periodic reapplication flexibility that Group Policy has, nor does it fit in with the ideal of doing as much as possible through Group Policy.  Although Group Policy is a behemoth, it is definitely an elegant solution if handled properly.

Post-publishing note: I forgot to mention at the original publication of this article that there is a homepage setting in the Administrative Templates for Internet Explorer and that setting applies to all IE versions from 5 to 11.  That setting, however, is forcible.  When using this policy setting, the user does not have the ability to change the homepage.  Granted, this is almost certainly what most administrators want, but I'm sure there are a few out there who would appreciate the equivalent of the Internet Explorer Maintenance behavior, which allowed the homepage to be set at policy application but gave the user the flexibility to change it.
