KnowledgeBase: Internet Explorer 10 security settings are silently applied to client computers when you use GPMC to view the Group Policy Preferences settings

Last week, Microsoft issued KnowledgeBase Article 2849027, discussing that Internet Explorer security-related preferences are silently applied to targeted computers, without any indication this is happening.

 

The situation

Internet Explorer 10 settings can be managed with Group Policy Preferences on Windows 8 (with the Remote Server Administration Tools installed) and Windows Server 2012.

Note:
You cannot currently manage them with Group Policy Preferences on previous versions of Windows, although Internet Explorer 10 is available as a download for Windows 7.

Although these settings work like a charm, some undesirable behavior has been identified.

The first thing you should know about Internet Explorer preferences is the way you set settings; The Internet Explorer preferences mimic the Internet Options screen and tabs. To set a setting, you press F5, F6, F7 or F8 to set them or not set them:

  • Pressing F5 enables all settings on the tab (underlines them with green)
  • Pressing F6 enables the currently selected setting (underlines with green)
  • Pressing F7 disables the currently selected setting (underlines with red)
  • Pressing F8 disables all settings on the tab (underlines with red)

When you view the settings on a tab you would press F8 to not include the settings for Internet Explorer in the preference.

However, on the Security tab, there are no green or red lines to indicate settings get applied:

The Security Tab of the Internet Explorer 10 Group Policy Preferences (click to open screenshot in new window)

Without viewing the possible settings on all the tabs (including the Security tab) of the preference you would have a Group Policy preference XML file of only a few lines. Each of these lines corresponds with a specific setting you’ve selected while creating the preference.

When you once viewed a tab, its settings get added to the XML file. This is by design, but the settings from the Security tab, get added to the XML file as enabled settings as you can see in the screenshot below: (left: not visited the Security tab. right: visited)

Difference between having visited the Security Tab of the Internet Explorer 10 Group Policy Preferences (click for larger screenshot)

There is no visual indication displayed to remind you that the related settings under the Security tab are applied to client computers after you click OK.

Note:
You don’t need to have changed any of the settings on the Security tab of the Internet Explorer 10 preferences for this behavior to occur.

In this scenario, the current default settings under the Security tab are silently written to the Internetsettings.xml file, and then the file is delivered to client computers. Therefore, unintended settings are applied to client computers.

 

The cause

This issue occurs because the green circle icon and red-dashed circle icon functionality is missing under the Security tab in Windows 8 and in Windows Server 2012. This issue occurs only when you try to create or edit an Internet Explorer 10 Group Policy Preferences setting in the Group Policy Management Console (gpmc.msc).

 

The resolution

A supported hotfix is available from Microsoft, as part of KnowledgeBase Article 2849027.

To apply this hotfix, you must be running Windows Server 2012, or Windows 8 that has the Remote Server Administration Tools for Windows 8 installed.

After you install the hotfix, the Security tab for Internet Explorer 10 Group Policy Preferences features the green lines, providing the missing indication:

The Security Tab of the Internet Explorer 10 Group Policy Preferences after applying KB2849027 (click to open screenshot in new window)

 

Related Microsoft KnowledgeBase articles

2849027 Internet Explorer 10 security settings are silently applied to client computers when you use GPMC to view the Group Policy Preferences settings
2530309 Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment
274846 How to set advanced settings in Internet Explorer by using Group Policy Objects

Further reading

Internet Explorer 10 administration – Part 1: Overview
Internet Explorer 10 administration – Part 2: Group Policy
Internet Explorer 10 administration – Part 3: Group Policy Preferences
Internet Explorer 10 administration – Part 4: IEAK 10
Internet Explorer 10 administration – Part 5: Unattended installation answer files
How to enable Group Policy Preferences support for IE9 on Windows 7
Using Group Policy Preferences
Managing Internet Explorer with Group Policy

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.