Missing: Group Policy > Internet Explorer Maintenance
On Server 2012 it appears that the "Internet Explorer Maintenance" container is now gone by default from GPO > User Configuration > Policies > Windows Settings.
Has this been hidden or deprecated deliberately, or is this problem just on my 2012 controller? Is there a way to bring it back if necessary?
Thanks!
June 28th, 2012 8:14am
Hi,
Windows Server 2012 RC with Internet Explorer 10 deprecates Internet Explorer Maintenance (IEM) in favor of a more robust tool called Group Policy Preferences. Administrators can
also use Internet Explorer Administration Kit (IEAK) to configure specific settings. The following Microsoft TechNet article shows the settings that are available in Internet Explorer Maintenance, along with how these settings can be managed in Group Policy
Preferences or IEAK.
Internet Explorer Maintenance Replacements
http://technet.microsoft.com/library/hh846772.aspx
Regards,
June 29th, 2012 10:13am
Hi,
I have an additional Question to this.
I just want to apply proxy setting to my users on my network, I do not want to use IEAK to do this, I do not need to customize IE in any other way.
Since I cannot use IEM to do this anymore and your 2012 group policy does not seem to have any proxy settings for IE, how does one actually apply these settings to all users on the network.
Why am I forced into using this IEAK package.
REALLY frustrating.
I await your reply.
Thanks
October 15th, 2012 6:47am
So with no Windows 7 support with IEAK 10 (Server 2012).....How would you add sites to Trusted Sites in the Internet Security Zone? I normally use Internet Explorer Maintenance and sites are grayed out in Group Policy Preference (Internet Settings).
Thanks
Mark
December 21st, 2012 7:42pm
Have you tried setting the group policies from a 2008 R2 DC or Windows 7 client instead of a Windows Server 2012 host? Or are you saying that IEM is greyed out in the older clients, too?
December 23rd, 2012 12:28am
Plans were to decommission all 2008 servers with 2012 upgrades. I basically need to be able to edit the Internet Security Zone's trusted sites on Windows 7 clients without having to manually run around to 50 machines and add these. I'm sure there
are some with hundreds that need to do the same. There has to be some GP solution, as this has to be a very common task for a Domain administrator.
December 24th, 2012 3:32pm
Understood. But it is common practice with Group Policies to edit/manage them from a machine that understands them. If the GPO is viewable/changeable on Windows 7, work with the GPO there.
December 24th, 2012 5:24pm
Sorry for my ignorance but I haven't managed Group Policies from a client....always from the Server OS. Are you referring to RSAT?...
Thanks
Mark
December 31st, 2012 4:08am
Sorry for my ignorance but I haven't managed Group Policies from a client....always from the Server OS. Are you referring to RSAT?...
Thanks
Mark
Yep, RSAT is what you need.
December 31st, 2012 4:16am
I would like to be able to use Windows 8 and Windows 2012 to administer existing Group Policies in our domain that are applied to 2000, 2003, 2008, 2012, XP, Vista, 7, and 8 operating systems.
When I attempt to edit a Group Policy, User > Policies > Windows Settings > Internet Explorer Maintenance is missing. How to I edit a Group Policy that uses Internet Explorer Maintenance via a Windows 8 or 2012 OS?
Installing Internet Explorer Maintenance Replacements (http://technet.microsoft.com/en-us/ie/bb219517.aspx) didn't restore my ability to manage IEM settings via GP.
January 3rd, 2013 8:30pm
I would like to be able to use Windows 8 and Windows 2012 to administer existing Group Policies in our domain that are applied to 2000, 2003, 2008, 2012, XP, Vista, 7, and 8 operating systems.
When I attempt to edit a Group Policy, User > Policies > Windows Settings > Internet Explorer Maintenance is missing.
How to I edit a Group Policy that uses Internet Explorer Maintenance via a Windows 8 or 2012 OS?
You cannot create nor modify an IEM GPO using Win8/WS2012 - you must use a down-version OS.
Installing Internet Explorer Maintenance Replacements (http://technet.microsoft.com/en-us/ie/bb219517.aspx) didn't restore my ability to manage IEM settings via GP.
No it doesn't provide that ability, it is intended that these "replacements" are a complete alternative to IEM.
January 3rd, 2013 10:56pm
I have just installed IE 10 on my Win 7 sp1 machine and I have lost IEM in group policy.
But when I go to a Win 7 SP1 machine with IE 8 installed its back in the same GPO.
If they are removing it can you please advise where I can set the proxy in GPO now.
Thanks Jo
March 7th, 2013 9:13am
I have just installed IE 10 on my Win 7 sp1 machine and I have lost IEM in group policy.
But when I go to a Win 7 SP1 machine with IE 8 installed its back in the same GPO.
If they are removing it can you please advise where I can set the proxy in GPO now.
You either need to rollback from IE10, or, administer IEM from your IE8 pc, or, adopt an alternative to IEM (such as GPP)
Even if you do administer from your IE8 pc, machines with IE10 will not respect the IEM settings. The IEM settings require the necessary IEAK/CSE DLL's, and they are not present on an IE10 machine.
The best advice I can give you, is adopt GPP until or unless MS come up with some other alternative.
More information here:
http://technet.microsoft.com/en-us/library/jj890998.aspx
March 7th, 2013 10:15am
@Arthur_Li
The problem with this approach is that the "robust" product group policy preferences doesn't force the settings to users or workstations. Meaning I can deploy a setting - but then the user isn't prohibited from changing it! That kind of defeats the purpose
don't you think? Kind of displays what I've suspected all along - that Microsoft continues to demonstrate a real lack of understanding as to how their customers employ their product in the real world. But maybe MS thinks its okay that users can reduce the
security settings of their browsers...
Also I find the hammer and sickle you have chosen as your avatar very interesting. Is Microsoft - an American company born in the cradle of capitalism and free enterprise - now openly advocating communism and the repression of religious, economic, and political
liberties? That's what your avatar represents... So I'm curious why it was chosen....
April 12th, 2013 11:29pm
This is really bad and frustrating !!! does Microsoft force us to use earlier OS just to create/edit Group Policy for IE settings. what the heck..
April 16th, 2013 6:13pm
The real frustrating part for us was finding which GPOs had IE Maintenance configured and which didn't. To make matters more difficult, the GP search feature (in RSAT for Windows 8) is broken right now. It won't show user
components!
I ended up having to an older version to track them down. Here is exactly how I did it:
http://deployhappiness.com/tracking-down-rouge-cses-ie-maintenance-addition/
And if you are wanting to search for specific settings with PowerShell,
here is a good how-to.
April 23rd, 2013 10:11pm
The fact that this is even necessary is disturbing. Group policies have been around since what - NT 4.0? Come on MS why are you screwing with a good thing...
April 23rd, 2013 11:45pm
So, the only way to remove or edit IEM settings would be to roll back IE? That sounds a little too ridiculous for me to immediately accept.
June 5th, 2013 8:03pm
Its the way it is man. Microsoft doesn't care to support previous iterations of their products. Upgrade to IE10 and do business the new way, or get stuck in time. Personally - I upgraded to Chrome instead.
June 5th, 2013 9:19pm
So, the only way to remove or edit IEM settings would be to roll back IE? That sounds a little too ridiculous for me to immediately accept.
No, that's not the only way.
If a machine (workstation or server) has IE10 installed on it, then IEM will never apply to it, and, GPMC for IEM cannot be used on that machine to manage GPOs which include IEM.
So, if you still need to use IEM for non-IE10 targets, do that from a non-IE10 machine (server or workstation).
June 6th, 2013 12:25am
Or, gasp, Microsoft could have just renamed the existing GPO section to "Maintenance Mode for Internet Explore 9 and earlier" and leave it in place and accessible.
And create a new GPO subsection named "Internet Explorer 10", with a pointer to the new management tools.
July 13th, 2013 9:00pm
ist a realy shame, that many of perfect, easy things are gone. many Point, arguments to use Microsoft products, are not avallable anymore. for example, the very easy to configure Proxy Settings for Internet Explorer.
Microsoft is dismounting himself!
(just for example, think about TMG..... grrrrrr)
July 16th, 2013 4:22am
Hi !!!
I have Win 2008 R2 as my DC with I.E 10 installed on it and now I'm unable to change my GPO settings because the Internet Explorer Maintenance is missing. All my users are using I.E 9, Just because the I.E 10 with Windows 7 does not work correctly with OWA
(Exchange 2010) . The drag and drop does not work. :/ (http://social.technet.microsoft.com/Forums/exchange/en-US/7b305d16-654a-470b-a89a-f0f9aedf409b/ie10-on-win7-and-owa-2010-cant-drag-and-drop)
How can I edit the proxy settings in Win2008 R2 with the I.E 10 installed? Must I rollback to I.E 9??
Consider using a Win7 machine (which has IE10 installed), add the RSAT to that machine, and administer your GPO from it. This is what we do.
August 1st, 2013 12:04am
An additional issue to this is that Microsoft is inconsistently implementing the IE security solution. I see a number of problems:
- Were is IE9 and IE10 on the preference mode? I have IE10 on an R2 domain controller and all we see in Group policy is 5, 6,7 and 8. The people maintaining group policy are not even able to keep up with the IE changes.
- When I make IE changes under preferences I end up getting hundreds of settings instead of the setting I want. I need a proxy exception list and nothing else. Instead I get what might be hundreds of settings.
- There are already hundreds of settings in group policy under the Administrative templates. Microsoft needs to make up its mind about how they want to manage IE. Through administrative templates or through the preference configuration.
Personally I like the Administrative templates method the best. It would be great if we could get a similar method for proxy exceptions that is similar to to the site to zone assignment list. Give me a domain name (and allow wild cards) and let me designate
a proxy for each entry.Take the limits out of the proxy exception list that the current method has (1024 characters I think). We can trust as many sites as we want, and we should be able to have as many exclusions as we want...
There really is no good method today for proxy exceptions and hopefully the great developer gods will hear our prayers and provide something more useful.
August 9th, 2013 11:41am
An additional issue to this is that Microsoft is inconsistently implementing the IE security solution. I see a number of problems:
- Were is IE9 and IE10 on the preference mode? I have IE10 on an R2 domain controller and all we see in Group policy is 5, 6,7 and 8. The people maintaining group policy are not even able to keep up with the IE changes.
- When I make IE changes under preferences I end up getting hundreds of settings instead of the setting I want. I need a proxy exception list and nothing else. Instead I get what might be hundreds of settings.
- There are already hundreds of settings in group policy under the Administrative templates. Microsoft needs to make up its mind about how they want to manage IE. Through administrative templates or through the preference configuration.
Personally I like the Administrative templates method the best. It would be great if we could get a similar method for proxy exceptions that is similar to to the site to zone assignment list. Give me a domain name (and allow wild cards) and let me designate
a proxy for each entry.Take the limits out of the proxy exception list that the current method has (1024 characters I think). We can trust as many sites as we want, and we should be able to have as many exclusions as we want...
There really is no good method today for proxy exceptions and hopefully the great developer gods will hear our prayers and provide something more useful.
if you have a long list of proxy exceptions, using proxy-auto-config (e.g. wpad.dat or proxy.pac) is much more likely to be better for you.
we've used proxy.pac for many years, it's simple, and very efficient.
August 9th, 2013 8:06pm
@ Joo Pedro
No, we don't use OWA, so I don't have this problem.
For the GP editing, do you have a Win7 machine with IE9, and you could install RSAT upon this machine?
This way, you can edit your IEM GP from that machine.
Or do I misunderstand your question?
August 9th, 2013 9:05pm