On Server 2012 it appears that the "Internet Explorer Maintenance" container is now gone by default from GPO > User Configuration > Policies > Windows Settings.

Has this been hidden or deprecated deliberately, or is this problem just on my 2012 controller?  Is there a way to bring it back if necessary?

Thanks!

Hi,

Windows Server 2012 RC with Internet Explorer 10 deprecates Internet Explorer Maintenance (IEM) in favor of a more robust tool called Group Policy Preferences. Administrators can also use Internet Explorer Administration Kit (IEAK) to configure specific settings. The following Microsoft TechNet article shows the settings that are available in Internet Explorer Maintenance, along with how these settings can be managed in Group Policy Preferences or IEAK.

Internet Explorer Maintenance Replacements

http://technet.microsoft.com/library/hh846772.aspx

Regards,

Hi,

I have an additional Question to this.

I just want to apply proxy setting to my users on my network, I do not want to use IEAK to do this, I do not need to customize IE in any other way. 

Since I cannot use IEM to do this anymore and your 2012 group policy does not seem to have any proxy settings for IE, how does one actually apply these settings to all users on the network.

Why am I forced into using this IEAK package.

REALLY frustrating.

I await your reply.

Thanks

So with no Windows 7 support with IEAK 10 (Server 2012).....How would you add sites to Trusted Sites in the Internet Security Zone? I normally use Internet Explorer Maintenance and sites are grayed out in Group Policy Preference (Internet Settings).

Thanks

Mark

Have you tried setting the group policies from a 2008 R2 DC or Windows 7 client instead of a Windows Server 2012 host?  Or are you saying that IEM is greyed out in the older clients, too?

Plans were to decommission all 2008 servers with 2012 upgrades. I basically need to be able to edit the Internet Security Zone's trusted sites on Windows 7 clients without having to manually run around to 50 machines and add these. I'm sure there are some with hundreds that need to do the same. There has to be some GP solution, as this has to be a very common task for a Domain administrator.

Understood.  But it is common practice with Group Policies to edit/manage them from a machine that understands them.  If the GPO is viewable/changeable on Windows 7, work with the GPO there.

Sorry for my ignorance but I haven't managed Group Policies from a client....always from the Server OS. Are you referring to RSAT?...

Thanks

Mark

Sorry for my ignorance but I haven't managed Group Policies from a client....always from the Server OS. Are you referring to RSAT?...

Thanks

Mark

Yep, RSAT is what you need.

I would like to be able to use Windows 8 and Windows 2012 to administer existing Group Policies in our domain that are applied to 2000, 2003, 2008, 2012, XP, Vista, 7, and 8 operating systems. 

When I attempt to edit a Group Policy, User > Policies > Windows Settings > Internet Explorer Maintenance is missing. How to I edit a Group Policy that uses Internet Explorer Maintenance via a Windows 8 or 2012 OS? 

Installing Internet Explorer Maintenance Replacements (http://technet.microsoft.com/en-us/ie/bb219517.aspx) didn't restore my ability to manage IEM settings via GP.

I would like to be able to use Windows 8 and Windows 2012 to administer existing Group Policies in our domain that are applied to 2000, 2003, 2008, 2012, XP, Vista, 7, and 8 operating systems.

When I attempt to edit a Group Policy, User > Policies > Windows Settings > Internet Explorer Maintenance is missing.
How to I edit a Group Policy that uses Internet Explorer Maintenance via a Windows 8 or 2012 OS?

You cannot create nor modify an IEM GPO using Win8/WS2012 - you must use a down-version OS.

Installing Internet Explorer Maintenance Replacements (http://technet.microsoft.com/en-us/ie/bb219517.aspx) didn't restore my ability to manage IEM settings via GP.

No it doesn't provide that ability, it is intended that these "replacements" are a complete alternative to IEM.

I have just installed IE 10 on my Win 7 sp1 machine and I have lost IEM in group policy.

But when I go to a Win 7 SP1 machine with IE 8 installed its back in the same GPO.

If they are removing it can you please advise where I can set the proxy in GPO now.

Thanks Jo

I have just installed IE 10 on my Win 7 sp1 machine and I have lost IEM in group policy.

But when I go to a Win 7 SP1 machine with IE 8 installed its back in the same GPO.

If they are removing it can you please advise where I can set the proxy in GPO now.

You either need to rollback from IE10, or, administer IEM from your IE8 pc, or, adopt an alternative to IEM (such as GPP)

Even if you do administer from your IE8 pc, machines with IE10 will not respect the IEM settings. The IEM settings require the necessary IEAK/CSE DLL's, and they are not present on an IE10 machine.

The best advice I can give you, is adopt GPP until or unless MS come up with some other alternative.

More information here: http://technet.microsoft.com/en-us/library/jj890998.aspx

@Arthur_Li

The problem with this approach is that the "robust" product group policy preferences doesn't force the settings to users or workstations. Meaning I can deploy a setting - but then the user isn't prohibited from changing it! That kind of defeats the purpose don't you think? Kind of displays what I've suspected all along - that Microsoft continues to demonstrate a real lack of understanding as to how their customers employ their product in the real world. But maybe MS thinks its okay that users can reduce the security settings of their browsers...

Also I find the hammer and sickle you have chosen as your avatar very interesting. Is Microsoft - an American company born in the cradle of capitalism and free enterprise - now openly advocating communism and the repression of religious, economic, and political liberties? That's what your avatar represents... So I'm curious why it was chosen.... 

This is really bad and frustrating !!! does Microsoft force us to use earlier OS just to create/edit Group Policy for IE settings. what the heck..

The real frustrating part for us was finding which GPOs had IE Maintenance configured and which didn't. To make matters more difficult, the GP search feature (in RSAT for Windows 8) is broken right now. It won't show user components!

I ended up having to an older version to track them down. Here is exactly how I did it: http://deployhappiness.com/tracking-down-rouge-cses-ie-maintenance-addition/

And if you are wanting to search for specific settings with PowerShell, here is a good how-to.

The fact that this is even necessary is disturbing. Group policies have been around since what - NT 4.0? Come on MS why are you screwing with a good thing... 

So, the only way to remove or edit IEM settings would be to roll back IE? That sounds a little too ridiculous for me to immediately accept.

Its the way it is man. Microsoft doesn't care to support previous iterations of their products. Upgrade to IE10 and do business the new way, or get stuck in time. Personally - I upgraded to Chrome instead. 

So, the only way to remove or edit IEM settings would be to roll back IE? That sounds a little too ridiculous for me to immediately accept.

No, that's not the only way.
If a machine (workstation or server) has IE10 installed on it, then IEM will never apply to it, and, GPMC for IEM cannot be used on that machine to manage GPOs which include IEM.

So, if you still need to use IEM for non-IE10 targets, do that from a non-IE10 machine (server or workstation).

Or, gasp, Microsoft could have just renamed the existing GPO section to "Maintenance Mode for Internet Explore 9 and earlier" and leave it in place and accessible.

And create a new GPO subsection named "Internet Explorer 10", with a pointer to the new management tools.

ist a realy shame, that many of perfect, easy things are gone. many Point, arguments to use Microsoft products, are not avallable anymore. for example, the very easy to configure Proxy Settings for Internet Explorer.

Microsoft is dismounting himself!

(just for example, think about TMG..... grrrrrr)

Hi !!!

I have Win 2008 R2 as my DC with I.E 10 installed on it and now I'm unable to change my GPO settings because the Internet Explorer Maintenance is missing. All my users are using I.E 9, Just because the I.E 10 with Windows 7 does not work correctly with OWA (Exchange 2010) . The drag and drop does not work. :/ (http://social.technet.microsoft.com/Forums/exchange/en-US/7b305d16-654a-470b-a89a-f0f9aedf409b/ie10-on-win7-and-owa-2010-cant-drag-and-drop)

How can I edit the proxy settings in Win2008 R2 with the I.E 10 installed? Must I rollback to I.E 9??

Hi !!!

I have Win 2008 R2 as my DC with I.E 10 installed on it and now I'm unable to change my GPO settings because the Internet Explorer Maintenance is missing. All my users are using I.E 9, Just because the I.E 10 with Windows 7 does not work correctly with OWA (Exchange 2010) . The drag and drop does not work. :/ (http://social.technet.microsoft.com/Forums/exchange/en-US/7b305d16-654a-470b-a89a-f0f9aedf409b/ie10-on-win7-and-owa-2010-cant-drag-and-drop)

How can I edit the proxy settings in Win2008 R2 with the I.E 10 installed? Must I rollback to I.E 9??

Consider using a Win7 machine (which has IE10 installed), add the RSAT to that machine, and administer your GPO from it. This is what we do.

Hi Don,

 

I cannot do it! Did  you see the post http://social.technet.microsoft.com/Forums/exchange/en-US/7b305d16-654a-470b-a89a-f0f9aedf409b/ie10-on-win7-and-owa-2010-cant-drag-and-drop ?

Did you tried to use the OWA with I.E 10 on Windows 7?

I don't have any e-mail client in my network and all my 400 users are using OWA. What should I do??? To install the Chrome to them? So they will be able to manage his e-mails easily.

Att

Joo Pedro.

An additional issue to this is that Microsoft is inconsistently implementing the IE security solution. I see a number of problems:

• Were is IE9 and IE10 on the preference mode? I have IE10 on an R2 domain controller and all we see in Group policy is 5, 6,7 and 8. The people maintaining group policy are not even able to keep up with the IE changes.
• When I make IE changes under preferences I end up getting hundreds of settings instead of the setting I want. I need a proxy exception list and nothing else. Instead I get what might be hundreds of settings.
• There are already hundreds of settings in group policy under the Administrative templates. Microsoft needs to make up its mind about how they want to manage IE. Through administrative templates or through the preference configuration.

Personally I like the Administrative templates method the best. It would be great if we could get a similar method for proxy exceptions that is similar to to the site to zone assignment list. Give me a domain name (and allow wild cards) and let me designate a proxy for each entry.Take the limits out of the proxy exception list that the current method has (1024 characters I think). We can trust as many sites as we want, and we should be able to have as many exclusions as we want...

There really is no good method today for proxy exceptions and hopefully the great developer gods will hear our prayers and provide something more useful.

An additional issue to this is that Microsoft is inconsistently implementing the IE security solution. I see a number of problems:

• Were is IE9 and IE10 on the preference mode? I have IE10 on an R2 domain controller and all we see in Group policy is 5, 6,7 and 8. The people maintaining group policy are not even able to keep up with the IE changes.
• When I make IE changes under preferences I end up getting hundreds of settings instead of the setting I want. I need a proxy exception list and nothing else. Instead I get what might be hundreds of settings.
• There are already hundreds of settings in group policy under the Administrative templates. Microsoft needs to make up its mind about how they want to manage IE. Through administrative templates or through the preference configuration.

Personally I like the Administrative templates method the best. It would be great if we could get a similar method for proxy exceptions that is similar to to the site to zone assignment list. Give me a domain name (and allow wild cards) and let me designate a proxy for each entry.Take the limits out of the proxy exception list that the current method has (1024 characters I think). We can trust as many sites as we want, and we should be able to have as many exclusions as we want...

There really is no good method today for proxy exceptions and hopefully the great developer gods will hear our prayers and provide something more useful.

if you have a long list of proxy exceptions, using proxy-auto-config (e.g. wpad.dat or proxy.pac) is much more likely to be better for you.
we've used proxy.pac for many years, it's simple, and very efficient.

@ Joo Pedro

No, we don't use OWA, so I don't have this problem.

For the GP editing, do you have a Win7 machine with IE9, and you could install RSAT upon this machine?
This way, you can edit your IEM GP from that machine.
Or do I misunderstand your question?