I worked at a client recently where the presence of a check in the "Automatically detect settings" box in the Connections | LAN Settings part of Internet Explorer Options appeared to cause no end of problems. Long delays loading websites and poor logon performance of published applications were the primary issues observed. There's probably some network-based reason behind this, but given that when the box was unchecked everything worked fine (because we'd deployed all the proxy server settings and the like through Environment Manager), the obvious answer seemed to find some way to uncheck the box for all users, and everything would be fine.
However, getting the check out of the darned box didn't seem to be as easy as we first anticipated.
The check box of evil |
Most of you are probably sitting there and thinking "easy, just use the Group Policy Internet Explorer Maintenance options". That's a good point - but deploying Internet Explorer settings through the mechanisms available in Group Policy soon becomes murky.
You've got three distinct sets of settings. Those in Internet Explorer Maintenance (which incidentally have been deprecated from Server 2012/IE 10 onwards anyway), those in Windows Components | Internet Explorer, and those in Preferences | Control Panel | Internet Settings. Unfortunately, all three of these have different sets of available options, and some of them interact differently - some overwrite, some merge, some do both. It soon becomes a nightmare to maintain, particularly if you've got multiple browser versions.
My normal stance on this is to transfer as much as possible into AppSense Environment Manager by deploying the Registry settings directly. I'm going to do an article with a sample configuration soon, because you have to use Registry Actions directly for a lot of the stuff you used to see in Internet Explorer Maintenance, as there is no ADM/ADMX support.
For the problem in question, though, there appeared to be no easy way to deploy this option so it was unchecked by default. Group Policy Preferences don't allow it to be deployed through Internet Options. Internet Explorer Maintenance was unworkable due to the way it interacted with other settings, and as mentioned earlier, is slated for removal anyway. The base Internet Explorer GPOs in Windows Components | Internet Explorer don't seem to have a setting for manipulating this either. It might have been an option to set the default profile up with the box unchecked and then let users build their settings from there, but that seemed unsatisfactory given that a lot of users were already using the new environment. Besides, if the setting ever needed to be changed back, we would be back to square one again.
Hunting the Internet for Registry settings that controlled this seemed to be the only option. Eventually, we discovered a setting in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections called DefaultConnectionSettings that seemed to control this.
However, the value is a REG_BINARY, which straight away complicates matters. Manipulating binary values with either regedit.exe from the command line, AppSense EM Registry Actions or even Group Policy Preferences can be tricky, especially when it turns out - as in this case - that we need to change one particular bit of the binary value in order to uncheck the setting. As usual, there's only one surefire way to do this without taking the risk of wiping out the whole value - a touch of scripted goodness.
I was looking to do this in PowerShell, but I managed to find a VBScript that did the job nicely - handy that Environment Manager supports both equally well! As in my last post, I must apologize to the author of the script for not remembering where I pulled this from - feel free to get in touch and I will credit you for it.
Let's look at our test user before we put the script in place. We've configured a proxy server, proxy port and various other browser settings through Registry Actions in Environment Manager, so we want to make sure that we leave these settings intact.
Next we will add the script to Environment Manager. Interestingly, I've started putting Internet Explorer settings into the Logon trigger rather than the Process Started one recently, because I'm coming across more and more applications that interact with Internet Explorer settings (such as the proxy server and port). Of course, this makes Personalization a tad trickier too - but this is something to be discussed in a different article, probably the one I alluded to earlier about IE settings.
Set up a Custom Action, set the scripting type to VBScript, and insert the following code
Option Explicit
On Error Resume Next
'Create a constant for the HKEY_CURRENT_USER object
Const HKCU = &H80000001
'Define variables
Dim strComputer
Dim strRegistryKey
Dim objRegistry
Dim strRegistryValue
Dim binValue
strComputer = "."
strRegistryKey = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
strRegistryValue = "DefaultConnectionSettings"
'Connect to the Registry
Set objRegistry = GetObject("winmgmts:\\"& strComputer & "\root\default:StdRegProv")
'Retrieve the current settings.
objRegistry.GetBinaryValue HKCU, strRegistryKey, strRegistryValue, binValue
'Change the 'Automatically detect settings' box to unticked
binValue(8) = 03
'binValue(8) = 13 - Enable this line to check the box instead of uncheck
'Save the changes
objRegistry.SetBinaryValue HKCU, strRegistryKey, strRegistryValue, binValue
There is, rather helpfully, a commented-out line you can use should you want to check the box again, for whatever reason.
To stop users from being able to change the setting once you've unchecked it, also set the following Registry value
So now your configuration items should look like this
Now we need to save the configuration into the Management Center and deploy it out. Once it has deployed out, let's log on and see what our settings look like now!
Of course, as we expected, they look exactly as we want them to :-)
The box is unchecked, our proxy server settings are intact - and best of all, the user can't mess with the settings that were giving us such a problem!
As I mentioned previously, there's probably an underlying issue which is the reason why the "Automatically detect settings" option caused such a problem. But if turning it off made those problems go away, and didn't cause any other adverse effects, then it stands to reason that disabling it is a good thing. This does, however, bring us to the mish-mash of settings that Microsoft provide us with to manage the Internet Explorer browser, and it is high time I did an article with a sample configuration that shows AppSense admins how to manage it more quickly and easily. That is a subject I will hopefully visit over the next few weeks.