• KB25303 - Group Policy Preferences do not apply to Internet Explorer 9 (Hotfix)

    What this hotfix basically does is add support for IE9 to Group Policy Preferences in a Windows Server 2008 R2 domain. For further details, please see this post on the Group Policy Center blog or the Microsoft KB article linked below.

    KB2530309 - Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9 in a Windows Server 2008 R2 domain environment

    SYMPTOMS
    Consider the following scenario on a Windows 7-based or Windows Server 2008 R2-based computer:
    • You have a domain server that is running Windows Server 2008 R2.
    • You use the Group Policy Administration Tools for Windows Server 2008 R2.
    In this scenario, in the domain in which you are using Internet Explorer Group Policy Preferences, you encounter the following problems.

    Problem 1
    Microsoft Internet Explorer 6, Windows Internet Explorer 7, and Windows Internet Explorer 8 Group Policy Preference items do not apply to users who are running Windows Internet Explorer 9.

    Group Policy Preferences logging shows the following...
    Nonworking scenario
    Code:
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] {683F7AD7-E782-4232-8A6D-F22431F12DB5}
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Starting class <IE8> - Internet Explorer 8.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Starting filter [AND FilterFile].
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Adding child elements to RSOP.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Set user security context.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] C:\Program Files\Internet Explorer\iexplore.exe
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] apmGetFileVersionEx
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] apmCompareVersionTokens [SUCCEEDED(S_FALSE)]
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Set system security context.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Failed hidden filter [FilterFile].
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Filters not passed.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Completed class <IE8> - Internet Explorer 8.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x3a0,tid=0xb18] Completed class <InternetSettings>.
    Working scenario
    Code:
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] {683F7AD7-E782-4232-8A6D-F22431F12DB5}
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] Starting class <IE8> - Internet Explorer 8.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] Starting filter [AND FilterFile].
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] Adding child elements to RSOP.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] Set user security context.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] C:\Program Files\Internet Explorer\iexplore.exe
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] apmGetFileVersionEx
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] apmCompareVersionTokens
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] Set system security context.
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] Passed hidden filter [FilterFile].
    yyyy-mm-dd hh:mm:ss.ms [pid=0x398,tid=0x29c] Filters passed.
    This article was originally published in forum thread: KB25303 - Group Policy Preferences do not apply to Internet Explorer 9 (Hotfix) started by Arthur View original post
    Comments 7 Comments
    1. Michael's Avatar
      Michael -
      Interestingly without this fix, allowed pop-ups configured by GPO are not processed (as if they're not there at all).
    1. Michael's Avatar
      Michael -
      I've managed to get around the IE9 and Pop-up blocker issue as follows:

      Scenario: Running 2008 R2 SP1, with Windows 7 SP1 + IE9 clients. Setting Pop-up exceptions on this GPO (even with the KB2530309 fix) does not work:

      User Config > Policies > Admin Templates > Windows Components > Internet Explorer - Pop-up allow list - Enabled

      To get around this problem, install KB2530309, then navigate to:

      User Config > Preferences > Control Panel Settings - Internet Settings

      Right click Internet Settings > New > Internet Explorer 8 (Note: With the KB2530309 fix, this applies to both IE8 and IE9).

      Select the Privacy tab > Settings. Enter your Pop-up exceptions here and apply changes.

      Now run gpupdate /force on your workstation or restart your workstation. Pop-up exceptions will now work correctly with IE9.
    1. tushan's Avatar
      tushan -
      Thanks Michael for sharing this solution. What can people like me do without people like you. I'm about to implement your solution but out of interest, does this inlude the likes of Adobe Readers and flash constantly asking you to upgrade, even if you don't want to.Kind regardstushan
    1. Michael's Avatar
      Michael -
      Quote Originally Posted by tushan View Post
      Thanks Michael for sharing this solution. What can people like me do without people like you. I'm about to implement your solution but out of interest, does this inlude the likes of Adobe Readers and flash constantly asking you to upgrade, even if you don't want to.Kind regardstushan
      Newer versions of Adobe Reader and Adobe Flash do have built in auto-updaters. As a recommendation, you should be using Adobe Reader 9 or 10 and Adobe Flash 11.1.
    1. Arthur's Avatar
      Arthur -
      Just to add to what Michael said, the easiest way to disable the updater in Adobe Reader is to use the Customization Wizard. To do the same with Flash Player, you need to create a text file called mms.cfg containing the text below, and place it into %SystemRoot%\System32\Macromed\Flash (for 32-bit editions of Windows) and/or %SystemRoot%\SysWOW64\Macromed\Flash (for 64-bit editions) on each PC you are installing it to. For more info regarding deployment, click here (Flash Player) or here (Reader).

      Code:
      AutoUpdateDisable=1
      If the updates section of the Flash Player Settings Manager is greyed out (in the Control Panel) you will know the mms.cfg file has worked.

    1. Alis_Klar's Avatar
      Alis_Klar -
      Does this this only affect domains running Win Server 2008 R2. What about 2003 domains?
    1. Michael's Avatar
      Michael -
      Well GPP is only available on 2008/2008 R2 Server and IE9 Windows Vista or later.

      2003 Server isn't affected by this at all as it only supports IE8.

      If you mean a 2003 Server with 7 clients + IE9 (using RSAT) then yes this would apply, but to be honest I would avoid using GPP with IE8 or IE9 as in my experience (and a few others here) it appears to break IE. It's something Microsoft will probably fix in 2008 R2 SP2 and Windows 7 SP2.
  • Recent Posts

    Trapper

    Recommend a couple of decent WLAN points

    Enterprise class to handle up to 100 devices wireless G/N, not centrally managed.

    Going to be used as a stop gap in mobile class rooms,

    Trapper Today, 12:13 AM Go to last post
    Liam

    All staff emails

    Ha ha, so I'm not alone. I was chatting to another IT manager last week, that school still use sims for similar purposes so I guess that's a blessing.

    Liam Yesterday, 11:52 PM Go to last post
    sparkeh

    All staff emails

    Sheesh I wish I had your problems, staff can barely login to their email, let alone communicate over it.

    sparkeh Yesterday, 11:48 PM Go to last post
    Schikitar

    Scratch 2.0 Install Method (no .msi)

    [MENTION=1839]Arthur[/MENTION], would you be willing to share the process/steps for creating your MSI package? I think it would be of great benefit to

    Schikitar Yesterday, 10:48 PM Go to last post
    plexer

    Cancelling Sky TV

    £65 wow we got up to £35 which was too much although that's without movie or sports as movies is cheaper on nowtv now pay £25 for same deal.

    plexer Yesterday, 10:48 PM Go to last post