Hi everyone!

Just a quick post to make you aware of a feature in IE7 that is not going to be included in IE 8.  This pertains to the options IE7 provides you when closing out a multi-tabbed IE process.  These check box options are available when unhidden:

So with the, “Open these the next time I use Internet Explorer” checked, IE7 keeps track of the currently open tabs and will then re-open them when the IE is re-opened.  This option, however, is not included with IE8.  However, a similar option is available in IE8 – see details below:

Open tabs you've previously closed

If you close one or more tabs during a browsing session, or close a browsing session entirely—either accidentally or on purpose—you can now use Internet Explorer 8 to reopen the tabs or browsing session that you closed.

To reopen the tabs you closed during your current browsing session

1. In Internet Explorer, click the New Tab button:

2. On the new tab page, under Reopen closed tabs, find and click the address for the webpage that you want to open:

 Note:

• If you have changed the new tab page to your home page, you can type about:tabs in the Address bar to view the new tab page.
• Internet Explorer only keeps track of history and form data for tabs that you close during your current browsing session. If you close tabs, and then end your browsing session by closing the browser, you won't be able to reopen those tabs. You can reopen that browsing session, but it will only display the tabs that were open when you closed the browser.

To re-open the last browsing session you closed

When you close Internet Explorer and end your browsing session, it keeps track of the web pages that you had open at the time. As a result, when you open a new browsing session, you can reopen the web pages that were open during your previous browsing session. Follow these steps to reopen your last browsing session:

1. In Internet Explorer, click the Tools button.
2. Click Reopen Last Browsing Session. All the web pages that you had open when Internet Explorer was last closed will open in new tabs:

Note:

• You can also reopen the last browsing session from the new tab page:

Well, that’s about it.  As always, we hope this information for was friendly and informative!

Regards,

The IE Team

Hi everyone!

With the release of IE 8, we felt that providing a little more detail around the different Compatibility Modes might be useful, so here goes!

A fundamental problem discussed during each and every Internet Explorer release is balancing new features and functionality with site compatibility for the existing Web. On the one hand, new features and functionality push the Web forward. On the other hand, the Web is a large expanse; requiring every legacy page to support the "latest and greatest" browser version immediately at product launch just isn't feasible.

Internet Explorer 8 addresses this challenge by introducing compatibility modes which gives a way to introduce new features and stricter compliance to standards while enabling it to be backward compliant.

In this post I would like to discuss how compatibility mode can be specified and how IE determines which mode to use in different scenarios.

Rendering Modes

Internet Explorer 8 determines the rendering mode based on the two main factors, value of compatibility mode and value of the !DOCTYPE switch.

Webpage can specify compatibility mode either by using a Meta tag or by sending a http header. Meta tag takes precedence over http header when both are present.

1) META Tag - You can place the following HTML tag in the HEAD element of your web page:

<meta http-equiv=“X-UA-Compatible” content=“IE=7” />

2) HTTP Header - You can configure your server so that the following HTTP Header is sent with each page

X-UA-Compatible: IE=7

Note:The meta tag should be placed in the head section before any script or CSS.

The following table illustrates the possible values for specifying the compatibility mode.

Table 1: Compatibility Mode Values

* These Compatibility Modes do not depend on the DOCTYPE in determining the rendering mode to use.

You can also specify multiple modes and highest known mode will be used

<meta http-equiv=“X-UA-Compatible” content=“IE=7; IE=8” />

The following table summarizes the rendering modes. Compatibility Mode Value is the value you set using either meta tag or by sending a http header.

Table 2: Compatibility Mode Values

* For Intranet pages, 7 (IE 7 Standards) rendering mode is used by default and can be changed

Compatibility Lists (“Emulate IE7” mode)

A Compatibility List lists all sites (domains) that it should display using Internet Explorer 7 Emulation mode (aka “Emulate IE7” mode).  Internet Explorer 8 maintains two Compatibility Lists.

- Compatibility View List (user defined)

- Microsoft Maintained Site Compatibility List (Microsoft maintained)

Emulate IE7 mode causes IE8 to do three things:

1) Use IE 7 Standards mode for standards mode document

2) Send the IE7 User agent string

3) Sets the right internal parameters to process conditional comments as IE 7 would.

As you can see, it does more than just setting the HTML document’s compatibility-mode.

User Defined List

User can maintain a custom compatibility list by using the Compatibility View button (Figure1, icon next to address bar displays a broken page image) or by adding the site to the compatibility view list (Tools menu -> Compatibility View Settings, Figure 2).

Figure 1:

Figure 2:

You will see that on the Compatibility View Settings dialog an option to use Compatibility View for all Intranet sites. This option is enabled by default. A large number of internal business web sites are optimized for Internet Explorer 7 so this default exception preserves that compatibility.

On this dialog you can also choose to display all website in compatibility view.

Local machine zone pages by default emulate IE8.

Again if a Meta tag or http header is used to set a compatibility mode to the document it will override these settings.

Removing from the List:

Web sites that are late in adopting to IE 8 Standards need a way to be easily removed from user’s Compatibility View Lists. IE 8 has several ways in which a site can be removed from this list:

1) Deselecting the “Emulate IE7” button

2) Directly editing the compatibility list

3) Deleting the browsing history

4) Overriding from the site

Overriding from the site can successfully remove the entry from the list if the following conditions are met:

- The META tag or HTTP header that results in IE8 Standards mode

- The top level domain is in the compatibility list (when it is not there in the list , no need to remove it)

- The presence of the \IEStandards.xml file on the server (note it’s in the root directory)

- IEStandards.xml file contains a tag labeled “IE8StandardsMode”.

Note: IE8 checks for the presence of IEStandards.xml file only if it hasn’t been requested in the last 30 days for that domain.

These conditions ensure that the top level domain can be removed if you’re visiting a sub domain. For instance, if foo.com was on the list and you visit mail.foo.com, that sub domain may be updated, but we need additional checks to sure that the entire foo.com can be removed by looking for the IEStandards.xml file.

Microsoft Maintained Site Compatibility List

Microsoft maintains a site compatibility list to minimize user involvement when sites don’t display properly. This list is maintained in a binary file and is updated automatically via Windows Update.

More information about this can be found here.

Web Browser Control Hosts:

By default, all web browser control hosts run in Internet Explorer 7 Emulation mode. Web browser control hosts may opt-in to Internet Explorer 8 Standards behavior via the feature control key, FEATURE_BROWSER_EMULATION.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]

“iexplore.exe” = dword:8

(possible values of 7 or 8)

More information:

A Compatibility View list update that is dated March 19, 2009 is available for Windows Internet Explorer 8 (KB968220)

This blog was provided by Bhasker Konakanchi. A Senior Support Escalation Engineer on the IE Support Team.

Regards,

The IE Support Team

Hi everyone!

I am sure you have noticed Internet Explorer’s Compatibility View button, located on the address bar next to the ‘stop’ and ‘refresh’ buttons.

As we discussed in the blog Introducing Compatibility View, the Compatibility View button only appears when it makes sense to do so.   For example, if the page’s Document Compatibility Mode is not set and if the page is trying to display in standards mode. 

So, when a site uses the X-UA-Compatible<META> tag or HTTP header to set the Compatibility mode, IE8’s Compatibility View button should not display. However, we have uncovered a small problem where it still does display if the ultimate document mode of the page turns out to be Quirks Mode.

If you go to http://office.live.com/ you will notice this behavior. Here is also a simple page that demonstrates the problem:

<html>

   <head>

  <!-- Mimic Internet Explorer 7 -->

      <title>My Web Page</title>

      <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

   </head>

   <body>

      <p>Content goes here.</p>

   </body>

</html>   

Note: Having no DOCTYPE switches you to quirks mode.

Even though the Compatibility View button displays, the page functionality continues to work correctly. Therefore, the impact of this behavior is minimal.

Regards,

The IE Support team

Hi, Axel from the IE Escalation team again with a quick note on how to use a Microsoft Fix IT to remove IE 8 silently.

First, I would like to thank the “Fix IT” team for quickly answering my questions about the tools functionality!

When I first learned of the Microsoft Fix ITs being available, I wondered if they could be run silently.  The ability to use the tool silently can be a great advantage and appeals to a large IT community allowing these fixes to run without requiring user intervention - in other words, no prompts.  Luckily for us, Fix ITs are .MSI packages and so we can take advantage of the command line arguments available to accomplish our task!

I tested my theory using the IE Fix IT package that uninstalls IE8, and it works just fine!

You can download the IE 8 Uninstall Fix IT tool from KB957700!

Steps:

1. Open a cmd and change directory to %windir%\system32
2. Then type “msiexec /i uninstallie8.msi /quiet”

Note:  Please remember to remove the quotes from the command line above.  When executing from Vista, you should open the cmd window using elevated privileges! 

MSIEXEC Switches

  NOTE:  You can get the list by typing msiexec /? from command window!

More MSIEXEC Documentation:

Standard Installer Command-Line Options

• http://msdn.microsoft.com/en-us/library/aa372024(VS.85).aspx

Related Article:

• How to solve Internet Explorer 8 installation problems

Enjoy!

The IE Support Team

Hi Team,

when creating an automatic proxy-configuration script (PAC-filer or also known as wpad.dat), questions arrive on how these could be optimized in order to speed up their performance

The functions which can be used in order to evaluate an address (URL and hostname) are explained in the following article:
JavaScript or JScript Auto-Proxy Example Files
http://technet.microsoft.com/library/Dd361950

As mentioned in that article, the functions  isInNet(), isResolvable() and dnsResolve() initiate queries to the DNS-subsystem.
Therefore the usage of these functions should be avoided, when possible or at least reduced.

1. Query for NetBIOS-names
NetBIOS-names (servernames with no dot in their name) no are typically used in the intranet only and are therefore not routed through the proxy.
  if (isPlainHostName(host))
    return "DIRECT";

2. Query for internal DNS-suffixes
Internally used DNS-zones are normally routed directly. The easiest way to determine such hosts is done by using the function dnsDomainis:
  if (dnsDomainIs (host, ".dns.company.com"))
    return "DIRECT";

The faster method for the same result can be done by using ShExMatch(), which performs a string compare. So the same result with the function above, where the “*”-character is then used as wildcard:
  if (shExpMatch(host, "*.dns.company.com"))
    return "DIRECT";

3.  Query for IP-ranges
The idea for that rule is to check, if the IP-address of the host belongs to the local intranet, regardless to the name of the webserver, which should bypass the proxy in order to navigate directly to the it.

In case, that the IP-address had been entered directly in the address-bar there is no need to resolve it again. You can use the following code in order to check, if the host has already the format of an IP-address :
  var isIpV4Addr = /^(\d+.){3}\d+$/;
  ret = isIpV4Addr.test (host);
This routine checks if the variable host contains 3 numbers which are followed by a dot, and if another number is followed- The result of this check is then passed to the variable ret, which is true in case of an IP, and false – if otherwise.

This would be be the codesnip where the variable hostIP will contain the IP-address for additional checks later:
  var hostIP;
  var isIpV4Addr = /^(\d+.){3}\d+$/;
  if (isIpV4Addr.test (host))
    hostIP=host;
  else
    hostIP=dnsResolve (host);

When a non-existing host had been passed to the function (e.g. cause the user entered something wrong in the address bar), the result in hostIP might be 0. Any additional errorhandling could be done by the proxy:
  if (hostIP==0)
    return "PROXY myproxy:80";

Now, as we have the IP-address of the host, the checks for the internal IP-ranges needs to be done.
When possible, use the shExpMatch-function instead of isInNet. The following two codesnips have the identical result, while shExpMatch is faster in execution:
  if (isInNet (hostIP, "95.53.0.0", "255.255.0.0"))
    return "DIRECT";
  if (shExpMatch (hostIP, "95.53.*))
    return "DIRECT";

4. Javascript is case-sensitive
The proxyscript uses the language javascript, which is case-sensitve. Therefore an if-clause where upper characters are used will never turn true, while the other parameter is using lowercase.
Internet Explorer itself converts the variables host and url into lowercase before the function  FindProxyForURL is called.
This is not true for WinHTTP, which passes the hoist and the url directly to the function.
Therefore the parameters, which are checked within the PAC-file should be converted within the PAC befotre they are evaluated. Here is the call for the convert:
    host = host.toLowerCase();

5. Use of IPv6
In case that you want to use and handle IPv6-addresses, Internet Explorer supports them since IE7 on every OS-Version (and WinHTTP since Windows Vista), but you then need to use “Ex“-functions (like isInNetEx ()) as mentioned in the following Blogpost:

WinINet and WinHTTP IPv6 Support in Web Proxy Auto-Discovery (WPAD) scripts enabled in Windows Vista
http://blogs.msdn.com/b/wndp/archive/2006/07/18/ipv6-wpad-for-winhttp-and-wininet.aspx

One example, where the implementation of myIpAddressEx was very useful is also mentioned in the KB-article http://support.microsoft.com/kb/2839111/en-us

6. Testing of a PAC-file
In case that the script contains any syntax-error (e.g. a missing ‘)’-character in an if-statement, the script is no more executed. In order to minimize such errors, you may consider the usage of a script-editor which performs syntax-checking on the fly. When using Visual Studio, you can just rename the extension of your PAC-file to JS when editing.

After this, you can test it by configuring it in IE as a local PAC-file. For the local C:-drive the syntax in order to configure IE would be file://c:\test.pac 
With IE11, the usage of a PAC-file through the file-protocol is no more possible, unless you add the following registry-key

[HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
(DWORD)"EnableLegacyAutoProxyFeatures"=1

More information to the usage of local PAC-files is available in the following Blogpost:

• Understanding Web Proxy Configuration
  http://blogs.msdn.com/b/ieinternals/archive/2013/10/11/web-proxy-configuration-and-ie11-changes.aspx

When debugging and testing the PAC-file, you can add statements as extraline which will initiate a popup, when the line is hit:
alert ("We are now here and host is: " + host);

Of course, alert ()-statements should never be active within the production environment.

6.1 Testing with autoprox.exe [ DOWNLOAD AUTOPROXY ]
Sometimes you need just to test your PAC-file, if the expected route is returned, although you have no access to the website in question. For such testing you can use the (attached) command line-utility tool autoprox.exe, which my colleague Pierre-Louis Coll created.
When starting it in a CMD without additional parameter the usage is displayed:

C:\temp>autoprox
Version : 2.1.0.0
Written by pierrelc@microsoft.com
Usage : AUTOPROX -s  (calling DetectAutoProxyUrl and saving wpad.dat file in temporary file)
Usage : AUTOPROX  [-h] url [Path to autoproxy file]
       -h: calls InternetInitializeAutoProxyDll with helper functions implemented in AUTOPROX
AUTOPROX url: calling DetectAutoProxyUrl and using WPAD.DAT logic to find the proxy for the url
AUTOPROX url path: using the autoproxy file from the path to find proxy for the url
Example: autoprox -s
Example: autoprox http://www.microsoft.com
Example: autoprox -h http://www.microsoft.com c:\inetpub\wwwroot\wpad.dat
Example: autoprox http://www.microsoft.comhttp://proxy/wpad.dat

Here is the output with our sample:

C:\temp>autoprox http://us.msn.com c:\temp\sample.pac
The Winsock 2.2 dll was found okay
url: http://us.msn.com
autoproxy file path is : c:\temp\sample.pac
Calling InternetInitializeAutoProxyDll with c:\temp\sample.pac
        Calling InternetGetProxyInfo with url http://us.msn.com and host us.msn.com
        Proxy returned for url http://us.msn.com is:
PROXY myproxy:80;

When you want to see which DNS-related functions have been called, you can use the parameter “-h” in addition: 
Here the output, when this is used:

C:\temp>autoprox -h http://us.msn.com c:\temp\sample.pac
The Winsock 2.2 dll was found okay
Will call InternetInitializeAutoProxyDll with helper functions
url: http://us.msn.com
autoproxy file path is : c:\temp\sample.pac
Calling InternetInitializeAutoProxyDll with c:\temp\sample.pac
        Calling InternetGetProxyInfo with url http://us.msn.com and host us.msn.com
ResolveHostByName called with lpszHostName: us.msn.com
ResolveHostByName returning lpszIPAddress: 65.55.206.229
        Proxy returned for url http://us.msn.com is:
PROXY myproxy:80;

Error-Handling in autoprox.exe:
a) When you specify a non-existing PAC-file (e.g. typo in the command-line), the result from autoprox.exe will be:
  ERROR: InternetInitializeAutoProxyDll failed with error number 0x6 6.

b) When the Pac-file contains syntax-errors, you typically receive the following message displayed:
  ERROR: InternetGetProxyInfo failed with error number 0x3eb 1003.

After finishing the local test, the PAC-file should be copied to the webserver where it will be accessed through http-protocol.

Here would be the complete sample, as discussed above:

function FindProxyForURL(url,host)
{
  // NetBIOS-names
  if (isPlainHostName(host))
    return "DIRECT";
  // change to lower case – if not already been done
  host = host.toLowerCase();
  // internal DNS-suffixes
  if (shExpMatch(host, "*.corp.company.com") ||
      shExpMatch(host, "*.dns.company.com"))
    return "DIRECT";
  // Save the IP-address to variable hostIP
  var hostIP;
  var isIpV4Addr = /^(\d+.){3}\d+$/;
  if (isIpV4Addr.test (host))
    hostIP=host;
  else
    hostIP=dnsResolve (host);
  // IP could not be determined -> go to proxy
  if (hostIP==0)
    return "PROXY myproxy:80";
  // These 3 scopes are used only internally
  if (shExpMatch (hostIP, "95.53.*") ||
      shExpMatch (hostIP, "192.168.*") ||
      shExpMatch (hostIP, "127.0.0.1"))
    return "DIRECT";
  // Eveything else goes through the proxy
  return "PROXY myproxy:80;";
}

Here is a known issue:

• Internet Explorer 9 can't access the web or a corporate network when you try to connect through a different network – Hotfix !
• http://support.microsoft.com/kb/2815802

Good Blog Article:

• Understanding Web Proxy Configuration
• http://blogs.msdn.com/b/ieinternals/archive/2013/10/11/web-proxy-configuration-and-ie11-changes.aspx

This blog has been provided to you by another one of our Escalation Engineers for Internet Explorer, Heiko Mayer.

Want to share a scenario I worked on recently that may help others understand what could cause Enterprise Mode not show in GPMC.

Condition:

• You want to manage IE11 Enterprise Mode GPO from a Central location using your Central Store Group Policies configuration
• You have already installed IE11 on the machine you are using to manage these group policies
• You have already install the require IE Cumulative update that introduces Enterprise Mode MS14-018

When you open GPMC on your Domain controller you do not see the 2 new Enterprise Mode Group Policy entries:

• Let Users turn on and use Enterprise Mode from the Tools menu
• Use the Enterprise Mode IE website list

Reason:

• You have not copied the new IE11 Enterprise Mode ADMX templates on your Sysvol Policies PolicyDefinitions  directory
• You had GPMC opened when copying the files

Actions taken to get your IE 11 Enterprise Mode GPO settings show in GPMC when using Central Store Group Policy Configuration

• Make sure GPMC is close!
• Copy both the new IE11 Templates into its respective policy folders.
• Copy inetres.admx from C:\Windows\PolicyDefinitions  to  the Domain Sysvol\Domain\policies\PolicyDefinitions folder.
• Copy inetres.adml  from C:\Windows\PolicyDefinitions\en-US to the Domain Sysvol\Domain\policies\PolicyDefinitions\en-US policy folder.

NOTE: Verify, the new files have the new EMIE entries present.

• Open GPMC to confirm the new IE11 Enterprise Mode GPOs are present

The key to this scenario was to make sure that GPMC console was closed and validate the new files were copied successfully to the Central Store!

Here are the EMIE entries we need to have in the templates. You can search for it.

Inetres.adm entries:EnterpriseModeEnable and EnterpriseModeSiteList

 <policy name="EnterpriseModeEnable" class="Both" displayName="$(string.EnterpriseModeEnable)" explainText="$(string.IE_ExplainEnterpriseModeEnable)" presentation="$(presentation.EnterpriseModeEnable_1)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <elements>
        <text id="EnterReportBackPrompt" valueName="Enable" />
      </elements>
    </policy>

<policy name="EnterpriseModeSiteList" class="Both" displayName="$(string.EnterpriseModeSiteList)" explainText="$(string.IE_ExplainEnterpriseModeSiteList)" presentation="$(presentation.EnterpriseModeSiteList_1)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode">
      <parentCategory ref="InternetExplorer" />
      <supportedOn ref="SUPPORTED_IE11" />
      <elements>
        <text id="EnterSiteListPrompt" valueName="SiteList" required="true" />
      </elements>
    </policy> 

Inetres.adml entries: EnterpriseModeEnable and EnterpriseModeSiteList

If you disable or do not configure this policy setting, users can pin sites.</string>
      <string id="EnterpriseModeEnable">Let users turn on and use Enterprise Mode from the Tools menu</string>
      <string id="IE_ExplainEnterpriseModeEnable">This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.</string>
      <string id="EnterpriseModeSiteList">Use the Enterprise Mode IE website list</string>
      <string id="IE_ExplainEnterpriseModeSiteList">This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

<presentation id="EnterpriseModeEnable_1">
        <textBox refId="EnterReportBackPrompt">
          <label>Type the location (URL) of where to receive reports about the websites for which users turn on and use Enterprise Mode</label>
        </textBox>
      </presentation>
      <presentation id="EnterpriseModeSiteList_1">
        <textBox refId="EnterSiteListPrompt">
          <label>Type the location (URL) of your Enterprise Mode IE website list</label>
        </textBox>
      </presentation>

This blog has been provided to you by the IE Support Team.

Hello,

This blog post is about the notification, which users receive one time after the installation of the last cumulative IE-Update in June MS14-035.

For IE10 on Windows 7, the following webpage is displayed: http://windows.microsoft.com/en-us/internet-explorer/ie-10-welcome-upgrade1

For IE9 on Windows 7 or on Windows Vista, the following webpage is displayed as a 2^nd tab: http://windows.microsoft.com/en-us/internet-explorer/products/ie-9/welcome-upgrade3

Both pages look contain the title "Your browser has been  upgraded", Check out Internet Explorer 10 (or 9) and then at the bottom the following text:

The reason why I wanted to blog about this is the expectation, that in corporate environments welcome-messages etc. are never been displayed to the user. Therefore the Admin may have configured the following policy, which does not apply to that change:

This means, that in case an Administrator wants to suppress the appearance of this Welcome-tab, he should deploy the following registry-key, which is also created when the page had been opened:

Alternate solution is to use Group Policy Preference Registry to push the registry to your clients.

Create a GPP registry item under User configuration \ Preferences \ Registry Items

Configured your GPP Registry with the following attributes:

Action: Replace
Hive: HKEY_CURRENT_USER
Key Path: Software\Microsoft\Internet Explorer\Main
Value name: PrivacyPolicyShown
Value type: dword
Value data: 1

Screenshot:

Apply and Okay and you are done. Now, have to validate your Settings are pushed to your clients.

This blog has been provided to you by , Heiko Mayer 

In this quick blog post, we are sharing the administrative group policy settings and registry location included in the August 2014 IE cumulative update, that will help you better prepare and manage the new "blocking out-of-date ActiveX controls" feature.

For more information on the new changes, please read the original post by the IE Product Team: "Internet Explorer begins blocking out-of-date ActiveX controls"

Below are some key notes from the Blog post http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx introducing the new changes.

Out-of-date ActiveX control blocking lets you:

• Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
• Interact with other parts of the Web page that aren’t affected by the outdated control.
• Update the outdated control, so that it’s up-to-date and safer to use.
• Inventory the ActiveX controls your organization is using.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

• Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
• Enforced blocking prevents users from overriding the warning for out-of-control ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
• Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
• This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with value of zero.

Today, the August IE Cumulative for August was released. Details of changes are also included in the kb2976627. 

• MS14-051: Cumulative security update for Internet Explorer: August 12, 2014 - http://support.microsoft.com//kb/2976627

HOW TO GET THE NEW ADMIN TEMPLATES?

• Install the August IE Cumulative Update: Microsoft Security Bulletin MS14-051 - Critical https://technet.microsoft.com/en-us/library/security/MS14-051
• For older OS you can download it from our Download center
• Windows Server 2003. Download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from here.
• Windows Server 2008 and up. Download the complete set of Internet Explorer administrative templates, which include the new settings, from here.

Windows Server 2003:

1. Copy inetres.adm into %WINDIR%\inf\
2. Open the Group Policy Editor

• Click Start, click Run, type gpedit.msc, and then click OK.
• Expand Local Computer Policy, expand Computer Configuration.
• Right click on Administrative Templates. If you see Inetres template on this list, click Remove, and then click Close.
• Right click on Administrative Templates and click on Add/Remove Templates. Click Add and locate inetres.adm in %WINDIR%\inf\ and click Open to add it again. Then click Close.

Windows Server 2012 R2:

The Internet Explorer 11 Administrative Template files (interes.admx and inetres.adml) are already installed with the August Cumulative update!.

Windows Server 2008 R2 SP1:

1. If you install Internet Explorer 11, the Administrative Template files (interes.admx and inetres.adml) will be installed automatically with the August IE Cumulative update!
2. Follow the instructions as described in the following article: http://technet.microsoft.com/en-us/library/cc709647.aspx

Windows Server 2008 and Windows Server 2008 R2:

Follow the instructions as described in the following article: http://technet.microsoft.com/en-us/library/cc709647.aspx. Again, if you install the August IE cumulative update it will include the new admin templates!

GPO LOCATION:

Category Path:User or Machine Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Security Features \ Add-on Management

Policies:

SCREENSHOT:

You can also use the Central Store Group Policy by following these steps:

• Make sure GPMC is close!
• Copy the new IE11 Templates into its respective policy folders.
• Copy inetres.admx from C:\Windows\PolicyDefinitions  to  the Domain Sysvol\Domain\policies\PolicyDefinitions folder.
• Copy inetres.adml  from C:\Windows\PolicyDefinitions\en-US to the Domain Sysvol\Domain\policies\PolicyDefinitions\en-US policy folder.

NOTE: Verify, the new files have the new blocking out-of-date ActiveX controls entries present. Example: open the inetres.admx and .adml file and search for the registry key value, like VersionCheckEnabled if present, you have confirmed you have the updated ADMX.

• Open GPMC to confirm the new TEMPLATES are present

Hope this quick GPO introduction for this impactful change helps you better prepare you and get your environment ready for what is ahead!

This blog has been provided to you by the IE Support team!

On the previous blog "How to manage the new "blocking out-of-date ActiveX controls"  feature in IE?" we showed you the location and settings for the new out-of-date ActiveX controls feature and on this one, we are outlining the step by step instructions covered in article KB2991000 | Update to block out-of-date ActiveX controls in Internet Explorer under the section "Testing the out-of-date ActiveX controls feature" to get your testing started and better prepare you for the upcoming changes.

Testing Guidance

If your organization has a dependency on an outdated version of Java, you can run the following test to mirror the end-user experience on September 9, 2014.

1. On a test computer, install the August cumulative update for Internet Explorer
         (http://vkbexternal.partners.extranet.microsoft.com/VKBWebService/ViewContent.aspx?scid=KB;EN-US;2976627)    
   .
2. Set a registry key to stop downloading updated versions of the VersionList.xml file. To do this, run the following command: 
   reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f
   Important: After testing, you must delete this registry key or this computer will stop receiving an updated VersionList.xml file that lists the out-of-date ActiveX controls. We do not recommend ever setting this registry key on an in-production computer. 
3. Copy the current VersionList.xml file from hereor direct link (https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlist.xml)    to the following location: 
   %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml
   Note: If you are asked, overwrite the existing file. 
4. To start blocking out-of-date versions of Java, open the VersionList.xml file and delete the first occurrence of latestgroup="1" (the bolded portion below):
   
   < groupentries>
   < groupentry groupname="Java(TM)" fwdlink="https://go.microsoft.com/fwlink/?LinkID=401352" latestgroup="1"/>
   < groupentry groupname="Java(TM) 1.4.2_43" fwdlink="http://" latestgroup="1"/>
   < groupentry groupname="Java(TM) 1.5.0_71" fwdlink="http://" latestgroup="1"/>
   < groupentry groupname="Java(TM) 1.6.0_81" fwdlink="http://" latestgroup="1"/>
   < groupentry groupname="Java(TM) 1.7.0_65" fwdlink="http://" latestgroup="1"/>
   < groupentry groupname="Java(TM) 1.8.0_11" fwdlink="http://" latestgroup="1"/>
   < /groupentries>   
5. Restart Internet Explorer. You should see that websites that attempt to load out-of-date Java ActiveX controls will now display the out-of-date ActiveX control blocking notification.

If your organization needs more time to mitigate dependencies on out-of-date Java controls, you have the following two options:

• Turn off the feature completely: Use the Turn off blocking of outdated ActiveX controls for Internet Explorer Group Policy setting (or corresponding registry key)
   Note  This is the less secure option.
• Turn off the feature for a specific domain: Use the Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains Group Policy setting (or corresponding registry key). This setting allows you to turn off the feature on the specific domains on which your enterprise has an out-of-date Java dependency.

This blog has been provided to you by the IE Support team!

In order to play HTML5 videos in the Internet Zone, you need to use the default settings or make sure the following registry key value 2701 under Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 is set to 0.

• The default value is 0 = Allow
• If set to 3 = Disallow

This key is read by the URL Action Flag that can be taken in a URL Security Zones.

Reference for URLACTION_ALLOW_AUDIO_VIDEO: http://msdn.microsoft.com/en-us/library/ie/ms537178(v=vs.85).aspx

" The key is for URLACTION_ALLOW_AUDIO_VIDEO 0x00002701. Internet Explorer 9. Determines whether media elements (audio and video) are allowed. For the element to appear, both the security zone of the host webpage and the media source must allow media. By default, this URLAction permits playback of resources from all zones except the Restricted Sites zone. This means that pages in the restricted zone cannot play media from anywhere, and that pages in other zones do not permit media that is loaded from restricted sites. "

There is no individual UI Setting to manage this action. These are per Zone settings and depending on what the zone is set, you will see this value change.

Example: Change the Internet Zone to High, which will set the registry Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2701 value to 3

Here is what the registry key will look like:

The Zones key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):

   Value    Setting
   ------------------------------
   0        My Computer
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone

Reference:

• Internet Explorer security zones registry entries for advanced users / http://support.microsoft.com/kb/182569

You can use Group Policy Preferences to manage these settings. GPP Registry should be fairly easy to use.

This blog has been provided to you by the IE Support team!

In this quick post, we will cover the options we have to manage the IE TABs on a controlled environment.

I would like to first clarify that there is not a single GPO to just hide TABS in IE11. There is however a way you can enforce IE in Full View Mode which by default will remove the TABS and Address bar via a GPO.

The GPO  you can use to enforce the Full-Screen view is available on both Computer and User configuration policy. Below is the gpo location path in group policy editor console.

• GPO NAME: Enforce full-screen mode
• LOCATION: Computer or User configuration - Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
• KEY LOCATION: Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions

SCREENSHOT: GPO CONSOLE

 SCREENSHOT: REGISTRY LOCATION WITH VALUES

The gpo and keys will cause the browser to open in full view with no address bar or tabs

If you want to use a different alternative to force a Full View with Address bar, you will need to consider using Group Policy Preference / Registry gpo and push the following registry keys:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
"NoNavBar"=dword:00000000
"NoCommandBar"=dword:00000001

 SCREENSHOT USING THE KEYS ABOVE:

This blog has been provided to you by the IE Support team!

In this blog, we will provide the steps you need to take to configure Internet Explorer 10 or 11 Automatic Configuration / Use automatic configuration script settings using Group Policy Preference (GPP).

As you know, the IE Maintenance GPO famously used to configure this and other IE Settings was first deprecated in IE10 in favor of Administrative Templates and Group Policy Preferences and it is important to familiarize yourself with GPP to make your Administrative work a little easier. 

NOTE: Please read the article [http://technet.microsoft.com/en-us/library/jj890998.aspx] for more detailed information about the changes and other policies!

Objective: To configure Internet Explorer with a Proxy Pac file using Group Policy Preferences options.

                 We currently have 2 different options using GPP to configure Proxy Settings!

Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.

USING GPP REGISTRY:

• Open your GMPC.MSC console and navigate to User Configuration / Preferences / Windows Settings
• Right Click on the Registry object from the left hand pane and select New> registry Item

• From New Registry Properties, you can fill in the following settings:
• For Hive: HKEY_CURRENT_USER
• For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings
• For Value name: AutoConfigURL
• For Value Type: REG_SZ
• For Value data: http://mysite/proxy.pac

Screenshot:

• Apply and OK to complete this GPP Configuration

USING GPP INTERNET EXPLORE:

Here are the steps using GPP Control Panel / Internet Explore GPO which offers the User Interface convenience

• Open your GMPC.MSC console and navigate to User Configuration / Preferences / Control Panel Settings / Internet Settings
• Right Click on the Internet Settings object and select Internet Explore 10 [note: this Group Policy will also apply to IE11 clients. See kb https://support.microsoft.com/en-us/kb/2898604]
• From the New Internet Explore 10 Properties Dialog click on Connections Tab / LAN settings button 

• From the Local Area Network (LAN) settings dialog, hit the F6 key on your keyboard to active the GPO (It should go from Red to Green) and add the PAC file URL and click OK to continue

• Click on and OK to commit the changes
• The GPO should now be configured and ready for testing

HOW DO I KNOW THE GPO IS WORKING?

• The best way to validate the gpo is working is to become familiar with the registry location being affected by this setting. So, simply navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings and verify the AutoConfigURL entry exist and have the defined PAC file URL on the targeted client machines

END RESULT:

 This blog has been provided to you by the IE Support team!

Hi everyone!

Just a quick blog about another feature of Loosely Coupled IE (LCIE)…

When using IE8, you may notice that a tab process does not exit right away when you close the Tab window or when IE navigates away from it (due to changing Mandatory Integrity Control (MIC) levels, for example). For performance reasons, an unused tab will live for 60 seconds before shutting down.  There is, however, a registry key available to control how the unused tab process will wait before it is destroyed.

Registry key details: 

HKCU\Software\Microsoft\Internet Explorer\Main - TabShutdownDelay

Setting this DWORD value key to 0 will force the tab process to be destroyed as soon as IE navigates away from it. The value is in milliseconds.  Keep in mind that if you want 60 seconds, you need to put in 60000 as a decimal value, not a hex unless you do the math first.

Note: If all of IE windows are closed then all the iexplore.exe processes will exit immediately.

RELATED BLOG POST:

• HOW TO CONFIGURE TabShutdownDelay USING GROUP POLICY PREFERENCES (GPP) REGISTRY
• http://blogs.msdn.com/b/askie/archive/2015/07/23/how-to-configure-tabshutdowndelay-using-group-policy-preferences-gpp-registry.aspx

Regards,

The IE Support Team

In this example, we are using Computer Configuration GPO to target the Internet Explorer TabShutdownDelay registry setting. However, you can perform the same steps at the User Configuration setting from the GPMC console! 

Objective: To change the TabShutdownDelay registry key for the computer Group Policy Preferences Registry configuration.

Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.

STEPS 1

Open GPMC.MSC console and from the left hand pane, expand: Computer Configuration / Preferences / WindowsSettings and Right Click on the Registry object and select New> CollectionItem

NOTE: The Collection Item will allow you to better organize the Registry Item Configuration!

STEP 2

Rename the Collection Item to: TabShutdownDelay. Right click and select rename!

STEP 3

Right Click on the newly renamed item and select New >Registry Item

STEP 4

From the New Registry Properties Dialog, mirror the following settings:

Action: Update

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Microsoft\Internet Explorer\MAIN

Value Name: TabShutdownDelay

Value type: REG_DWORD

Value data: 0

SCREENSHOT:

Apply and OK to configure the policy!

NEXT: Test your GPO

The best way to test the GPO is to go to the client and run the GPUpdate /Force Command and check the Registry key location for changes.[YOU MAY HAVE TO RUN THIS COMMAND USING AN ELEVATED COMMAND PROMPT!]

You should expect to see the following registry entry:

REGISTRY: HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main

NAME: TabShutdownDelay

VALUE: 0 (DECIMAL)

RELATED BLOG POST: 

• Closing an IE 8 TAB does not immediately close the spawned iexplore.exe process
• http://blogs.msdn.com/b/askie/archive/2009/03/16/closing-an-ie-8-tab-does-not-immediately-close-the-spawned-iexplore-exe-process.aspx

This blog has been provided to you by the IE Support team!

In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.

By default, IE Enhanced Security is enabled in Windows and this setting could impact some web applications. In this case scenario, it affected a script from executing for Standard users.

Other scenarios, the user cannot see the items in the trusted site zone settings.

Objective: To change the IEHarden registry key for the users using Group Policy Preferences Registry configuration.

Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.

Applies To: Windows 2000, Windows 2003, Windows 2008, Windows 2012 Servers running Terminal server configuration. Including R2 versions.

Scenarios:

• You are working out of a Terminal Server
• Your Trusted Sites Zone settings may be gray out and unable to see the entries
• You are using Site To Zone Assignment list and appears not to be working
• Zone GPO not showing in Local Intranet Zone or Trusted Site

STEPS:

• Open your GMPC.MSC console and navigate to User Configuration / Preferences / Windows Settings
• Right Click on the Registry object from the left hand pane and select New > registry Item

• From New Registry Properties, you can fill in the following settings:
• For Hive: HKEY_CURRENT_USER
• For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• For Value name: IEHarden
• For Value Type: REG_DWORD
• For Value data: 0 OR 00000000

Screenshot:

• Apply and OK to complete this GPP Configuration

NOTE: You may also want to check the following registry keys if this value alone does not help resolved your case scenario. In most cases, this is not needed!

• HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HEKY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Another way to get the key change is using a batch file, you can easily use the REG.exe to change the settings.

Examples

TO HELP SET THE IEHARDEN VALUE TO 0

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

::Disables IE Harden for user if set to 1 which is enabled
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f

TO COMPLETELY DELETE THE KEY USING A BATCH FILE:

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: Deletes the IE Harden for users
REG DELETE “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”  /v “IEHarden” /f
REG DELETE “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f
REG DELETE “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f

HOW DO I KNOW THE GPO IS WORKING?

• The best way to validate the gpo is working is to become familiar with the registry location being affected by this setting. So, simply navigate to the HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and verify the IEHarden entry exist with REG_DWORD value set to 0 for the logon user account.

Other Related Blog Post:

• How to troubleshoot IE Enhanced Security warning “Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration” ?
• http://blogs.msdn.com/b/askie/archive/2012/09/11/disable-ie-enhanced-security-does-not-work-in-windows-2003-and-2008-remote-desktop-services-terminal-services-host.aspx
• How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?
• http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx

This blog has been provided to you by the IE Support team!

In this example, we are using Computer Configuration GPO to target the Internet Explorer TabShutdownDelay registry setting. However, you can perform the same steps at the User Configuration setting from the GPMC console! 

OBJECTIVE: To change the TabShutdownDelay registry key for the computer Group Policy Preferences Registry configuration.

REQUIREMENTS: Be familiar with GPMC.MSC console and Group Policy Preferences.

STEPS 1

Open GPMC.MSC console and from the left hand pane, expand: Computer Configuration / Preferences / Windows Settings and Right Click on the Registry object and select New > Collection Item

NOTE: The Collection Item will allow you to better organize the Registry Item Configuration!

STEP 2

Rename the Collection Item to: TabShutdownDelay. Right click and select rename!

STEP 3

Right Click on the newly renamed item and select New > Registry Item

STEP 4

From the New Registry Properties Dialog, mirror the following settings:

Action: Update

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Microsoft\Internet Explorer\MAIN

Value Name: TabShutdownDelay

Value type: REG_DWORD

Value data: 0

IMPORTANT: Please note that on 64-Bit Operating Systems, Internet Explorer also uses x86-processes. Therefore you should also include the  Wow6432Node registry-key!

Action: Update

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN

Value Name: TabShutdownDelay

Value type: REG_DWORD

Value data: 0

SCREENSHOT:

Apply and OK to configure the policy!

NEXT: Test your GPO

The best way to test the GPO is to go to the client and run the GPUpdate /Force Command and check the Registry key location for changes.[YOU MAY HAVE TO RUN THIS COMMAND USING AN ELEVATED COMMAND PROMPT!]

You should expect to see the following registry entry:

REGISTRY: HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main

NAME: TabShutdownDelay

VALUE: 0 (DECIMAL)

RELATED BLOG POST: 

• Closing an IE 8 TAB does not immediately close the spawned iexplore.exe process
• http://blogs.msdn.com/b/askie/archive/2009/03/16/closing-an-ie-8-tab-does-not-immediately-close-the-spawned-iexplore-exe-process.aspx

This blog has been provided to you by the IE Support team!

In this blog, I will share one scenario where we the IE11 installation failed with Error 9c59 error.

SCENARIO:

• Windows 7 x64 with Internet Explore 9 + MS15-065 KB3065822 is installed.
• During the installation process of Internet Explorer 11, you may receive the 9C59 error.
• Error details: Code 9C59
• Error can be found in IE main.log (c:\Windows directory)
• IE11 shows to be installed in Add Removed / Turn Windows Features on or off console but IE9 version shows under the Internet Explore 9 Help and About Internet Explorer menu

NOTE: This error are more often seeing out of Managed Windows Client machines (Windows client machines built out of a master image used in VDI or desktop imaged environments) were prerequisites and or language packs for IE11 do not exist or corrupt exist.

Here are some steps you can take to resolved the 9c59 error:

• From an elevated Command Windows, run the following Command to help removed IE11
• FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c “cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart”
• Open APPWIZ.CPL(Add Removed Programs) from command window to see if IE9 shows in the Turn Windows Features on or off console. If it does, is a good indicator we are making progress
• Run the IExplore setup using the /update-no switch from an Administrator account elevated Command Windows. This will required a reboot!
• Example: IE11-Windows6.1-x64-en-us.exe /update-no
• After the reboot, Open Internet Explore and hit the ALT Key on your keyboard to display the Help menu(if not visible) and click on the Help / About Internet Explore menu. Here you should see that Internet Explore 11 is installed with kb2841134 https://support.microsoft.com/en-us/kb/2841134.
• Now, lets make sure you have the latest Internet Explorer Cumulative update by using Windows Update which for the month of July 2015 is KB3065822 – https://support.microsoft.com/en-us/kb/3065822 MS15-065 Bulleting
• You can manually download it and install it if you like or use any other deployment method you may have on your environment!
• Reboot the client and double-checked the IE11 Installation and verified the Help and about Internet explorer shows KB 3065822
• IE11 + Latest IE Cumulative should be installed !

NOTE: If the steps above did not help resolved your scenario, you should consider the related article below for other possible steps you could take.

RELATED ARTICLE:

• 2872074 Troubleshooting a failed installation of Internet Explorer 11
  http://support.microsoft.com/kb/2872074/en-US
• Command line options available to uninstall Internet Explorer
  http://blogs.msdn.com/b/askie/archive/2014/03/28/command-line-options-available-to-uninstall-internet-explorer.aspx

This blog has been provided to you by the IE Support team!

Today we release a new article on How to create an all-inclusive deployment package for Internet Explore 11, including the all the prerequisite updates, language packs, and spelling dictionaries plus the latest cumulative security updates in a single restart. This is a great help for business that are looking for guidance on implementing such solution and move to IE11 considering that only the most recent version of Internet Explorer available for supported OS will receive technical support and security updates after January 12, 2016. see the Microsoft Support Lifecycle site for more details regarding support timelines on Windows and Windows Embedded systems.

Kudos to the Microsoft Support Engineers that collaborated in producing the article and share it with everybody!

• How to create an all-inclusive deployment package for Internet Explorer 11
• https://support.microsoft.com/en-us/kb/3061428

NOTE:

One issue we saw before with the SCCM deployment had to do with the Package path for x64 OS [%systemroot%\SysNative\] which someone had written a batch file for it and included below:
 
x64 Batch:
 
@ECHO OFF
REM ECHO Installing IE 11 prerequisite: KB2834140
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2834140-v2-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2670838
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2670838-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2533623
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2533623-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2731771
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2731771-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2729094
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2729094-v2-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2786081
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2786081-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 Main Application
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0IE-Win7.cab /quiet /norestart
 
REM ECHO Installing IE cumulative security update
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0IE11-Windows6.1-KB3093983-x64.cab /quiet /norestart
 
exit
 

This blog has been provided to you by the IE Support team!

Hi everybody!, in this blog we are covering most if not all of the available options you have today  to manage your Proxy configuration settings using Group Policies. We hope this blog be helpful for your Internet Explorer 11 migration!.

As you know, the IE Maintenance used to configure proxy and other IE Settings was first deprecated in IE10 in favor of Administrative Templates and Group Policy Preferences. Any machine with IE10 and higher will NOT be able to use the IEM policies. IEM is still available for IE9 and lower.

NOTE: Please read the article [http://technet.microsoft.com/en-us/library/jj890998.aspx] for more detailed information about the changes and other policies!

We are presenting different case scenarios to provided clarity on the options you have today, once you upgrade to IE11!

Case 1: Considering that we are using a Windows Server 2008R2 DC to which we installed IE10 or higher we will notice that IEM is not available in GPO.

Windows Server 2008R2 DC with IE9 or lower 

Windows Server 2008R2 DC with IE10 and higher – Noticed, IE Maintenance is gone!

Case 2: Considering that we are using a Windows Server 2008R2 DC to which we installed IE10 or higher and trying to use GPP User Interface, but notice that you can see only to Internet Explorer 8 but IE10 is missing.

Goal: How to configure proxy settings for IE10 and higher.

We have 2 ways we can achieve the desired outcome:

1) Using GPP [Group Policy Preferences] User Interface

In order to reach what do we require, we need one of the following machines added in the Domain:

• Windows Server 2012
• Windows Server 2012 R2
• Windows 8.0 machine + RSAT Tools: http://www.microsoft.com/en-us/download/details.aspx?id=28972
• Windows 8.1 machine + RSAT Tools: http://www.microsoft.com/en-us/download/details.aspx?id=39296

After installing the Group Policy Management Feature, ensure the following updates are installed:

• On Windows 8.1 or Windows Server 2012 R2 – https://support.microsoft.com/en-us/kb/2919355
• On Windows 8 or on Windows Server 2012 – https://support.microsoft.com/en-us/kb/2928422

               
A) Considering you have chosen any of the above machines, just open the Group Policy Management Console (required Administrator rights to edit policies)

From START/RUN window, Type GPMC.MSC to open the console.

B) Then you need to choose the group policy item in which you create settings and go to the following path:

User Configuration / Preferences / Control Panel Settings / Internet Settings / New /  choose Internet Explorer 10 (Right-Click or Double-click to open the settings)

Note: You need to select the option of Internet Explorer 10 in Group Policy Preference (GPP) to apply the settings for Internet Explorer 11 as the same settings apply to Internet Explorer 11.

REF: How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2 – https://support.microsoft.com/en-us/kb/2898604

NEXT: From the properties, click on the Connections Tab / LAN Settings 

C) Reaching the LAN Settings, we notice that is similar to the Internet Control Panel.

We have the same options to create a proxy configuration:

• Automatically detect settings 
• Use automatic configuration script
• Proxy Server

D) The first thing we notice is that we have red underline settings:

Settings which are underlined in red are not configured at the target machine, while settings underlined in green are configured at the target machine.
In order to change the underlining, use the following function keys:

F5 – Enable all settings on the current tab
F6 – Enable the currently selected setting
F7 – Disable the currently selected setting
F8 – Disable all settings on the current tab

Article reference: http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx

E) Configuring each setting in particular.

I would encourage pressing a F8 to disable all before configuring anything as the recommended scenario is to configure only the settings you want to apply.

Automatically detect settings, with the option checked:

Use an Automatic Configuration Script (AutoConfigURL) example [Remember to use F6 to enable this entry!]

Static Proxy Server configuration example [Remember to use F6 to enable this entry!]

2) The alternative way of configuring the Proxy Setting is deploying the registries keys directly.

Key path / location for the registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

• Automatically detect settings

Registry key: “AutoDetect”
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable

The key AutoDetect is only visible before you start IE10 (or IE11) on the machine, as IE will interpret it immediately and then delete the key right after. By that, the option will have its preference nature.

• Use automatic configuration script

Registry Key: “AutoConfigURL”
Value Type: REG_SZ
Value Data: “http://<servername|host>/my_proxy.pac”

• Proxy Server

To configure this,  you may need up to 3 registry keys:

“ProxyEnable” checkbox for “Use a proxy server for your LAN (these settings will not apply to dial-up or VPN connection)”              
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable

“ProxyServer”
Value Type: REG_SZ
Value Data: “ProxyServerName:Port”

“ProxyOverride”
Value Type: REG_SZ
Value Data: “list_of_exclusion”

Value Data: “list_of_exclusion;<local>”
<local> value represents the check: “Bypass proxy server for local addresses”
The value is added automatically when enabling the check box in the GPP User Interface (UI).
When deploying through the registry key is required.

You have different ways you can deploy the registry keys. The only important aspect is to deploy correctly the registry keys provided above.
But in this article I will present how it can be done via GPP Registry Item:

Location of the policy: User Configuration / Preferences / Windows Settings / Registry / Right Click + New + Registry Item

RELATED ARTICLES:

• How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP) ?

• How to use GPP Registry to uncheck automatically detect settings? 

• HOW TO CONFIGURE A PROXY SERVER URL AND PORT USING GPP REGISTRY ?

This blog has been provided to you by Adrian Guta and Heiko Mayer.

Tips for making sure your “Top sites” display your frequently visited sites over time:

1. Make sure you visit the same website address often: They should appear after approximately 10 visits.
2. We identify your frequently visited sites multiple times per day. Depending on your browsing habits, you may need to wait for up to a day before you see it in your Top sites.
3. Removing a Top site tile will exclude that website forever. To clear the list of excluded websites, please run “Clear browsing history” (Be sure to check the “Browsing history” checkbox)

​

This blog has been provided to you by the IE Support team!