Failed to apply Proxy Setting through GPO

 

We often get customer service requests about proxy settings not applying via GPO. Customers usually deploy the LAN settings through GPO IEM. I have summarized several symptoms and solutions from my support experience in case you run into a similar issue:

 

1. Check whether there is an invalid entry in the Exception List

See the article below for the Proxy Bypass Lists entry rules.

Using Proxy Selection and Proxy Bypass Lists

https://technet.microsoft.com/en-us/library/dd361953.aspx 

This issue can be easily reproduced in the IE UI: the proxy setting cannot be saved if there is an invalid entry in the Proxy Bypass List in Internet Options\Connections\LAN Settings.

In one of my cases, the customer had an Exception List setting in IEM Connection Settings resembling the one below; the entry highlighted in yellow is the invalid one.

smtp.mstest.com.au;mail.mstest.com.au; remote.mstest.biz;https://ms-sql;https://ms-sql/Reports/Pages/Report.aspx?ItemPath=%2fDashboards%2fAXS_SalesDashboard

 

After the invalid entry was removed, the GPO proxy setting applied to users successfully.

Moreover, if we capture a Process Monitor log while running gpupdate /force on the client machine, we can see that there is no RegSetValue action on the Internet Settings values:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer  

If we check brndlog.bak or brndlog.txt under C:\Users\%user%\AppData\Local\Microsoft\Internet Explorer\ on a Win7 machine, it shows that processing stopped after the exception list setting, as below.

02/25/2013 17:00:57 Processing proxy settings from the ins file…

02/25/2013 17:00:57 "Flags" is set to 0xB.

02/25/2013 17:00:57 "ProxyServer" is set to "192.168.10.21:8080".

02/25/2013 17:00:57 "ProxyBypass" is set to " smtp.mstest.com.au;mail.mstest.com.au; remote.mstest.biz;https://ms-sql;https://ms-sql/Reports/Pages/Report.aspx?ItemPath=%2fDashboards%2fAXS_SalesDashboard;<local>".

02/25/2013 17:00:57 ! Processing of this Wininet.dll connection settings failed.

02/25/2013 17:00:57 Done.

02/25/2013 17:00:57 Done.
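The brndlog.txt check described above, as an added example that is not part of the original post: it pulls out the proxy values logged before each "!" failure line and splits ProxyBypass into entries for review. The sample log is constructed from the excerpt above, and the function names and the flagging heuristic (whitespace, URL path or query string) are assumptions, not rules stated on this page.

```python
import re

# Constructed sample, abridged from the brndlog.txt excerpt above.
SAMPLE_LOG = '''\
02/25/2013 17:00:57 Processing proxy settings from the ins file...
02/25/2013 17:00:57 "Flags" is set to 0xB.
02/25/2013 17:00:57 "ProxyServer" is set to "192.168.10.21:8080".
02/25/2013 17:00:57 "ProxyBypass" is set to "mail.mstest.com.au; remote.mstest.biz;https://ms-sql/Reports/Pages/Report.aspx?ItemPath=x;<local>".
02/25/2013 17:00:57 ! Processing of this Wininet.dll connection settings failed.
02/25/2013 17:00:57 Done.
'''

LINE = re.compile(r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$')
SETTING = re.compile(r'^"([^"]+)" is set to (.*)\.$')

def failed_proxy_blocks(log_text):
    """Return the settings logged before each '!' failure line."""
    findings, current = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        stamp, msg = m.groups()
        if msg.startswith('Processing proxy settings'):
            current = {}  # a new proxy block starts here
        elif (s := SETTING.match(msg)):
            current[s.group(1)] = s.group(2).strip('"')
        elif msg.startswith('!'):  # assumption: '!' marks a failed step
            findings.append({'time': stamp, 'error': msg[1:].strip(), **current})
    return findings

def review_bypass(value):
    """Split a ProxyBypass value; note entries worth a manual check."""
    reviewed = []
    for entry in filter(None, value.split(';')):
        notes = []
        if entry != entry.strip():
            notes.append('surrounding whitespace')
        rest = entry.strip().split('://', 1)[-1]  # drop optional scheme
        if '/' in rest or '?' in rest:
            notes.append('URL path or query string')
        reviewed.append((entry, notes))
    return reviewed

if __name__ == '__main__':
    for block in failed_proxy_blocks(SAMPLE_LOG):
        print(block['time'], block['error'], 'ProxyServer =', block.get('ProxyServer'))
        for entry, notes in review_bypass(block.get('ProxyBypass', '')):
            print('  %-12s %r' % ('REVIEW' if notes else 'ok', entry), ', '.join(notes))
```

A flagged entry is only a candidate for review against the Proxy Bypass Lists article; the script does not decide validity.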

 

2. Users with administrator permission get the proxy setting applied but normal users do not

We captured a Process Monitor log while a normal user logged in and ran gpupdate /force.

It shows that the values are actually written to HKLM\Software\Microsoft\CurrentVersion\Internet Settings\

Since a normal user does not have permission to set values under the HKLM key, the write returns “Access Denied”.

 

By default, IE and Winlogon usually query the value from HKCU or HKU\[SID]. However, if a GPO enables Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Make proxy settings per-machine (rather than per user), which applies proxy settings to all users of the same computer, the proxy setting is written to the HKLM machine-level path.

 

In this case, we found that the customer had this setting configured in another GPO, which was applied at the OU level and set to merge with the Default Domain Policy.

 

3. Proxy setting not applied for users (random issue) during peak hours

 

You may enable Internet Explorer policy processing as described in this article:

https://technet.microsoft.com/en-us/library/cc978526.aspx

 

The two options from this article that you can enable:

Allow processing across a slow network connection

Process even if the Group Policy objects have not changed

 

In future, I will fill in more scenarios and hope it is helpful. Enjoy!!! 

 

Reference

========

Entries in the proxy exception list are not shown in the Internet Explorer 7 Advanced Proxy Settings dialog box

https://support.microsoft.com/kb/968847

Regards,

 

Anik from APGC DSI Team