Case of the Proxy Failing To Apply By Group Policy

A colleague had an issue with a Windows 7 deployment: every single user group policy deployed correctly, EXCEPT the proxy pac file setting, despite other objects in the exact same group policy object applying correctly.

A gpresult /h on the affected machine showed the policy setting had applied to the user.

However, despite these settings, “Automatically detect configuration” was ticked in IE on new deployments for new users logging on, causing internet access to fail.

My colleague took a ProcMon log of launching IE. I set the filter to Path contains AutoConfigURL, which is the name of the registry value in which this auto-proxy URL is set.

I could see the value was set correctly.

With this item selected, I then hit “reset filter” in ProcMon. We can now clearly see our culprit: notice MigrateProxy is set to 1 (the data written to the registry value is shown after the word Data).

By clearly I mean, clearly if you know the quirks of how Windows works :)

Through trial and error you can prove:

  • If MigrateProxy is set to 0 and Automatically Detect Settings is disabled, then on launching IE MigrateProxy is set to 1 and Automatically Detect Settings gets re-enabled.
  • If Automatically Detect Settings is not disabled, MigrateProxy seems to do nothing.

In this case the theory was proved by mounting \Users\Default\ntuser.dat and setting MigrateProxy to 1.

After doing this, new users logging onto the machine did not experience the issue.
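The default-profile change described above can be scripted. The following is an added example, not code from the original post. It assumes an elevated PowerShell session, that MigrateProxy lives under the standard per-user Internet Settings key (the key path is not spelled out in the text of this page), and it uses a hypothetical mount name, DefaultUserTemp.

```powershell
# Added example: set MigrateProxy=1 in the Default User hive so that
# profiles created afterwards inherit it. Run from an elevated prompt.
$hiveFile  = Join-Path $env:SystemDrive 'Users\Default\ntuser.dat'
$mountName = 'DefaultUserTemp'   # hypothetical temporary mount name under HKEY_USERS
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'  # assumed standard location

# Mount the default profile hive under HKEY_USERS.
& reg.exe load "HKU\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed for $hiveFile (not elevated, or hive already in use?)"
}

try {
    # Use the .NET registry API so the handle can be closed explicitly before unload.
    $key = [Microsoft.Win32.Registry]::Users.CreateSubKey("$mountName\$subKey")
    try {
        $before = $key.GetValue('MigrateProxy', $null)
        if ($null -eq $before) { $before = '(not set)' }

        $key.SetValue('MigrateProxy', 1, [Microsoft.Win32.RegistryValueKind]::DWord)

        $after = $key.GetValue('MigrateProxy')
        Write-Output "MigrateProxy in default profile: before=$before after=$after"
    }
    finally {
        $key.Close()
    }
}
finally {
    # Any lingering handle into the mounted hive makes 'reg unload' fail with
    # access denied, so force finalizers to run before unloading.
    [GC]::Collect()
    [GC]::WaitForPendingFinalizers()

    & reg.exe unload "HKU\$mountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "reg unload failed; HKU\$mountName is still mounted. Close open handles and unload it manually."
    }
}
```

Only profiles created after the change pick up the value; existing user profiles keep whatever their own hive already contains.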

You could deploy this setting via Group Policy to all machines if required.

This is documented in MS KB article http://support.microsoft.com/kb/2587595 and is actually not a bug, but by bad … ahem … confusing design.

Be warned though: MigrateProxy can be important, because if migration does not occur you may not get dial-up (if you use it) or VPN connection settings replicated as expected. If you apply the reg key hack, make sure you test any dial-up (if used) or VPN connections that appear in the Internet Options Connections tab, to ensure they continue to work.

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.