EMET 5.0 Group Policy Settings Ignored (Probable race condition with Policy application)

In our deployment, EMET 5 seems to be ignoring group policy settings from immediately after the first group policy refresh post-boot.
Settings are being applied to the computer correctly, and are appearing in the registry correctly, and on boot, a set of Event ID 50 events are logged containing ConfigAppmitGPO (and similar for the other settings) elements with the correct settings.
Upon the first group policy refresh, further Event ID 50 events are logged, with empty ConfigAppmitGPO elements.
Investigation with Process Monitor seems to indicate this is a race condition between Group Policy Registry settings being refreshed (which deletes the entries) and the EMET service reading out these settings from the registry (which appears to be triggered by Group Policy application or by a notification on the registry keys themselves).
This is reproducible on Windows 7 and Windows 8.1.
Is there any way to arrange for settings to be applied correctly at all times, or is this a bug that will need to be fixed in a future update?

We're experiencing the exact same behavior currently. I was starting to think I was going crazy. Glad to know others are experiencing the same behavior.
I've found that using the method from previous versions to read and update settings from Group Policy, using "emet_conf.exe --refresh", still works, and upon every execution, the event log shows the GPO settings being read and applied. While I welcome the move to have EMET update from GPO settings without requiring running a separate task, as it stands now in its current condition, it is a step back.
Scott Ladewig http://www.ladewig.com

Similar Messages

  • [svn:fx-trunk] 12795: Resolving race condition with interdependent Group properties alpha and blendMode.

    Revision: 12795
    Author:   [email protected]
    Date:     2009-12-10 09:56:11 -0800 (Thu, 10 Dec 2009)
    Log Message:
    Resolving race condition with interdependent Group properties alpha and blendMode.
    QE notes: None
    Doc notes: None
    Bugs: SDK-24636
    Reviewer: Deepa
    Tests run: Checkin
    Is noteworthy for integration: No
    Ticket Links:
        http://bugs.adobe.com/jira/browse/SDK-24636
    Modified Paths:
        flex/sdk/trunk/frameworks/projects/spark/src/spark/components/Group.as

  • Group Policy application frequency even if policy hasn't changed - Server 2012 R2

    Hi,
    I'm aware of the group policy refresh intervals which apply only if the policy has changed. If I remember correctly, Server 2003 applied policies every 16 hours even if they hadn't changed. A sort of "to be sure, to be sure" setting. Does this exist on Server 2012 R2 and is there a link with some doco that states this please?
    Thanks
    David Z

    > the policy has changed. If I remember correctly, Server 2003 applied
    > policies every 16 hours even if they hadn't changed. A sort of "to be
    > sure, to be sure" setting. Does this exist on Server 2012 R2 and is
    > there a link with some doco that states this please?
    This is still true, but it applies only to "Security Settings" within
    all GPOs. I'm unaware of current docs on that.
    Greetings/Grüße,
    Martin
    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me -
    coke bottle design refreshment (-:

  • Local group policy application issues

    I'm having some issues with applying local group policies using ZCM 11.2.3a. Basically, not all of the settings I've applied in the GPO are being applied to the PC.
    The setup is this:
    * Applying policies to Windows 7 Enterprise x64
    * User Group Policies are applied first, then Computer policies are applied. User policies seem to be applying correctly.
    * Security settings in the Computer Group Policy are applying correctly (eg, renaming the local administrator and guest account, displaying a message prior to the logon window).
    * The policies list in the ZCM agent properties reports that the policy has been successfully applied.
    * No settings in the 'Administrative Templates' section of the policy are applied to the PC.
    Checking in gpedit.msc, policies show that they're enabled. However if I run rsop.msc, there's no administrative templates section in the computer policy at all. If I run gpupdate /force, I also get errors for the computer configuration - 'The processing of Group Policy failed because of an internal system error'.
    This is a new policy package I've created from scratch within the past week.
    I've just now also gone and created a brand new test policy package, with one setting in admin templates configured, and one in security settings. This one has successfully applied correctly.
    Is anyone else seeing issues like this? It's not the first strange behaviour I've been seeing with ZCM policy application, and not the first policy package we've had that's become corrupted. I'm really starting to lose confidence in policy application via ZCM. Unfortunately, with no AD in our environment, I've got no alternative.

    Originally Posted by thatsnotme
    I'm having some issues with applying local group policies using ZCM 11.2.3a. Basically, not all of the settings I've applied in the GPO are being applied to the PC.
    The setup is this:
    * Applying policies to Windows 7 Enterprise x64
    * User Group Policies are applied first, then Computer policies are applied. User policies seem to be applying correctly.
    * Security settings in the Computer Group Policy are applying correctly (eg, renaming the local administrator and guest account, displaying a message prior to the logon window).
    * The policies list in the ZCM agent properties reports that the policy has been successfully applied.
    * No settings in the 'Administrative Templates' section of the policy are applied to the PC.
    Checking in gpedit.msc, policies show that they're enabled. However if I run rsop.msc, there's no administrative templates section in the computer policy at all. If I run gpupdate /force, I also get errors for the computer configuration - 'The processing of Group Policy failed because of an internal system error'.
    This is a new policy package I've created from scratch within the past week.
    I've just now also gone and created a brand new test policy package, with one setting in admin templates configured, and one in security settings. This one has successfully applied correctly.
    Is anyone else seeing issues like this? It's not the first strange behaviour I've been seeing with ZCM policy application, and not the first policy package we've had that's become corrupted. I'm really starting to lose confidence in policy application via ZCM. Unfortunately, with no AD in our environment, I've got no alternative.
    We have the same problem.
    It does not occur on all clients. Only sporadically. Some settings are applied, some not.
    We also have ZCM 11.2.3a in use.
    Have you already opened a SR on this? Can you let us share the information? Perhaps an SR number so that we can attach ourselves?
    Thanks Stefan

  • Group Policy Application Management

    Hi,
    I have one DC and one ADC, both virtual machines. One SAP application is running in the domain and I want to give access only to those users who are in AD.
    Kindly help me out, or let me know how I apply the group policy for that. URGENT.
    Regards,
    Ravi Kumar
    Email - [email protected]

    Hi
    You would do better to post on the SAP forums; however, below are the high-level steps:
    In SAP, you need to configure SSO integration with the AD user account.
    Configure Logon PAD with SSO enabled.
    We cannot provide access to SAP via AD GPO; it needs to be done on SAP.

  • Group Policy Guru? Group Policy and Windows 7 erratic and inconsistent.

    (*If you don't feel like reading everything, skip to the bottom two paragraphs for my questions)
    I've had a premier call open with MS since August. This week I had a Microsoft Technician in-house.  Though we eliminated some possibilities, we're not really closer to a cause or solution.
    Every time we work with an expert, I get a different explanation to describe the situation we are viewing.
    Quick summary of the issue: We've been using Group Policy to manage most Windows XP and 7 settings for years, but starting the middle of last year, we began having clients with machines where some or all group policies would fail to apply. These could be long assigned policies, new policies, or changes to policies. It would never affect everyone or even a majority at once, and the resolution is never the same. Sometimes a GPUPDATE /FORCE, sometimes fixed automajically the next day, sometimes (but very rarely) longer.
    Troubleshooting History:
    What we found in early troubleshooting was that these machines had errors in Event Viewer for Netlogon, Time-Sync, and Group Policy. The other issue we noticed was that our GPRESULT /H reports were missing security groups and the denied section was nothing but SSID's. The first issue pointed me to:
    Event ID 5719 and event ID 1129 may be logged when a non-Microsoft DHCP Relay Agent is used
    I installed these Hot Fixes.  No change to any of the errors in event viewer, or to our Group Policy problems.
    Initial work with Premier Support found that Netlogon, Time-Sync, and Group Policy were failing before loading of the network stack. The suggestion was to apply the group policy setting "Always wait for the network at computer startup and logon". At the time, this seemed not to work. The policy was set on a test bed of laptops and desktops, and no changes in behavior were seen after 3 days.
    Windows 7 Clients intermittently fail to apply group policy at startup
    For some time after this, we were collecting GPSVC and NetTrace logs for Premier Support, trying to document and troubleshoot the problem. Eventually we got fed up and asked our TAM to call in a pro to get this resolved. We were sent an engineer for 3 days. For three days we banged away on this issue. We verified AD and replication health, we tried numerous fixes and workarounds. I learned 3 different descriptions of how Group Policy works, and in the end we thought we had a workaround using the "Always wait for the network at computer startup and logon" because of a single success late in the day. On day 3 we tried replicating this fix, and quickly realized that the same issue we were having preventing other GPOs to apply was also preventing our "fix" GPO from applying. So we went the route of using a registry entry. I also had a problem that even though it was making the process more consistent, it was still taking 3 reboots for a Computer Policy, assigned to a computer object via Security Group, to fully take effect on a computer.
    I used the registry methods in the above article. It didn't work, no sign it was having the same effect the GPO had had.
    Our support engineer claimed this was the proper method, but that path wasn't even close in a Windows 7 SP1 registry, and after creating all the keys that were not present, it still didn't work.
    Always wait for the network at computer startup and logon - AzureWeb
    We ran out of time, our engineer returned home.
    I can understand how these errors indicate a problem applying Group Policy at boot. But to me it doesn't explain why it doesn't correct post boot, and after a GPUPDATE /FORCE and a reboot.
    It also doesn't explain why we were working fine for years, then all of a sudden DHCP is being outrun by background services. (By the way, logging showed DHCP wasn't significantly delayed, our boot process was actually excellent, health wise.) Why all of a sudden is this not behaving optimally? No changes to network design or function. No changes to the domain since 2008 R2 was installed in 2011.
    Today I'm reading through all these KB's and articles again, and took some time to read:
    [Forum FAQ] Common steps to start troubleshooting Group Policy application and its links below.
    We ran though all of that before and during the 3-day onsite.  It's not getting us any closer to the cause or a solution.
    I found and began some deep reading in this link today. It has some additional information I will try to use next week:
    Group Policy Basics - Part 3: How Clients Process GPOs
    The one unanswered question I have is this. How is group policy supposed to apply to a computer, when that policy is applied to an AD Security Group, in which the computer object is a member?
    Before we began having this problem, we would assign a computer GPO, then ask the user to reboot. If it were a user GPO, we'd ask the user to log off, or reboot. Either way, if we allowed a few minutes for AD and FRS replication, the user would log back in with that new policy in effect. A new imaged machine would boot with all the GPO's linked to that domain and assigned to "Authenticated Users" already in effect. Admin groups would be present in administrators, proxy settings would be set in Internet Explorer, etc.
    Now I'm asked to believe this was never the case by Premier Support and Microsoft Engineers. That those policies require the equivalent of a "GPUPDATE /FORCE" that was executed by the Local_System account. That 3 reboots may be necessary for a group policy to be applied. One for the AD Security Group to be applied. One for the Computer Policy to be applied. And a final one for the policy in the GPO to be applied to Windows.
    Can someone confirm or correct this information please? It's imperative to my troubleshooting.
    There's no place like 127.0.0.1

    That key is empty on all of my machines I have checked today.  Working and problematic alike.
    GPRESULT logs, when run as me, historically would show the group policies applied, denied, and the AD group membership all by name. About 6 months ago I noticed this changed.
    Now they show the applied GPO's by name, a few of the denied GPO's by name, most by SID, and only 2 to 3 AD groups, though PowerShell shows all the AD groups assigned. This happens after several AD security and distribution groups are added to the machine (Radia software distribution uses Dist groups to assign software).
    A check showed no groups with long legacy Kerberos keys.
    When we make a change to AD Security Group membership, to assign or deny a Group Policy, is usually when we encounter this problem. It will usually fix itself in 24 hours of the machine being left up and running. But no amount of GPUPDATE /FORCE and rebooting will cause the changes to take effect.
    During this time, the Group Policies will show assigned to the computer in the GPRESULT log.
    Yesterday I began looking into Spanning Tree configuration on our network being a possible cause for the boot up issues.  I'm waiting on responses from our Network group to confirm our configuration.
    There's no place like 127.0.0.1

  • Problem Pushing Printer Preferences through Group Policy

    Most of the time, networked printers that we push through group policy preferences show up just fine on our clients (Windows 7). About 1 in 10 computers fail however, and it's driving me up the wall! The computer that fails is not consistent, meaning I can reboot a computer and the printer then shows up correctly. It may not, however, a week later. Fairly random. Looking through the application event log, I uncovered this:
    The user 'myprinter' preference item in the 'mygrouppolicy {7EDE8A14-773C-4E43-93AE-050240E0B204}' Group Policy object did not apply because it failed with error code '0x800706ba The RPC server is unavailable.' This error was suppressed.
    Again, this error does not occur all the time, though if I reboot a large group of computers, it will definitely show up on 1 or 2 of them. At this point, I'm looking for any suggestions for a next step. Thanks!
    -Peter

    Hello Modab,
    If you reboot server the printer is redeployed properly. It is possible that when the printer is deployed the network is still not prepared properly so the RPC error is popped up. Please try the following suggestions:
    1. Disable Fast Logon feature
       Enable the [Computer Configuration \ Administrative Templates \ System \ Logon \ Always wait for the network at computer startup and logon] group policy.
       Logon Optimization
       http://msdn.microsoft.com/en-us/library/aa374350(VS.85).aspx
       Description of the Windows XP Professional Fast Logon Optimization feature
       http://support.microsoft.com/kb/305293/en-us
    2. Group policy application issue may occur because of Gigabit NIC. Please try the suggestions in the following steps and KB.
       a. To prevent your network adapter from detecting the link state (for Windows Vista/7):
          Run the following commands one by one:
          netsh interface ipv4 set global dhcpmediasense=disabled
          netsh interface ipv6 set global dhcpmediasense=disabled
          For Windows XP, you can see
          http://support.microsoft.com/kb/239924
       b. Contact the vendor of the network card or visit their web site to obtain updated drivers for the Gigabit NIC.
          Examples of NICs known to exhibit this issue:
          - Broadcom Gigabit Adapter
          - Intel Gigabit Ethernet PRO Adapter, Intel Pro/1000
          - Intel 82544EI-based XT Gigabit Adapter (82540EM chipset)
          - Compaq/HP NIC dual interface 10/100/1000 doing teaming (HP NC7170)
          - Dell Inspiron laptops using an on-board Broadcom BCM4401 NIC
       c. A server may have a Dual Port NIC or multiple NIC's with one port or NIC set to Disabled. The disabled port or NIC should not be at the top of the binding order in the Network Advance Properties.
          1. Click Start, point to Settings, and then click "Network and Dial-up Connection".
          2. On the Advanced menu, click "Advanced Settings".
          3. On the "Adapters and Bindings" tab, in the connections list, select the NIC that the clients use to connect to the server and move it to the top of the list.
       d. Turning off STP can cause issues in your network if a loop ever develops. If you are running a Cisco Series switch or any other switch that runs Spanning Tree, it is best to leave spanning tree turned on, but enable PORTFAST on all the ports except uplink and fiber trunks.
          326152 Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices
          http://support.microsoft.com/default.aspx?scid=kb;EN-US;326152
    3. Remove all of 3rd-party software such as firewall software.
    4. Set a registry value to delay the application of Group Policy.
       http://support.microsoft.com/kb/2421599
       http://support.microsoft.com/kb/840669
    Brent Hu,

  • How to configure group policy for emet via a command line

    I have been tasked with installing emet on 50 servers that I only have access to with our patching server (so I can't remote in and open the gpedit gui). I can get it to install, but now the problem that I'm facing is I need to enable 6 of the group policies for emet. Is there a way to do this while installing it? or a way to do it after the install?

    cmd line you need to deal with is in the C:\Program Files (x86)\EMET 4.1 folder
    specifically emet_conf --refresh would tell the systems to pull in the settings from a GPO they have already applied.
    In a non-SCCM environment I would probably recommend using group policy preferences and create a task scheduler item on your servers that runs emet_conf --import \\fileserver\settingsfile.xml on some sort of automated basis. Then you can just configure a client like you need and run the emet_conf --export \\fileserver\settingsfile.xml whenever you need to change a mitigation etc and the clients will pick up on the change on their next run of the task scheduler item.
    In general installing on servers isn't a great idea and is not the intended use case for emet however if you are DoD/Gov then DISA has mandated it so won't argue there. There's also the people that still have Internet access from servers so then it would make sense in that environment as well.
    CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response/FOPE) Check out my blog http://blogs.technet.com/kfalde or better yet check out http://technet.com/wiki and start contributing :)

  • Manual client deployment not picking up Group Policy provided registry settings

    We are having an issue with some laptops and machines that are turned off overnight not downloading necessary items for the SCCM 2012 client install. We are going through the upgrade from 2007 to 2012 and are manually installing the client through the SCCM console. Now that we have gotten the majority of our clients up to the 2012 version, we are planning to push the client going forward through WSUS. Unfortunately, BITS is not allowing the update to come down in the time that some machines are on the network.
    After some digging, we have concerns that the Group Policy setting for the command line properties are being ignored.
    We have the Group policy set as follows:
    /mp:oursccmserver.domain.com / service / forceinstall / BITSPriority:FOREGROUND SMSSITECODE=PRISITE FSP=OURFSP.domain.com
    However, the command line entry in the ccmsetup.log file on machines that have received the client as well as those not installing is showing the following:
    - Ccmsetup command line: "C\Windows\ccmsetup\ccmsetup.exe" /runservice /config:MobileClient.tcf
    - Command line parameters for ccmsetup have been specified. No registry lookup for command line parameters is required.
    Can someone tell me why it is not picking up the settings in the registry? We have verified the settings are hitting the machines from GP, it just does not seem to be using them, which is why we think it is allowing BITS to throttle the download of the pre-reqs.
    Thanks in advance for any suggestions/help.

    Sorry for not updating this...
    After digging for days on this and contemplating calling MSFT support, I happened to check the Client Push installation properties and found the Install properties had been removed from each of our sites (1 primary and 2 secondary's).
    Although we do not have Client Push enabled for a variety of reasons, the properties have to be set for the manual push of the client from the console. Once we re-entered the command line options for the Push install properties, manual installation from the console is working as expected.

  • EMET group policy preference "application configuration" vs "default protection for popular software"

    Hello,
    Trying to implement EMET 4.1 update 1 in a VDI environment using group policy. When all default protections are enabled (IE, recommended and popular) EMET is blocking the startup of windows media player within citrix session as caller mitigation. At this time I wanted to use the GPO "Application Configuration" to specify an exception as "wmplayer.exe -Caller". Even tried "*\Windows Media Player\wmplayer.exe -Caller" but startup would still get blocked. When using emet_conf --list I would see three entries for wmplayer and the only way to remove Caller is to disable policy "default protection for popular software". Shouldn't settings in Application Configuration take priority as being the exception to the rule? Alternative is to turn off the "default protection for popular software" and list all of them one by one (or use XML file).
    here is part of the output of emet_conf --list
    all policies:
    wmplayer.exe           *\Windows Media Player       DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt SimExecFlow StackPivot
    wmplayer.exe                                        DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt SimExecFlow StackPivot
    wmplayer.exe           *\Windows Media Player       DEP NullPage HeapSpray BottomUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
    without "default protection for popular software" (much less applications listed)
    wmplayer.exe                           DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt SimExecFlow StackPivot
    wmplayer.exe  *\Windows Media Player   DEP SEHOP NullPage HeapSpray EAF MandatoryASLR BottomUpASLR LoadLib MemProt SimExecFlow StackPivot
    Thank you

    If I understood correctly from talking to EMET feedback team last time, they said App Config settings don't actually override any of the default app or popular or IE protection profiles. (It really seems like App config settings override the other profiles from the manual, hey? I thought so as well.)
    Sooo, it sounded like we'd need to extract the recommended or popular app list, convert it to the path + mitigation not included format for the app config GPO and then just use app config to manage it.
    Needless to say it sounded surprising and laborious and not management by exception at all.
    Rinse repeat for new versions of emet and XML policy files.
    p.s. what would be really helpful in the admin guide is some real world examples of contoso.local where they apply the recommended apps + a few exceptions for all + custom exceptions for a separate class of machines or groups of users. hmeh.
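
Added example, not part of the thread and not EMET's own code: a Python parser for `emet_conf --list` output in the layout quoted in the question above. It undoes the console's line wrapping and reports, per executable, the mitigations that appear in some entries but not in others. The column layout (fields separated by two or more spaces), the wrap that inserts only a line break, and the `notepad.exe` row are assumptions; the sample text is constructed from the output quoted in the question.

```python
import re
from collections import defaultdict

# Mitigation names exactly as they appear in the output quoted in the thread.
MITIGATIONS = frozenset({
    "DEP", "SEHOP", "NullPage", "HeapSpray", "EAF", "MandatoryASLR",
    "BottomUpASLR", "LoadLib", "MemProt", "Caller", "SimExecFlow", "StackPivot",
})

# Assumption: a new entry starts with an executable name and a column gap.
ENTRY_START = re.compile(r"^\S+\.exe\s{2,}", re.IGNORECASE)

# Constructed sample, modelled on the wrapped console output in the question.
# The notepad.exe row is invented to show an executable with a single entry.
SAMPLE = r"""
all policies:
wmplayer.exe           *\Windows Media Player       DEP SEHOP NullPage HeapSpray
 EAF MandatoryASLR BottomUpASLR LoadLib MemProt SimExecFlow StackPivot
wmplayer.exe                                        DEP SEHOP NullPage HeapSpray
 EAF MandatoryASLR BottomUpASLR LoadLib MemProt SimExecFlow StackPivot
wmplayer.exe           *\Windows Media Player       DEP NullPage HeapSpray Botto
mUpASLR LoadLib MemProt Caller SimExecFlow StackPivot
notepad.exe                                         DEP SEHOP NullPage
"""


def unwrap(text):
    """Rejoin rows that the console split at its right margin."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START.match(line):
            rows.append(line)
        elif rows:
            # Continuation: only a line break was inserted, so the pieces are
            # glued back together without adding a separator.
            rows[-1] += line
        # Text before the first entry (a heading, for example) is ignored.
    return rows


def parse_entries(text):
    """Return a list of (executable, path pattern, frozenset of mitigations)."""
    entries = []
    for row in unwrap(text):
        fields = re.split(r"\s{2,}", row.strip(), maxsplit=2)
        exe, rest = fields[0].lower(), fields[1:]
        if len(rest) == 2 and not set(rest[0].split()) <= MITIGATIONS:
            path, names = rest[0], rest[1].split()
        else:
            # No path column: everything after the name is the mitigation list.
            path, names = "", " ".join(rest).split()
        unknown = [n for n in names if n not in MITIGATIONS]
        if unknown:
            # Fail loudly instead of silently dropping a garbled token.
            raise ValueError(f"unrecognised mitigation(s) {unknown} in: {row!r}")
        entries.append((exe, path, frozenset(names)))
    return entries


def contested(entries):
    """Map each executable with several entries to the mitigations on which
    those entries disagree (enabled in at least one entry, absent in another)."""
    by_exe = defaultdict(list)
    for exe, _path, mitigations in entries:
        by_exe[exe].append(mitigations)
    report = {}
    for exe, sets in by_exe.items():
        if len(sets) > 1:
            diff = frozenset.union(*sets) - frozenset.intersection(*sets)
            if diff:
                report[exe] = set(diff)
    return report


if __name__ == "__main__":
    for exe, names in contested(parse_entries(SAMPLE)).items():
        print(f"{exe}: entries disagree on {', '.join(sorted(names))}")
```

A mitigation listed in the report is still enabled by at least one entry for that executable, which is the situation the question describes for Caller.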

  • Backup & Restore non-administrators Group Policy Settings

    Hi,
    I'm trying to setup a few reference images of Windows 7 which will be deployed to our client computers. The baseline Group Policies are configured through Local Group Policies set in the image. I've setup a Master GPO machine on which to build the policies and test them.
    The Local Group Policies have been set for Local Computer Configuration, Local User Configuration and for Local Non-Administrators Configuration. The thinking is that members of the local Administrators group on the computer are unrestricted and still have the ability to do most things. Users which log onto the computer abide by the more restrictive Non-Administrators Group Policy settings.
    Using the "LocalGPO.wsf" script I'm able to backup and restore Computer and User Configuration which affects all users of the machine but it does not backup the Non-Administrators Policies. Is this possible?
    After some digging around in the "GPOPack.wsf" files I've found that the Machine & All Users Policies are restored by the "LocalPol.exe" file. This utility has command line switches for '-m' machine and '-u' user. So I'm guessing that it's not possible to restore the Non-Administrators Policies?
    For what it was worth I've tried copying the "Registry.pol" file from "%windir%\System32\GroupPolicyUsers\S-1-5-32-545\User" folder on the GPO Master machine and placed the file in the same location on target computer. A test which had one value set worked on the reference computer but when the policies were copied from the GPO Master machine, the target computer ignored all the settings.
    Any ideas how to backup/restore Local Machine Non-Administrator Group Policies?
    Thanks!

    Not entirely sure of the specific policies you're dealing with, but you would typically use the Microsoft Security Compliance Manager to create GPO packs that you would then apply using the Apply Local GPO Package task sequence step in MDT.
    I'd encourage you to look over the Applying Group Policy Object Packs section of the Using the Microsoft Deployment Toolkit.docx file in the MDT 2013 documentation for more details.
    MDT 2013 documentation can be downloaded here: LINK

  • Skype History Settings using group policy

    Hello,
    How to disable Skype keep History for (Forever, 1months, no History) settings using Group Policy Settings.
    Regards,
    Yatin

    It's all in the Skype admin guide:
    https://support.skype.com/en/doc/DO5/skype-it-administrators-guide
    If you have Skype-specific questions, you'll probably get better help with your questions on the Skype site.
    Don't retire TechNet! -
    (Don't give up yet - 12,420+ strong and growing)

  • Windows 8 and IE10 not accepting Proxy Settings via Group Policy

    We have recently introduced a couple of Windows 8 computers in our network, and we are having issues applying the Internet Explorer Proxy Server settings.
    We use a Microsoft TMG 2010 server as our proxy server for accessing the internet.
     We have been using a GPO with the following settings to automatically configure our Windows 7 computers running IE9 with the appropriate Proxy settings:
    User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\Connection/Proxy Settings
    “Enable Proxy Settings” : Checked
    “Address of proxy” : server.domain.local
    “Port” : 8080
    “Use the same proxy server for all addresses” : Checked
    “Exceptions” : Here we have a list of several internal or partner sites that should not be proxied.
    This GPO has worked beautifully for our Windows XP and Windows 7 users with IE 7, 8 and 9.
     Now with Windows 8 and IE10, this no longer works. 
    I’ve therefore added a Windows Server 2012 Domain Controller to the network, and using GPMC on that new DC, I created a new GPO with the following settings:
    User Configuration\Preferences\Control Panel Settings\Internet Settings\Internet Explorer 10
    Now, seeing as these are preferences, it’s a little different.  But, I’ve “checked off” the option “Use a proxy server for your LAN” as well as “Bypass proxy server for local addresses”. 
    Then I click on “Advanced” and setup all my proxy settings the way I would like them, including the proxy server name, port and exceptions list.
    When this new group policy gets applied to my Windows 8 PC, the only setting that gets applied is the “Use a proxy server for your LAN”. 
    It does not configure the name or port of the proxy server nor does it configure the exceptions list. 
    If I go back to the GPMC, and edit the new GPO, the settings are all there. 
    However, if I just view the settings from the main GPMC screen (without opening the GPO itself), 
    I don’t see all of those settings (again, only the one “Use a proxy server…”)
    What am I missing???

    Hi All, - (Revised Answer by myself)<o:p></o:p>
    I banged my head against the keyboard on this one for some time trying to get this group policy to apply.  I
    did every thing that was suggested, learning about the F6 and F7 keys to Green underline and Red underline the options required and not required.  I even gave in and used the registry settings and it still did not work.  It turned out that I had
    2 issues.  The first one is obvious and the second not so obvious, this is how it is setup:
    I have a 2012 R2 Standard DC with Windows 8.1 clients/workstations and IE 11.  As you are aware you must make
    sure that the following are underlined in green:
    Automatically detect settings - (but not ticked)<o:p></o:p>
    Use proxy server for your LAN<o:p></o:p>
    Bypass Proxy for local address<o:p></o:p>
    Next I made sure that the following had red dotted lines:
    Address<o:p></o:p>
    This still didn't work, so I went through my 'Do Not use proxy servers for addresses beginning with' removed all
    of these and then re-added one by one until the problem materialized.  The first issue was when using wildcards I had added an entry with the following:
    http://domain.subdomain.com/*
    This then caused my proxy fields not to be applied. I re-added this just with:
    http://domain.subdomain.com/
    This next one is IMPORTANT.
    I had these entries in a Word document of which I had copied and pasted from the entry box for 'Do
    Not use proxy servers for addresses beginning with'.  As shown in the screen shot above provided by SVEN_BURGER I had very similar entries:
    http://domain.subdomain.com/;10.*.*.*;172.27.*.*;http://172.27.*.*
    Each time I copied and pasted the line (+ more) above, the proxy field on the Windows 8.1 client
    would be blank after using 'gpupdate /force'. I then noticed that in my Word document the whole string was being seen as 1 URL due to the http part at the beginning, so I changed my entry to look like this:
    10.*.*.*;172.27.*.*;http://172.27.*.*;http://domain.subdomain.com/
    I again noticed that this section:
    http://172.27.*.*;http://domain.subdomain.com/
    Was being seen as one URL in my Word document.  To resolve this I had to add the URLs individually and
    apply and OK these before going back in and making the next entry.  So I ended up adding them all individually after separating the
    URLs in my Word document.
    I hope this helps.
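
    A client-side check for the symptom described above, as an added example that is not part of the original post: it splits the intended exceptions string, flags the entry shape the poster found problematic, and compares the list with what the user's Internet Settings registry key holds after 'gpupdate /force'. The function names and the non-ASCII heuristic are assumptions made for this illustration.

```powershell
# Added example, not from the original post.
# Assumption: proxy settings are per-user (the default), so IE reads them from HKCU.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Exceptions list as intended in the GPO (the final string from the post above).
$intended = '10.*.*.*;172.27.*.*;http://172.27.*.*;http://domain.subdomain.com/'

function Split-BypassList {
    param([string]$List)
    # Entries are semicolon-separated; trim whitespace and drop empty items.
    @($List -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Get-BypassEntryWarning {
    param([string]$Entry)
    $warnings = @()
    # Shape the poster reported as breaking policy application: URL ending in /*
    if ($Entry -match '^[a-z][a-z0-9+.-]*://.+/\*$') {
        $warnings += 'scheme-prefixed URL ending in /*'
    }
    # Heuristic (assumption): pasting from Word can carry non-printable or
    # non-ASCII characters that are invisible in the GPO editor.
    if ($Entry -match '[^\x21-\x7E]') {
        $warnings += 'contains whitespace, control or non-ASCII characters'
    }
    $warnings
}

$wanted = Split-BypassList $intended
foreach ($entry in $wanted) {
    foreach ($w in Get-BypassEntryWarning $entry) {
        Write-Warning "Intended entry '$entry': $w"
    }
}

# Read what the client actually holds after 'gpupdate /force'.
$applied = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$have    = Split-BypassList ([string]$applied.ProxyOverride)

[pscustomobject]@{
    ProxyEnable   = $applied.ProxyEnable
    ProxyServer   = $applied.ProxyServer
    MissingOnHost = @($wanted | Where-Object { $have -notcontains $_ })
    ExtraOnHost   = @($have | Where-Object { $wanted -notcontains $_ })
}
```

    An entry of `<local>` under ExtraOnHost corresponds to the "Bypass proxy server for local addresses" checkbox rather than to a typed exception.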

  • How to install Windows Updates on a 2012 Domain Controller w/Group Policy Settings

    Hello All,
    I'm having an issue installing Windows Updates on my Windows Server 2012 Standard with AD DS role, acting as a backup DC.
    I have Group Policies setup for the Domain Controllers to download updates from my WSUS server but not to install them. When I go to my Windows Server 2003 R2 Domain Controller, I can install updates via the "Install Updates and Shutdown". That
    option doesn't show up on the 2012 server. I can see from my WSUS server and the event viewer that the updates are being downloaded to the 2012 server........just no option for me to install the updates.
    Am I just missing something or will I need to change the way my Group Policy is setup to allow installs and/or downloads? Any help would be greatly appreciated!
    Tony

    So I've totally removed the GPO settings for configuring updates on the Default Domain Controllers OU and I can get the Windows Server 2003 Server to get updates from Windows Updates, but the 2012 Server still won't show me how to download or install any
    updates. It just states on the log-in screen that there are "Windows Updates Sign in and install important updates".
    Well guess what Microsoft! I've signed in and still don't see where I can install updates!!!
    I guess because you've set AU=3.
    There doesn't seem to be much documented in depth about AU/WUAgent (not in the history of forever), but Lawrence and others in the WSUS forum do cover a lot of related questions about the agent and also GP settings.
    Lawrence has blogged a lot of detail about the registry settings which are available for AU/WU, and how some of those settings are not practically of any use since WinXP.
    So, even though your question isn't about WSUS, the WSUS forum is a great place to visit for help for WUAgent etc.
    Anyway, "where can I install updates?" :
    on the Start screen, Search for "Windows Update"
    or
    Settings charm
    Change PC Settings
    Update and Recovery
    Windows Update
    or
    Control Panel\System and Security\Windows Update
    Some further (light) discussion on the "new" behaviour:
    http://blogs.msdn.com/b/b8/archive/2011/11/14/minimizing-restarts-after-automatic-updating-in-windows-update.aspx
    Don

  • Windows 8 and IE10 and 11 not accepting Proxy Settings via Group Policy from windows server 2003

    Hi
    We are still running Windows Server 2003 with a Win7 and Win8 desktop environment. I can control Win7 IE9 settings,
    but Win8 systems are running IE10. We have an internal proxy server.
    Is there any way to force the proxy settings to the Win8/IE10 or 11 systems?
    I have tried with the IE 10 .adm template and applied the GPO, but it does not have any proxy settings for IE10 and no changes were applied.
    Please can anyone help me regarding this?
    I want to apply GPO from Windows Server 2003 to Windows 8 IE10/11.
    Thanks
    KNC

    Hi,
    I agree with Zanderol24, we can install RSAT on a Windows 8 client, and then we can use Group Policy Management to manage group policy from the client.
    For more information about RSAT, we can refer to the following link:
    Remote Server Administration Tools (RSAT) for Windows Client and Windows Server (dsforum2wiki)
    http://social.technet.microsoft.com/wiki/contents/articles/2202.remote-server-administration-tools-rsat-for-windows-client-and-windows-server-dsforum2wiki.aspx
    For more detailed information about how to use GPP to configure the proxy setting for ie10 and ie11, we can refer to the following link:
    How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2
    http://support.microsoft.com/kb/2898604
    When we use GPPs you need to be aware of the F5-F8 keys:
    Red / Green: GP Preferences doesn’t work even though the policy applied and after gpupdate \force
    http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx
    Besides, aside from using group policy to manage IE, IEAK can also be used to do this.
    For IEAK, the following article can be referred to for more information.
    Internet Explorer Administration Kit (IEAK) Information and Downloads
    http://technet.microsoft.com/en-in/ie/bb219517.aspx
    Best Regards,
    Erin
