The Enterprise Eightfold Path

Disabling the Internet Explorer “Automatically detect settings” checkbox using AppSense DesktopNow

The Enterprise Eightfold Path

Disabling the Internet Explorer “Automatically detect settings” checkbox using AppSense DesktopNow

By James Rankin   |     Monday 1 September 2014

Tags:

I worked at a client recently where the presence of a check in the “Automatically detect settings” box in the Connections | LAN Settings part of Internet Explorer Options appeared to cause no end of problems. Long delays loading websites and poor logon performance of published applications were the primary issues observed. There’s probably some network-based reason behind this, but given that when the box was unchecked everything worked fine (because we’d deployed all the proxy server settings and the like through Environment Manager), the obvious answer seemed to find some way to uncheck the box for all users, and everything would be fine.

However, getting the check out of the darned box didn’t seem to be as easy as we first anticipated.

The check box of evil

Most of you are probably sitting there and thinking “easy, just use the Group Policy Internet Explorer Maintenance options”. That’s a good point – but deploying Internet Explorer settings through the mechanisms available in Group Policy soon becomes murky.

You’ve got three distinct sets of settings. Those in Internet Explorer Maintenance (which incidentally have been deprecated from Server 2012/IE 10 onwards anyway), those in Windows Components | Internet Explorer, and those in Preferences | Control Panel | Internet Settings. Unfortunately, all three of these have different sets of available options, and some of them interact differently – some overwrite, some merge, some do both. It soon becomes a nightmare to maintain, particularly if you’ve got multiple browser versions.

My normal stance on this is to transfer as much as possible into AppSense Environment Manager by deploying the Registry settings directly. I’m going to do an article with a sample configuration soon, because you have to use Registry Actions directly for a lot of the stuff you used to see in Internet Explorer Maintenance, as there is no ADM/ADMX support.

For the problem in question, though, there appeared to be no easy way to deploy this option so it was unchecked by default. Group Policy Preferences don’t allow it to be deployed through Internet Options. Internet Explorer Maintenance was unworkable due to the way it interacted with other settings, and as mentioned earlier, is slated for removal anyway. The base Internet Explorer GPOs in Windows Components | Internet Explorer don’t seem to have a setting for manipulating this either. It might have been an option to set the default profile up with the box unchecked and then let users build their settings from there, but that seemed unsatisfactory given that a lot of users were already using the new environment. Besides, if the setting ever needed to be changed back, we would be back to square one again.

Hunting the Internet for Registry settings that controlled this seemed to be the only option. Eventually, we discovered a setting in HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections called DefaultConnectionSettings that seemed to control this.

However, the value is a REG_BINARY, which straight away complicates matters. Manipulating binary values with either regedit.exe from the command line, AppSense EM Registry Actions or even Group Policy Preferences can be tricky, especially when it turns out – as in this case – that we need to change one particular bit of the binary value in order to uncheck the setting. As usual, there’s only one surefire way to do this without taking the risk of wiping out the whole value – a touch of scripted goodness.

I was looking to do this in PowerShell, but I managed to find a VBScript that did the job nicely – handy that Environment Manager supports both equally well! As in my last post, I must apologize to the author of the script for not remembering where I pulled this from – feel free to get in touch and I will credit you for it.

Let’s look at our test user before we put the script in place. We’ve configured a proxy server, proxy port and various other browser settings through Registry Actions in Environment Manager, so we want to make sure that we leave these settings intact.

Next we will add the script to Environment Manager. Interestingly, I’ve started putting Internet Explorer settings into the Logon trigger rather than the Process Started one recently, because I’m coming across more and more applications that interact with Internet Explorer settings (such as the proxy server and port). Of course, this makes Personalization a tad trickier too – but this is something to be discussed in a different article, probably the one I alluded to earlier about IE settings.

Set up a Custom Action, set the scripting type to VBScript, and insert the following code

Option Explicit
On Error Resume Next
‘Create a constant for the HKEY_CURRENT_USER object
Const HKCU = &H80000001
‘Define variables
Dim strComputer
Dim strRegistryKey
Dim objRegistry
Dim strRegistryValue
Dim binValue
strComputer = “.”
strRegistryKey = “Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections”
strRegistryValue = “DefaultConnectionSettings”
‘Connect to the Registry
Set objRegistry = GetObject(“winmgmts:\\” & strComputer & “\root\default:StdRegProv”)
‘Retrieve the current settings.
objRegistry.GetBinaryValue HKCU, strRegistryKey, strRegistryValue, binValue
‘Change the ‘Automatically detect settings’ box to unticked
binValue(8) = 03
‘binValue(8) = 13 – Enable this line to check the box instead of uncheck
‘Save the changes

objRegistry.SetBinaryValue HKCU, strRegistryKey, strRegistryValue, binValue

There is, rather helpfully, a commented-out line you can use should you want to check the box again, for whatever reason.

To stop users from being able to change the setting once you’ve unchecked it, also set the following Registry value

So now your configuration items should look like this

Now we need to save the configuration into the Management Center and deploy it out. Once it has deployed out, let’s log on and see what our settings look like now!

Of course, as we expected, they look exactly as we want them to 🙂

The box is unchecked, our proxy server settings are intact – and best of all, the user can’t mess with the settings that were giving us such a problem!

As I mentioned previously, there’s probably an underlying issue which is the reason why the “Automatically detect settings” option caused such a problem. But if turning it off made those problems go away, and didn’t cause any other adverse effects, then it stands to reason that disabling it is a good thing. This does, however, bring us to the mish-mash of settings that Microsoft provide us with to manage the Internet Explorer browser, and it is high time I did an article with a sample configuration that shows AppSense admins how to manage it more quickly and easily. That is a subject I will hopefully visit over the next few weeks.

Comments

17 responses to “Disabling the Internet Explorer “Automatically detect settings” checkbox using AppSense DesktopNow”

  1. Vanilla Bean Vanilla Bean says:

    Great write up James, we use something similar, I cant remember where we got the code from now so I cant give credit to the coder (sorry).

    'Example use of IEautomaticallydetect
    IEautomaticallydetect "pac"
    wscript.quit

    SUB IEautomaticallydetect (status)

    DIM sKey,sValue,binaryVal
    Dim oReg
    Set oReg=GetObject( "winmgmts:{impersonationLevel=impersonate}!\.rootdefault:StdRegProv") 'For registry operations througout

    Const HKCU=&H80000001

    sKey = "SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnections"
    sValue = "DefaultConnectionSettings"

    oReg.GetBinaryValue HKCU, sKey, sValue, binaryVal

    '09 when only 'Automatically detect settings' is enabled
    '03 when only 'Use a proxy server for your LAN' is enabled
    '0B when both are enabled
    '05 when only 'Use automatic configuration script' is enabled
    '0D when 'Automatically detect settings' and 'Use automatic configuration script' are enabled
    '07 when 'Use a proxy server for your LAN' and 'Use automatic configuration script' are enabled
    '0F when all the three are enabled.
    '01 when none of them are enabled.

    select case lcase(status)
    case "proxy" binaryVal(8) = 03 'Force Autodetect on
    case "pac" binaryVal(8) = 05 'Force Autodetect off
    end select

    if lcase(status)="proxy" or lcase(status)="pac" then oReg.SetBinaryValue HKCU, sKey, sValue, binaryVal

    end sub

  2. Vanilla Bean Vanilla Bean says:

    Thanks Ben, good info on the various values, that complements the rest of the article nicely!

    Cheers,

    JR

  3. Vanilla Bean Vanilla Bean says:

    Hi James, another way to control this setting is by using an undocumented registry key AutoDetect=0. See blog post for more information: http://blog.raido.be/?p=426

  4. Vanilla Bean Vanilla Bean says:

    Hi Frank

    I did try that but got no joy. However, the environment I am working in does display some odd and aberrant behaviour, so it's possible that it may work – the AD is a bit of a mess where I am at the moment so it could be that is why I had no luck with the setting. It is certainly worth others giving it a try.

    Cheers,

    JR

  5. Vanilla Bean Vanilla Bean says:

    What are your thoughts on setting this with a mandatory profile? e.g the mandatory profile has empty strings for DefaultConnectionSettings. When IE is run it updates these strings with a value including the dreaded 09. This happens after EM has tried to set it back so it doesn't work. I tried importing a string into the key at logon but IE seems to regenerate a new one at first load…

  6. Vanilla Bean Vanilla Bean says:

    Interesting….I suppose you could try importing the values into it at IE Process Started, rather than logon? Is that any better at overwriting the default that IE tries to put in?

    Cheers,

    JR

  7. Vanilla Bean Vanilla Bean says:

    Thanks, what seems to work is this:

    Process started rule for IE
    Run once per session – set the value of the keys
    Run every time – Set 09 to 01 using PS version of your script

    What happens is you run IE, it gets set to the string we import, it then changes back to a string with 09 in, then we reset it back to 01. Interestingly if we don't import our values first it does not get set back correctly, I guess this might just be a timing issue so need to perform more testing…

  8. Vanilla Bean Vanilla Bean says:

    Another possibility might be actually to pre-populate the mandatory profile strings….might help you avoid the IE "first-run" stuff. Or even log on and get the first-run settings out of the way, then create the mandatory profile from thereon in.

    Cheers,

    JR

  9. Vanilla Bean Vanilla Bean says:

    Update – actually not so simple, even loading Word (before IE is executed in a session) will update the DefaultConnectionSettings to include 09 when it goes off to sign you in. Quite why the DefaultConnectionSettings gets overwritten from the imported value with 01 in when you load anything which uses IE settings I cannot explain..

  10. Vanilla Bean Vanilla Bean says:

    This may well be a "first-run" setting that gets overwritten the first time you run IE. Especially if it is Personalized. I would see if you can capture the "first-run" settings and import them into the mandatory profile. A bit fiddly but may prove more effective long-term.

  11. Vanilla Bean Vanilla Bean says:

    PS this is in an 2008 R2 RDS environment, I think the issue may lie there as it works as expected on a Win 7 desktop

  12. Vanilla Bean Vanilla Bean says:

    A new solution – using a condition to check for RDS, set the key to the desired value and then use self healing on the key. This works just fine and although it isn't ideal it is only for a small RDS farm…

  13. Vanilla Bean Vanilla Bean says:

    That's what I like about AppSense – there are other ways of doing things when you get stuck. I forgot all about Self-Heal. Glad you got it sorted 🙂

  14. Vanilla Bean Vanilla Bean says:

    Tried this, but still not working, but some people said the value is working with their environments, so …….

  15. Vanilla Bean Vanilla Bean says:

    I have been checking for that particular setting for 2 days straight – managed to find how to set the rest (enabling proxy / set proxy servers / set exceptions / enable bypass proxy servers / etc ) in registry, but not this particular setting. so yea, I think I have to utilize script to do this.

    Cheers!

  16. Manthan says:

    This is not working for me.
    OS : WIndows 10
    Any suggestions?

Leave a Reply

Your email address will not be published. Required fields are marked *

Join our mailing list

Sign up for our newsletter today and we'll send you exclusive content including free guides and articles. We promise not to send you spam and we don't share your details with anybody else.

Contact us

Howell Technology Group
One Trinity Green
Eldon Street
South Shields
NE33 1SA

T. 0191 4813446

Email us

Cookies policy

The HTG website uses cookies to store information on your computer. By continuing to browse this website you are agreeing to our use of cookies. Learn more

Accept

Thank you - you've accepted our cookies policy.