How to setup Internet Explorer 11 Enterprise Mode Logging

In my recent blog post about Internet Explorer 11 I explained how you can enable Enterprise Mode via Group Policy. The option “Let users turn on and use Enterprise Mode from the Tools menu”, as the name suggests, allows users to enable the option from the Tools menu in Internet Explorer.

But as the description of this policy also mentions:

Optionally, this policy also lets you specify where to get reports about the websites for which users turn on Enterprise Mode using the Tools menu.

This is like crowdsourcing the list of internal web sites you have that need to be configured in IE Enterprise Mode for them to work. You can then use this information to build your own IE Enterprise Mode site list using the Enterprise Mode Site List Manager tool and deploy your own Enterprise Mode XML list, so that the other users do not need to explicitly do something to make their browsers work.

To set up this option on the client, just follow the TechNet article Turn on local control and logging for Enterprise Mode (see example below).

Note: In the example below I have used a custom HTTP port 81. I recommend you do this for your logging web server.

But the TechNet article says:

To turn on logging, you must include a valid URL that points to a server that can be listened to for updates in your registry key

This unfortunately does not explain how to set up an endpoint server to listen for these incoming POST messages, which are sent whenever a user toggles the Enterprise Mode button in the menu.

Being curious I then cracked open Fiddler to see what exactly the payload was that was being submitted as a POST form. As you can see it submits two parameters in the form of a POST form submission. As a side note I also noticed that the User-Agent string is different in the browser as it switches between modes.

But as you can see from the error messages on the right, I did not have a server set up to accept these incoming POST messages.

Therefore I next installed IIS on the DC01 server with the ASP component so that I could set up an ASP form to accept this incoming information.

I then edited the binding of the web site to port 81 to match the custom port I configured in the Group Policy setting. The reason I created a custom port is so that I could have a dedicated site that was only for this incoming information. This is important as I am logging the information to the web site's log file, and any other traffic would make it much harder to find the incoming Enterprise Mode logging information.

I then modified the logging of the web site to only include Date, Client IP, User Name and URI Query. I did this to keep the log file as simple as possible. If you really wanted to, you could just select the URI Query option, but I found the date and client IP useful for discovering who was having issues.

I then placed the ASP file called “ieem.asp” (see code below) in the root of the web server. The name of this file again has to match the name you specified in the Group Policy above.

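<%@ LANGUAGE=javascript %>
<%
// Append the two POSTed form fields (URL and EnterpriseMode) to the IIS log entry for this request.
Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode"));
%>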

The ASP code above simply logs the POST fields to the IIS log file, from which you can then extract the data you need (example highlighted below).

(Image: IIS log file output)
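As an added example (not code from the original post or from Microsoft), this Python script reads such a log and produces a candidate host list, one per line, for review before it goes into the site list. Because the endpoint accepts unauthenticated POSTs and the logged text is client-supplied, it validates every entry and only keeps hosts that at least two distinct client IPs switched on. Assumptions: the four log fields selected above, the appended text landing in cs-uri-query with spaces written as "+", EnterpriseMode reported as On or Off, and constructed host names and addresses.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")

# Constructed sample log (not taken from the post). Assumes the four fields
# selected in the post and that IIS writes spaces in the appended text as "+".
SAMPLE_LOG = """\
#Fields: date c-ip cs-username cs-uri-query
2014-04-20 10.0.0.21 - -+;http://hr.corp.example/leave.aspx+;On
2014-04-20 10.0.0.35 - -+;http://hr.corp.example/payslip.aspx+;On
2014-04-21 10.0.0.21 - -+;http://wiki.corp.example/+;On
2014-04-21 10.0.0.35 - -+;http://wiki.corp.example/+;Off
2014-04-21 10.0.0.99 - -+;file:///c:/temp/test.htm+;On
"""

def parse_reports(log_text):
    """Yield (client_ip, host, mode) for each well-formed report line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split(None, len(fields) - 1)))
        parts = row.get("cs-uri-query", "").split(";")
        if len(parts) < 3:
            continue
        url, mode = ";".join(parts[1:-1]).strip("+ "), parts[-1].strip("+ ")
        try:
            target = urlsplit(url)
            host = (target.hostname or "").lower()
        except ValueError:
            continue
        # Log content is client-supplied: accept only http(s) URLs with a plain host.
        if target.scheme in ("http", "https") and HOST_RE.match(host) and mode in ("On", "Off"):
            yield row.get("c-ip", ""), host, mode

def candidate_sites(log_text, min_clients=2):
    """Hosts that at least min_clients distinct client IPs switched On."""
    clients = defaultdict(set)
    for ip, host, mode in parse_reports(log_text):
        if mode == "On":
            clients[host].add(ip)
    return sorted(h for h, ips in clients.items() if len(ips) >= min_clients)

if __name__ == "__main__":
    print("\n".join(candidate_sites(SAMPLE_LOG)))
```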

Internet Explorer 11 Enterprise Mode is now rolling out automatically as part of Windows 8.1 Update and the recent Windows 7 Internet Explorer 11 security update KB2929437. This means that this functionality is probably already starting to deploy in your organisation if you are using IE11, so why not start taking advantage of your users to crowdsource which internal web sites have compatibility issues?

Credit: Thanks to Adam Kim and Chris Jackson from Microsoft for the ASP code and for pointing me in the right direction to get this working.

How to use Group Policy to enable or disable the Power Button on Touch (a.k.a Slate) devices for Windows 8.1 Update

If you have updated your touch/slate device to Windows 8.1 Update you will have noticed that the Search button has appeared on your start menu but not the power button. If you were wondering how to enable this button, unfortunately there is no easy way to do this as it is dictated by the type of hardware that you are running the device on (see http://blogs.technet.com/b/askds/archive/2014/04/07/options-for-managing-go-to-desktop-or-start-after-sign-in-in-windows-8-1.aspx ). This means that if your device is classified as a touch “slate” device then the Power Button will not be visible.

But as discovered by @teroalhonen there is a registry key that can be configured to override this setting:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Launcher\

DWORD  Launcher_ShowPowerButtonOnStartScreen

Value 1 = Button Enabled

Value 0 = Button Disabled

As this is as simple as a registry key, you can easily implement it as a Group Policy Preferences Registry Extension setting.

To do this, open a Group Policy Object that targets the users that you want to enable/disable the power button for, navigate to User Configuration > Preferences > Windows Settings, then right click Registry and go to New > Registry Item (see below).

Then type “Software\Microsoft\Windows\CurrentVersion\ImmersiveShell\Launcher\” into the Key Path field and “Launcher_ShowPowerButtonOnStartScreen” into the Value Name box. After that, select REG_DWORD and value “1” (enable) or “0” (disable) to configure the power button.

Once done, you need to wait for a Group Policy update and then for the user to log off and back on for the power button to appear or disappear.

Source @teroalhonen (Via  http://winsupersite.com/windows-8/windows-81-update-1-tip-toggle-power-button )

Internet Explorer Enterprise Mode via Group Policy

With the release of Windows 8.1 Update Microsoft has introduced a new feature, Internet Explorer Enterprise Mode. This gives admins a way, via Group Policy, to force web sites to render using specific browser modes.

Internet Explorer has a long heritage and each new version of the browser shipped has had the rendering engine of the previous version installed for compatibility. This option can be invoked by a user by pressing F12 and then selecting the Document Mode they want to render the page with (see below).

The problem is that how IE determines which browsing mode the browser should use (see http://blogs.msdn.com/b/ie/archive/2010/03/02/how-ie8-determines-document-mode.aspx) is never an exact science, and it sometimes gets it wrong.

One way was for the web site authors to update a meta tag or the host header of the web site to tell the browser to use a particular rendering mode (see http://blogs.msdn.com/b/ie/archive/2010/06/16/ie-s-compatibility-features-for-site-developers.aspx). However, many organisations have had web sites created internally where the authors have long gone. Therefore Internet Explorer by default will render any intranet web site in the “Intranet Zone” using the IE7 rendering engine. But displaying all the “Intranet Zone” pages as IE7 means that the pages are being rendered with an older (and MUCH SLOWER) JavaScript engine. So while the browser is capable of cutting-edge performance, it sometimes limits itself to much slower performance for the sake of backwards compatibility. If you want more information on this, check out Chris Jackson and me talking about this feature in my recent TechEd presentation The Browser You Loved to Hate.

To help address this performance issue and to make it easier for enterprises to view internal web sites using newer rendering engines, Microsoft has introduced a new option called Internet Explorer Enterprise Mode. This gives administrators more control over which web sites are rendered using older and newer rendering engines.

How to enable Internet Explorer Enterprise Mode

Internet Explorer Enterprise Mode is not visible to users out of the box. To enable this feature you need to enable the “Let users turn on and use Enterprise Mode from the Tools menu” policy.

Once enabled, users can toggle the “Enterprise Mode” option from the Internet Explorer menu.

But if the organisation wants to specify the location of the Enterprise Mode IE list, you can specify the path via the “Use the Enterprise Mode IE website list” group policy.

Update: Managing the Internet Explorer Enterprise Mode Site List

The URL that you specify in the above-mentioned setting points to an XML file created with a tool called the Enterprise Mode Site List Manager (not yet available). This tool will allow you to create your own custom corporate XML file that allows you to granularly specify which web sites to render in IE Enterprise Mode.

Once you save the file you publish it to the URL configured via Group Policy and the user will pull down the updated compatibility view list.

Correction: If you have downloaded the EMSL tool you can use a text file to bulk import sites into the tool to generate the XML file. As the tool is not out yet you still need to hand craft the XML file.

microsoft.com, bing.com, bing.com/images

or

microsoft.com
bing.com
bing.com/images

Source: http://blogs.msdn.com/b/ie/archive/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx

Source #2: http://technet.microsoft.com/en-us/library/dn640696.aspx

Updated: Enterprise Mode Site List Manager Download  - http://www.microsoft.com/en-us/download/details.aspx?id=42501

How to use Group Policy to configure “Always switch to new tabs when they are created” in Internet Explorer

There is a setting in Internet Explorer called “Always switch to new tabs when they are created” which, as the name suggests, controls how tabs in the browser are created. This setting can of course be controlled via Group Policy so that tabs will appear either in the background or in the foreground when a user opens a new tab (e.g. middle click on a link).

However it’s somewhat confusing as the group policy that controls this option has a totally different name called “Prevent the configuration of new tab creation”.

Just to make it more confusing, this policy can also be known as “Turn off configuration of default behaviour of new tab creation” depending on the version of ADMX/ADML files you are running in your environment.

Having policies that have multiple names is somewhat common, as the name depends on the version of ADMX/ADML files you have deployed. This is another advantage of using a Central Store for your ADMX/ADML files, as it means that the names of the Group Policy settings will be consistent in your organisation.

TIP: If you are trying to find a setting that you knew existed before but might have changed name, the best place to start looking is in the original location in the GPO as this does not normally change.

Another example of a Group Policy Object being renamed based on the version of ADMX/ADML files that you have deployed in your environment is “Verbose vs normal status messages”, which is now called “Display highly detailed status messages”. But rest assured that this is only a cosmetic change and that you will find that the actual setting and its configured values are still the same.

How to target Group Policy to Virtual Computers

Fellow Australian and Microsoft Hyper-V Program Manager Ben Armstrong (a.k.a. Virtual PC Guy) has just published a blog post explaining how you can deploy a Group Policy object so that it only targets virtual servers (see Targeting Group Policy at Hyper-V VMs).

To do this he explains that you can create a WMI query filter that means the Group Policy object will only apply to Hyper-V guests.

SELECT * FROM Win32_ComputerSystem WHERE Model = "Virtual Machine"

But what if you do not have Hyper-V guests deployed? Then you can run the following command on the virtual platform of choice to discover the model value to query.

wmic computersystem get model

In the example above you can see that this returns the vendor specific value of “VMWare Virtual Platform” (if you happen to be using VMWare). You can then take this model value to target the virtual platform of your choice (Hyper-V is of course the only valid choice).

SELECT * FROM Win32_ComputerSystem WHERE Model = "VMWare Virtual Platform"

TIP: You can also use the same method to target Group Policy objects to specific hardware models of servers and workstations.