On the previous blog "How to manage the new "blocking out-of-date ActiveX controls"  feature in IE?" we showed you the location and settings for the new out-of-date ActiveX controls feature and on this one, we are outlining the step by step instructions covered in article KB2991000 | Update to block out-of-date ActiveX controls in Internet Explorer under the section "Testing the out-of-date ActiveX controls feature" to get your testing started and better prepare you for the upcoming changes.

Testing Guidance 

PLEASE FOLLOW THE STEPS OUTLINED IN THE ARTCILE:https://support.microsoft.com/kb/2991000 under, Testing the out-of-date ActiveX controls feature

 Turn on AuditMode 

• Enabled the “Turn on ActiveX logging in Internet Explorer” GPO

Registry Location:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext]
"AuditModeEnabled"=dword:00000001

START TESTING

Restart Internet Explorer. You should see that websites that attempt to load out-of-date Java ActiveX controls will now display the out-of-date ActiveX control blocking notification.

 Example: http://javatester.org/version.html

To see the Audit Log, open the %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode folder and review the VersionAuditLog.CSV file. You should see the Audit items listed.

If your organization needs more time to mitigate dependencies on out-of-date Java controls, you have the following two options:

• Turn off the feature completely: Use the Turn off blocking of outdated ActiveX controls for Internet Explorer Group Policy setting (or corresponding registry key)
   Note  This is the less secure option.
• Turn off the feature for a specific domain: Use the Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains Group Policy setting (or corresponding registry key). This setting allows you to turn off the feature on the specific domains on which your enterprise has an out-of-date Java dependency.

RELATED ARTICLES:

• Internet Explorer begins blocking out-of-date ActiveX controls
• http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx
• How to manage the new "blocking out-of-date ActiveX controls" feature in IE?
• http://blogs.msdn.com/b/askie/archive/2014/08/12/how-to-manage-the-new-quot-blocking-out-of-date-activex-controls-quot-feature-in-ie.aspx
• Out-of-date ActiveX control blocking
• http://technet.microsoft.com/en-us/library/dn761713.aspx
• Internet Explorer begins blocking out-of-date ActiveX controls
• http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx

This blog has been provided to you by the IE Support team!

If you are looking for the GPO Only use the ActiveX Installer Service for installation of ActiveX controls in a Windows 7 running IE9 or above  you may not find it.

The reason is that the GPO was renamed to Specify use of ActiveX Installer Service for installation of ActiveX controls  was introduced in IE9 and above.

GPO Location: User Configuration\Administrative Templates\Windows Components\Internet Explorer\

Registry location: Software\Policies\Microsoft\Windows\AxInstaller

Value: OnlyUseAXISForActiveXInstall

Description:

This policy setting allows you to specify how ActiveX controls are installed.

If you enable this policy setting, ActiveX controls will only install if the ActiveX Installer Service is present and has been configured to allow ActiveX controls to be installed.

If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, will be installed using the standard installation process.

The Policy Applies to: Windows 7, Windows 2008, Windows 2008 R2, Windows 8 and 8.1 and Windows 2012.

Screenshot:

GPO Search Location:  

• User Configuration: http://gpsearch.azurewebsites.net/#1778
• Computer Configuration: http://gpsearch.azurewebsites.net/#1779

This blog has been provided to you by the IE Support team!

In this blog post I am sharing a few options to get page-break-after: always; property used in InfoPath web forms working when printing or using print preview in Internet Explorer 10 and Internet Explorer 11 out of SharePoint web sites.

The behavior in IE10 and IE11 have changed where the custom header is used instead and will override the Compatible View Settings previously used in the Intranet.  If you are using a component that needs to load in the IE specific legacy modes, you can use the suggestions presented in this blog post.

Previously, when a site is loaded in the Local Intranet by default, Internet Explorer will load in IE7 Compatible View document Mode. This is true even if you have configure your site to use a custom compatible header, such as<meta http-equiv="X-UA-Compatible" content="IE=10" /> via Embeded TAG or from the Web Sever configuration.

SUGGESTION I:

Use Enterprise Mode site list and designate the InfoPath url to load in Internet Explorer 7 document mode.

PREREQUISITES: Have Internet Explorer 11 install with latest IE cumulative update[MS14-080-https://technet.microsoft.com/en-us/library/security/ms14-080.aspx]

Here are the steps: Only applicable to IE11 !

• Download and install the Enterprise Mode Site List Manager tool from http://www.microsoft.com/en-us/download/details.aspx?id=42501
• Run the tool from C:\Program Files (x86)\Enterprise Mode Site List Manager\EMIESiteListManager.exe

• Click on the Add button
• Type the url you are loading the InfoPath web form from. Designate the document mode you want the url to load in. In this case, we want it to load in IE7 document mode as these functionality are legacy and work best in this document mode.

• Click on Save and yes for any dialog you may receive.
• in the above example, you will end up 2 URLs, one for the top domain that will load in Enterprise Mode and the second one for the path to the page you want it to load in IE7 Document mode
• Now, lets save the file to be use on your network by. From the File menu / save to XML or use the Ctrl+S short cut from your keyboard.

• In this demo, I will save it as infopathsitelist.xml and click on save

•  Copy the xml site to be accessible via the http or https protocol for easier access. Example: http://yoursharepointsite.com/EMIE/infopathsitelist.xml

Now that you have the sitelist xml file, you need to configure the Group Policy that will be using the xml file to signal the client which mode the page needs to be on. Lets get started!

• Open your Group Policy Management console. In this case, we are using a local gpo, so we use GPEDIT.MSC
• From Group Policy Editor, go to: User Configuration\Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list
• Enable this policy and add the website list URL location here. Like the example given above: http://yoursharepointsite.com/EMIE/infopathsitelist.xml and then, click OK to complete the configuration.
• Now, you can run GPUPDATE /FORCE from command line to update the group policy and then test loading your site. The url should load in IE7 document mode and the print and print preview should show your page break used in your InfoPath document.
• Below are some screenshots of what you would expect to see:

Here I am using Developer Tools to show you the document mode the page is loading, which is IE7. This is using the SiteList XML I defined in GPO. This page is loading in this mode regardless if I am loading in the Local Intranet Zone in Compatibility View Settings or if I am using the Compatibility Meta TAG <meta http-equiv="X-UA-Compatible"content="IE=edge"/>

In this other screenshot, We can see the Print Preview showing the Page Break. We see there are 5 pages in the document, which these are defined in the InfoPath document with page breaks.

As you can see, the Enterprise Mode GPO and SiteList is a great way to get the old legacy component working in IE11 which is todays prefer browser.

SUGGESTION II: Applicable to Older IE versions [ie8/9/10]

If you decide Not to upgrade to IE11 then you can consider the following. This option would be applicable for IE10, since Enterprise Mode is only available in IE11.

1. Setup the SharePoint page that loads the InfoPath page with  <meta http-equiv="X-UA-Compatible" content="IE=7" /> instead of  <meta http-equiv="X-UA-Compatible" content="IE=10" /> for SharePoint 2013 or  <meta http-equiv="X-UA-Compatible" content="IE=8" /> that comes with SharePoint 2010.
2. Simply, remove the compatible header from the page <meta http-equiv="X-UA-Compatible" content="IE=10" /> will also work, for sites that loads in the internal (local and trusted site zones) network.

As you can see the above 2 options may not be valid options for most Enterprises, so to me there is no better option than to use IE11 and Enterprise Mode GPO with the SiteList.

Some references:

• IE10. According to Internet Explorer’s current documentation supporting CSS 2.1 Section 13.3.1, the page-break-after property does not support line break or header elements. See the remarks in this link: http://msdn.microsoft.com/en-us/library/ie/ms530842.

In order to play HTML5 videos in the Internet Zone, you need to use the default settings or make sure the following registry key value 2701 under Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 is set to 0.

• The default value is 0 = Allow
• If set to 3 = Disallow

This key is read by the URL Action Flag that can be taken in a URL Security Zones.

Reference for URLACTION_ALLOW_AUDIO_VIDEO: http://msdn.microsoft.com/en-us/library/ie/ms537178(v=vs.85).aspx

" The key is for URLACTION_ALLOW_AUDIO_VIDEO 0x00002701. Internet Explorer 9. Determines whether media elements (audio and video) are allowed. For the element to appear, both the security zone of the host webpage and the media source must allow media. By default, this URLAction permits playback of resources from all zones except the Restricted Sites zone. This means that pages in the restricted zone cannot play media from anywhere, and that pages in other zones do not permit media that is loaded from restricted sites. "

There is no individual UI Setting to manage this action. These are per Zone settings and depending on what the zone is set, you will see this value change.

Example: Change the Internet Zone to High, which will set the registry Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 2701 value to 3

Here is what the registry key will look like:

The Zones key contains keys that represent each security zone that is defined for the computer. By default, the following five zones are defined (numbered zero through four):

   Value    Setting
   ------------------------------
   0        My Computer
   1        Local Intranet Zone
   2        Trusted sites Zone
   3        Internet Zone
   4        Restricted Sites Zone

Reference:

• Internet Explorer security zones registry entries for advanced users / http://support.microsoft.com/kb/182569

You can use Group Policy Preferences to manage these settings. GPP Registry should be fairly easy to use.

This blog has been provided to you by the IE Support team!

Hello everyone!

My name is Vinod and I am a Support Engineer on the IE Support Team. I wanted to share with you a very interesting issue I worked on recently.

A user installs an ActiveX control from a web site. The web site is updated with a newer version of the control. When the user navigates to the updated web site, he is prompted to install the updated control as expected.

The user then clicks the "Install" button - installation yields no errors.  The ActiveX control appears to load and work fine. But on every subsequent visit to the web site, user is prompted to install the ActiveX control again.

This can happens if the VerCache registry key fails to be updated during the upgrade of the control:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D7D5ACA4-4C57-4C75-8D68-BC185E924B4C}] "VerCache"

But how can such a thing happen?

This can happen if the old and new versions of the control have the same “Created” date time stamp, “Modified” date time stamp and the file size, for example:

Here in the above mentioned screenshots they both are having same file date time stamps and that Causes the VerCache registry key to not get updated.

To resolve this , ensure that at least one of these parameters - “Created” date time stamp, “Modified” date time stamp or the file size, on the updated control is different from the old version of the control and you should be GTG!

Regards,

The IE Support Team

In this quick post, we will cover the options we have to manage the IE TABs on a controlled environment.

I would like to first clarify that there is not a single GPO to just hide TABS in IE11. There is however a way you can enforce IE in Full View Mode which by default will remove the TABS and Address bar via a GPO.

The GPO  you can use to enforce the Full-Screen view is available on both Computer and User configuration policy. Below is the gpo location path in group policy editor console.

• GPO NAME: Enforce full-screen mode
• LOCATION: Computer or User configuration - Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
• KEY LOCATION: Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions

SCREENSHOT: GPO CONSOLE

 SCREENSHOT: REGISTRY LOCATION WITH VALUES

The gpo and keys will cause the browser to open in full view with no address bar or tabs

If you want to use a different alternative to force a Full View with Address bar, you will need to consider using Group Policy Preference / Registry gpo and push the following registry keys:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions]
"NoNavBar"=dword:00000000
"NoCommandBar"=dword:00000001

 SCREENSHOT USING THE KEYS ABOVE:

This blog has been provided to you by the IE Support team!

In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.

By default, IE Enhanced Security is enabled in Windows and this setting could impact some web applications. In this case scenario, it affected a script from executing for Standard users.

Objective: To change the IEHarden registry key for the users using Group Policy Preferences Registry configuration.

Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.

STEPS:

• Open your GMPC.MSC console and navigate to User Configuration / Preferences / Windows Settings
• Right Click on the Registry object from the left hand pane and select New> registry Item

• From New Registry Properties, you can fill in the following settings:
• For Hive: HKEY_CURRENT_USER
• For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• For Value name: IEHarden
• For Value Type: REG_DWORD
• For Value data: 0 OR 00000000

Screenshot:

• Apply and OK to complete this GPP Configuration

NOTE: You may also want to check the following registry keys if this value alone does not help resolved your case scenario. In most cases, this is not needed!

• HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HEKY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Another way to get the key change is using a batch file, you can easily use the REG.exe to change the settings.

Examples

TO HELP SET THE IEHARDEN VALUE TO 0

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

::Disables IE Harden for user if set to 1 which is enabled
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f
REG ADD "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /t REG_DWORD /d 0 /f

TO COMPLETELY DELETE THE KEY USING A BATCH FILE:

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003 and 2008(including R2)
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: Deletes the IE Harden for users
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"  /v "IEHarden" /f
REG DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f
REG DELETE "HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" /v "IEHarden" /f

HOW DO I KNOW THE GPO IS WORKING?

• The best way to validate the gpo is working is to become familiar with the registry location being affected by this setting. So, simply navigate to the HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and verify the IEHarden entry exist with REG_DWORD value set to 0 for the logon user account.

Other Related Blog Post:

• How to troubleshoot IE Enhanced Security warning "Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration" ?
• http://blogs.msdn.com/b/askie/archive/2012/09/11/disable-ie-enhanced-security-does-not-work-in-windows-2003-and-2008-remote-desktop-services-terminal-services-host.aspx
• How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?
• http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx

This blog has been provided to you by the IE Support team!

In this blog, I will share one scenario where we the IE11 installation failed with Error 9c59 error.

SCENARIO:

• Windows 7 x64 with Internet Explore 9 + MS15-065 KB3065822 is installed.
• During the installation process of InternetExplorer 11, you may receive the 9C59 error.
• Error details: Code 9C59
• Error can be found in IE main.log (c:\Windows directory)
• IE11 shows to be installed in Add Removed / Turn Windows Features on or off console but IE9 version shows under the Internet Explore 9 Help and About Internet Explorer menu

NOTE: This error are more often seeing out of Managed Windows Client machines (Windows client machines built out of a master image used in VDI or desktop imaged environments) were prerequisites and or language packs for IE11 do not exist or corrupt exist.

Here are some steps you can take to resolved the 9c59 error:

• From an elevated Command Windows, run the following Command to help removed IE11
• FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c "cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart"
• Open APPWIZ.CPL(Add Removed Programs) from command window to see if IE9 shows in the Turn Windows Features on or off console. If it does, is a good indicator we are making progress
• Run the IExplore setup using the /update-no switch from an Administrator account elevated Command Windows. This will required a reboot!
• Example: IE11-Windows6.1-x64-en-us.exe /update-no
• After the reboot, Open Internet Explore and hit the ALT Key on your keyboard to display the Help menu(if not visible) and click on the Help / About Internet Explore menu. Here you should see that Internet Explore 11 is installed with kb2841134 https://support.microsoft.com/en-us/kb/2841134.
• Now, lets make sure you have the latest Internet Explorer Cumulative update by using Windows Update which for the month of July 2015 is KB3065822 - https://support.microsoft.com/en-us/kb/3065822 MS15-065 Bulleting
• You can manually download it and install it if you like or use any other deployment method you may have on your environment!
• Reboot the client and double-checked the IE11 Installation and verified the Help and about Internet explorer shows KB 3065822
• IE11 + Latest IE Cumulative should be installed !

NOTE: If the steps above did not help resolved your scenario, you should consider the related article below for other possible steps you could take.

RELATED ARTICLE:

• 2872074 Troubleshooting a failed installation of Internet Explorer 11
  http://support.microsoft.com/kb/2872074/en-US
• Command line options available to uninstall Internet Explorer
  http://blogs.msdn.com/b/askie/archive/2014/03/28/command-line-options-available-to-uninstall-internet-explorer.aspx

This blog has been provided to you by the IE Support team!

Today we release a new article on How to create an all-inclusive deployment package for Internet Explore 11, including the all the prerequisite updates, language packs, and spelling dictionaries plus the latest cumulative security updates in a single restart. This is a great help for business that are looking for guidance on implementing such solution and move to IE11 considering that only the most recent version of Internet Explorer available for supported OS will receive technical support and security updates after January 12, 2016. see the Microsoft Support Lifecycle site for more details regarding support timelines on Windows and Windows Embedded systems.

Kudos to the Microsoft Support Engineers that collaborated in producing the article and share it with everybody!

• How to create an all-inclusive deployment package for Internet Explorer 11
• https://support.microsoft.com/en-us/kb/3061428

This blog has been provided to you by the IE Support team!

We are seeing an increase interest in updating to Internet Explorer 11 due to the upcoming changes in support outlined in the blog below:

Stay up-to-date with Internet Explorer - http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

"After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support. For more details regarding support timelines on Windows and Windows Embedded, see the Microsoft Support Lifecycle site."

In this quick blog post, we are including a link to a TechNet article "Internet Explorer 11 - FAQ for IT Pros" where in one of the Q/A, we outline the requirements for IE11.

What operating system does IE11 run on?

• Windows 10

• Windows 8.1

• Windows Server 2012 R2

• Windows 7 with Service Pack 1 (SP1)

• Windows Server 2008 R2 with Service Pack 1 (SP1)

Here are other resources you can used to help you prepare the IE11 deployment.

Creating an all-inclusive deployment package for Internet Explorer 11

• http://blogs.msdn.com/b/askie/archive/2015/07/28/creating-an-all-inclusive-deployment-package-for-internet-explorer-11.aspx

Tool to Scan your site for out of date libraries, layout issues and accessibility:

• http://dev.modern.ie/tools/staticscan/

Here are other resources available that may be useful:

• Internet Explorer 11 (IE11) - Deployment Guide for IT Pros
  • https://technet.microsoft.com/en-us/library/dn338135.aspx
• Install and Deploy Internet Explorer 11 (IE11)
  • https://technet.microsoft.com/en-us/library/mt269905.aspx
• Internet Explorer 11 - FAQ for IT Pros
  • https://technet.microsoft.com/en-us/library/dn268945.aspx
• IEAK 11 - Internet Explorer Administration Kit 11 Users Guide
  • https://technet.microsoft.com/en-us/library/dn454924.aspx

This blog has been provided to you by the IE Support team!

Here are some quick steps you can take to implement the Feature Control Key mentioned in the recently release article 3123303 "The new "End of Life" upgrade notification for Internet Explorer" which is designed to alert users of the End of life for legacy Internet Explorer versions (IE10 and below).

In this example, we are using Computer Configuration GPO to target the Internet Explorer registry setting.  

OBJECTIVE: To implement the FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION registry key for the computer Group Policy Preferences Registry configuration.

REQUIREMENTS: Be familiar with GPMC.MSC console and Group Policy Preferences.

STEPS

• Open GPMC.MSC console and from the left hand pane, expand: Computer Configuration / Preferences / WindowsSettings and Right Click on the Registry object and select New> CollectionItem

• Right click on the Collection Item, select rename and give it a friendly name, example: KB3123303_FCK

• Right click on the KB3123303_FCK and select NEW / Registry Item

• Match the following entries:

Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path:SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION
Value name: iexplore.exe
Value type: REG_DWORD
Value data: 1

• From the common TAB, you can set this GPO to Apply once and do not reapply if this meet your needs

Option:

ECHO OFF
REM End of Life FCK
REM Author: Axelr
REM Comments: Helps configure the End of Life Feature Control Key outlined kb3123303. This batch will add the keys ad value!
REM End
ECHO ON
::Article
::The new "End of Life" upgrade notification for Internet Explorer
::https://support.microsoft.com/en-us/kb/3123303
::x86
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /t REG_DWORD /d 1 /f
::x64
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /t REG_DWORD /d 1 /f

ECHO OFF
REM End of Life FCK
REM Author: Axelr
REM Comments: Helps configure the End of Life Feature Control Key outlined kb3123303. This batch will removed the value!
REM End
ECHO ON
::Article
::The new "End of Life" upgrade notification for Internet Explorer
::https://support.microsoft.com/en-us/kb/3123303
::Delete the entries
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /f

In this blog, I am sharing the steps taken to help change the IEHarden setting that may affect users working out of a Terminal Server configuration.

By default, IE Enhanced Security is enabled in Windows and this setting could impact some web applications. In this case scenario, it affected a script from executing for Standard users.

Other scenarios, the user cannot see the items in the trusted site zone settings.

Objective: To change the IEHarden registry key for the users using Group Policy Preferences Registry configuration.

Requirements: Be familiar with GPMC.MSC console and Group Policy Preferences.

Applies To: Windows 2000, Windows 2003, Windows 2008, Windows 2012 Servers running Terminal server configuration. Including R2 versions.

Scenarios:

• You are working out of a Terminal Server
• Your Trusted Sites Zone settings may be gray out and unable to see the entries
• You are using Site To Zone Assignment list and appears not to be working
• Zone GPO not showing in Local Intranet Zone or Trusted Site

STEPS:

• Open your GMPC.MSC console and navigate to User Configuration / Preferences / Windows Settings
• Right Click on the Registry object from the left hand pane and select New > registry Item

• From New Registry Properties, you can fill in the following settings:
• For Hive: HKEY_CURRENT_USER
• For Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• For Value name: IEHarden
• For Value Type: REG_DWORD
• For Value data: 0 OR 00000000

Screenshot:

• Apply and OK to complete this GPP Configuration

NOTE: You may also want to check the following registry keys if this value alone does not help resolved your case scenario. In most cases, this is not needed!

• HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
• HEKY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Another way to get the key change is using a batch file, you can easily use the REG.exe to change the settings.

Examples

TO HELP SET THE IEHARDEN VALUE TO 0

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

::Disables IE Harden for user if set to 1 which is enabled
REG ADD “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f
REG ADD “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /t REG_DWORD /d 0 /f

TO COMPLETELY DELETE THE KEY USING A BATCH FILE:

ECHO OFF
REM  IEHarden Removal  For Users
REM  HasVersionInfo: Yes
REM  Author: Axelr
REM  Productname: Remove IE Enhanced Security for users
REM  Comments: Helps remove the IE Enhanced Security Component of Windows 2003, Windows 2008, Windows 2012 running terminal server configuration
REM  IEHarden End
ECHO ON
::Related Article
::933991 Standard users cannot turn off the Internet Explorer Enhanced Security feature on a Windows Server 2003-based terminal server
::http://support.microsoft.com/default.aspx?scid=kb;EN-US;933991

:: Deletes the IE Harden for users
REG DELETE “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap”  /v “IEHarden” /f
REG DELETE “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f
REG DELETE “HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap” /v “IEHarden” /f

HOW DO I KNOW THE GPO IS WORKING?

• The best way to validate the gpo is working is to become familiar with the registry location being affected by this setting. So, simply navigate to the HEKY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap and verify the IEHarden entry exist with REG_DWORD value set to 0 for the logon user account.

Other Related Blog Post:

• How to troubleshoot IE Enhanced Security warning “Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration” ?
• http://blogs.msdn.com/b/askie/archive/2012/09/11/disable-ie-enhanced-security-does-not-work-in-windows-2003-and-2008-remote-desktop-services-terminal-services-host.aspx
• How to disable IE Enhanced Security on Windows 2003 & Windows 2008 Server silently?
• http://blogs.msdn.com/b/askie/archive/2009/06/23/how-to-disable-ie-enhanced-security-on-windows-2003-server-silently.aspx

This blog has been provided to you by the IE Support team!

In this example, we are using Computer Configuration GPO to target the Internet Explorer TabShutdownDelay registry setting. However, you can perform the same steps at the User Configuration setting from the GPMC console! 

OBJECTIVE: To change the TabShutdownDelay registry key for the computer Group Policy Preferences Registry configuration.

REQUIREMENTS: Be familiar with GPMC.MSC console and Group Policy Preferences.

STEPS 1

Open GPMC.MSC console and from the left hand pane, expand: Computer Configuration / Preferences / Windows Settings and Right Click on the Registry object and select New > Collection Item

NOTE: The Collection Item will allow you to better organize the Registry Item Configuration!

STEP 2

Rename the Collection Item to: TabShutdownDelay. Right click and select rename!

STEP 3

Right Click on the newly renamed item and select New > Registry Item

STEP 4

From the New Registry Properties Dialog, mirror the following settings:

Action: Update

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Microsoft\Internet Explorer\MAIN

Value Name: TabShutdownDelay

Value type: REG_DWORD

Value data: 0

IMPORTANT: Please note that on 64-Bit Operating Systems, Internet Explorer also uses x86-processes. Therefore you should also include the  Wow6432Node registry-key!

Action: Update

Hive: HKEY_LOCAL_MACHINE

Key Path: SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN

Value Name: TabShutdownDelay

Value type: REG_DWORD

Value data: 0

SCREENSHOT:

Apply and OK to configure the policy!

NEXT: Test your GPO

The best way to test the GPO is to go to the client and run the GPUpdate /Force Command and check the Registry key location for changes.[YOU MAY HAVE TO RUN THIS COMMAND USING AN ELEVATED COMMAND PROMPT!]

You should expect to see the following registry entry:

REGISTRY: HKEY_LOCAL_MACHINE\Software\Microsoft\InternetExplorer\Main

NAME: TabShutdownDelay

VALUE: 0 (DECIMAL)

RELATED BLOG POST: 

• Closing an IE 8 TAB does not immediately close the spawned iexplore.exe process
• http://blogs.msdn.com/b/askie/archive/2009/03/16/closing-an-ie-8-tab-does-not-immediately-close-the-spawned-iexplore-exe-process.aspx

This blog has been provided to you by the IE Support team!

In this blog, I will share one scenario where we the IE11 installation failed with Error 9c59 error.

SCENARIO:

• Windows 7 x64 with Internet Explore 9 + MS15-065 KB3065822 is installed.
• During the installation process of Internet Explorer 11, you may receive the 9C59 error.
• Error details: Code 9C59
• Error can be found in IE main.log (c:\Windows directory)
• IE11 shows to be installed in Add Removed / Turn Windows Features on or off console but IE9 version shows under the Internet Explore 9 Help and About Internet Explorer menu

NOTE: This error are more often seeing out of Managed Windows Client machines (Windows client machines built out of a master image used in VDI or desktop imaged environments) were prerequisites and or language packs for IE11 do not exist or corrupt exist.

Here are some steps you can take to resolved the 9c59 error:

• From an elevated Command Windows, run the following Command to help removed IE11
• FORFILES /P %WINDIR%\servicing\Packages /M Microsoft-Windows-InternetExplorer-*11.*.mum /c “cmd /c echo Uninstalling package @fname && start /w pkgmgr /up:@fname /norestart”
• Open APPWIZ.CPL(Add Removed Programs) from command window to see if IE9 shows in the Turn Windows Features on or off console. If it does, is a good indicator we are making progress
• Run the IExplore setup using the /update-no switch from an Administrator account elevated Command Windows. This will required a reboot!
• Example: IE11-Windows6.1-x64-en-us.exe /update-no
• After the reboot, Open Internet Explore and hit the ALT Key on your keyboard to display the Help menu(if not visible) and click on the Help / About Internet Explore menu. Here you should see that Internet Explore 11 is installed with kb2841134 https://support.microsoft.com/en-us/kb/2841134.
• Now, lets make sure you have the latest Internet Explorer Cumulative update by using Windows Update which for the month of July 2015 is KB3065822 – https://support.microsoft.com/en-us/kb/3065822 MS15-065 Bulleting
• You can manually download it and install it if you like or use any other deployment method you may have on your environment!
• Reboot the client and double-checked the IE11 Installation and verified the Help and about Internet explorer shows KB 3065822
• IE11 + Latest IE Cumulative should be installed !

NOTE: If the steps above did not help resolved your scenario, you should consider the related article below for other possible steps you could take.

RELATED ARTICLE:

• 2872074 Troubleshooting a failed installation of Internet Explorer 11
  http://support.microsoft.com/kb/2872074/en-US
• Command line options available to uninstall Internet Explorer
  http://blogs.msdn.com/b/askie/archive/2014/03/28/command-line-options-available-to-uninstall-internet-explorer.aspx

This blog has been provided to you by the IE Support team!

Today we release a new article on How to create an all-inclusive deployment package for Internet Explore 11, including the all the prerequisite updates, language packs, and spelling dictionaries plus the latest cumulative security updates in a single restart. This is a great help for business that are looking for guidance on implementing such solution and move to IE11 considering that only the most recent version of Internet Explorer available for supported OS will receive technical support and security updates after January 12, 2016. see the Microsoft Support Lifecycle site for more details regarding support timelines on Windows and Windows Embedded systems.

Kudos to the Microsoft Support Engineers that collaborated in producing the article and share it with everybody!

• How to create an all-inclusive deployment package for Internet Explorer 11
• https://support.microsoft.com/en-us/kb/3061428

NOTE:

One issue we saw before with the SCCM deployment had to do with the Package path for x64 OS [%systemroot%\SysNative\] which someone had written a batch file for it and included below:
 
x64 Batch:
 
@ECHO OFF
REM ECHO Installing IE 11 prerequisite: KB2834140
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2834140-v2-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2670838
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2670838-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2533623
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2533623-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2731771
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2731771-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2729094
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2729094-v2-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 prerequisite: KB2786081
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0Windows6.1-KB2786081-x64.cab /quiet /norestart
 
REM ECHO Installing IE 11 Main Application
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0IE-Win7.cab /quiet /norestart
 
REM ECHO Installing IE cumulative security update
%systemroot%\SysNative\dism.exe /online /add-package /packagepath:%~dp0IE11-Windows6.1-KB3093983-x64.cab /quiet /norestart
 
exit
 

This blog has been provided to you by the IE Support team!

Hi everybody!, in this blog we are covering most if not all of the available options you have today  to manage your Proxy configuration settings using Group Policies. We hope this blog be helpful for your Internet Explorer 11 migration!.

As you know, the IE Maintenance used to configure proxy and other IE Settings was first deprecated in IE10 in favor of Administrative Templates and Group Policy Preferences. Any machine with IE10 and higher will NOT be able to use the IEM policies. IEM is still available for IE9 and lower.

NOTE: Please read the article [http://technet.microsoft.com/en-us/library/jj890998.aspx] for more detailed information about the changes and other policies!

We are presenting different case scenarios to provided clarity on the options you have today, once you upgrade to IE11!

Case 1: Considering that we are using a Windows Server 2008R2 DC to which we installed IE10 or higher we will notice that IEM is not available in GPO.

Windows Server 2008R2 DC with IE9 or lower 

Windows Server 2008R2 DC with IE10 and higher – Noticed, IE Maintenance is gone!

Case 2: Considering that we are using a Windows Server 2008R2 DC to which we installed IE10 or higher and trying to use GPP User Interface, but notice that you can see only to Internet Explorer 8 but IE10 is missing.

Goal: How to configure proxy settings for IE10 and higher.

We have 2 ways we can achieve the desired outcome:

1) Using GPP [Group Policy Preferences] User Interface

In order to reach what do we require, we need one of the following machines added in the Domain:

• Windows Server 2012
• Windows Server 2012 R2
• Windows 8.0 machine + RSAT Tools: http://www.microsoft.com/en-us/download/details.aspx?id=28972
• Windows 8.1 machine + RSAT Tools: http://www.microsoft.com/en-us/download/details.aspx?id=39296

After installing the Group Policy Management Feature, ensure the following updates are installed:

• On Windows 8.1 or Windows Server 2012 R2 – https://support.microsoft.com/en-us/kb/2919355
• On Windows 8 or on Windows Server 2012 – https://support.microsoft.com/en-us/kb/2928422

               
A) Considering you have chosen any of the above machines, just open the Group Policy Management Console (required Administrator rights to edit policies)

From START/RUN window, Type GPMC.MSC to open the console.

B) Then you need to choose the group policy item in which you create settings and go to the following path:

User Configuration / Preferences / Control Panel Settings / Internet Settings / New /  choose Internet Explorer 10 (Right-Click or Double-click to open the settings)

Note: You need to select the option of Internet Explorer 10 in Group Policy Preference (GPP) to apply the settings for Internet Explorer 11 as the same settings apply to Internet Explorer 11.

REF: How to configure Group Policy Preference settings for Internet Explorer 11 in Windows 8.1 or Windows Server 2012 R2 – https://support.microsoft.com/en-us/kb/2898604

NEXT: From the properties, click on the Connections Tab / LAN Settings 

C) Reaching the LAN Settings, we notice that is similar to the Internet Control Panel.

We have the same options to create a proxy configuration:

• Automatically detect settings 
• Use automatic configuration script
• Proxy Server

D) The first thing we notice is that we have red underline settings:

Settings which are underlined in red are not configured at the target machine, while settings underlined in green are configured at the target machine.
In order to change the underlining, use the following function keys:

F5 – Enable all settings on the current tab
F6 – Enable the currently selected setting
F7 – Disable the currently selected setting
F8 – Disable all settings on the current tab

Article reference: http://blogs.technet.com/b/grouppolicy/archive/2008/10/13/red-green-gp-preferences-doesn-t-work-even-though-the-policy-applied-and-after-gpupdate-force.aspx

E) Configuring each setting in particular.

I would encourage pressing a F8 to disable all before configuring anything as the recommended scenario is to configure only the settings you want to apply.

Automatically detect settings, with the option checked:

Use an Automatic Configuration Script (AutoConfigURL) example [Remember to use F6 to enable this entry!]

Static Proxy Server configuration example [Remember to use F6 to enable this entry!]

2) The alternative way of configuring the Proxy Setting is deploying the registries keys directly.

Key path / location for the registry keys: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

• Automatically detect settings

Registry key: “AutoDetect”
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable

The key AutoDetect is only visible before you start IE10 (or IE11) on the machine, as IE will interpret it immediately and then delete the key right after. By that, the option will have its preference nature.

• Use automatic configuration script

Registry Key: “AutoConfigURL”
Value Type: REG_SZ
Value Data: “http://<servername|host>/my_proxy.pac”

• Proxy Server

To configure this,  you may need up to 3 registry keys:

“ProxyEnable” checkbox for “Use a proxy server for your LAN (these settings will not apply to dial-up or VPN connection)”              
Value Type: REG_DWORD
Value Data:
0 = Disable
1 = Enable

“ProxyServer”
Value Type: REG_SZ
Value Data: “ProxyServerName:Port”

“ProxyOverride”
Value Type: REG_SZ
Value Data: “list_of_exclusion”

Value Data: “list_of_exclusion;<local>”
<local> value represents the check: “Bypass proxy server for local addresses”
The value is added automatically when enabling the check box in the GPP User Interface (UI).
When deploying through the registry key is required.

You have different ways you can deploy the registry keys. The only important aspect is to deploy correctly the registry keys provided above.
But in this article I will present how it can be done via GPP Registry Item:

Location of the policy: User Configuration / Preferences / Windows Settings / Registry / Right Click + New + Registry Item

RELATED ARTICLES:

• How can I configure Proxy AutoConfigURL Setting using Group Policy Preference (GPP) ?

• How to use GPP Registry to uncheck automatically detect settings? 

• HOW TO CONFIGURE A PROXY SERVER URL AND PORT USING GPP REGISTRY ?

This blog has been provided to you by Adrian Guta and Heiko Mayer.

Tips for making sure your “Top sites” display your frequently visited sites over time:

1. Make sure you visit the same website address often: They should appear after approximately 10 visits.
2. We identify your frequently visited sites multiple times per day. Depending on your browsing habits, you may need to wait for up to a day before you see it in your Top sites.
3. Removing a Top site tile will exclude that website forever. To clear the list of excluded websites, please run “Clear browsing history” (Be sure to check the “Browsing history” checkbox)

​

This blog has been provided to you by the IE Support team!

We are seeing an increase interest in updating to Internet Explorer 11 due to the upcoming changes in support outlined in the blog below:

Stay up-to-date with Internet Explorer – http://blogs.msdn.com/b/ie/archive/2014/08/07/stay-up-to-date-with-internet-explorer.aspx

“After January 12, 2016, only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates. For example, customers using Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 on Windows 7 SP1 should migrate to Internet Explorer 11 to continue receiving security updates and technical support. For more details regarding support timelines on Windows and Windows Embedded, see the Microsoft Support Lifecycle site.”

In this quick blog post, we are including a link to a TechNet article “Internet Explorer 11 – FAQ for IT Pros” where in one of the Q/A, we outline the requirements for IE11.

What operating system does IE11 run on?

• Windows 10

• Windows 8.1

• Windows Server 2012 R2

• Windows 7 with Service Pack 1 (SP1)

• Windows Server 2008 R2 with Service Pack 1 (SP1)

Here are other resources you can used to help you prepare the IE11 deployment.

Creating an all-inclusive deployment package for Internet Explorer 11

• http://blogs.msdn.com/b/askie/archive/2015/07/28/creating-an-all-inclusive-deployment-package-for-internet-explorer-11.aspx

Tool to Scan your site for out of date libraries, layout issues and accessibility:

• http://dev.modern.ie/tools/staticscan/

Here are other resources available that may be useful:

• Internet Explorer 11 (IE11) – Deployment Guide for IT Pros
  • https://technet.microsoft.com/en-us/library/dn338135.aspx
• Install and Deploy Internet Explorer 11 (IE11)
  • https://technet.microsoft.com/en-us/library/mt269905.aspx
• Internet Explorer 11 – FAQ for IT Pros
  • https://technet.microsoft.com/en-us/library/dn268945.aspx
• IEAK 11 – Internet Explorer Administration Kit 11 Users Guide
  • https://technet.microsoft.com/en-us/library/dn454924.aspx

This blog has been provided to you by the IE Support team!

In this quick post, we are sharing a scenario you may encounter and how you could fix it.

When installing Internet Explorer 11 on the Windows 2008 R2 Master image build that is normally used for their Citrix Farm, the installation rolls-back after a reboot.

The same behavior was observed when the prerequisite KB2670838 was installed. After a reboot, this was also triggering the roll-back behavior.

TROUBLESHOOT

The CBS.LOG gave us more information about the failure which indicated an access denied was occurring during the update.

The error code: 0xc0000022 can easily be identify in the below cbs [%windir%\logs\cbs\cbs.log] log sample; Suggesting several attempts by the SPP Installer service[sppsvc ] failing with the access denied:

2015-10-14 14:58:30, Info                  CSI    00000072 Begin executing advanced installer phase 38 (0x00000026) index 234 (0x00000000000000ea) (sequence 273)    Old component: [l:0]””
New component: [ml:308{154},l:306{153}]”Microsoft-Windows-MSMPEG2VDEC, Culture=neutral, Version=7.1.7601.16492, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=amd64, versionScope=NonSxS”
Install mode: install    Installer ID: {1b265fd2-721c-4e59-ad55-9d102a5d1d7f}
   
Installer name: [12]”SppInstaller”2015-10-14 14:58:30, Info    CSI    0000000f@2015/10/14:18:58:30.153 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 0) completed with hr=0xc0000022“

2015-10-14 14:58:30, Info                  CBS    Progress: UI message updated. Operation type: Update. Stage: 1 out of 1. Percent progress: 72.
2015-10-14 14:58:31, Info                  CSI    00000010@2015/10/14:18:58:31.245 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 1) completed with hr=0xc0000022“

2015-10-14 14:58:32, Info                  CSI    00000011@2015/10/14:18:58:32.322 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 2) completed with hr=0xc0000022“

2015-10-14 14:58:33, Info                  CSI    00000012@2015/10/14:18:58:33.414 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 3) completed with hr=0xc0000022“

2015-10-14 14:58:34, Info                  CSI    00000013@2015/10/14:18:58:34.490 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 4) completed with hr=0xc0000022“

2015-10-14 14:58:35, Info                  CSI    00000014@2015/10/14:18:58:35.567 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 5) completed with hr=0xc0000022“

2015-10-14 14:58:36, Info                  CSI    00000015@2015/10/14:18:58:36.643 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 6) completed with hr=0xc0000022“

2015-10-14 14:58:37, Info                  CSI    00000016@2015/10/14:18:58:37.719 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 7) completed with hr=0xc0000022“

2015-10-14 14:58:38, Info                  CSI    00000017@2015/10/14:18:58:38.796 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 8) completed with hr=0xc0000022“

2015-10-14 14:58:39, Info                  CSI    00000018@2015/10/14:18:58:39.872 [94]”SPP Installer: CProcessingContext::Initialize->SLOpen (attempt 9) completed with hr=0xc0000022“

2015-10-14 14:58:40, Info                  CSI    00000019@2015/10/14:18:58:40.886 [155]”SPP Installer: ProcessInstallOrUninstall (amd64_Microsoft-Windows-MSMPEG2VDEC_31bf3856ad364e35_7.1.7601.16492_neutral_b36d391) completed with hr=0xc0000022“

2015-10-14 14:58:40, Error                 CSI    0000001a@2015/10/14:18:58:40.886 (F) CMIADAPTER: Inner Error Message from AI HRESULT = c0000022 [Error,Facility=(0000),Code=34 (0x0022)] [(null)][gle=0x80004005]
2015-10-14 14:58:40, Error                 CSI    0000001b@2015/10/14:18:58:40.886 (F) CMIADAPTER: AI failed. HRESULT = c0000022 [Error,Facility=(0000),Code=34 (0x0022)] Element: [163]”<sppInstaller xmlns=”urn:schemas-microsoft-com:spp:installer” xmlns:manv3=”urn:schemas-microsoft-com:asm.v3″

Here we see the rollback:

2015-10-14
14:58:40, Error      [0x01803c] CSI    00000076 (F) Failed execution of queue item Installer: SppInstaller({1b265fd2-721c-4e59-ad55-9d102a5d1d7f}) with HRESULT c0000022 [Error,Facility=(0000),Code=34 (0x0022)].  Failure will
not be ignored: A rollback will be initiated after all the operations in the installer queue are completed; installer is reliable (2)[gle=0x80004005]

2015-10-14
14:58:40, Info                  CSI    00000077 End executing advanced installer (sequence 273)Completion status: HRESULT_FROM_WIN32(ERROR_ADVANCED_INSTALLER_FAILED)

2015-10-14 14:58:43, Error                 CBS    Startup: Failed to process advanced operation queue, startupPhase: 0.  A rollback transaction will be created. [HRESULT = 0x80004005 – E_FAIL]

The actions to help resolved this particular scenario is to: 

• Make sure the Software Protection Platform service (sppsvc) is started and is not encountering any problems.
• Check the permissions and attributes on files 7B296FB0* in C:\Windows\System32 directory.

Default permissions: SYSTEM:F,Admnistrators:F and Users: (read and execute)

Attributes: No read only” (uncheck read-only)

Here are some quick steps you can take to implement the Feature Control Key mentioned in the recently release article 3123303 “The new “End of Life” upgrade notification for Internet Explorer” which is designed to alert users of the End of life for legacy Internet Explorer versions (IE10 and below).

In this example, we are using Computer Configuration GPO to target the Internet Explorer registry setting.  

OBJECTIVE: To implement the FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION registry key for the computer Group Policy Preferences Registry configuration.

REQUIREMENTS: Be familiar with GPMC.MSC console and Group Policy Preferences.

STEPS

• Open GPMC.MSC console and from the left hand pane, expand: Computer Configuration / Preferences / Windows Settings and Right Click on the Registry object and select New > Collection Item

• Right click on the Collection Item, select rename and give it a friendly name, example: KB3123303_FCK

• Right click on the KB3123303_FCK and select NEW / Registry Item

• Match the following entries:

Action: Create
Hive: HKEY_LOCAL_MACHINE
Key Path:SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION
Value name: iexplore.exe
Value type: REG_DWORD
Value data: 1

• From the common TAB, you can set this GPO to Apply once and do not reapply if this meet your needs

Option:

ECHO OFF
REM End of Life FCK
REM Author: Axelr
REM Comments: Helps configure the End of Life Feature Control Key outlined kb3123303. This batch will add the keys ad value!
REM End
ECHO ON
::Article
::The new "End of Life" upgrade notification for Internet Explorer
::https://support.microsoft.com/en-us/kb/3123303
::x86
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /t REG_DWORD /d 1 /f
::x64
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /t REG_DWORD /d 1 /f

ECHO OFF
REM End of Life FCK
REM Author: Axelr
REM Comments: Helps configure the End of Life Feature Control Key outlined kb3123303. This batch will removed the value!
REM End
ECHO ON
::Article
::The new "End of Life" upgrade notification for Internet Explorer
::https://support.microsoft.com/en-us/kb/3123303
::Delete the entries
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /f
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_IE11_SECURITY_EOL_NOTIFICATION" /v "iexplore.exe" /f