Tag Archives: internet explorer

Citrix – XenApp/Desktop integrate Internet Explorer 11 Enterprise Mode – Issue and workaround

Published / by Rens Hollanders / 6 Comments on Citrix – XenApp/Desktop integrate Internet Explorer 11 Enterprise Mode – Issue and workaround

Working in real life production environments beats concept and test environments each and every time when it comes to debugging and optimizing the environment for your care-free šŸ˜‰ end-users.

No matter how much you have tested up front, If you think you’ve got it covered for 99,9 % there’s always that 0,01 % that comes knocking at your door. This time it’s Internet Explorer 11 Enterprise Mode, in combination with Citrix XenApp 7.5 / 7.6 that causes a malfunction of the so called EMIE feature.

First some more details about Internet Explorer Enterprise Mode or EMIE:

A lot has been written about EMIE and one of the founding father’s I believe is Microsoft Architect Chris Jackson, who was so kind to at least hear me out after I contacted him on twitter FTW!

EMIE operates as an alternative to Internet Explorer’s Compatibility View. It’s a feature that needs to be enabled trough Group Policy Objects to reveal itself to the user. The benefit of using EMIE above Compatibility View is that EMIE allows us to specify individual websites to run EMIE even when the parenting website should not run EMIE. Opposed to Compatibility View, which allows you to only run entire domains in compatibility view, not excluding or including sub-domainsĀ orĀ sub-sites.

If EMIE would have been enabled on your machine, you would have found it here:

figure 1.1: Internet Explorer Tools


Since it’s not there we need to make it visible, start GPEDIT.MSC and go to: “Computer Configuration \ Administrative Templates \ Windows Components \ Internet Explorer” and enable “Let users turn on and use Enterprise Mode from the Tools menu“. Next, perform a GPUPDATE /FORCE to force the policy to become active.

figure 1.2:Ā Group Policy Objects – Configure EMIE


This causes you to put websites in Enterprise Mode for the length of your current browser session. When you close your session, Enterprise Mode for this particular website isn’t active anymore when the website is revisited.

Since we configured the Group Policy Object, we can now see EMIE in Internet Explorer 11:

figure 1.3: Internet Explorer Tools – EMIE visible


Microsoft has come up with a solution to provideĀ a list of websites that forces Internet Explorer 11 to always render those particular websites in Enterprise Mode. Therefore the following Group Policy Object is configured:Ā “Computer Configuration \ Administrative Templates \ Windows Components \ Use the Enterprise Mode IE website listĀ “. This allows you to generate a website list XML file, which contains which websites should run Enterprise Mode and which shouldn’t.

It looks like this, and is best managed and generated with the Enterprise Mode Site List Manager:

figure 1.4: EMIE Site List Manager


figure 1.5: EMIE Site List Manager – Add new website


If for example the website: www.google.com was to run in Enterprise Mode, it would look like this:

figure 1.6: Google running EMIE


EMIE can be easily identified, when looking at the address bar, in front of it you should see a blue square with a white office building logo. This represents EMIE is enabledĀ for this particular website.

The problem:

In this particular case we have setup EMIE, to use the Sitelist.xml hosted on a file server. It’s also possible to host the file on either a webserver or local file path.

If we look at EMIE and it’s behavior in the registry, we can conclude the following information is necessary to configure EMIE for users.

In HKLM we encounter the following key and registry values: “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode” -NameĀ “Enable” -value “blank” -type “REG_SZ”

And -NameĀ “SiteList” -value “path to xml file” -type “REG_SZ”

figure 1.7: Regedit – HKLM


And in HKCU we encounter the following key and registry value: “HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\EnterpriseMode” -stringĀ “Currentversion” -value “1” -type “REG_SZ”

The currentversion value, checks if the Sitelist.xml has been updated between the previous and current session. If this is the case, EMIE will retrieve the new Sitelist.xml from the designated target location. This procedure also causes EMIE to malfunction in cases where the list has not been updated, but the list itself not being retrieved. The solution to this is to either delete the CurrentVersion value each time from the users registry, or to increase the version number within the Sitelist.xml. I choose another option: Use mandatory profiles! Since mandatory profiles is already in place within our environment, each time the user log’s out everything that is not preserved with RES Workspace Manager Zero Profile technology will be deleted. For more information about this particular ‘error’, please visit this social.technet thread.

What we encountered in our environment was that when logging in to a Citrix connected session the Enterprise Mode was not configured, opposed to when we logged in from an Remote Desktop Session. This has come forward during troubleshooting the issue. At first we looked with ProcMon to find if any other process was interfering with our Group Policy Object and RES Workspace Manager, which we use to configure HKCU Group Policy Objects and registry settings with, but we couldn’t find a direct lead to the problem.

The behavior prior to resolving the issue was, that when using a Citrix connected session. The “EnterpriseMode” key was not and could not be created in the user’s registry for the length of the session. Strangely enough we could create registry value’s under .\Internet Explorer\Main, but not key’s. Regedit threw an error stating:

figure 1.8: Regedit – Error


Unfortunately the screenshot is in Dutch, but it states: Cannot create key: an error has occurred when trying to write to the registry

The workaround:

While troubleshooting, I’ve submitted a ticket with Microsoft Support, but they were unable to find anything concerning either Server 2012 R2, Internet Explorer and EMIE in particular. Which pointed me to Citrix. I received a tip from a Citrix partner to create a registry placeholder through Group Policy Object, which is what I did:

figure 1.9: Group Policy Objects – User Configuration registry placeholder


figure 1.10: Group Policy Objects – User Configuration registry placeholderemie009
figure 1.11: Group Policy Objects – User Configuration registry placeholder

This finally ‘resolved’ my issue, and made it able to use EMIE within a Citrix XenApp 7.5 / 7.6 environment. However it’s still unclear what causes to hijack the “.\Internet Explorer\MAIN” key, due to the placeholder it’s now possible to create keys underneath MAIN which was necessary for EMIE to function properly.

Although this workaround works for now. I’m convinced the error lies within Citrix, and they should at least examine the root cause of this incident. Since Server 2012 R2 and Citrix XenApp is becoming common ground in Server Based Computing land, and I think it’s highly unlikely that no one else will encounter the sameĀ issue.

In the mean time, this should have to do the trick and I hope this can be useful for anyone encountering the same issue.

Don’t agree? Or got a better idea? -As always comments and contribution’s in the comment section are greatly appreciated.

Cheers! -Rens

RES Workspace Manager – Save IE and Windows Credentials

Published / by Rens Hollanders / 13 Comments on RES Workspace Manager – Save IE and Windows Credentials

Just a quick post to inform everyone who is interested where to find and preserve the Internet Explorer and Windows Credentials used to log in to SharePoint websites, web-portals and other websites.

Normally you would find these settings within Windows, at the following place: “Control Panel \ All Control Panel Items \ Credential Manager”

figure 1.1: Credential Manager

Credential Manager

The folder location where these files can be found on your own computerĀ for these three folders and it’s place in the registry are:

  1. C:\Users\<username>\AppData\Local\Microsoft\Credentials
  2. C:\Users\<username>\AppData\Roaming\Microsoft\Credentials
  3. C:\Users\<username>\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  4. HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

If we take a look into the “Credentials”Ā folders you will not see anything unless you uncheck: “Hide protected operating system files (Recommended)” in the folder options:

figure 1.2: Folder options


Once this has been done, have a look into your .\Credentials folders to find files like these:

figure 1.3: Credentials


Now if we want to preserve the information for this section with RES Workspace Manager, since you might have configuredĀ mandatory profiles with RES Zero Profile technology. Just add the following fourĀ paths to your “User Setting template” for Internet Explorer 11. (Alternatively you may want to create a dedicated User Setting for these credentials)

  1. Folder tree:Ā %LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  2. Folder tree: %LOCALAPPDATA%\Microsoft\Credentials
  3. Folder tree: %APPDATA%\Microsoft Credentials
  4. Registry tree: HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2

Remarkably, the first path needs to be added into RES Workspace Manager including the GUID folder:Ā 4BF4C442-9B8A-41A0-B380-DD4A704DDB28

To learn more about the credentials Vault present in Windows, please visit this excellent blog written by “Derek Melber”:Ā Saving Credentials on Windows Computers

figure 1.6: RES Workspace Manager – Edit User Setting

RES WM  - User Settings2

Click OK, and you are good to go! Now passwords entered on websites will be preserved in between user sessions.

Again any comments or contributions are valued!

Cheers! šŸ™‚

MDT – Automating IE Blocker for Windows

Published / by Rens Hollanders / Leave a Comment

Today I was at a client which had a question among others about blocking the automatic installation of Internet Explorer 11.0 on clients which needed to run on Internet Explorer 8.0 only.

I was there integrating some new things in MDT when the question came from the person responsible for deploying the machines at their site. Since the company was not running WSUS and had not configured GPO’s to regulate Windows Updates. I needed to find another solution to prevent the automatic installation of any Internet Explorer version higher then 8.0.

While already made a regshot of a machine where I chose to hide the installation of Internet Explorer 9.0, 10.0 and 11.0, I struck a Microsoft link which referred to:Ā Toolkit to Disable Automatic Delivery of Internet Explorer ##

It appears Microsoft has a toolkit, or set of scripts and files to do just that! šŸ˜€

You can find the toolkits for each version here:

Internet Explorer 7.0
Internet Explorer 8.0
Internet Explorer 9.0
Internet Explorer 10.0
Internet Explorer 11.0

Basically each ‘Toolkit’, exists out of the following set of files:

  • IE##_Blocker.adm
    which holds the GPO template to regulate the exact same thing via GPO
  • IE##_Blocker.cmd
    which is an command line tool which writes specific values to the registry of the machine on which it is being executed
  • IE##_BlockerHelp.htm
    which is the help file where you may find usefull information on how to use this tool
figure 1.1: the containing files of theĀ IE##_BlockerToolkit.exe


Now to prevent the installation of any unwanted version of Internet Explorer during your deployment process (when your machine is already running Windows and is connected to the internet, the polling for new updates starts right away). Just incorporate the IE##_Blocker.cmd as an application with source files into MDT.

figure 1.2: General application properties of the Microsoft Internet Explorer Blocker ##


figure 1.3: Detailed application properties of the Microsoft Internet Explorer Blocker ##


Basically all that needs to be specified in the command line is the following: cmd /c IE##_Blocker.cmd %OSDComputerName% /B

cmd /c makes sure, that a command line is executed, IE##_Blocker.cmd speaks for itself, and since the variable %OSDComputerName% is known for the length of the deployment it can be used instead of the real hostname, and the /B switch tells the CMD to make a registry key into the registry to block the automatic installation of Internet Explorer.

When the machine is finished, a simple verification if the tool has been executed correctly will suffice:

figure 1.4: Registry key written that blocks the automatic installation of Internet Explorer


As you can see for each version of Internet Explorer a DWORD “DoNotAllowIE##” will be written with a value of “1” under: HKLM:Software\Microsoft\Internet Explorer\Setup\##.#\

Alternatively you may choose to write this regkey yourself, automated via a script, command line etc. do it via GPO, or implement Windows Server Update Services.

Hope you find this blog usefull, and if there is anything that you would like to ask or contribute, as always don’t hesitate to leave something in the comment section. šŸ™‚