You can use Group Policies (GPOs) to configure proxy server settings on Windows devices in an Active Directory domain. These proxy server settings are used by all modern browsers, including Google Chrome, Microsoft Edge, Opera, and Mozilla Firefox.
Table of Contents
How to Set Proxy Settings with Group Policy Preferences?
The Group Policy Preferences (GPP) can be used to manage the Windows proxy server settings on users’ computers.
- Open Group Policy Management Console (gpmc.msc);
- Right-click on the Active Directory OU containing the user accounts to which you want to apply the new proxy settings and select Create a GPO in this domain and link it here;
- Specify a policy name (for example, CA_Proxy), right-click your new GPO, and select Edit;
- Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings. Right-click and select New > Internet Explorer 10;
- You will see a standard Internet Properties form, similar to the one in the Windows Control Panel. Go to the Connections tab and press the LAN Settings button;
- Tick the checkbox “Use a proxy server for your LAN” and specify the Address and Port of your proxy server (for example, 192.168.1.11, port 3128). Use the function keys to enable or disable options on this form.
F6 — activate selected option (the underline for an enabled GPO option changes color from red to green)
F7 — disable a specific policy setting press (disable the option “Automatic detect settings” this way)
F5 — enable all settings on the current tab
F8 — disable all policies on this tab press
Tip. The Bypass Proxy Server for Local Addresses option allows certain local resources to be accessed directly, rather than through a proxy server. Windows automatically recognizes all URLs without a domain suffix as local address (for example, http://theitbros). When accessing such an address, the browser will bypass the proxy. Note that addresses of the format http://forum.theitbros.local or http://192.168.0.50 are not recognized by the Windows as local addresses;
- You can specify a list of address exceptions to bypass the proxy in Advanced > Do not use proxy servers for addresses beginning with. The exclusion list is a simple string containing a list of DNS names and/or IP addresses (separated by semicolons). You can use the wildcards in the proxy exception list. For example:
- Press OK twice to save the GPO settings.
Check that the proxy policy is being applied to client computers (run the gpupdate /force command to immediately apply new GPO settings to the computer). You can check your current proxy settings in Windows under Settings > Network and Internet > Proxy.
With GPP Item Level Targeting, you can apply proxy server settings to users based on the security group or IP subnet in which their devices are located. In the policy settings, go to the Common tab and check the Item-Level Targeting option. Click on the Targeting button.
Select New Item > IP address ranges. Specify the range of IP addresses in your subnet for which you want to apply proxy settings.
Save the settings. Similarly, create multiple GPP items with proxy settings for different IP subnets.
The result is that users’ proxy settings are applied in accordance with their IP network (office). (It can be convenient for mobile workers with laptops.
Configuring Proxy Setting on Windows Through Registry
You can apply proxy server settings directly to a user through the registry.
Note. Learn about how to add, edit, and remove registry keys with GPO.
Create a new GPO and go to User Configuration > Preferences > Registry. Create 3 registry parameters in the registry hive HKEY_CURRENT_USER in SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings key:
- ProxyEnable (REG_DWORD) = 00000001;
- ProxyServer (REG_SZ) = 192.168.1.11:3128;
- ProxyOverride (REG_SZ) = 192.*;*.theitbros.com.
After applying the GPO settings to the computer, check the proxy server settings in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings key.
How to Prevent Users from Changing Proxy Settings in Windows
After applying a proxy settings policy, the user can manually change any proxy settings using both IE options in the classic Control Panel and the modern Settings pane (the next GPO update will overwrite these settings.).
Administrator can prevent users from changing proxy settings in Windows using the GPO option “Prevent changing proxy settings”. This parameter is present in both the user and computer GPO sections.
- Computer Configuration > Policies > Administrative Templates > Windows Components – Internet Explorer
- User Configuration > Policies > Administrative Templates > Windows Components Internet Explorer
After you enable this GPO option, the fields with the proxy settings will be blocked in Windows, and the caption will appear:
Some of these settings are hidden or managed by your system organization.
Set Proxy Settings Per Machine Instead of Per User with GPO
By default, Windows proxy settings are per-user. However, you can apply proxy settings to all users of the computer. To do this, enable the policy Make proxy settings per-machine (rather than per user) under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
To apply settings to computer objects, also enable the policy Configure user Group Policy loopback processing mode under the Computer Configuration > Policies > Administrative Templates > System > Group Policy. Select the Merge mode in the policy settings.
How to Apply WinHTTP Proxy Settings via GPO
Above, we looked at how to apply proxy settings to users. However, this will not change the WinHTTP proxy settings (also known as a device proxy or system proxy). This means that some applications (including .NET Core apps) and system services (such as the Windows Update service) won’t be able to use a proxy to access the Internet.
Check current WinHTTP proxy settings with the command:
netsh.exe winhttp show proxy
Current WinHTTP proxy settings: Direct access (no proxy server).
There is no separate Group Policy option that allows you to configure the WinHTTP proxy. To enable WinHTTP proxy for a computer through a GPO, you must configure a special registry parameter.
First, you need to configure a proxy for WinHTTP on the reference computer. The easiest way is to import the proxy settings from the current user:
netsh winhttp import proxy source=ie
These settings will be saved in the WinHttpSettings REG_BINARY parameter under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.
Now open your proxy GPO and go to Computer Configuration > Preferences > Windows Settings > Registry > New > Registry Wizard.
Select Local computer and specify the full path to the WinHttpSettings parameter.
Now click Finish, update the policy on client computer, and check if WinHTTP proxy settings are applied successfully.
In this article, we looked at how to configure proxy settings in Windows using the GPO. All modern browsers (Edge, Chrome, Mozilla Firefox) will use your Windows proxy settings if you enable the “Use system proxy settings” option in them.