Configuring Proxy Settings via GPO on Windows

The article shows how to use Active Directory Group Policies (GPOs) to configure proxy server settings on domain-joined computers running Windows 10/11 and Windows Server 2022/2019/2016/2012R2. These proxy server settings are used by all modern browsers, including Internet Explorer 11 (reached end of support on June 2022), Google Chrome, Microsoft Edge, Opera, and Mozilla Firefox (with the option Use system proxy settings enabled by default).

How to Set Proxy Settings via Group Policy?

To manage the browser’s proxy server settings on a Windows computer, you can use Group Policy Preferences (GPP) or Internet Explorer Administration Kit 11 (IEAK 11). In order to set proxy settings via GPO on users’ computers in the AD domain, perform the following actions:

  1. Open Group Policy Management Console (gpmc.msc);
  2. Select the Active Directory organization unit (OU) for which you want to apply the new proxy settings. In this example, we want to apply a proxy settings policy to user OU (OU=Users,OU=California,OU=USA,DC=theitbros,DC=com);
  3. Right-click on OU and select Create a GPO in this domain and link it here;
    gpo proxy settings
  4. Specify a policy name, for example, CA_Proxy;
    gpo proxy
  5. Click on the policy and select Edit;
    group policy proxy settings
  6. Expand the following section: User Configuration > Preferences > Control Panel Settings > Internet Settings. Right-click and select New > Internet Explorer 10 (this policy will also be applied for the IE 11);

    Note
    . In previous versions of Internet Explorer (6, 7, and 9) to configure Internet Explorer settings you needed to use the following section in the Group Policy Editor console: User configuration > Policies > Windows Settings > Internet Explorer Maintenance. However, in Internet Explorer 10 (which firstly appeared on Windows Server 2012 and Windows 8) the Internet Explorer Maintenance (IEM) section was removed from GPO Editor. Moreover, this section also disappeared in Windows 7/Windows Server 2008 R2 after Internet Explorer 10 or 11 was installed. If you try to apply the IEM policy to a computer with IE 10 or 11, it won’t work;
    proxy settings gpo
  7. On the standard window with the Internet Explorer settings, go to the Connections tab and press the LAN Settings button;
    proxy gpo
  8. Tick the checkbox “Use a proxy server for your LAN” and specify the Address and Port of your proxy server (for example, 192.168.1.11, port 3128). To enable this option, press the F6 button (underline for that setting will change the color from red to green). To disable a specific policy setting press F7 (disable the option “Automatic detect settings” this way).Tip. The green underscore for the IE parameter means this setting is enabled and will be applied through Group Policy. Red underlining means the setting is configured, but disabled. To enable all settings on the current tab, press F5. To disable all policies on this tab use the F8 key. Note the Bypass Proxy Server for Local Addresses option. When this policy setting is enabled, local resources are always accessed directly, not through a proxy server. Windows automatically recognizes the address of the format http://theitbros as local and IE when accessing them bypasses the proxy (Local addresses are all URLs without a domain suffix). However, it is important to note that the addresses of the format http://forum.theitbros.local or http://192.168.0.50 can’t be recognized by the system as a local. In order to avoid using a proxy to access such resources, you need to configure exceptions for them using the policy Do not use proxy servers for addresses beginning with (see below);
    gpo proxy settings windows 10
  9. If you need to specify the list of address exceptions, click Advanced. In the field Do not use proxy servers for addresses beginning with specify the list of IP addresses or domains (this option allows you to bypass the proxy for the specified domains/IP addresses). You can use the wildcards in proxy exception list. The exclusion list is a simple string with the list of DNS names and/or IP addresses (values in the list must be separated by a semicolon). For example:
    192.*;*.theitbros.com

    gpo set proxy

  10. Press OK twice to save settings.

Note. This rule only works for Internet Explorer 10 and Internet Explorer 11. For earlier IE versions, you need to create separate rules.

It remains to update group policy settings on client computers (with the command: gpupdate /force), and check proxy settings in IE (Control Panel > Network and Internet > Internet Options > Connections > LAN Settings).

gpo proxy windows 10

If you want the proxy server settings to be applied to users based on the IP subnet where their devices are located, you can use the GPP Item Level-Targeting. To do this, switch to the Common tab in the policy settings and check the Item-Level Targeting option. Click on the Targeting button.

windows 10 proxy gpo

Select New Item > IP address ranges. Specify the range of IP addresses in your subnet for which you want to apply proxy settings.

group policy proxy settings windows 10

Save the policy settings. Similarly, create several IE policies with proxy settings for different IP subnets.

windows 10 gpo proxy settings

As a result, the proxy settings for the users will be applied depending on the IP network (office) in which they work (convenient for mobile employees with laptops).

Tip. To configure the new IE policy from Windows Server 2008/R2, you need to download Administrative Templates for Internet Explorer, and copy files Inetres.admx and Inetres.adml to the folder %SYSTEMROOT%\PolicyDefinitions.

When a policy with proxy server settings is applied to a user computer, it changes the values of the registry settings under the following key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.

group policy proxy

Accordingly, you can directly configure the IE proxy settings in registry. In order to configure proxy setting for a current user on your computer, you can use the following PowerShell script:

$proxyregkey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Set-ItemProperty -Path $proxyregkey -Name ProxyEnable -Value 1

Set-ItemProperty -Path $proxyregkey -Name ProxyServer -Value "192.168.1.11:3128"

Set-ItemProperty -Path $proxyregkey -Name ProxyOverride -Value '10.*;192.168.*;*.theitbros.com;<local>'

Set-ItemProperty -Path $proxyregkey-Name AutoDetect -Value 0

set proxy gpo

This means that you can deploy the same registry settings with your proxy configuration to domain-joined computers using GPO (Group Policy Preferences, to be more precise).

Create a new GPO and expand the GPP section User Configuration > Preferences > Registry and create 3 registry parameters in the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]:

  • ProxyEnable (REG_DWORD) = 00000001;
  • ProxyServer (REG_SZ) = 192.168.1.11:3128;
  • ProxyOverride (REG_SZ) = 192.*;*.theitbros.com.

proxy group policy

Proxy Settings for Computers in Group Policy

By default, IE proxy settings are per user. However, you can use the different GPO to apply proxy settings to all users of the computer. To do this, go to the following section in the GPO Editor console: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer. Enable the policy Make proxy settings per-machine (rather than per user).

Note. The same setting can be enabled through the registry:

$proxyregkey = "HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"
New-ItemProperty -Path $proxyregkey -Name ProxySettingsPerUser  -Value 0

set proxy via gpo

To apply settings to computer objects, also enable the policy Configure user Group Policy loopback processing mode under the Computer Configuration > Policies > Administrative Templates > System > Group Policy. Select the Merge mode in the policy settings.

How to Apply WinHTTP Proxy Settings via GPO?

By default, the WinHTTP service does not use the proxy settings configured in Internet Explorer. As a result, some system services (including the Windows Update service: Wususerv) won’t be able to access the Internet.

Check current WinHTTP proxy settings with the command:

netsh.exe winhttp show proxy
windows 10 proxy settings gpo
Current WinHTTP proxy settings: Direct access (no proxy server).

To enable WinHTTP proxy for a computer through a GPO, you must configure a special registry parameter.

First, you need to configure a proxy for WinHTTP on the reference computer. The easiest way is to import proxy settings from IE:

netsh winhttp import proxy source=ie

gpo edge proxy settings

These settings will be saved in the WinHttpSettings parameter under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.

gpo for proxy settings

Now open your proxy GPO and go to Computer Configuration > Preferences > Windows Settings > Registry > New > Registry Wizard.

Select Local computer and specify the full path to the WinHttpSettings parameter.

internet explorer proxy settings gpo

It remains to click Finish, update the policy on computers, and make sure the WinHTTP proxy settings are applied successfully.

How to Prevent Users from Changing Proxy Settings in Browsers?

By default, if you configure the proxy server settings in Windows through the GPO, computer users can change the proxy settings themselves.

Note that proxy settings in Windows can be edited using both IE options and the modern Settings control panel.

windows gpo proxy settings

You can prevent users from changing proxy settings in Windows using the “Prevent changing proxy settings” additional GPO option. This parameter is present in both the user and computer GPO sections.

  • Computer Configuration > Policies > Administrative Templates > Windows Components – Internet Explorer
  • User Configuration > Policies > Administrative Templates > Windows Components Internet Explorer

configure proxy gpo

If you enable this policy and apply it to the domain computer, then the fields with proxy settings in Windows will be blocked, and the caption will appear below: Some settings are managed by your system administrator.

apply proxy settings to computer gpo

Hint. Settings in the Computer Configuration section take precedence over user settings.

Typically, you want to use a more flexible way of granting permissions to change proxy settings on computers. For example, you can restrict proxy settings for all users except members of the ca_workstation_admins domain security group.

  1. Create a new GPO with proxy settings (or edit an existing one);
  2. Go to Group Policy Preferences (User Configuration > Preferences > Windows Settings > Registry) and create two registry values:

The first parameter prohibits changing proxy settings:

Hive: HKEY_CURRENT_USER

Key Path: Software\Policies\Microsoft\Internet Explorer\Control Panel

Value name: Proxy

Value type: REG_DWORD

Value data: 00000001

The second parameter blocks the launch of the IE window with proxy settings:

Hive: HKEY_CURRENT_USER

Key Path: Software\Policies\Microsoft\Internet Explorer\Restrictions

Value name: NoBrowserOptions

Value type: REG_DWORD

Value data: 00000001
  1. These policies will apply to all computer users;
  2. To prevent policies from applying to a specific security group, you need to copy these two parameters, set a larger Order, and change their values to 00000000;
  3. Then open the properties of each of these two registry settings, go to Common > Item level targeting > Targeting;
  4. Create a new targeting rule: New > Security Group > provide a group name (ca_workstation_admins);
    proxy server gpo
  5. Create a similar targeting rule for the second registry parameter;
  6. As a result, if a user from the specified group logs on to the computer, the proxy settings for him won’t be locked.

It is also worth noting that for .NET Core 3.0 applications (including PowerShell Core 7.x) you can set proxy server settings using the following Windows environment variables:

  • HTTP_PROXY:
  • HTTPS_PROXY
  • ALL_PROXY
  • NO_PROXY

You can create and distribute these environment variables to domain user computers using GPP. Just create the required environment variables under Computer Configuration > Preferences > Windows Settings > Environment.

gpedit proxy settings

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)

13 comments

  1. Once applied, is it possible to remove the connections tab ? I don’t see a point changing the proxy address if users can then go in and change it ?

    1. Hey, Daniel!

      To lock tab with proxy setting you must enable the policy User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Prevent changing proxy settings.

      1. Awesome thanks – I will test this today. I have IE 11 on Windows 10 so I’m trying to avoid using registry changes, using the following
        User Configuration -> Preferences -> Control Panel Settings -> Internet Settings . Right click and select New-> Internet Explorer 10

  2. Hi,
    we have the issue that we have setup GPP Internet Explorer 10 settings (proxy server, exceptions….) and the settings are applied – we see them in the registry but IE does not show these settings. IE settings are empty.
    Any idea?

      1. Hey there,

        WHat was the bad entry as im experiencing the exact same issue! i can set all other Internet options but anything to do with LAN settings arent being applied in IE11… although i can see them clearly being altered in IE’s Registry. i’m pulling my hair out and not sure whats causing the issue.

        Any help would be great

        Thanks
        James

  3. hi , If i configure the proxy through Group policy , it will work for desktop users. in case the laptop user want to connect the home network it will ask to remove the proxy to connect the internet. how to solve this issue?

  4. I’ve been wrestling with getting the proxy to actually apply to client computers. This article and especially your tips about enabling and disabling settings within the Connections tab are what I needed to get my GPO to actually filter.

    A thousand thank yous :-)

  5. OMG!!! The Red and Green underline thing was driving us bonkers.
    I don’t believe I saw another article where that part was explained until I saw this website.

    That single handedly got it working so THANK YOU VERY MUCH!!!!!

  6. My issue is that it is applying everything except the exceptions list. I have a couple websites listed using a wildcard since our Maintenance request system is web/cloud based. I made exceptions to http://ourmaintenancesite.com/*;https://ourmaintenancesite.com/* for example. But going to the site, it is still being block by proxy and bypass for local addresses is checked and underlined in green. Only exceptions is not working. Any ideas????

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.