group policy

Configuring Proxy Settings via GPO on Windows 10/Windows Server 2016


The article shows how to use Active Directory Group Policies features to configure proxy settings on domain-joined computers running Windows 10 and Windows Server 2019/2016/2012R2. These proxy server settings are used by all modern browsers, including Internet Explorer 11, Google Chrome, new Chromium-based Edge, Opera and Mozilla Firefox (with the option Use system proxy settings enabled by default).

How to Set Proxy Settings via Group Policy?

To manage browser’s proxy server settings on Windows 10/Windows Server 2016/2019 computer you can use Group Policy Preferences (GPP) or Internet Explorer Administration Kit 11 (IEAK 11). In order to set proxy settings via GPO on user computers in AD domain, perform the following actions

  1. Open Group Policy Management Console (gpmc.msc) on a computer running Windows 10 or Windows Server 2016;
  2. Select the Active Directory organization unit (OU) for which you want to apply the new proxy settings. In this example, we want to apply a proxy settings policy to user OU (OU=Users,OU=California,OU=USA,DC=theitbros,DC=com)
  3. Right-click on OU and select Create a GPO in this domain and link it here;
    gpo proxy settings
  4. Specify a policy name, for example CA_Proxy;
    gpo proxy
  5. Click on the policy and select Edit;
    group policy proxy settings
  6. Expand the following section: User Configuration > Preferences > Control Panel Settings > Internet Settings. Right click and select New > Internet Explorer 10 (this policy will also be applied for the IE 11);

    Note. In previous versions of Internet Explorer (6, 7 and 9) to configure Internet Explorer settings you needed to use the following section in the Group Policy Editor console: User configuration > Policies > Windows Settings > Internet Explorer Maintenance. However, in Internet Explorer 10 (firstly appeared on Windows Server 2012 and Windows 8) the Internet Explorer Maintenance (IEM) section was removed from GPO Editor. Moreover, this section also disappears in Windows 7/Windows Server 2008 R2 after Internet Explorer 10 or 11 installed. If you try to apply IEM policy to a computer with IE 10 or 11, it will not work.
    group policy proxy settings server 2016

  7. On the standard windows with the Internet Explorer settings, go to the Connections tab and press LAN Settings button.
    gpo proxy settings windows 10
  8. Tick the checkbox “Use a proxy server for your LAN” and specify the Address and Port of your proxy server (for example 192.168.1.11, port 3128). To enable this option, press F6 button (underline for that setting will change the color from red to green). To disable specific policy setting press F7 (disable the option “Automatic detect settings” this way).
    Tip. The green underscore for the IE parameter means that this policy is enabled and will be applied through Group Policy. Red underlining means that the setting is configured, but disabled for users’ computers. To enable all settings on the current tab, press F5. To disable all policies on this tab use F8 key.Note the Bypass Proxy Server for Local Addresses option. When this policy setting is enabled, local resources are always accessed directly, not through a proxy server. Windows automatically recognizes the address of the format http://theitbros as local and IE when accessing them bypasses the proxy. However, it is important to note that the addresses of the format http://forum.theitbros.local or http://192.168.0.50 can’t be recognized by the system as local. In order to avoid using a proxy to access such resources, you need to configure exceptions for them using the policy Do not use proxy servers for addresses beginning with (see below).
    proxy gpo
  9. If you need to specify the list of address exceptions, click Advanced. In the field Do not use proxy servers for addresses beginning with: specify the list of IP addresses or domains. For example:
    192.*;*.theitbros.com

    group policy proxy settings windows 10

  10. Press OK twice to save settings.

Note. This rule only works for Internet Explorer 10 and Internet Explorer 11. For earlier IE versions, you need to create separate rules.

It remains to update group policy settings on client computers (with the command: gpupdate /force) and check proxy settings in IE (Control Panel > Network and Internet > Internet Options > Connections > LAN Settings).

proxy settings gpo

If you want the proxy server settings to be applied to users depending on the IP subnet in which they work, you can use the GPP Item Level-Targeting. To do this, switch to the Common tab in the policy settings and check the Item-Level Targeting option. Click on the Targeting button.

internet explorer proxy settings gpo

Select New Item > IP address ranges. Specify the range of IP addresses in your subnet for which you want to apply proxy settings.

group policy proxy settings server 2012

Save the policy settings. Similarly, create several IE policies with proxy settings for different IP subnets.

windows 10 proxy settings gpo

As a result, the proxy settings for the users will be applied depending on the IP network (office) in which they works (convenient for mobile employees with laptops).

Tip. To configure new IE policy from Windows Server 2008/R2, you need to download Administrative Templates for Internet Explorer and copy files Inetres.admx and Inetres.adml to the folder %SYSTEMROOT%PolicyDefinitions.

Also, you can configure IE proxy settings using the registry. Expand the GPP section User Configuration > Preferences > Registry and create 3 registry parameters in the following registry key:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]:

  • ProxyEnable (REG_DWORD) = 00000001
  • ProxyServer(REG_SZ) = 192.168.1.11:3128
  • ProxyOverride (REG_SZ) = 192.*;*.theitbros.com

set proxy gpo

Proxy Settings for Computers in Group Policy

By default, IE proxy settings are per user. Those, user can change proxy settings. Using the GPO, you can apply proxy settings to all users of the computer. To do this, go to the following section in the GPO Editor console: Computer Configuration > Administrative Templates > Windows Components > Internet Explorer. Enable the policy Make proxy settings per-machine (rather than per user).

Note. The same setting can be enabled through the registry:

REG key: HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DWORD parameter: ProxySettingsPerUser = 0

windows 10 gpo proxy settings

To apply settings to computer objects, also enable the policy Configure user Group Policy loopback processing mode under the Computer Configuration > Policies > Administrative Templates > System -> Group Policy.

How to Apply WinHTTP Proxy Settings via GPO?

By default, the WinHTTP service does not use the proxy settings configured in Internet Explorer. As a result, some system services (including the Windows Update service: Wususerv) won’t be able to access the Internet.
Check current WinHTTP proxy settings with the command:

netsh.exe winhttp show proxy

gpo set proxy

Current WinHTTP proxy settings:

Direct access (no proxy server).

To enable WinHTTP proxy for a computer through a GPO, you must configure a special registry parameter.
First, you need to configure proxy for WinHTTP on the reference computer. The easiest way is to import proxy settings from IE:

netsh winhttp import proxy source=ie

gpo proxy internet explorer

These settings will be saved in the WinHttpSettings parameter under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.

ie proxy settings gpo

Now open your proxy GPO and go to Computer Configuration > Preferences > Windows Settings > Registry > New > Registry Wizard.

Select Local computer and specify the full path to the WinHttpSettings parameter.

gpo internet explorer proxy settings

It remains to click Finish, update the policy on computers, and make sure that the WinHTTP proxy settings are applied successfully.

Comments
  1. Posted by skip1019
  2. Posted by Daniel
    • Posted by TheITBros
      • Posted by Daniel
  3. Posted by Stefan
    • Posted by Stefan
      • Posted by james
  4. Posted by Ameeer
  5. Posted by NorthBayTeky

Add Your Comment