Saturday Link Roundup–Bitlocker & Display Driver Crashes

Bitlocker
Bitlocker Group Policy Settings
How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?

Display driver stopped respondingLimiting Repetitive GPU Hangs and Recoveries
Display Driver Stopped Responding and has Recovered [Solved]
TDR Registry Keys

Other
Microsoft: Understanding Web Proxy Configuration
How a $5 Raspberry Pi Zero can hack your locked laptop
local .pac-file URL format that works with IE and Safari (Windows)?

More on Internet Explorer 11 and “Enterprise Mode”

64px-Internet_Explorer_7_LogoIt’s been fun TRYING to implement Enterprise Mode

Some of the hurdles I’ve found so far:

  • it’s a new technology which Microsoft is releasing ongoing bug fixes for.
  • if you are going to use Microsoft Edge, your Sitelist MUST be hosted on a web server.  You can’t use a UNC path (ie. file://)
  • Microsoft Edge does not support webpages using vbscript, so you need to set a compatibility mode for that.
  • F12 Developer Mode is inconsistent in how it detects/renders Enterprise mode.
  • IF you are using the Group Policy setting “Display intranet sites in Compatibility View”, then you are getting Enterprise Mode + Compatibility View.
  • Microsoft updated the XML schema so version 2 (Windows 10) is not backward compatible with Windows 7 or 8.1.

References:
IE Enterprise Mode in a Nutshell
whatsmyuseragent.com
How to Detect Features Instead of Browsers
Internet Explorer 11’s Many User-Agent Strings
Compatibility View is used for Trusted sites in Internet Explorer 8
2.1.3.5 X-UA-Compatibility Meta Tag and HTTP Response Header
Should I Enable Enterprise Mode Through the Tools Menu or an XML File?

Internet Explorer 11 and “Enterprise Mode”

64px-Internet_Explorer_7_Logo“Our application only works on IE8”

was the refrain from a customer recently.  We just finished deploying Internet Explorer 11, and it was suddenly realised that the application had issues.

So doing some research, IE11 Enterprise Mode looks much better than setting IE Compatibility Mode via a X-UA-Compatible tab (blogged about that here).

The advantages of IE11 Enterprise Mode are as follows:

  • User agent string differences. Many legacy Web apps use browser detection, not today’s best practice of feature detection. By replicating the original Internet Explorer 8 user agent string, Enterprise Mode works for sites that fail if they can’t recognize IE8 as the browser.
  • ActiveX controls and other binaries. Some ActiveX controls silently fail if they query the browser version and get a response they don’t expect, so Enterprise Mode appeases these by mimicking IE8’s responses. In testing, customers report that many of these ActiveX controls “just work” in Enterprise Mode.
  • Deprecated functionality. Internet Explorer 8 still contained some vestiges of proprietary functionality, such as CSS Expressions which was used to place objects dynamically on a page. This functionality was removed in later versions of Internet Explorer, but some legacy Web apps used this to place buttons and other elements. Enterprise Mode brings back some deprecated features, including CSS Expressions.
  • Pre-caching and pre-rendering. Many modern browsers like Internet Explorer 11 pre-cache and pre-render pages, to make browsing more fluid. When you click on a pre-cached link, one tab disappears while the pre-rendered content tab appears in its place. To a legacy navigation controls, this behavior is confusing—so Enterprise Mode turns it off.

    (content courtesy of Microsoft’s IE Blog)

References:

Internet Explorer Compatibility Mode

“When people inside the building visit our web site, IE Compatibility mode is being forced on.  People on the internet don’t get compatibility mode.  Please fix.”

Internet Compatibility mode was created by Microsoft, for corporate customers.  It was first introduced with Internet Explorer 8.  Corporate customers predominately had websites coded for Internet Explorer 6.  Websites in the “Intranet” Security Zone get Compatibility Mode.

The solution to the customer query is to configure their webpage to specify what compatibility mode it is compatible with.  Microsoft have some guidance on this:
Defining document compatibility
Attaining IE8 Site Compatibility – Short Reference
Understanding Compatibility Modes in Internet Explorer 8
Specifying legacy document modes

If you visit a website with Internet Explorer, and press the F12 key, you’ll launch the Developer Tools screen.
IE Compatibility Mode

The webpage shown in the Developer Tools screenshot above is running in IE8 Standards mode.  The IE8 Standards mode has been forced by the X-UA-Compatible meta tag.

 

Some other things to be aware of.

Document Mode vs. Browser Mode
Document Mode.
Influences how the page displays in the browser,
The web server can force the document mode to what it wants.  In the example above, “IE8 Standards” mode has been forced by the X-UA-Compatible tag.
So, in essence, the Document Mode setting is “owned” by the web server.

Browser Mode
Browser Mode is simply put, is Internet Explorer telling the web server what it can display. 
In a corporate environment, placing a site into the Intranet Zone forces IE Compatibility Mode on.

Document Mode will in all (most?) cases override Browser Mode.
And this makes sense when you think about it.  The web server, and the webpage author, should know what their webpage page is designed for.

Gotta’s I’ve seen / heard of:

  • Placing the X-UA-Compatible meta tag in the HEAD section AFTER any scripts or CSS, DOES NOT WORK
  • The X-UA-Compatible meta tag MUST be in the HEAD section before all other elements except for the title element and other meta elements.
  • Having multiple X-UA-Compatible meta tags in the one page DOES NOT WORK.

Intranet site is identified as an Internet site when you use an FQDN or an IP address
When you access a local area network (LAN), an intranet share, or an intranet Web site by using an Internet Protocol (IP) address or a fully qualified domain name (FQDN), the share or Web site may be identified as in the Internet zone instead of in the Local intranet zone. For example, this behavior may occur if you access shares or Web sites with Microsoft Internet Explorer or Windows Internet Explorer, with Microsoft Windows Explorer, with a command prompt, or with a Windows-based program when you use an address in any one of the following formats:
  • \\Computer.childdomain.domain.com\Share
  • 
http://computer.childdomain.domain.com
  •  \\157.54.100.101\share
  •  file://157.54.100.101/share
  •  http://157.54.100.101

Bypassing Internet Explorer Group Policy lockdowns.

We lock down Internet Explorer, to prevent our non IT-savvy staff from changing settings which will break their internet access.  We apply those same settings to ourselves, which isn’t as bad as it sounds.  It ensures that when we make a Group Policy change, we’re impacted in the same way if it goes wrong.

But there are times when we need to bypass those settings.  One way we do that is by deleting the Group Policy Registry keys which control Internet Explorer.  We put the following in a .reg file and execute it:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]

[-HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer]

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

[-HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]

It works quite well.

“My computer is slow!” – A case of slow add-ons.

End user computer performance is about perception.  How fast does it “seem”?

Recently I looked at a corporate laptop, the user complained it was slow.  I checked the usual culprits and nothing seems to be hogging the CPU.  So I asked

“What do you mean by slow”

“Internet Explorer takes a long time to start up.”

!

Since Internet Explorer 9. the Manage Add-on feature monitors the load time of the installed add-ons.

Add-ons

In the above screen, you can see that the “Blog This in Windows Live” add-on takes 0.77 seconds to load.  I disabled the “Blog This in Windows Live” add-on, the loading speed of Internet Explorer improved, and the customer was happy.

Resetting the "IE Browser Choice” preference.

We upgraded Internet Explorer to IE8.  Foolishly enough, we assumed that on a Corporate Desktop, that users would only use Internet Explorer.

Then the complaints from the vocal Firefox majority rolled in.

“How dare you force me to use Internet Explorer!”

So we had to provide those Firefox users with a “choice”.

The solution was to reset the Internet Explorer “browser choice” setting so next time IE was launched:
Browser choice

We did this by using a VBscript, that we depoloyed to all the computers:
On Error Resume Next
Set objWSH = CreateObject("WScript.Shell")
objWSH.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations","Yes","REG_SZ"
Set objWSH = Nothing
WScript.Quit(0)

Roll forward 6 months, a query from the customer:

Can you reset the browser choice, as we’re moving away from Firefox …

“Why not use Group Policy?”
As it’s a corporate environment, we restrict what the users can change via the Internet Explorer menus.  In this environment, it was less hassle to use a VBscript to reset one option compared to allowing users to modify other menu options grouped in the same menu tab.

What happens when you uninstall Internet Explorer 8?

It makes itself hard to reinstall itself.  The install program looks at registry and decides, “heck, I’m already installed.”

At least that’s happened when I had to reinstall it via Microsoft SMS.  Perhaps it’s a feature of using a Corporate IE8 install (via IEAK).

Here are the registry keys it leaves behind:

HKEY_CLASSES_ROOT\Installer\Products\8A653C7C0B669A246B8B25E4B1444325

HKEY_CLASSES_ROOT\Installer\UpgradeCodes\8988913259C9CB34697403EA2CD10D97

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\
S-1-5-18\Products\8A653C7C0B669A246B8B25E4B1444325

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\
84AAB8E17B4FE3244884F5CFCD1110B9

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\
8988913259C9CB34697403EA2CD10D97

And the GUID of this key may/will change:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7C356A8-66B0-42A9-B6B8-524E1B443452}