User Proxy settings showing up in Local System Account - Correct way to apply Proxy settings
If you are wondering how your local system account is getting proxy settings even though you have applied proxy settings only for users, this post will help you.
Here you will see the proxy settings set in Local system account:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
The applications which run in system context might stop working if the Local system account contains proxy settings or any undesired settings which are not set by system administrator.
Here is how the user base settings can get written to Local system account registry key.
- IE maintenance GPO
- IEAK also has the same ability to import connection settings and deploy to a client PC. Once established, the SYSTEM registry profile will be tattooed.
Here I will discuss about the IE maintenance GPO which causes this behavior.
When you use Internet Explorer Maintenance Group Policy to set user based connections settings, it provides you with two options:
IMPORTANT: Windows 8 with Internet Explorer 10 deprecates IEM in favor of a more robust tool called Group Policy Preferences. Read More... |
If you choose Connection Settings options to set connection settings for the user, it causes this behavior.
To test it yourself, try setting this GPO in your local computer using Local group policy editor.
- (Run gpedit.msc command to open Local GPO editor)
- User Configuration - Windows Settings - Internet Explorer Maintenance - Connection - Connection Settings - choose [Import the current Connection Settings from this machine] and click [Modify Settings]
Once GPO is applied to the user, check this registry:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Expected Results:
"Proxy Server" settings of connection should not apply to HKEY_USERS\.DEFAULT. \Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.
Actual Result:
“Proxy Server" settings of connection gets added here: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections key.
What we recommend:
The respective proxy settings part of IE Maintenance should be used. User Configuration - Windows Settings - Internet Explorer Maintenance- Connection-Proxy Settings
NOTE: If you have configured connection settings and then try to click on proxy settings, you are presented with following warning by the policy editor:
It tells you that proxy settings will overwrite the imported connection settings.
This warning applies to the user scope only.
It is of no use to profiles that are not in scope to receive user-based Internet Explorer policy settings (such as the SYSTEM registry profile). So remember that the system base settings added by connection settings will still exist and user based proxy settings will be overridden.
Once you click on OK, you are presented with the following dialog box:
You can then use following articles to configure proxy settings.
- Configure Proxy Settings, using below TechNet article:
If this is proxy settings for a specific dial-up connection:
If it needs to have the same proxy settings as LAN, then DialUpUseLanSettings is the best approach as mentioned in https://support.microsoft.com/kb/839571
-
- If not, maybe CMAK would be a better approach to deploy that connection
Connection Manager Administration Kit
You can also use PowerShell and GPO.
-
- Deploying VPN Connections by Using PowerShell and Group Policy
- Provisioning VPN client settings using Group Policy
I hope this helps and solve the mysterious question of why your local system account gets user based proxy settings.
This blog has been provided to you by Anshu Vashishta, IE Support Engineer.
Comments
- Anonymous
July 29, 2014
Remark: Concerning use of a pacfile, as explained use "connection settings" will configure local system and if you don't want that, use of "Automatic Browser Configuration" will avoid that (as "proxy settings" part does not allow configuration of a pacfile).We had problem of automatic an duncontrolled download of latest IE patch by our IE10 setups. - Anonymous
March 20, 2015
Interesting article, but what about to remove the settings if already applied ?I'm in the situation where internet explorer maintenance are no more available on client local gpo settings because windows 7 and IE 10 are installed but a service which runs on local system account still use proxy.Do you have please some walkarount ? - Anonymous
April 08, 2015
@Mike, Might be relevant, I pay for my proxy webguard server per user, so it was authenticating as the user and the local machine.Find the; HKEY_Current_UserSoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnections "DefaultConnectionSettings" (first create the right proxy info in your browser)And copy it to the path; HKEY_LOCAL_MACHINE\SoftwareMicrosoftWindowsCurrentVersionInternet SettingsConnectionsI don't really know an easy way of copying it apart from just writing it in manually. But that will set any proxy browser settings for the local machine.