Best Practices Question

How do I retain IE11 ActiveX/security settings in my GOLD image ?

08/20/2018 1154 views
I am deploying Win10 LTSB 2016 v1607 AND Win10 ENT v1803 images with K2000 v6.0.425 and KBE for Win10 v1803
I have multiple IE11 settings needed for multiple applications; MS EDGE is NOT an option for these legacy apps. 
  1. Popup Blocker, SmartScreen and Compatibility View settings are OFF.
  2. Internet Options>Security>Trusted Sites>Custom Level...some ActiveX controls are ENABLED
  3. Enable Protected Mode, Enhanced Protected Mode and Enable 64-bit processes for Enhanced Protected Mode are checked (ON)
After deploying image, some of theses settings are not set. 
I have also imported the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer registry settings via Post-installation Tasks
We are trying to resolve WITHOUT distributing a Group Policy throughout domain.

What else can be done to preserve these IE11 and/or browser security settings during the sysprep/deployment processes for Win10 LTSB 2016 v1607 and/or Enterprise v1803?
1 Comment   [ + ] Show comment


  • We do have a DEFAULT or PUBLIC profile. We have a local machine admin account and domain users.

All Answers

What I would do is use RegEdit and set the defaults you want in the Default profile. When a new user logs onto the system, they should get the settings from Default. 
Load RegEdit
File Menu | Load Hive
Give it a name (I use DefaultUser)
Set the registry keys you need
(Note there should already be one named .DEFAULT)

The biggest problem with this is determining what values to set. IE can be particularly difficult, since many values are binary which control several (or many) settings at once. 

One suggestion would be to setup a temporary Group Policy, assign it to a user and export the settings from
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
Right-click and select Export

When you import them into the Default profile, replace HKEY_CURRENT_USER with HKEY_USERS\DefaultUser. If the keys are under \Policies, users won't be able to change them. If you want users to be able to change them, remove \Policies from the path.

Answered 08/20/2018 by: PaulGibson
Orange Belt

Wouldn't it be simpler to use Group Policy?
Answered 08/21/2018 by: VBScab
Red Belt

  • I would like to avoid Group Policy if possible for now. Any changes to image that can be accomplished without a domain Group Policy is preferred.
    • I get it, but there will be a point where this will not be cost effective, too much trouble...

      ah.. Legacy Software:
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ