Thursday, October 8, 2015

IE Trusted Sites Not Working in RDS

Ran into a fun issue this week. For some reason, Internet Explorer Trusted Sites were not applying correctly when using Internet Explorer as an RDS RemoteApp. When looking at the Trusted Sites list, it would appear blank, yet you would be prevented from modifying the list because it was controlled by Group Policy. This caused all sorts of problems with internal websites that must be in the Trusted Sites zone to work properly.

In order to manage the Trusted Sites list, we utilized the Site to Zone Assignment GPO setting, and had quite an extensive list of entries. GPUpdate was showing the GPO was applying successfully. This was further confirmed by looking in the registry and finding the entries listed correctly under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap.

So there were no Group Policy errors, and the sites were being written to the registry correctly, yet it still wasn't working. It was time to pull out ProcessMonitor and figure out what was happening. First, a healthy and working session.

A working ProcMon capture
A working ProcMon capture
As we can see above, the user is successfully reading from the registry, including the subkeys Ranges and Domains. Next, through sheer dumb luck, I discovered that when IE Enhanced Security Configuration is enabled, the Trusted Sites list is not read from the registry. Here's a ProcMon from a system with IE ESC enabled.

A ProcMon showing IE ESC enabled
A ProcMon showing IE ESC enabled
The two screenshots are distinctly different. Notice in this capture that the system looks for the EscRanges and EscDomains subkeys, something that wasn't occurring on a working session with IE ESC disabled. Now, in my instance, IE ESC was disabled for users, so that shouldn't be the issue. Let's take a look at the ProcMon from an IE RemoteApp session...

A ProcMon taken from an IE RemoteApp session
A ProcMon taken from an IE RemoteApp session

Well that certainly looks familiar, doesn't it? We can see that Internet Explorer is looking up the EscRanges and EscDomains subkeys again, almost as if Enhanced Security Configuration is enabled, despite it clearly being off as shown by Server Manager and in the registry.

After doing some research (aka Googling), I discovered a TechNet forum post where someone offered a solution to this issue. There is an extremely deep registry key that needs to be changed.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Under this registry key, you may find a DWORD called IEHarden. It was set to 1 on my RDS servers. By changing this value to 0, and resetting the user's profile (either delete their roaming profile or delete their User Profile Disk), this resolved the issue, and IE Trusted Sites were read correctly from the registry when using the IE RemoteApp.

The problem registry setting...
The problem registry setting...
This one caused me a day and a half of pain - I hope this post shows up in Google for someone else and helps them out!

3 comments:

  1. Great article, we ran into same problem with brand new RDS 2012R2 Frm . But sandly IEHarden-Setting doesn't do the job for us :-(
    The Zone-Assignment just showing empty ...

    BR
    Alex

    ReplyDelete
  2. We got it ...
    ZoneAssignment was made under hive EscDomains - it should be under Domains. Put it in there and set the IEHarden did the trick!! Thanks for pointing into the right direction!!!

    ReplyDelete