EPM on Server 2012R2 - GPO vs User Preference

Curious behavior when setting EPM via GPO 
Damon Durand
Posts: 8
Joined: 2017-01-27
I have finished my BHO that I was working on earlier.

However, I have noticed a bit of unusual behavior and I'm not sure how to begin troubleshooting.

I have a Server 2012R2, fully-patched.

In the GPOs that apply to the test user (non-Administrator, running as a normal "User"), I have a few settings set:

  • Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows: Enabled
  • Turn on Enhanced Protected Mode: Enabled


These, in turn, generate the following policy values, as expected:

HKCU\Software\Policies\Microsoft\Internet Explorer\Main\Isolation: PMEM
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\Isolation64Bit: 1

Without the BHO installed, IE operates as you might expect. When I look at the integrity level of the IE process using Process Explorer I see that it is running in AppContainer. Browsing works just fine, no problems.

Next, I install the BHO to the Program Files (x86) directory per the documentation using a WiX installer created via the Add-In "Create a Setup Project" Wizard.

Now, IE hangs on launch. If I look in Process Explorer I see an IE process running at the same AppContainer integrity level, but the broker process never appears.

At first I thought this was a bug in my BHO. I simplified my code as far as I could. Same results.

Somewhere in my testing I added the following key leaving all other things the same:

HKCU\Software\Microsoft\Internet Explorer\Main\Isolation: PMEM

This should be unnecessary, since I am enabling EPM via the GPO/policy values. I believe this is the value that gets set if the user sets EPM using the IE UI. However, once I set this value, IE launches just fine including the BHO and its broker process and everything works as expected.

If I rename/delete the non-policies value, IE goes back to its old behavior of hanging during launch. I can put the value back in place and the launch hang disappears.

Since this is a terminal server, I can login with two users simultaneously. The exact same GPOs apply to both users. If I set this value in one user's HKCU the problem goes away for that user but continues for the user without the value. Flip the values for the two users and the results follow.

Any thoughts how I should continue to troubleshoot this?

Thanks in advance!
Posted 06 Feb, 2017 18:32:20

Sergey Grischenko
Add-in Express team
Posts: 7187
Joined: 2004-07-05
Hi Damon,

I can't reproduce the issue on my Windows 8.1. I will test it in Windows Server 2012 and will let you know about the results soon. Is the issue reproducible with a new empty add-on?
Posted 08 Feb, 2017 05:18:59

Sergey Grischenko
Add-in Express team
Posts: 7187
Joined: 2004-07-05
Hi Damon,

I tested BHO + Broker App on Server 2008 R2 and 2012 R2 systems with both options enabled.
All worked fine. I installed the add-on using setup.exe, not GPO. Is the issue reproducible if you install the BHO via setup.exe?
Posted 10 Feb, 2017 10:07:49

Damon Durand
Posts: 8
Joined: 2017-01-27
Sorry, finally got a chance to test this again today.

I can reproduce it with a completely empty add-on/broker. Basically, I created an empty add-on, I created an empty broker and added it to the existing solution. Set the GUID for the broker in the design properties of the add-on, added a setup project to the existing solution and compiled. Didn't edit any code nor add any. I needed to adjust a .NET version dependency setting in order for the setup project to compile cleanly but that's about it.

Copied the setup.exe and the MSI file over to the plain vanilla 2012R2 test machine. This test machine is not in a domain or anything, no GPOs applied, as simple as I could make it.

Install was performed using setup.exe while logged in with the local Administrator account on the machine.

I have a ZIP file of my empty solution and a screen recording of the issue being reproduced on the test machine. (I tried to show everything, Process Explorer views of the Integrity level as it changed from test run to test run, registry edits, IE behavior, etc). I don't see a way to attach the files to this forum post, but I can easily provide them. (Empty solution is 4MB, screen recording is 6MB)

Let me know if I can provide these and what else I can do to help troubleshoot this,

Thanks!
Posted 15 Feb, 2017 13:52:48

Sergey Grischenko
Add-in Express team
Posts: 7187
Joined: 2004-07-05
Hi Damon,

Please upload the solution to Dropbox and give me a link for download. I will test the project.
Posted 16 Feb, 2017 05:44:09

Damon Durand
Posts: 8
Joined: 2017-01-27
Project (and recording if you want to review) is available here: https://dl.dropboxusercontent.com/u/2814879/TestProject.zip

Thanks!
Posted 17 Feb, 2017 02:25:43

Sergey Grischenko
Add-in Express team
Posts: 7187
Joined: 2004-07-05
Hi Damon,

Thank you for the video. I managed to reproduce the issue. I used 'gpedit.msc' to enable EPM in Windows Server 2012. I will fix this issue in the next build of the product. Please don't enable EPM in Windows Server 2012 until I find a reliable solution.
Posted 17 Feb, 2017 11:00:06

Damon Durand
Posts: 8
Joined: 2017-01-27
I'm glad the video helped.

Right now we are going to set the value at HKCU\Software\Microsoft\Internet Explorer\Main\Isolation to match the value at HKCU\Software\Policies\Microsoft\Internet Explorer\Main\Isolation for the affected test users but I will be eager for the new release so we can roll it out in a production environment.

Thanks for your assistance and I hope you find an elegant, easy solution!
Posted 21 Feb, 2017 15:05:10
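A small check for the workaround Damon describes in the post above, added here as an example (it is not code from the thread or from Add-in Express): it reads the GPO-enforced `Isolation` value and the per-user preference in the two registry paths named in the thread, reports whether they match, and only writes the preference when run with `-Apply`. The `-Apply` switch and the `Get-IsolationValue` helper are this script's own; run it in the affected user's session, since both paths are under HKCU.

```powershell
# Added example: compare the policy-enforced EPM Isolation value with the
# per-user preference and optionally mirror it (the workaround from the thread).
param([switch]$Apply)

$policyKey = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
$prefKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-IsolationValue([string]$Key) {
    # Returns $null when the key or its Isolation value does not exist.
    $item = Get-ItemProperty -Path $Key -Name 'Isolation' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.Isolation
}

$policy = Get-IsolationValue $policyKey
$pref   = Get-IsolationValue $prefKey

"Policy Isolation : {0}" -f $(if ($null -eq $policy) { '<not set>' } else { $policy })
"User   Isolation : {0}" -f $(if ($null -eq $pref)   { '<not set>' } else { $pref })

if ($null -eq $policy) {
    Write-Warning 'EPM is not enforced by policy for this user; nothing to mirror.'
    return
}

if ($pref -eq $policy) {
    'User preference already matches the policy value; no change needed.'
}
elseif ($Apply) {
    # Mirror the policy value (PMEM in the thread) into the preference location.
    if (-not (Test-Path $prefKey)) { New-Item -Path $prefKey -Force | Out-Null }
    Set-ItemProperty -Path $prefKey -Name 'Isolation' -Value $policy -Type String
    "Set user Isolation to '{0}' to match the policy value." -f $policy
}
else {
    'Mismatch: re-run with -Apply to copy the policy value into the user preference.'
}
```

The policy value under `Software\Policies` still governs IE's behaviour; the preference copy only works around the launch hang until a fixed build is available, so remove it once that build is deployed.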
Damon Durand
Posts: 8
Joined: 2017-01-27
Sergey Grischenko writes:
I will fix this issue in the next build of the product. Please don't enable EPM in Windows Server 2012 until I find a reliable solution.


For our planning purposes, do you have any estimate as to when the next build of the product might be available? We're trying to determine if we move toward a production rollout with the workaround or wait for the next build.

Thanks!
Posted 28 Feb, 2017 13:28:09

Sergey Grischenko
Add-in Express team
Posts: 7187
Joined: 2004-07-05
Hi Damon,

We are not planning to publish a new build of the 'Add-in Express for IE' product until Visual Studio 2017 is released.
Then we need some time to support Visual Studio 2017 in the product. So I expect that the new build will be published in April.
Posted 01 Mar, 2017 12:08:55