Configuring an explicit proxy via GPO

Modified on Wed, 20 Jan, 2021 at 9:45 AM

Problem:

When you want to deploy an explicit proxy configuration via the GPO, the new Windows 10/Server 2016 & 2019 settings for internet explorer most of the times won't work and won't apply the required proxy settings.

Solution: 
The best solution here is to configure a GPO using registry keys that will enforce the explicit proxy configuration.

Please note that by default all proxy configuration is done "per user", which means that the registry setting should be applied on the User Configuration.


Create a new GPO and go to the following location:

User Configuration > Preferences > Windows Settings > Registry

Then, on any blank space on the right pane, right click and select New > Registry Item


Create the following 3 registry keys:

Action: Update

Hive: HKEY_LOCAL_MACHINE (yes HKLM, not user)

Key path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value name: ProxyEnable

Value type: REG_DWORD

Value data: 00000001

Base: Hexadecimal


Action: Update

Hive: HKEY_LOCAL_MACHINE (yes HKLM, not user)

Key path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value name: ProxyServer

Value type: REG_SZ

Value data: [Proxy server IP]:[Proxy server port] (192.168.25.185:8080 or frp-websec-wcg.bulwarx.local:8080)

The later result of this registry on client will look like this:


Action: Update

Hive: HKEY_LOCAL_MACHINE (yes HKLM, not user)

Key path: Software\Microsoft\Windows\CurrentVersion\Internet Settings

Value name: ProxyOverride

Value type: REG_SZ

Value data: [Exception site list]

Replace the [Exception site list] with the name of every sites that needs to be accessed directly, separated with semicolon. The usage of wildcard mask is permitted here. Optionally, add <local> at the end of the list to make sure the “Bypass proxy server for local addresses” option is ticked in the result. In this example, the list of sites that must be bypassed are *.mustbegeek.com and any IP address in the 192.168.* subnet, therefore the configuration will look as follows:

The later result on client’s Internet Explorer setting and in the Advanced menu will look like in these figures below:

Note: the “Bypass proxy server for local addresses” option will not be ticked if <local> is not added at the end of the list on registry.



This will still allow the user to change the proxy setting until the next GPO refresh

To enforce a setting to prevent the user from changing this setting update the following GPO setting:

User Configuration > Windows Components > Administrative Templates > Internet Explorer

Find the setting named "Disable Changing Proxy Settings" and set it to enable

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article