How to detect if IE's Enterprise Mode is disabled by group policy?


I am writing an installer for an application that requires that IE run in Enterprise Mode (EM). (Please don't answer with explanations why I shouldn't do that.) EM can be disabled by an Active Directory group policy (if this gets the lingo wrong, please advise). In this case, the user can't enable Enterprise Mode. How can I detect this state in my installer so that I can warn the user to contact their IT administrator to beg them to enable EM? I assume that group policies can be read but a code sample would be great.


There are 3 best solutions below

5
On

It might be possible for you to check the values in the registry since you can also enable Enterprise Mode via registry. Though I haven't verified if values in "Sitelist" will be blank if EM is disabled:

Please check:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode.

or

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode.

Some useful links - Turn on Enterprise Mode and use a site list:

http://msdn.microsoft.com/en-us/library/dn640699.aspx
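
One way to run the registry check suggested in this answer, as an added PowerShell example (not code from the original answer). The two key paths are the ones quoted above; the function name `Get-EnterpriseModePolicy` is hypothetical, and the script only reports what is present, because the answer leaves open what a disabled policy actually writes.

```powershell
# Added example: report what Group Policy has written for IE Enterprise Mode.
# Key paths are taken from the answer above; the helper name is hypothetical.
$policyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
)

function Get-EnterpriseModePolicy {
    param([string[]]$Path = $policyKeys)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Key absent: nothing is configured for Enterprise Mode in this hive.
            [pscustomobject]@{ Key = $p; Present = $false; Values = @{} }
            continue
        }

        $key = Get-Item -LiteralPath $p
        $values = @{}
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data; do not expand %VAR% references in the string.
            $values[$name] = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
        [pscustomobject]@{ Key = $p; Present = $true; Values = $values }
    }
}

# Print one line per hive so the installer log shows exactly what was found.
# Caveat: an elevated installer running under a different admin account reads
# that account's HKCU, not the HKCU of the user who will run IE.
foreach ($result in Get-EnterpriseModePolicy) {
    if (-not $result.Present) {
        '{0}: key not present' -f $result.Key
        continue
    }
    if ($result.Values.Count -eq 0) {
        '{0}: key present, no values' -f $result.Key
        continue
    }
    foreach ($name in $result.Values.Keys) {
        '{0}: {1} = "{2}"' -f $result.Key, $name, $result.Values[$name]
    }
}
```

Run it once on a machine where the policy is known to be disabled and once where it is enabled, and base the installer's warning on the difference in output.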

0
On

I did a little searching to find out how we might do what gpresult does programmatically. This is a bit stream-of-consciousness as I reported what I found in the order I found it:

The gpresult utility is used to report on RSoP (Resultant Set of Policy). As the name implies, this gives the result of all the policy settings. A good summary can be found in Performing Resultant Set of Policy Queries with the GPRESULT Tool. It says:

If you are a consultant who works on other people’s networks though, you don’t usually have the luxury of being intimately familiar with the network’s configuration. If you get called in to diagnose a problem on a client’s network, you may be able to determine that the problem is group policy related in a matter of minutes. However, it can take days to figure out exactly which group policy element is causing the problem because the group policy can be so complex.

So the bottom line is that we are probably much better off using the output from gpresult to detect the Enterprise Mode group policy than writing a bunch of code to do it. On the other hand, there appear to be APIs that directly query the RSoP: How to retrieve currently applied GPOs on your local machine using WMI via Windows Scripting Host (WSH). While this article has code written to be run in WSH, I believe the analogous thing can be done in C++ code. This sample dumps the dictionary structure returned by the API to the console. Our code would presumably just check a single value in the dictionary. Or perhaps it has to find a certain setting in the dictionary. If found, its value is examined. If not found, it can be assumed there is no group policy set.

There is a way to do RSoP queries in C++. The starting point appears to be IGPM::GetRSOP.

0
On

One answer we've found is that the gpresult program can be run on the client machine to produce a report of the group policies. Our installer could presumably run this program and parse its output to find the setting. Of course, if gpresult can read the group policy, there are likely Windows APIs called by gpresult that my installer can call directly. If anyone knows what these calls are, please reply.