In this article, we’ll take a look at how to centrally configure proxy settings on Windows 10 computers in a domain using Group Policy. Most popular browsers (such as Microsoft Edge, Google Chrome, Internet Explorer, Opera) and most applications automatically use the proxy settings set in Windows to access the Internet. We’ll also look at how to set up WinHTTP proxy settings on Windows.
In this article, we will look at the specifics of configuring a proxy server through Group Policy in supported versions of Windows (Windows 10, 8.1, and Windows Server 2012/2016/2019). Note that proxy settings are set differently in Windows 7/Server 2008R2, Windows XP/Windows Server 2003 with discontinued support.
How to Set Proxy Settings on Windows via GPO?
On the latest Windows versions, you must use Group Policy Preferences (GPP) to configure IE and proxy settings in the GPO Editor. There is also the option of using a special extension of Internet Explorer Administration Kit 11 (IEAK 11) – but it is rarely used.
Open the domain GPO Editor console (Group Policy Management Console – GPMC.msc), select the OU with the users to which you want to apply proxy settings, and create a new policy Create a GPO in this domain, and Link it here.
Go to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings. In the context menu, select New -> Internet Explorer 10.
To configure proxy settings on Windows 10/Windows Server 2016, you need to use the Internet Explorer 10 item.
<FilterFile lte="0" max="99.0.0.0" min="10.0.0.0" gte="1" type="VERSION" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" bool="AND" not="0" hidden="1"/>
A special Group Policy Preferences IE form will appear in front of you, almost completely identical to the Internet Options settings in the Windows Control Panel. For example, you can specify a home page (General tab -> Home page field).
The following function keys are available:
- F5 – Enable all settings on the current tab
- F6 – Enable the selected setting
- F7 – Disable the selected setting
- F8 – Disable all settings in the current tab
To specify proxy settings, go to the Connections tab and click the Lan Settings button. The proxy server can be configured in one of the following ways:
- Automatically detect settings – automatic detection of settings using the wpad.dat file;
- Use automatic configuration script – auto-configuration script (proxy.pac);
- Proxy Server – the IP address or DNS name of the proxy server is specified directly in the policy settings. This is the easiest way, and we will use it.
Check the option Use a proxy server for your LAN, and specify the IP/FQDN name of the proxy server and the connection port in the corresponding Address and Port fields.
By enabling the Bypass proxy server for local addresses option, you can prevent applications (including the browsers) from using a proxy server when accessing local resources (in the format http://localnetwork). If you use resource addresses like http://web1.woshub.loc or http://192.168.1.5, then these addresses are not recognized by the Windows as local ones. These addresses and addresses of other resources, for access to which you do not need to use a proxy, must be specified manually. Press Advanced button and add this addresses to the field Do not use proxy servers for addresses beginning with in the following format: 10.1.*;192.168.*;*.woshub.loc;*.local.net.
After you save the policy, you can view the InternetSettings.xml file with the specified browser settings in the policy folder on the domain controller:
\\UKDC1\SYSVOL\woshub.com\Policies\{PolicyGuiID}\User\Preferences\InternetSettings\InternetSettings.xml
GPP allows you to more finely target policy to users/computers. For this, GPP Item Level Targeting is used. Go to the Common tab, enable the option Item-level targeting -> Targeting.
In the form that opens, specify the conditions for applying the policy. As an example, I indicated that the proxy configuration policy will be applied only to users who are members of the proxy_users domain security group. You can use your own logic for assigning proxy parameters.
It remains to link the proxy policy to the AD container with the users and update policy settings on them. After applying policies on the users’ computers, new IE settings should be used. You can check the current proxy settings on Windows 10 in the Settings -> Network and Internet -> Proxy. As you can see, the computer now uses the proxy settings specified in the domain policy.
Configure Proxy Setting via Registry and GPO
In addition, you can configure IE settings through the registry using GPP policies. For example, to enable proxy server, you need to configure the following registry parameter in the registry key HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Internet Settings. In the GPO editor go to the section User Configuration -> Preferences -> Windows Settings -> Registry and create three registry parameters under the specified reg key:
ProxyEnable(REG_DWORD) =00000001ProxyServer(REG_SZ) =192.168.0.11:3128ProxyOverride(REG_SZ) =https://*.woshub.com;192.168.*;10.1.*;*.contoso.com;<local>
You can also use Item-level targeting here to target your policy settings for specific users/devices.
If you need to create proxy policies not per-user, but for the entire computer (per-computer), use the GPP settings from the GPO section Computer Configuration -> Preferences -> Windows Settings -> Registry. Set the same registry parameters under the registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings.
Change WinHTTP Proxy Settings via GPO
Some system services or applications (for example, the Wususerv update service or PowerShell) don’t use user’s proxy settings by default. For such applications to work correctly and access the Internet, you need to configure the WinHTTP proxy settings in Windows.
To check if WinHTTP proxy is configured on your computer, run the command:
netsh winhttp show proxy
The answer “Direct access (no proxy server)” means that no proxy is set. 
You can manually set a proxy for WinHTTP on your computer with the command:
netsh winhttp set proxy proxy.woshub.com:3128 "localhost;10.1.*;192.168.*;*.woshub.com"
Or import proxy settings from user’s Internet Explorer settings:
netsh winhttp import proxy source=ie
However, you won’t be able to configure WinHTTP through the GPO – there is no corresponding parameter in the GPO editor, and the parameter are stored in binary registry attribute that is not suitable for direct editing.
The only way to set WinHTTP proxy settings on Windows via GPO is to configure WinHTTP proxy on the reference computer, export the value of the WinHttpSettings parameter from the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, and deploy this parameter to domain computers through the GPP registry extension.
16 comments
Do we have to restart the user machine for this group policy to take effect
To apply user policy, user must logoff and login to machine or execute the command :
gpupdate /force
when I restarts the client and I do gpupdate / force the gpo not working to block the websites but she managed to display ONLY the URL of the home page sets but I can not bring down the parameters proxy to block certain sites on my client machines
Very Good Tutorial.
Works 100 percent. I tried varies different methods trying to set up the homepages on my
WINDOWS SERVER ESSENTIALS 2012 R2. BE VERY CAREFUL AND DO NOT FORGET TO PRESS “F5” TO SAVE THE CHANGES.
Add the websites and make sure your CURSOR is still blinking in the box where you added the website address. And then press “F5”. The red line changes to blue and then hit save and in Command prompt , RUN the command GPUPDATE /FORCE.
Thanks a million to the author. Really good resource.
However, after applying this GPO, the user still has the ability to go in and remove the proxy settings. I don’t see an option to force the proxy settings and not allow the user to remove them.
And taking away admin rights to the local machine for the user is not an option.
To prevent users from changing proxy servers settings, you can hide the IE Connection page using GPO:
User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel -> Disable the Connections page
I created this policy and it is not being applied. Does anyone have this working on Windows 7 Clients with IE 11 ??
Can you check that the policy apply to the new operating systems: Windows 2012, Windows 8.1?
[…] Do you have Group Policy Preferences in Server 2008? Configure Internet Explorer 11 Settings Using GPO | Windows OS Hub […]
I cannot edit the settings on the Security tab and in Trusted Sites. Its grayed out. How would I add a site to the Trusted Sites?
You can add site to the trusted list using the rigistry:
for current user:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomainsor for all users:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomainsOr you can use this policy:
User Settings -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List
I cannot disable with F7 and F8 Languages. If I delete or add some language it will be deleted/added on user side. If I delete all languages from the list then they will be deleted also from user side. Do you know how can I disable any changes in languages?
I’ve never configured languages preferences in IE using a GPO. Have you tried clicking on the Suffix field and pressing the F8 button?
As I see all the available options have changed the underscore to red.
There’s a problem here when the IE feature is disabled as the GPP searches the iexplore.exe to filter out the machines asn that file doesn’t exist in that case.
_https://igorpuhalo.wordpress.com/2022/07/15/windows-proxy-settings-ultimate-guide-part-ii-configuring-proxy-settings/
Hi I use this method it work well my problem is in proxyoverde .I add website that I want to access .I add like 90 website link it work but when I add more than 90 those above 90 won’t bypassed .how to add more than 90 site on exception? Am using windows server r12