
Interesting GPO troubleshooting hunt… stuck…

  • Author

  • mla


    I have a situation…

    To access some HTTPS sites, users need to have TLS 1-1.2 enabled. In the current situation the TLS settings are UNCHECKED. When the user checks the TLS boxes in Advanced of IE11, he can access the sites.


    After a computer restart the checkmarks for TLS are wiped out.

    THE CAUSE: I guess… GPO :)

    The GPO is managed by a few people and is old heritage… First I ran resultant in GPMC for a regular user and a regular machine – affected. I was sure that I would find the GPO responsible for TLS/SSL settings with the option “don’t use TLS”.

    Didn’t find any…

    I did a simple thing:

    1. created OU TestTLS in the OU Workstations.

    2. Moved one affected computer from Workstations to TestTLS.

    3. Created GPO object TLS config.

    Enabled TLS 1 to 1.2 in computer settings (to be sure that it will take precedence if some User thingy is leaking)

    4. Linked it to OU TestTLS

    5. Restarted computer. The result is POSITIVE – GPO applied. TLS settings are set in IE (with no uncheck possibility).


    How to find what is causing the TLS UNCHECK when my “push” TLS GPO is not turned ON?

    Since I cannot find the GPO that has the opposite setting “do not use TLS”, I want to ask the forum where it could “leak” from and how to deal with the issue.

    Sure I can just push my GPO on top of the Domain and forget. But I feel uncomfortable in our computer business :)… until I find the answer.

    Here is a screenshot of the GPO I set for enabling TLSs.

    I asked the same question on the MS GPO forum. I got advice that didn’t lead to finding the problem…

    Also, when I link the TLS CONFIG GPO to the root of the domain, move it to be the first GPO, and filter it to one computer in the bottom OU with 17 inherited GPOs, it works perfectly, and I cannot find what is causing the problem that, without this GPO applied, wipes out the TLS settings set manually in the browser.
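
An added example, not part of the original post: a PowerShell check that reports where IE's protocol checkboxes are stored and which protocols each stored value enables, so a policy-set value can be told apart from the per-user value the Advanced tab writes. It assumes the standard `SecureProtocols` registry value and its bit flags, which the post itself does not mention.

```powershell
# Added example: list every registry location that can hold IE's
# SecureProtocols value and decode the bitmask found there.

# Bit flags of the SecureProtocols DWORD (assumption: standard WinINet values).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function ConvertFrom-SecureProtocols {
    # Turn the DWORD into a readable list of enabled protocols.
    param([Parameter(Mandatory)][int]$Value)
    $enabled = foreach ($name in $ProtocolBits.Keys) {
        if ($Value -band $ProtocolBits[$name]) { $name }
    }
    if ($enabled) { $enabled -join ', ' } else { '(none)' }
}

$subKey = 'Microsoft\Windows\CurrentVersion\Internet Settings'

# Policies keys are written by Administrative Template policy settings;
# the non-Policies keys hold preferences, including the Advanced tab checkboxes.
$locations = [ordered]@{
    'Computer policy'                = "HKLM:\SOFTWARE\Policies\$subKey"
    'User policy'                    = "HKCU:\Software\Policies\$subKey"
    'Computer preference'            = "HKLM:\SOFTWARE\$subKey"
    'User preference (Advanced tab)' = "HKCU:\Software\$subKey"
}

foreach ($source in $locations.Keys) {
    $path = $locations[$source]
    $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source    = $source
        Path      = $path
        Value     = if ($item) { '0x{0:X}' -f $item.SecureProtocols } else { 'not set' }
        Protocols = if ($item) { ConvertFrom-SecureProtocols $item.SecureProtocols } else { '' }
    }
}
```

Run as the affected user right after checking the boxes and again after the restart, the output shows which of the four values changed between the two runs.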

