Announcement

Collapse
No announcement yet.

interesting GPO troubleshooting hunt... stucked...

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • interesting GPO troubleshooting hunt... stucked...

    Hi,

    I have a situation...

    for accessing some https sites users need to have TLS 1-1.2 enabled. In current situation TLS settings are UNCHECKED. When the user checks TLS boxes in Advanced of IE11 he can access the sites.

    THE ISSUE:

    after computer restart the checkmarks for TLS are wiped out.

    THE CAUSE: I guess... GPO

    The GPO is managed by few people and is old heritage... First I run resultant in GPMC for regular user and regular machine - affected. I was sure that I will find the GPO responsible for TLS/SSL settings with the option "don't use TLS".

    Didn't find any...

    I did a simple thing:

    1. created OU TestTLS in the OU Workstations.

    2. Moved one affected computer from Workstations to TestTLS.

    3. Created GPO object TLS config.

    Enabled TLS 1 to 1.2 in computer settings (to be sure that it will take precedence if some User thingy leaking)

    4. Linked it to OU TestTLS

    5. Restarted computer. The result is POSITIVE - GPO applied. TLS settings are set in IE (with no uncheck possibility).



    THE QUESTION:

    How to find what causing UNCHECK TLS when my "push" TLS GPO is not turned ON?

    Since I cannot find the GPO that has an opposite setting "do not use TLS" I want to ask the forum where from it could "leak" and how to deal with the issue

    Sure I can just push my GPO on top of the Domain and forget. But I feel uncomfortable in our computer business ... until I find the answer.

    Here is a screamshot for the GPO I set for enabling TLSs.

    I asked the same question on MS GPO forum. Had an advice that didn't lead to a problem finding...

    Also, when link the TLS CONFIG gpo to Root of domain, moved to be first GPO, filtered to one computer in bottom OU with 17 inherited GPOs it perfectly works and I cannot find what causing the problem without this GPO applied to wipe out TLS settings set manually in browser.

    Thanks.
    Attached Files
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis
Working...
X