I thought about trying to find a better name for this post and this issue, but this is all I could come up with.
Update 16/10/2017: A few people have contacted me and made me aware that doing the reg hack below can prevent users from using Microsoft Office Clipart, so you should be aware of that before proceeding.
Additionally, I’ve found that with Windows 10 1703 (Creators Update), allowing access to http://www.msftconnecttest.com/redirect through your firewall/proxy will achieve the same thing without the reg hack and without preventing access to Microsoft Office Clipart. Please note though, it does not work with 1607.
ANYWAY, I finally tracked down how to stop Windows 10 1607 (Anniversary Update) from opening the default browser with msn.com. There are no startup or login registry entries, Group Policy settings, Scheduled Tasks, or even programs in the Start Menu startup folder. This is *something* that Windows is doing itself.
I’ve only encountered this issue on corporate networks, not on my home network, so I knew that some sort of authentication/proxy/filtering/firewall thing. I’ve also only had this issue with Windows 10 1607 (Anniversary Update), not 1511 (November Update) or 1507 (RTM).
It seems that Windows 10 is probing the network to get out to the internet, hitting some sort of issue (I’m guessing that it’s authentication in my case) and then opening up the default browser and browsing to a Microsoft owned address that results in a redirect to http://www.msn.com. In my case no authentication dialogue box pops up, it just browses to the site and appears to be happy with that. Weird. If it were only happening to “Admin” users I wouldn’t worry about it, but it happens to everyone! So, although not a cause for major concern or enough to halt my roll out of Windows 10 1607, I still wanted to fix it, if possible.
After some research it appears a similar issue to this occurred with Windows 8. I never had this issue during my roll out of Windows 8 but the resolution appears to work for Windows 10 1607 as well. At this stage I don’t know if making this change causes any unforeseen problems, but I’ll add to this post if I see anything.
Here’s how to prevent it. Using the registry editor, navigate to the location below, and change the “1” (enabled) to a “0” (disabled).
This should stop the browser from opening at login but Internet access should still be available.
I hope this helps. If you’ve already done this and it’s caused another issue, please let me know in the comments or tweet me!
You’ll probably want to roll this out to your Windows 10 clients, of course you can do it via Group Policy but as it’s a one time setting I would suggest adding it to the Task Sequence that builds your reference image.
Adding the registry change to Group Policy
- Open Group Policy Management
- Navigate to Group Policy Objects
- Right click and Create or edit your Group Policy for your Windows 10 Clients
- Navigate to Computer Configuration > Preferences > Windows Settings > Registry
- Right click and go to New > Registry Item
- Under Key Path enter SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
- Under Value name enter EnableActiveProbing
- The Value type should be REG_DWORD
- The Value data should be set to 00000000 – that’s six zeros for a Hexadecimal Base or you can just enter one zero for Decimal Base.
- Click OK to save the changes.
- If you created a new Group Policy Object, you will need to link it to an OU that contains the clients you want the GPO to affect. To do this right click the OU and select Link an existing Group Policy… and then select the Group Policy you created earlier.
Adding the registry change to a Task Sequence
- Open Notepad and paste the following into it:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet] "EnableActiveProbing"=dword:00000000
- Save the file with any name you like, but it must have the extension .reg
- Copy the .reg file to your Deployment server. It needs to be accessible by the Task Sequence, so I put mine in E:\DeploymentShare\Applications\
- In the Task Sequence, you’ll want to add it before the Windows Update (Pre-Application Installation) item, so select that item first.
- Click the Add button at the top of the sequence, and go to General > Run Command Line.
- Select the new Run Command Line item and click the Up button at the top of the sequence to move it above the Windows Update (Pre-Application Installation) item.
- On the right hand side of the window, under Name, enter whatever you want, I called mine cmd – disable active probing
- Under Command Line enter REG IMPORT Z:\Applications\ActiveProbing.reg
- Click OK to save and close the Task Sequence and you’re done!
When you run the Task Sequence to create a reference image, the registry will be edited and during your build phase you won’t get any browser windows opening on login.