I have found the answer to this problem. (still pretty sure no one cares but here it is anyway. Maybe someone will find it interesting or maybe I will stumble upon this post in 6 months when it is time to apply 1709 to my systems...)
When you have custom IE settings like those created with IEAK, installing IE Branding creates a registry entry in HKLM\ActiveSetup\Installed Components so that your custom settings are applied when the user first logs in to the computer. The problem is that there is another registry key in ActiveSetup that applies the default IE settings to the user profile. The process that does the default settings application is IE4UInit.exe and it has its own entry in ActiveSetup. Here is the problem... When you upgrade to Windows 10, the VERSION of the ActiveSetup entry is updated for the apply default IE policies entry. Because the version number of the ActiveSetup entry is changed, IE4UINIT.exe runs again for every user existing or new and paves over the user's existing IE settings. This shouldn't happen, in my opinion. NEW users should get IE settings applied via ActiveSetup, but existing users with existing profiles shouldn't have their IE settings messed up by a Win 10 upgrade. Unfortunately, fixing that is beyond my ability. Microsoft seems content with paving over the users IE settings with every Win 10 upgrade from here on out. And since it is Internet Explorer-- a dead end--there is no one at Microsoft that cares. The only thing I can do to correct this problem is to also upgrade the version number of IEAK's ActiveSetup entry so that at least if the users IE settings get re-paved at every Windows 10 Upgrade with MY customized defaults instead of Microsoft's. So this is what I have done. Now, after a Windows 10 upgrade, the first time a user logs in following the upgrade, the IE4UINIT runs to reset IE 11 settings back to the Microsoft default, but IEAK comes after and resets the user's setting to the IEAK customized defaults. It really is too bad that the Windows Upgrade process wipes out or resets so many of the users settings every six months. I suppose most people would just be content to set IE settings via GPO and be done with it. I choose to use IEAK to set defaults so that if there is a case where the user has to deviate from our default settings to access a certain web site, she can just go in and change the settings on that one client. If I set the defaults in GPO, they would be locked for everybody and I would have to somehow manage exceptions in a way that would be resource intensive - best to set defaults and let the users decide. From: [email protected] [mailto:[email protected]] On Behalf Of Miller, Todd Sent: Tuesday, October 31, 2017 3:22 PM To: [email protected] Subject: [External] [MDT-OSD] Windows 10 upgrade 1607->1703 clobbers IE settings This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing<http://aka.ms/LearnAboutSpoofing> Feedback<http://aka.ms/SafetyTipsFeedback> I am running into a strange situation when performing in place upgrade via task sequence to apply Win 10 1703 over 1607. We have customized security settings for Trusted sites zone via IEAK. Among other things, I change credentials to be passed for sites in Trusted Sites zone. We have noticed that when Windows 10 upgrade is applied via Task Sequence, the users customized Trusted Sites settings are reverted to the Microsoft default rather than maintained as configured either by the user or by IEAK applied previous to the upgrade. Does anyone know of any techniques to protect the users' Internet Explorer settings so that they are not modified by the upgrade process? It doesn't clear Trusted Sites sitelist, but it definitely resets the security settings from that zone from Custom levels to the defaults that come along with "Medium" This is a pretty big deal for us as web applications we manage count on Trusted Sites security being configured in a specific way and the Windows 10 upgrade is breaking them. It is also breaking Citrix Receiver single signon, which relies on IE pass through auth in trusted sites. ________________________________ Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete or destroy all copies of the original message and attachments thereto. Email sent to or from UI Health Care may be retained as required by law or regulation. Thank you. ________________________________ ________________________________ Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521 and is intended only for the use of the individual or entity to which it is addressed, and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete or destroy all copies of the original message and attachments thereto. Email sent to or from UI Health Care may be retained as required by law or regulation. Thank you. ________________________________
