Overriding Group Policy Settings With App-V

There are certain situations where it is desirable to override group policy settings in an App-V package, for example:

  • Relaxing security settings to enable Data URI support in Internet Explorer in the virtual environment
  • Increasing security to restrict a virtualised legacy Java version so that only specific websites can access it

The last statement made by Microsoft on this subject was that it is not supported, and as of App-V 4.5, the client will ignore any policy registry keys in the package:

http://blogs.technet.com/b/appv/archive/2009/04/23/some-insight-into-how-softgrid-and-app-v-4-5-handle-group-policies.aspx

I’m not sure if Microsoft changed their stance on this at some point, but in my testing with App-V 4.6 SP3, any registry keys stored under HKLM\Software\Policies work just fine and are read and used by the virtual application. However, in a DSC linking scenario, any policies from the child packages are ignored, similar to the way described in the link above; only policy keys in the parent package are used.

With App-V 5.0, all policies are ignored by default. Any attempt to read or write to HKLM\Software\Policies, HKCU\Software\Policies, or even HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings is redirected to the native registry. Thankfully, this is all configurable. Please note that this is a global setting that affects all virtual applications on the client, so care must be taken to avoid capturing policy settings in other packages unintentionally.

Here is the registry key in question, along with its default contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Subsystem\VirtualRegistry]
PassThroughPaths = REG_MULTI_SZ:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
HKEY_LOCAL_MACHINE\SOFTWARE\Policies
HKEY_CURRENT_USER\SOFTWARE\Policies

Delete the line HKEY_LOCAL_MACHINE\SOFTWARE\Policies from the PassThroughPaths value to allow the policy keys captured in the package to work. It appears that policies in HKLM override any equivalent policies placed in HKCU, so I advise just erasing this line and ensuring any policy values required in your sequences are stored under HKLM also. With connection groups, the policies can be placed in any of the packages, although the final result may be affected by the package load order and the merge/override status of the registry keys.
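
The edit described above, scripted as an added example (not code from the original post): it removes one line from the PassThroughPaths multi-string, supports -WhatIf so the global change can be previewed, and saves the original list first. The function name and backup file location are hypothetical; the key path and value name are the ones shown above.

```powershell
# Added example. Run elevated on the App-V 5.0 client.
# Remove-AppvPassThroughPath and the backup file path are hypothetical names.
function Remove-AppvPassThroughPath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$PathToRemove = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies',
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\AppV\Subsystem\VirtualRegistry',
        [string]$BackupFile = (Join-Path $env:ProgramData 'AppV-PassThroughPaths.bak.txt')
    )

    $name    = 'PassThroughPaths'
    $current = @((Get-ItemProperty -Path $Key -Name $name -ErrorAction Stop).$name)

    # -ne is case-insensitive for strings; also ignore stray whitespace
    # and trailing backslashes so near-identical entries still match.
    $target  = $PathToRemove.Trim().TrimEnd('\')
    $updated = @($current | Where-Object { $_.Trim().TrimEnd('\') -ne $target })

    if ($updated.Count -eq $current.Count) {
        Write-Verbose "'$PathToRemove' is not listed; nothing to change."
        return $current
    }

    if ($PSCmdlet.ShouldProcess("$Key\$name", "Remove '$PathToRemove'")) {
        # This setting is global to the client, so keep the original list
        # (one path per line) before changing it.
        if (-not (Test-Path -LiteralPath $BackupFile)) {
            $current | Set-Content -LiteralPath $BackupFile -Encoding UTF8
        }
        # Write the value back explicitly as REG_MULTI_SZ.
        Set-ItemProperty -Path $Key -Name $name -Type MultiString -Value ([string[]]$updated)
    }
    return $updated
}

# Preview the resulting list without changing anything:
Remove-AppvPassThroughPath -WhatIf

# Apply the change:
# Remove-AppvPassThroughPath -Verbose
```

To revert, write the lines saved in the backup file back to PassThroughPaths as a multi-string value.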

I recommend that all keys are set to merge unless you absolutely want to override all content from a policy area in the native registry. For example, if HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings is captured and set to override, it may mask settings such as the proxy configuration, resulting in the browser not functioning correctly.

10 responses on “Overriding Group Policy Settings With App-V”

  1. JS

    Delete HKEY_LOCAL_MACHINE\SOFTWARE\Policies key at sequencer, before sequencing?

    1. If you like, but you shouldn’t need to unless there’s a setting already in there that you need to capture in your package.

  2. Rmoat

    Hey Dan,

    So do I delete the HKEY_LOCAL_MACHINE\SOFTWARE\Policies from the VirtualRegistry string? Or am I actually deleting the HKEY_LOCAL_MACHINE\SOFTWARE\Policies registry key?

    I’ve been trying to get some Internet Explorer restrictions set, but when my packages are finished, those settings do not take effect.

    1. You need to delete the line HKLM\SOFTWARE\Policies from HKLM\SOFTWARE\Microsoft\AppV\Subsystem\VirtualRegistry\PassThroughPaths.

      1. Rmoat

        Thanks Dan! Not entirely sure it works with the latest hotfix. Cannot get policy settings for hiding and disabling proxy settings, connections tab in IE to take effect in the package. Doesn’t seem like HKLM or HKCU registry keys are not saving, even with that line removed from PassThroughPaths.

        1. I’m having the same experience with HF4 installed unfortunately. Removing the registry does not seem to allow the package to override local settings.

          1. Not sure what’s going on there then – works for me!

          2. NiallJen

            Hi Dan,

            Specifically I am trying to change the value HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe from 1 to 0

            Had initially tried adding the registry to the sequence and setting it to override without success until I came across this article (really useful blog by the way!). Still no joy, I wonder if I am missing something obvious. I will post if I have a breakthrough.

          3. Hi Dan,
            Finally! I got the solution from part 1 of your Guide to Sequencing Java. I had to add the -noframemerging switch to my IE shortcut! It looks like IE was looking outside the ‘bubble’ without that switch. Thanks for this article and keep up the great work.
