
McAfee Security for Exchange 8.5


McAfee Security for Exchange

McAfee has released a stable antivirus version for Exchange 2010. With Exchange 2007 we had several customers who switched to Trend because GroupShield 7.x did not run cleanly.

The current version 8.5 of McAfee Security for Exchange, however, seems to run cleanly again, at least on Exchange 2010. On Exchange 2013 I would not deploy it at the moment, or only after very careful planning.

The whole thing is meant to run as a catch-all or additional scanner behind e.g. a Fortinet FortiMail or a McAfee Web Gateway. On-demand scans apparently still need a lot of CPU, but McAfee has learned here and built in monitoring for certain values, e.g. the RPC latency of Outlook.exe against the Exchange server. These were things that did not work cleanly in 7.x.


License

Most larger customers have at least the McAfee EPS suite. Besides ePO, that includes McAfee Security for Exchange as a license.

Version and names

Last GroupShield version 7.0.2 > new "McAfee Security for Microsoft Exchange", which is now in its third version. From the interface/GUI it looks the same as GroupShield (its successor).

Release Versions:

Some important points about the 8.5 version:


Requires as a base:

Where to place:

Logs:

This is how it looks:

Install options:

Standalone on a CAS array behind load balancers:

On the CAS servers the config can be exported and then imported on the second CAS.

Managed by ePO:

If the installation is ePO-integrated, you can deploy the software via ePO and also manage it centrally. (Whether one dares to do this is everyone's own decision.)



W7 client, Error 2221 with Logonscripts


System Error 2221 has occurred in Batch Logonscripts

If you run a logon script on Windows 7 you get error 2221 when the client tries to mount a network drive.

We have also seen this appear in Outlook.exe with Exchange Server.

  • The user suddenly can't connect to a network share
  • Name resolution is working
  • You can access the server with \\ipaddress\share but not with \\servername\share
  • The DNS servers the client gets are valid and running
  • NSLOOKUP shows no errors
  • The DNS entries are correct
  • You did ipconfig /flushdns
  • You did a "netsh winsock reset" and a reboot
  • You checked the time on the DC and the clients


Somehow the user or an application gets credentials for an application, which may run on the same server as the network shares, stored in the Credential Manager. These may be outdated or wrong: maybe they work for a web server or an app that runs on the server, but not for the SMB file share.


Here is how to solve it

Type start and search for

ENGLISH: Credential Manager

GERMAN: Anmeldeinformationsverwaltung

Check if the connection/credential that does not work is listed there and remove it.

http://windows.microsoft.com/de-de/windows7/what-is-credential-manager
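The same check done from a PowerShell prompt, as an added example that is not part of the original post: cmdkey.exe (built into Windows 7) lists the Credential Manager entries of the current user, and the function below picks out the entry stored for a given file server and removes it. The parsing of the "Target:" / "Type:" / "User:" lines and the "Domain:target=server" form of the target names are assumptions about cmdkey's English output; run it as the affected user, because the vault is per user.

```powershell
# Added example (not from the original post): inspect and remove a stale
# Credential Manager entry for a file server with cmdkey.exe.
# Written for PowerShell 2.0 on Windows 7.

function Get-StoredCredential {
    # Parse "cmdkey /list" into objects with Target/Type/User (English labels assumed)
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = New-Object PSObject -Property @{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        } elseif ($current -and $line -match '^\s*Type:\s*(.+)$') {
            $current.Type = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*User:\s*(.+)$') {
            $current.User = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += $current }
    return $entries
}

function Remove-StoredCredentialForServer {
    param(
        [Parameter(Mandatory=$true)] [string] $ServerName,   # e.g. 'fileserver01' (placeholder)
        [switch] $WhatIf
    )
    # Stored targets look like "Domain:target=fileserver01" or
    # "LegacyGeneric:target=fileserver01.domain.local" (assumption about the format)
    $pattern = 'target=' + [regex]::Escape($ServerName) + '(\.|$)'
    $hits = Get-StoredCredential | Where-Object { $_.Target -match $pattern }
    if (-not $hits) { Write-Host "No stored credential for $ServerName found"; return }
    foreach ($hit in $hits) {
        $targetName = ($hit.Target -split 'target=', 2)[1]
        Write-Host ("Stored credential for {0}: type={1} user={2}" -f $targetName, $hit.Type, $hit.User)
        if (-not $WhatIf) {
            # cmdkey /delete takes the target name as stored, without the "Domain:" prefix
            cmdkey.exe "/delete:$targetName" | Out-Null
            Write-Host "Removed $targetName"
        }
    }
}

# Usage: inspect first, then remove. Afterwards retry \\servername\share.
Get-StoredCredential | Format-Table Target, Type, User -AutoSize
Remove-StoredCredentialForServer -ServerName 'fileserver01' -WhatIf
```

Drop `-WhatIf` once the listed entry is really the one for the server whose share fails; a wrong entry for the same host that was created for a web application is exactly the case the post describes, and removing it makes SMB fall back to the logged-on user's own Kerberos/NTLM credentials.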


Patchday May 2015, Windows Update 3020369 W7 stuck at stage 3 of 3


The following one of the four May 2015 Windows updates from patchday can get your Windows 7/8.x (both 32-bit and 64-bit) or Server 2008 R2 stuck at the screen "Stage 3 of 3. Preparing to configure Windows. Do not turn off your computer."

We think that on Windows 7 64-bit this is caused by KB 3020369, which was reported wrongly by some blogs as KB 3020269. This was an interim patch released on 22.04.2014 (between the April and the May patchday).

http://www.microsoft.com/en-us/download/details.aspx?id=46827

This seems to be related to, or narrowed down to, those four updates together with the May 2015 updates.

KB 3020369 (reported wrongly by some blogs and copied 1:1 to other blogs as 3020269 ;-))

https://support.microsoft.com/en-us/kb/3020369/ (Read only DC)

On Server 2008 R2 this is the patch causing problems.


KB 3020370 > MAY 2015

https://support.microsoft.com/en-us/kb/3020370/

KB 3045645 > MAY 2015

https://support.microsoft.com/en-us/kb/3045645/

KB 3013531 (Windows Phone update .MKV Files)

https://support.microsoft.com/de-de/kb/3013531


May 2015 patches:

https://technet.microsoft.com/en-us/library/security/ms15-may.aspx

https://support.microsoft.com/en-us/kb/3020369/


Microsoft 3020369

Restart stuck on "Stage 3 of 3"

After you install update 3020369 together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck on "Stage 3 of 3."


If you encounter this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.


The case is NOT related to KB 3046002.

Just press CTRL-ALT-DEL to skip the page. All updates should be installed correctly.

This has also happened on an older patch KB 2533552.


If you see this logon screen after installing Windows updates, please log on to your system by pressing the three keys CTRL-ALT-DEL. Please do not switch the PC off.


CTRL-ALT-DEL (three-finger combo)


Exchange 2010 SP3 RU9 / 2013 CU8, ROLLUP and Android problems


A remote mailbox user receives the following error message when he or she tries to configure an Exchange ActiveSync account on an Android device:

Setup could not finish

Failed to search Exchange server automatically. Enter settings manually

https://support.microsoft.com/en-us/kb/3035227?wa=wsignin1.0

http://blogs.technet.com/b/exchange/archive/2015/03/17/announcing-update-rollup-9-for-exchange-server-2010-service-pack-3.aspx

http://www.microsoft.com/en-us/download/details.aspx?id=46372

Solution:

If the MobileSyncRedirectBypass feature is causing the problem, you can turn it off by editing the web.config file for the Autodiscover protocol:

  1. Locate the web.config file for the Autodiscover protocol:
    1. For Exchange Server 2013 MBX, the file is in the following location:

      %ExchangeInstallPath%\ClientAccess\Autodiscover

    2. For Exchange Server 2010 CAS, the file is in the following location:

      %ExchangeInstallPath%\ClientAccess\Autodiscover

  2. Open the web.config in Notepad, and then change the existing string from "true" to "false."
  3. Save the file.
  4. Run IISRESET /Norecycle.

Follow these steps on all CAS servers that will receive Autodiscover queries from devices.
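The web.config change from steps 1 to 3 done as a script, as an added example that is not part of the KB text: it keeps a timestamped backup and edits the file as XML instead of in Notepad, so a typo cannot leave the Autodiscover application unable to start. It assumes the setting is stored in `<appSettings>` as `<add key="MobileSyncRedirectBypass" value="true" />` (an assumption based on the KB's wording; check your file first) and that `%ExchangeInstallPath%` is set, as it is on Exchange servers. Run it elevated on every CAS / 2013 MBX server and then do the IISRESET from step 4.

```powershell
# Added example (not from the KB): flip MobileSyncRedirectBypass in the
# Autodiscover web.config with a backup. Assumption: the key sits under
# /configuration/appSettings as <add key="MobileSyncRedirectBypass" value="..."/>.

function Set-MobileSyncRedirectBypass {
    param(
        [string] $Value = 'false',
        [string] $ConfigPath = (Join-Path $env:ExchangeInstallPath 'ClientAccess\Autodiscover\web.config')
    )
    if (-not (Test-Path $ConfigPath)) { throw "web.config not found: $ConfigPath" }

    # Timestamped copy so the change can be rolled back with a simple Copy-Item
    $backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -Path $ConfigPath -Destination $backup

    [xml] $xml = Get-Content -Path $ConfigPath
    $node = $xml.SelectSingleNode("/configuration/appSettings/add[@key='MobileSyncRedirectBypass']")
    if ($node -eq $null) { throw "MobileSyncRedirectBypass key not present in $ConfigPath (nothing changed)" }

    $old = $node.GetAttribute('value')
    $node.SetAttribute('value', $Value)
    $xml.Save($ConfigPath)
    Write-Host ("MobileSyncRedirectBypass: {0} -> {1} (backup: {2})" -f $old, $Value, $backup)
    return $old    # previous value, handy when scripting several servers
}

Set-MobileSyncRedirectBypass -Value 'false'
# Step 4 of the KB: restart IIS so Autodiscover picks up the new setting
iisreset /noforce
```

Running the function with `-Value 'true'` restores the original behaviour; the returned old value makes it easy to log what each server was set to before the change.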

Internet Explorer 10 / 11 IE Warnung, GPO, Gruppenrichtlinien, Group Policy


Error or pop-up in IE10/IE11

German:

Sie sind im Begriff, sich Seiten über eine sichere Verbindung anzeigen zu lassen. Keine Information, die Sie mit dieser Seite austauschen, kann von anderen Personen im Web gesehen werden.

English:

You are about to view pages over a secure connection.

https://social.technet.microsoft.com/Forums/en-US/65e8f915-6300-4367-8aa5-626539a62240/disable-ie-10-11-security-alert-popup-w-group-policy?forum=winserverGP


This does not seem to be possible with a GPO setting or within an ADM/ADMX from MS. You need to deploy an HKCU key.

Change these values from 1 > 0 per USER (HKCU):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    WarnOnIntranet        REG_DWORD    0
    WarnonZoneCrossing    REG_DWORD    0

0 = ZERO = DO NOT SHOW WARNING


Integrate that into a GPO


Make sure you have a WMI filter so you only catch IE11 on clients:


See our blog for info on how to do that.
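An added example, not from the post, that sets the two HKCU values for the current user (useful for testing before the GPO is built) and shows one way to write the WMI filter the post asks for. The filter query uses the CIM_DataFile class on iexplore.exe, which is a common way to scope a GPO to machines running IE11; the 64-bit install path and the "11.%" version prefix are assumptions, so check them against one client with the Get-WmiObject call at the end.

```powershell
# Added example (not from the post): HKCU values from the post plus a
# WMI filter query to restrict the GPO to IE11 clients.

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-IeZoneWarnings {
    param([int] $Value = 0)    # 0 = do not show the warning, 1 = default (show)
    foreach ($name in 'WarnOnIntranet', 'WarnonZoneCrossing') {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        Set-ItemProperty -Path $key -Name $name -Value $Value -Type DWord
        Write-Host ("{0}: {1} -> {2}" -f $name, $current, $Value)
    }
}

function Test-IeZoneWarnings {
    # $true when both values exist and are 0 (warnings disabled)
    $props = Get-ItemProperty -Path $key
    return ($props.WarnOnIntranet -eq 0) -and ($props.WarnonZoneCrossing -eq 0)
}

# WMI filter (namespace root\CIMv2) for the GPO that deploys these values.
# Assumption: IE lives in C:\Program Files\Internet Explorer and reports file version 11.x.
$wmiFilterQuery = @"
SELECT * FROM CIM_DataFile
WHERE Name = 'C:\\Program Files\\Internet Explorer\\iexplore.exe'
  AND Version LIKE '11.%'
"@

Set-IeZoneWarnings -Value 0
Test-IeZoneWarnings
# Verify on a client: returns the file when the filter would match this machine
Get-WmiObject -Query $wmiFilterQuery | Select-Object Name, Version
```

Deploy the two values with a Group Policy Preferences registry item (user configuration) and attach the WMI filter to that GPO; the Test-IeZoneWarnings function is a quick way to confirm on a client that the preference actually applied.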


VEEAM, Make sure Replicas do NOT connect/Startup by accident


When I first saw VEEAM replicas I asked people what happens if the VMware ESX crashes and someone just starts all the machines he finds on the ESX (like IT may have told you to do in remote affiliates). The problem is that the REPLICAS from VEEAM could be started as well.

This would be a disaster, because an old copy of Exchange and a Domain Controller would come up on the live network alongside the current ones.

Solution since Veeam 7.0

Veeam calls it network mapping. On the replica you can choose which ESX network will be connected, and this can be different from the source machine.

On the ESX server: create a new vSwitch and a dummy network in ESX. Maybe also change the VLAN ID to something you never use. Make sure that no physical adapter is connected on the right side.

VM_VEEAM_DUMMY

VLAN ID: 233


This is the target solution we want: the replicas should land connected to VM_VEEAM_DUMMY, so if someone or something starts them up by accident or error, they have no connection to the production network.


Now edit the Veeam replica job.

EDIT

Select "Separate Virtual Networks"

SOURCE: select the source network as it is on the source server you get the machine from

TARGET: select the server you want the replicas on (or already have them on) and then choose the newly created VM_VEEAM_DUMMY

Click through and FINISH (don't change existing settings)

Now the replicas will automatically LAND in the empty network.

Microsoft enables Strict Transport Security in Windows 7 and 8.1 with Internet Explorer 11


Patch: Update KB3058515 (MS15-056)

For: Internet Explorer 11 ONLY

What for: will make a pseudo SSL connection if the website supports it, and ONLY on the second visit.

With the Microsoft July update KB3058515 (MS15-056) Microsoft finally activates HSTS in IE11. This was planned for Windows 10 and is now also on Windows 7 and 8.1. Since 2013 this has been a wish of certain customers.

https://connect.microsoft.com/IE/feedback/details/793747/ie11-feature-request-support-for-the-strict-transport-security-header

Some points to know:

  • The website has to have HSTS activated on the server side (see the SecureNet paper on how to do that)
  • Only after the second contact with the website does this become active
  • Keep in mind that browser performance MAY be hit. See the first presentation in the links for related info.
  • All US government agencies are now HTTPS only (after the hacks of late 2014)
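To make the "only on the second visit" point concrete, here is an added example (mine, not from the post) that models what a browser does with the Strict-Transport-Security header: parse it, remember the host with an expiry when it arrived over HTTPS, and rewrite http:// to https:// on later navigations. The sample host and header value are constructed; the function names are my own. The commented-out Invoke-WebRequest line is how you would check a real server, and it needs PowerShell 3 or later.

```powershell
# Added example (not from the post): a small model of the HSTS behaviour
# described above. Sample values are constructed.

$hstsCache = @{}   # host -> expiry time (the browser's persisted HSTS list)

function ConvertFrom-HstsHeader {
    # Parse "max-age=31536000; includeSubDomains; preload" into a hashtable
    param([string] $HeaderValue)
    $result = @{ MaxAge = $null; IncludeSubDomains = $false; Preload = $false }
    foreach ($directive in ($HeaderValue -split ';')) {
        $d = $directive.Trim()
        if ($d -match '^max-age=(\d+)$')       { $result.MaxAge = [int64] $Matches[1] }
        elseif ($d -ieq 'includeSubDomains')   { $result.IncludeSubDomains = $true }
        elseif ($d -ieq 'preload')             { $result.Preload = $true }
    }
    return $result
}

function Register-HstsResponse {
    # Called after a response; the header only counts when it came over HTTPS (RFC 6797)
    param([string] $HostName, [string] $HeaderValue, [bool] $OverHttps)
    if (-not $OverHttps) { return $false }          # header over plain HTTP is ignored
    $p = ConvertFrom-HstsHeader $HeaderValue
    if ($p.MaxAge -eq $null) { return $false }      # malformed: no max-age, ignored
    if ($p.MaxAge -eq 0) { $hstsCache.Remove($HostName); return $false }   # max-age=0 removes the host
    $hstsCache[$HostName] = (Get-Date).AddSeconds($p.MaxAge)
    return $true
}

function Resolve-NavigationScheme {
    # Scheme the browser uses when the user types http://host/...
    param([string] $HostName)
    if ($hstsCache.ContainsKey($HostName) -and $hstsCache[$HostName] -gt (Get-Date)) { return 'https' }
    return 'http'
}

# First visit: the user types http://, nothing is known about the host yet
$site = 'intranet.example.test'
"1st visit scheme: " + (Resolve-NavigationScheme $site)        # http
# The site redirects to https and answers with the HSTS header
Register-HstsResponse -HostName $site -HeaderValue 'max-age=31536000; includeSubDomains' -OverHttps $true | Out-Null
# Second visit: the browser rewrites http:// to https:// before any request leaves
"2nd visit scheme: " + (Resolve-NavigationScheme $site)        # https

# Live check that a server really sends the header (PowerShell 3+, needs network):
# (Invoke-WebRequest -Uri "https://$site/" -UseBasicParsing).Headers['Strict-Transport-Security']
```

The first request is the weak spot this model shows: until the header has been seen once over HTTPS, nothing protects that first http:// navigation, which is why the server-side activation in the first bullet matters more than the client patch.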


http://www.internet2.edu/presentations/fall11/20111004-stsauver-hsts-performance.pdf

http://tech.slashdot.org/story/15/06/09/2219211/internet-explorer-11-gains-http-strict-transport-security-in-windows-7-and-81

https://www.securenet.de/fileadmin/papers/HTTP_Strict_Transport_Security_HSTS_Whitepaper.pdf

http://caniuse.com/#feat=stricttransportsecurity

https://status.modern.ie/httpstricttransportsecurityhsts

https://support.microsoft.com/de-de/kb/3058515


See our IE11 deployment links:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx

http://www.butsch.ch/post/Internet-Explorer-911-GPO-old-IE9-not-visible-WMI-checks.aspx


Windows 10 NAG screen active, How to prevent (on W7/W8)


Microsoft is pushing ahead with Windows 10; the launch is in July 2015. If you had to hold back 8.0 and 8.1, you should stay on the ball here. The system houses deploy W10 and migrate as soon as it is possible.

This ICON apparently came with KB3035583 in May 2015. Blocked on WSUS as such, but at the small customers without WSUS it slipped through.

  • BlockWindows10.cmd uninstalls 3 patches (and calls the VBScript)
  • The VBScript HideWindowsUpdates.vbs HIDES the 3 patches from the Windows Update client (wuapp.exe)


Currently four patches come into question that trigger parts of this. Workaround: uninstall them and hide them from Windows Update.


KB2952664

Compatibility update for upgrading Windows 7

KB2990214

Update that enables you to upgrade from Windows 7 to a later version of Windows

KB3022345

Update to enable the Diagnostics Tracking Service in Windows

KB3035583

Update enables additional capabilities for Windows Update notifications in W 8.1 and W7 SP1


Good main link on the problem:

http://superuser.com/questions/922068/how-to-disable-the-get-windows-10-icon-shown-in-the-notification-area-tray


User OPMET posted a script which we slightly modified:


FILE: BlockWindows10.cmd

@echo off
cls
:: remember to invoke from an ELEVATED command prompt!
:: or start the batch with the context menu "run as admin".
:: (%~dp0 is used below because "run as admin" starts in System32, not in the script folder)

SETLOCAL

echo uninstalling updates ...
echo - 2952664
start "title" /b /wait wusa.exe /kb:2952664 /uninstall /quiet /norestart
echo - 2990214
start "title" /b /wait wusa.exe /kb:2990214 /uninstall /quiet /norestart
echo - 3022345
start "title" /b /wait wusa.exe /kb:3022345 /uninstall /quiet /norestart
echo - 3035583
start "title" /b /wait wusa.exe /kb:3035583 /uninstall /quiet /norestart
echo - done.
timeout 10

:: refresh the WMI information about installed patches
echo - Update WMI Info der Patche fuer Windows Update
C:\Windows\System32\wbem\wmic.exe qfe > nul

echo hiding updates ...
start "title" /b /wait cscript.exe //nologo "%~dp0HideWindowsUpdates.vbs" 2952664 2990214 3022345 3035583


FILE: HideWindowsUpdates.vbs

'Inspired by Colin Bowern: http://serverfault.com/a/341318
'Usage: cscript.exe HideWindowsUpdates.vbs <KB number> [<KB number> ...]
If Wscript.Arguments.Count < 1 Then
    WScript.Echo "Syntax: HideWindowsUpdates.vbs [Hotfix Article ID]" & vbCRLF & _
                 " - Examples: HideWindowsUpdates.vbs 2990214" & vbCRLF & _
                 " - Examples: HideWindowsUpdates.vbs 3022345 3035583"
    WScript.Quit 1
End If

Dim objArgs
Set objArgs = Wscript.Arguments

'Windows Update Agent COM API: a session and a searcher for updates not yet installed
Dim updateSession, updateSearcher
Set updateSession = CreateObject("Microsoft.Update.Session")
Set updateSearcher = updateSession.CreateUpdateSearcher()

Wscript.Stdout.Write "Searching for pending updates..."
Dim searchResult
Set searchResult = updateSearcher.Search("IsInstalled=0")

Dim update, kbArticleId, index, index2, hotfixId
WScript.Echo CStr(searchResult.Updates.Count) & " found."
For index = 0 To searchResult.Updates.Count - 1
    Set update = searchResult.Updates.Item(index)
    'One update can carry several KB IDs; compare each of them against the arguments
    For index2 = 0 To update.KBArticleIDs.Count - 1
        kbArticleId = update.KBArticleIDs(index2)
        For Each hotfixId In objArgs
            If kbArticleId = hotfixId Then
                If update.IsHidden = False Then
                    WScript.Echo "Hiding update: " & update.Title
                    update.IsHidden = True
                Else
                    WScript.Echo "Already hidden: " & update.Title
                End If
            End If
        Next
    Next
Next


BlockWindows10.zip (744.00 bytes)

HideWindowsUpdates.zip (751.00 bytes)


LAN/WIFI Switching when using Windows 7 and corporate WIFI access


This is a problem which is often underestimated and has been there since I don't know which Windows version. It is often a source of problems with WSUS agents, deployment agents etc.

Problem often seen:

On many HP laptops in my environment LAN/WLAN switching is not working well. The device always connects to the Wi-Fi first. BIOS settings are correct.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/6f550108-91f4-4228-88dc-5888410132c3/lanwlanswitching?forum=winserverGP

Here is how to get it done on a Windows 7 client.

  1. The BIOS has an option like HP's 'LAN/WLAN Switching'
  2. Script the BINDING order depending on an analysis of the routes or of netsh info (nvspbind.exe)
  3. Use a third-party tool, which you can install but have to pay for
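Option 2 done with WMI, as an added example that is not from the post: when a wired adapter has link, the wireless adapters are disabled, and when the cable is gone they are enabled again, so the machine is never reachable on both networks at once. It uses Win32_NetworkAdapter (available on Windows 7 with PowerShell 2.0, unlike the NetAdapter cmdlets of Windows 8); classifying an adapter as wireless by its name and connection name is an assumption, so adjust the patterns to your hardware. Run it elevated from a scheduled task triggered on network changes, or from a logon script.

```powershell
# Added example (not from the post): disable WLAN while a wired NIC is connected.
# Written for PowerShell 2.0 / Windows 7. Adapter classification is an assumption.

function Get-PhysicalNic {
    # Only real adapters that have a connection name (no miniports, no tunnels)
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -and $_.NetConnectionID } |
        Select-Object Name, NetConnectionID, NetConnectionStatus, NetEnabled, DeviceID
}

function Test-WiredNic {
    param($Nic)
    # Assumption: wireless adapters carry one of these words in their name or connection name
    $wifi = ($Nic.Name -match 'Wireless|Wi-Fi|WLAN|802\.11') -or ($Nic.NetConnectionID -match 'Wireless|Wi-Fi|WLAN')
    return -not $wifi
}

function Sync-WlanToLanState {
    param([switch] $WhatIf)
    $nics  = Get-PhysicalNic
    # NetConnectionStatus 2 = "Connected" (link up) in Win32_NetworkAdapter
    $wired = $nics | Where-Object { (Test-WiredNic $_) -and $_.NetConnectionStatus -eq 2 }
    $wlan  = $nics | Where-Object { -not (Test-WiredNic $_) }
    $wantWlanEnabled = (-not $wired)     # no connected wired NIC -> WLAN may be on
    foreach ($n in $wlan) {
        # Re-fetch the live WMI object so Enable()/Disable() can be called on it
        $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "DeviceID = '$($n.DeviceID)'"
        if ($wantWlanEnabled -and -not $adapter.NetEnabled) {
            Write-Host "No wired link: enabling $($n.NetConnectionID)"
            if (-not $WhatIf) { $adapter.Enable() | Out-Null }
        } elseif (-not $wantWlanEnabled -and $adapter.NetEnabled) {
            Write-Host "Wired link up: disabling $($n.NetConnectionID)"
            if (-not $WhatIf) { $adapter.Disable() | Out-Null }
        }
    }
    return $wantWlanEnabled
}

# Dry run first: shows what would be enabled/disabled without touching anything
Sync-WlanToLanState -WhatIf
```

Because the script disables the WLAN adapter rather than just reordering bindings, an open VPN or file copy over Wi-Fi is cut when the cable is plugged in; that is the trade-off against the up-to-40-second soft switch that Windows 8 does on its own, described further down.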


Some links in that direction:

http://community.spiceworks.com/topic/190709-force-laptop-to-prefer-wired-lan-over-wlan-when-both-are-available

http://superuser.com/questions/112585/how-can-i-disable-wifi-when-computer-is-connected-to-lan-with-wire-using-gpo

https://social.technet.microsoft.com/Forums/windowsserver/en-US/007da9d4-c029-4751-97bc-dd55b798cfa1/disable-wifi-connection-with-gpo-when-network-cable-is-plugged?forum=winserverGP

All HP laptops:

There is an option named 'LAN/WLAN Switching' in the BIOS. This option is listed under System Configuration > Built-In Device Options. Please enable this and check. This should disable the WLAN when the LAN is connected.

HP: the G1 series had some problems in that direction which were solved in the G2 version.

On Windows 8/10 this should work seamlessly without losing open files or connections, but it introduces a delay of up to 40 seconds.

HP Notebook PCs - the Computer Does Not Automatically Switch Between the LAN/WLAN Connections in Microsoft Windows 8 and 8.1

http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03707130

RESOLUTION

This is a built-in feature of Microsoft Windows 8 and 8.1. The computer may take up to 40 seconds to switch from one network to the other. This delay is by design to avoid interrupting file transfers and other processes.


Exchange 2010 EMC / Console Kerberos load quota 1000 of 2


It's unclear where this comes from, but we suspect scripts querying Exchange objects in some form, or third-party software which queries some Exchange objects too fast. For some MDM/BlackBerry solutions things were opened up (throttling). The client does not have Kerberos authentication / SPS activated.

Error:

The WS-Management service cannot process the request. The system load quota of 1000 requests per 2 seconds has been exceeded

Solve this with (cmd):

Try:

iisreset /noforce

If that gets stuck, do a full reset with:

iisreset

Solved:


Frontrange Upgrade 7/2014.x/2015.1


Here is where to find the mentioned setting in Enteo/Frontrange for updates:

Configure the Polling Frequency for Package Preparation on the ORG Master Depot

The Polling Frequency for Package Preparation of the Distribution Service (in charge of the ORG Master Share) should be reduced to 5 minutes to ensure the update packages are prepared in a timely fashion. The default value is 120 minutes.


Fine grained Password Policy on 2012R2 made easy with ADAC


ADAC = NOT the German roadside breakdown service ;-)

Fine-grained password policy in a 2012 R2 Active Directory domain, event 4625

Sometimes you need accounts that never expire or never get locked out. We all know it's stupid in security terms, but if the software has a bug and locks the account, you have to hurry. Search on ALL of the domain controllers for event 4625. There you should see the client which does it. There are also lockout/whoislocked scripts which do that (account locked).
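The "search on ALL domain controllers" step as a script, an added example that is not from the post: it asks every DC in the domain for recent 4625 (failed logon) events with Get-WinEvent and pulls the workstation name, source IP and NTSTATUS code out of the event XML, so you see which machine keeps presenting the old password. It needs the ActiveDirectory module (RSAT or a DC) and the right to read the Security log remotely; the account name is a placeholder.

```powershell
# Added example (not from the post): find the source of failed logons for one
# account across all DCs. Account name below is a placeholder.

function Find-FailedLogons {
    param(
        [string] $SamAccountName,
        [int]    $Hours    = 24,
        [int]    $MaxPerDc = 50
    )
    $since = (Get-Date).AddHours(-$Hours)
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $results = @()
    foreach ($dc in $dcs) {
        try {
            $events = Get-WinEvent -ComputerName $dc -MaxEvents $MaxPerDc -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since }
        } catch {
            # "No events were found" also lands here; that DC simply has none in the window
            Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message); continue
        }
        foreach ($e in $events) {
            # EventData fields carry names in the XML: TargetUserName, WorkstationName, IpAddress, Status, LogonType
            $x = [xml] $e.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $SamAccountName) { continue }
            $results += New-Object PSObject -Property @{
                DC          = $dc
                Time        = $e.TimeCreated
                User        = $data['TargetUserName']
                Workstation = $data['WorkstationName']
                IpAddress   = $data['IpAddress']
                Status      = $data['Status']      # 0xC000006D = bad user name or password, 0xC0000234 = account locked out
                LogonType   = $data['LogonType']   # 2 interactive, 3 network, 4 batch, 5 service, 10 remote interactive
            }
        }
    }
    return $results | Sort-Object Time -Descending
}

Find-FailedLogons -SamAccountName 'svc_app_placeholder' -Hours 24 |
    Format-Table Time, DC, Workstation, IpAddress, LogonType, Status -AutoSize
```

If the account is already locked, event 4740 ("A user account was locked out") on the PDC emulator names the caller computer directly, which is a shorter route than scanning every DC; the 4625 scan above is still what tells you which scheduled task or service on that computer is the culprit, via LogonType.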

The regular Domain password policy is here:

But we want a second one with different settings, only for a few users in a security group.

New way with ADAC on 2012 R2

http://blogs.technet.com/b/canitpro/archive/2013/05/30/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad.aspx

https://technet.microsoft.com/de-CH/library/hh831702.aspx

Old way with ADSIEDIT.MSC

http://www.grouppolicy.biz/2011/08/tutorial-how-to-setup-default-and-fine-grain-password-policy/

https://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx


Make a new AD group: sg_gpo_password_policy_bsb_non_locked, and make the accounts which should get the special password policy members of that group (user accounts only).

Go to SYSTEM

Go to the Password Settings Container


Choose "Directly applies to" and make sure you choose the correct Security Group you made for this.

On the DC, in cmd, do a:

repadmin /syncall

It's finished and working.

CROSS CHECK with the old method in ADSIEDIT

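The same PSO created with the ActiveDirectory module instead of clicking through ADAC, as an added example that is not from the post; scripting it makes the settings reviewable and repeatable on the next domain. The group name is the one from the post; the policy name, precedence, password length and age values are assumptions to adjust. The "never expires" requirement is approximated with a ten-year maximum age (an assumption about what your environment accepts), and the lockout threshold of 0 is what disables lockout. The last function replaces the ADSIEDIT cross-check: it shows which policy an account really gets. Run on a 2012 R2 DC or with RSAT as a domain admin.

```powershell
# Added example (not from the post): fine-grained password policy via PowerShell.
# Group name from the post; policy name, precedence and values are assumptions.

Import-Module ActiveDirectory

function New-NonLockingPasswordPolicy {
    param(
        [string] $Name       = 'PSO_non_locked_service_accounts',
        [string] $GroupName  = 'sg_gpo_password_policy_bsb_non_locked',
        [int]    $Precedence = 10      # lower number wins when several PSOs apply to one user
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        # "Only user accounts": a global security group; members are added by hand
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
            -ComplexityEnabled $true `
            -MinPasswordLength 20 `
            -PasswordHistoryCount 24 `
            -MinPasswordAge '1.00:00:00' `
            -MaxPasswordAge '3650.00:00:00' `
            -LockoutThreshold 0 `
            -LockoutObservationWindow '0.00:30:00' `
            -LockoutDuration '0.00:30:00' `
            -ReversibleEncryptionEnabled $false
    }
    # "Directly applies to": link the PSO to the security group only, never to single users
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $GroupName
    return Get-ADFineGrainedPasswordPolicy -Identity $Name -Properties AppliesTo
}

function Test-ResultantPolicy {
    # Cross-check which PSO an account actually gets (what the ADSIEDIT check was for)
    param([string] $SamAccountName)
    return Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
}

New-NonLockingPasswordPolicy |
    Format-List Name, Precedence, LockoutThreshold, MaxPasswordAge, MinPasswordLength, AppliesTo
repadmin /syncall
# Test-ResultantPolicy -SamAccountName 'svc_app_placeholder'
```

With lockout switched off, the long minimum length and complexity are the only brakes left against password guessing on these accounts; keep the group small and review its membership, since anything added to it silently loses lockout protection.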


Wie kann man eine DLL testweise auf einem Enteo Client ersetzen?


How can you replace a DLL or a file for testing on an Enteo client? Today we received a DLL for a DEV fix from Frontrange. Then, after asking, a link to a KB which describes a key. If anyone understands where it is now supposed or allowed to be changed, please explain it to us. Maybe in a drawing or a diagram?

WARNING: Frontrange is now an English company (KB article 12492)

Never use / change this key on a Management Point Server. This key must always be set on a Management Point Server because the client binary update is performed during Management Point update automatically.


Replacing a single TEST DLL on the Enteo agent

  1. Stop both Frontrange services
  2. Create the registry key on the CLIENT
  3. Restart both Frontrange services
  4. Stop both Frontrange services
  5. Replace the DLL (purely file-based, without registering the DLL)
  6. Start both Frontrange services
  7. Check that the two DLLs are not replaced again

Fix.reg: this key must be set on the DSM/Enteo/Frontrange client

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\NetSupport\NetInstall\SiteProperties]
"ClientAutoUpdateEnabled"=dword:00000000


Example of replaced files which Enteo customers receive from support:

KB Artikel 12492


Mcafee EPO prevent exe RUNNING FROM %appdata%


Mcafee EPO prevent exe RUNNING FROM %appdata% folders with an Access protection Policy

How to protect from most 0-day Flash exploits and malware like Ransom Cryptowall in summer 2015. You simply can't keep up with patching, even with deployment or management solutions in place. Now, you should have an IPS filter like a Fortigate with FortiGuard. Fortigate is most of the time involved in the detection of Flash exploits, so a good choice in that direction.

But the problem is viruses inside SSL/HTTPS, if you can't break the stream because of legal concerns.

Here is a solution to strip it down with McAfee, but as always not clear in their documentation.

Sure, this covers 80%, but it will take out some heat. Another tip would be to use Microsoft EMET on our side. There is also a GPO to prevent such things, but this takes more time to set up.


Mcafee EPO Server Logon

Go to Clients

Assigned Policy

Access Protection Policy

Choose your "Policy" > "My Default"

Now the trick was the PATH. I am not sure, but ONE McAfee KB was wrong or not so effective here.

We are still unsure if it has to be \ or / if you read their documentation.

Well, here is how it worked for us. We don't want to catch %appdata%\temp because there is already an option in McAfee itself for that, and it was not a good idea with some customers and special apps.

01_APPDATA_ROAMING_BLOCK_EXE

avtask.exe, cfgwiz.exe, csscan.exe, dainstall.exe, EngineServer.exe, fssm32.exe, giantantispywa*, ienrcore.exe, kavsvc.exe, KillWia64.exe, mcdatrep.exe, mcscript*, mcshield.exe, mcupdate.exe, mfeann.exe, mfehidin.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, navw32.exe, ncdaemon.exe, nmain.exe, Patch.log, regsvc.exe, rtvscan.exe, sdat*.exe, svchost.exe, TrolleyExpress.exe, VirusScanAdvancedServer.exe, vmscan.exe, VSE88HF793781.exe, \:::mcadmin.exe, \:::mcconsol.exe, \:::mcupdate.exe, \:::restartVSE.exe, \:::scan32.exe, \:::scncfg32.exe, \:::shcfg32.exe, \:::shstat.exe, \:::VSCore\dainstall.exe, \:::VSCore\x64\dainstall.exe, \:::vstskmgr.exe, \:::x64\scan64.exe

**\AppData\LocaLow\*.exe

 

02_APPDATA_LOCALOW_BLOCK_EXE

avtask.exe, cfgwiz.exe, csscan.exe, dainstall.exe, EngineServer.exe, fssm32.exe, giantantispywa*, ienrcore.exe, kavsvc.exe, KillWia64.exe, mcdatrep.exe, mcscript*, mcshield.exe, mcupdate.exe, mfeann.exe, mfehidin.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, navw32.exe, ncdaemon.exe, nmain.exe, Patch.log, regsvc.exe, rtvscan.exe, sdat*.exe, svchost.exe, TrolleyExpress.exe, VirusScanAdvancedServer.exe, vmscan.exe, VSE88HF793781.exe, \:::mcadmin.exe, \:::mcconsol.exe, \:::mcupdate.exe, \:::restartVSE.exe, \:::scan32.exe, \:::scncfg32.exe, \:::shcfg32.exe, \:::shstat.exe, \:::VSCore\dainstall.exe, \:::VSCore\x64\dainstall.exe, \:::vstskmgr.exe, \:::x64\scan64.exe

**\AppData\LocaLow\*.exe
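Before pushing such a rule to all clients, it helps to see exactly which paths a pattern like `**\AppData\LocalLow\*.exe` covers. The following is an added example (mine, not McAfee's code and not from the post): a small matcher for the wildcard syntax of VSE Access Protection rules, with `*` matching inside one path component, `**` crossing backslashes and `?` matching one character, which is how I read KB54812 linked below; treat that reading as an assumption and compare with the KB. The test paths are constructed, and the Roaming rule line is what I assume the "ROAMING" rule is meant to contain.

```powershell
# Added example (not from the post): test VSE Access Protection path wildcards
# against sample paths. Wildcard semantics per my reading of McAfee KB54812.

function ConvertTo-RuleRegex {
    param([string] $Rule)
    $sb = New-Object System.Text.StringBuilder
    [void] $sb.Append('^')
    $i = 0
    while ($i -lt $Rule.Length) {
        $c = $Rule.Substring($i, 1)
        if ($c -eq '*' -and ($i + 1) -lt $Rule.Length -and $Rule.Substring($i + 1, 1) -eq '*') {
            [void] $sb.Append('.*')            # ** : anything, including backslashes
            $i += 2
            continue
        }
        switch ($c) {
            '*'     { [void] $sb.Append('[^\\]*') }   # *  : anything except a path separator
            '?'     { [void] $sb.Append('[^\\]') }    # ?  : exactly one non-separator character
            default { [void] $sb.Append([regex]::Escape($c)) }
        }
        $i++
    }
    [void] $sb.Append('$')
    return $sb.ToString()
}

function Test-AccessProtectionRule {
    param([string] $Rule, [string] $Path)
    # Windows paths are case-insensitive, so match that way
    return [bool] ($Path -imatch (ConvertTo-RuleRegex $Rule))
}

$rules = @(
    '**\AppData\Roaming\*.exe',       # assumed content of the ROAMING rule
    '**\AppData\LocalLow\*.exe'       # the LOCALLOW rule from the policy above
)
# Constructed sample paths
$samples = @(
    'C:\Users\jdoe\AppData\Roaming\invoice.exe',        # classic dropper location: blocked
    'C:\Users\jdoe\AppData\Roaming\Sub\invoice.exe',    # one folder deeper: NOT matched by \*.exe
    'C:\Users\jdoe\AppData\LocalLow\update.exe',
    'C:\Users\jdoe\AppData\Local\Temp\setup.exe',       # Local\Temp: left to the built-in option
    'C:\Program Files\Vendor\app.exe'
)
foreach ($p in $samples) {
    $hit = $rules | Where-Object { Test-AccessProtectionRule -Rule $_ -Path $p }
    "{0,-6} {1}" -f $(if ($hit) { 'BLOCK' } else { 'allow' }), $p
}
```

The second sample path is the one to look at: a single `*` does not cross a folder boundary, so an executable dropped one level below Roaming is not caught by `\*.exe`; if you want subfolders too, test a `**` form of the rule with this matcher and then verify it on one client (the "Client side TEST" step) before assigning it to the Workstation and Server policies.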


Check the left corner FOR "Workstation" and for "Server"

Client side TEST

EPO side view


Original link from McAfee:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25480/en_US/McAfee_Labs_Threat_Advisory-Ransom_Cryptowall.pdf

Wildcard patterns in McAfee:

https://kc.mcafee.com/corporate/index?page=content&id=KB54812

Adobe:

https://helpx.adobe.com/security/products/flash-player/apsa15-04.html


WSUS: Do not Install KB3022345 it sends info back to MS over SSL


Not only E.T. wants to phone home! Microsoft is bombarding even corporate customers and small-business customers with updates they don't want and never agreed to. KB3022345 seems to be a patch for clients and servers which sends a lot of information, encrypted over SSL, to Microsoft servers. They must be in a hurry for their Windows 10 release and want to catch every application in the world. As if we did not supply enough information with tools like MACT (https://www.microsoft.com/en-us/download/details.aspx?id=7352), they now get the info unasked. Feel free to block it on your private or corporate firewall. And no, nobody has pre-selected Windows 10 download and test-bunny mode.

Update: KB3022345

Hosts which are contacted:

    191.232.139.254    vortex-win.data.microsoft.com
    191.232.139.253    settings-win.data.microsoft.com

Port: HTTPS/SSL/443

https://support.microsoft.com/en-us/kb/3022345

Update for customer experience and diagnostic telemetry

This update has been replaced by the latest update for customer experience and diagnostic telemetry that was first released on June 2, 2015. To obtain the update, see 3068708 Update for customer experience and diagnostic telemetry.

Helping the overall application experience

The Diagnostics Tracking service collects diagnostics about functional issues on Windows systems that participate in the Customer Experience Improvement Program (CEIP). CEIP reports do not contain contact information, such as your name, address, or telephone number. This means CEIP will not ask you to participate in surveys or to read junk email, and you will not be contacted in any other way.

For any released product with an option to participate in CEIP, you can decide to start or stop participating at any time. Most programs make CEIP options available on the Help menu, although for some products, you might have to check settings, options, or preferences menus. Some prerelease products that are under development might require participation in CEIP to help ensure the final release of the product improves frequently used features and solves common problems that exist in the prerelease software.

Please also see the Windows 10 NAG screen posting we made:

http://www.butsch.ch/post/Windows-10-NAG-screen-active-How-to-prevent-(on-W7W8).aspx


W7, 64BIT, WMI Hotfixes do date post SP1


WMI Hotfixes to date 29.07.2015

During IE11 projects we have seen problems with some WMI and WUSA.EXE KB installations. It sometimes seems that the WMI provider which offers that info hangs or is out of date. Even with some commands to refresh it, it stays stuck. This is a list of hotfixes we found in that direction for existing Windows 7 64-bit deployments with SP1.


IE11 patch info:

http://www.butsch.ch/post/IE11-IEAK-11-Setup-9-PRE-Deployment-Patches-2b-1-Hotfix.aspx


YES = installs on W7 SP1 64-bit with all updates from WSUS to date 29.07.2015

NO = does not install on the same system


001 (YES)

https://support.microsoft.com/en-us/kb/2705357

2705357

Windows6.1-KB2705357-v2-x64.msu

 

002 (YES)

http://support.microsoft.com/kb/2692929

2692929

Windows6.1-KB2692929-x64.msu

 

003 (YES, but choose 2617858)

Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7

http://support.microsoft.com/kb/2465990

2465990 > SUPERSEDED > replaced by > 2617858 (https://support.microsoft.com/en-us/kb/2617858)

2465990 > Windows6.1-KB2465990-v3-x64.msu (older)

2617858 > Windows6.1-KB2617858-x64.msu (newer, supersedes the old one)

 

004 (YES)

https://support.microsoft.com/en-us/kb/2492536

2492536

Windows6.1-KB2492536-x64.msu

 

005 (NO)

https://support.microsoft.com/en-us/kb/982293

982293

Windows6.1-KB982293-x64.msu
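An added example, not from the post, to check which of the hotfixes listed above a Windows 7 SP1 x64 machine already has. It looks twice: once with Get-HotFix (the Win32_QuickFixEngineering provider, the same data `wmic qfe` shows) and once through the Windows Update Agent's installation history, because the QFE provider is exactly the component that hangs or lags in the cases described, and a disagreement between the two columns is the symptom you are hunting. The KB list is taken from the post; the function names are mine.

```powershell
# Added example (not from the post): presence check for the WMI hotfixes above
# via two independent sources. PowerShell 2.0 compatible.

$wmiHotfixes = @(
    @{ Kb = 'KB2705357'; Note = 'YES' },
    @{ Kb = 'KB2692929'; Note = 'YES' },
    @{ Kb = 'KB2617858'; Note = 'YES, supersedes KB2465990' },
    @{ Kb = 'KB2465990'; Note = 'superseded by KB2617858' },
    @{ Kb = 'KB2492536'; Note = 'YES' },
    @{ Kb = 'KB982293';  Note = 'NO (does not install on an up-to-date system)' }
)

function Get-InstalledKbFromWua {
    # Installation history from the Windows Update Agent COM API (does not use the QFE provider)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    if ($count -eq 0) { return @() }
    $kbs = @()
    foreach ($entry in $searcher.QueryHistory(0, $count)) {
        # ResultCode 2 = succeeded; the title normally ends in "(KBnnnnnnn)"
        if ($entry.ResultCode -eq 2 -and $entry.Title -match '\((KB\d+)\)') { $kbs += $Matches[1] }
    }
    return $kbs | Sort-Object -Unique
}

function Test-WmiHotfixes {
    $qfe = Get-HotFix | Select-Object -ExpandProperty HotFixID    # e.g. "KB2705357"
    $wua = Get-InstalledKbFromWua
    foreach ($h in $wmiHotfixes) {
        New-Object PSObject -Property @{
            KB        = $h.Kb
            InQfe     = ($qfe -contains $h.Kb)
            InWuaHist = ($wua -contains $h.Kb)
            Note      = $h.Note
        }
    }
}

Test-WmiHotfixes | Format-Table KB, InQfe, InWuaHist, Note -AutoSize
```

A hotfix installed manually with wusa.exe appears in the QFE column but not in the WUA history, which is normal; the interesting case is the reverse, a KB in the WUA history that the QFE provider does not report, which is the out-of-date provider behaviour the post describes.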


Windows 10 corporate support, Mcafee VSE and WSUS status 05.08.2015


Windows 10, WSUS Integration

If you support Server 2012 R2 and 8.1 and have their updates on the WSUS, you will see the new categories straight away.

Windows 10, McAfee VSE 8.8 with Patch 6, which should be released on 26 August 2015

https://kc.mcafee.com/corporate/index?page=content&id=KB51111

https://community.mcafee.com/community/business/blog/2015/08/02/windows-10-support-updates


Product Version                     | Product Build | Release Notes | Known Issues | Release Date                                                                   | EOL Date | Comments
VSE 8.8 Patch 6 (under development) | TBD           | TBD           | TBD          | Target July 30, 2015 for private release; target Aug 26, 2015 for full release | n/a      | Adds support for the Windows 10 platform.

NOTE: Patch 6 is currently available in managed release. To obtain the patch and participate in the managed release program, contact your Support Account Manager.


Mcafee EPO Server Problem no Protection Policy visible (blank/empty)


After the upgrade to version 5.3, when ePO was installed to a non-C: drive and you did not enable 8.3 names for that drive.

Also after the first upgrade of a VSE product once you installed a new ePO to a non-C: drive and did not enable 8.3 names for that drive.


When you view the VSE Access Protection policy within the ePO console, the policy appears to be blank. This is because the manual only says to check and enable the 8.3 naming convention on the C: drive and forgets to mention other drives.


Check the drives where you have installed the ePO binaries:

The Volume state is: 0 < this is how it should look


Here is how to change it, then reboot:

fsutil.exe 8dot3name set d: 0
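An added example, not from the post, that runs the check above over every fixed volume at once, flags the volume that holds the ePO binaries, and on request applies the same `fsutil 8dot3name set <drive> 0` fix. Parsing relies on the English "The volume state is: N" line fsutil prints (an assumption); the default ePO path is an assumption too, so pass `-EpoPath` with your install directory. Run it elevated.

```powershell
# Added example (not from the post): 8.3 name state per fixed volume, with the
# ePO drive highlighted. Default ePO path is an assumption.

function Get-8dot3State {
    param([string] $Drive)            # e.g. 'D:'
    $out = fsutil.exe 8dot3name query $Drive 2>&1 | Out-String
    # fsutil prints "The volume state is: 0 (8dot3 name creation is enabled)." (English output assumed)
    if ($out -match 'volume state is:\s*(\d)') { return [int] $Matches[1] }
    return $null                      # fsutil unavailable, access denied, or unexpected output
}

function Test-EpoVolume8dot3 {
    param(
        [string] $EpoPath = 'D:\Program Files (x86)\McAfee\ePolicy Orchestrator',   # assumption
        [switch] $Fix
    )
    $epoDrive = Split-Path -Qualifier $EpoPath      # 'D:'
    $report = @()
    foreach ($vol in (Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3")) {   # 3 = local fixed disk
        $state = Get-8dot3State $vol.DeviceID
        $isEpo = ($vol.DeviceID -ieq $epoDrive)
        # 0 = 8.3 name creation enabled on this volume (what ePO needs), 1 = disabled
        if ($isEpo -and $state -ne 0 -and $Fix) {
            fsutil.exe 8dot3name set $vol.DeviceID 0 | Out-Null
            $state = Get-8dot3State $vol.DeviceID
        }
        $report += New-Object PSObject -Property @{
            Drive    = $vol.DeviceID
            State    = $state
            HoldsEpo = $isEpo
            Ok       = (-not $isEpo) -or ($state -eq 0)
        }
    }
    return $report
}

Test-EpoVolume8dot3 | Format-Table Drive, State, HoldsEpo, Ok -AutoSize
# Test-EpoVolume8dot3 -Fix     # applies the setting to the ePO drive; reboot afterwards
```

Enabling 8.3 names only affects files created from then on; existing files on the volume do not get short names retroactively, which is why the repository pull and extension reinstall in the steps below are still needed after the fsutil change and reboot.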


It also happens if you upgrade to VSE 8.8 Patch 5 AND you are a smart guy who installs the ePO binaries on D: like they teach you (and not on C:, because everything that grows goes on D: ;-)


* Enabling the 8.3 naming convention (short names) for the disk where the ePO path is installed and rebooting did the trick (fsutil.exe 8dot3name set d: 0)
* Export all policies and assignments!!
* Remove the extension for VSE 8.8 Patch 5
* Download the 8.8 Patch 5 repost and extract the extension files (two) from www.mcafee.com
* Import the extension from the VSE 8.8 packages (VIRUSCAN8800(392).zip, VIRUSCAN8800(392).zip)
* Import your exported policies


DO NOT FORGET to EXPORT and import the POLICIES; you will lose them if you remove the VSE extension!


Environment

McAfee ePolicy Orchestrator (ePO) 4.x, 5.0, 5.1
McAfee VirusScan Enterprise (VSE) 8.8 patch 4 and 5

Problem

When you view the VSE Access Protection policy within the ePO console, the policy appears to be blank.
An Administrator cannot modify the existing (default) Access Protection policies.

Cause

ePO was installed to a drive other than the C: drive on the local system. The ePO Extensions for VSE rely on the existence of the VSCAN.bof content file to display the necessary policy information. The file must be located in one of the following ePO directories:

<Drive:>\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Software\Current\BOCVSE_1000\DAT\0000\

or:

<Drive:>\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\BOCVSE_1000\DAT\0000\

Solution from McAfee

Perform a Master Repository pull in ePO and ensure that the option to check for Access Protection and Buffer Overflow content is selected. This will place the necessary content file in the required location.


Mcafee Profiler to analyze slow Mcafee clients


Well, sure, you hear it often: it's slow because of the virus protection. Do you understand Artemis? Do you understand how deep things scan, or not? Never mind > McAfee has a tool for all larger customers who want to identify possible exclusion files or directories on their system to reduce heavy load. We don't want to discuss whether it's a good idea, but sometimes you may have to.

https://kb.mcafee.com/corporate/index?page=content&id=KB69683

The Profiler comes as an MSI package and yes, you can roll out the thing with ePO if you like and collect centralized logfiles somewhere.

After the scan you can clearly see one source of McAfee being slower. It's an English Windows 7 with a German Office and other German software, so the MUI references are used heavily. These are the files we are talking about.


IE11 Umsetzen Unternehmensmodus / Enterprise Mode

What is Enterprise Mode?

Enterprise Mode is a compatibility mode of Internet Explorer 11 for devices running Windows 8.1 Update and Windows® 7. In this mode, websites are rendered with a customized browser configuration that is designed to emulate Internet Explorer 8, thereby avoiding the common compatibility problems of web apps that were written and tested for older versions of Internet Explorer.

Technet article: https://technet.microsoft.com/enus/library/mt269903.aspx

How do I see whether a website is running in Enterprise Mode?

Display of a website in IE Enterprise Mode (Unternehmensmodus)

How can a user put a website into Enterprise Mode?

  1. Open the website in the browser
  2. Tools > select Enterprise Mode
  3. The website now automatically stays in Enterprise Mode on your system
  4. Activating the mode is logged centrally, and if it is a business-relevant website, the page may be put into the mode centrally for all employees.

Enterprise Mode GPO group policies

GPO, group policy

Let users turn on Enterprise Mode from the "Tools" menu

This is a) so that the user sees the "Enterprise Mode" MENU ITEM at all, and b) not mandatory if you do NOT want to log this! > Specify the web server that records the change (see: "IE 11 Enterprise Mode logging/evaluation at a central location"). IF the user selects a page as Enterprise Mode, IT then knows from a central log file that this was done.

Use the Enterprise Mode IE website list

This is a simple XML file that states which site should run IN Enterprise Mode, e.g. like a zone assignment in the GPO, just as an XML file.

URL for the site list: \\DOMAINCTRONOLLER\netlogon\tools\kunde_ie11_enterprise_sitelist.xml

IE11 fetches this 65 seconds after Internet Explorer has been restarted.

Enterprise Mode Site List Tool (why not simply Compatibility View?)

This is needed to create or edit the XML site list more easily. The XML file can also be changed at any time with Notepad++ or notepad.exe. Anyone unsure about XML files should do it with the tool, though: if there is an error in the XML format, the websites listed there will not work properly.

There are cases where you have to exclude specific sub-pages but want other pages of the same website to run in IE11 mode. If, for example, you emulated the whole site in IE8 mode, the whole site with ALL sub-pages would be slower. For intranet solutions you can optimize them this way.

Fictitious example:

www.baz.ch (is IE11 compatible and must run under IE11)

www.baz.ch/Karten_bestellen.aspx (only works properly with IE8 because it is an old version)

www.baz.ch/portal (is IE11 compatible and runs 50% faster in IE11 mode)

In the Enterprise Mode Site List Tool this can be staged and implemented at a fine-grained level. With intranet applications this may be the case, and you should keep in mind that this is possible with the tool and the XML file.

Enterprise Mode Site List Tool

FILE:

kunde_ie11_enterprise_sitelist.xml

How do I change the site list?

  1. Change it directly under \\DOMAINCTRONOLLER\netlogon\tools\kunde_ie11_enterprise_sitelist.xml
  2. Open \\DOMAINCTRONOLLER\netlogon\tools\kunde_ie11_enterprise_sitelist.xml with the Enterprise Mode Tool and then adjust it there

IE 11 Enterprise Mode logging/evaluation at a central location

This part collects all websites that are not IE11 compatible and are switched into Enterprise Mode BY the user or by IT. So that IT finds out about it, the client reports it to the web server, which writes a log file.

Technet article: https://technet.microsoft.com/en-us/library/dn781326.aspx

URL for the GPO: http://webserver:81/EmIE.asp

Server: webserver with IIS/ASP

Path of the log files: \\webserver\d$\logfiles_IE11_Enterprise_Mode\W3SVC1

Example: a user puts www.stern.de into Enterprise Mode on client 10.20.2.190

We then see the following in the log file:

After a few weeks the log files are evaluated and the sites are transferred centrally into the XML file for all users.
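As an added example (not part of the original post, and not a McAfee or Microsoft tool): a Python script that reads the EmIE.asp log lines described above, keeps the hosts that users left switched on, and writes them into a version 1 Enterprise Mode site list. The W3C log field layout and the values IE posts in the EnterpriseMode form field are assumptions, and the log lines are constructed.

```python
"""Added example: aggregate IE11 Enterprise Mode switches from the EmIE.asp IIS
log and emit a v1 site list. Assumes " ;<URL> ;<EnterpriseMode>" ends each line."""
from collections import defaultdict
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample W3C log lines: field layout is assumed, values invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip
2015-10-01 08:12:09 10.20.2.5 POST /EmIE.asp - 81 10.20.2.190 ;http://www.stern.de/ ;true
2015-10-01 08:30:41 10.20.2.5 POST /EmIE.asp - 81 10.20.2.191 ;http://www.stern.de/ ;true
2015-10-02 09:02:13 10.20.2.5 POST /EmIE.asp - 81 10.20.2.190 ;http://intranet.example/portal ;true
2015-10-02 09:05:00 10.20.2.5 POST /EmIE.asp - 81 10.20.2.190 ;http://intranet.example/portal ;false
2015-10-03 11:47:55 10.20.2.5 POST /EmIE.asp - 81 10.20.2.192 ;http://www.stern.de/ ;true
"""

def parse_events(log_text):
    """Yield (client_ip, host, enabled) per EmIE.asp POST; skip comment lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#") or "/EmIE.asp" not in line:
            continue
        parts = line.split(" ;")
        if len(parts) < 3:
            continue  # malformed: URL or mode field missing
        head, url, mode = parts[0], parts[-2], parts[-1]
        client_ip = head.split()[-1]          # c-ip is the last field before the appended text
        host = (urlsplit(url).hostname or url).lower()
        yield client_ip, host, mode.strip().lower() in ("true", "1", "on")

def candidate_sites(log_text, min_clients=2):
    """Hosts whose last recorded switch was 'on', seen from >= min_clients clients."""
    last_state, clients = {}, defaultdict(set)
    for ip, host, enabled in parse_events(log_text):
        last_state[host] = enabled            # a later 'off' cancels an earlier 'on'
        if enabled:
            clients[host].add(ip)
    return sorted(h for h, on in last_state.items() if on and len(clients[h]) >= min_clients)

def build_sitelist(hosts):
    """Render a v1 site list; ElementTree guarantees well-formed XML output."""
    rules = ET.Element("rules", version="1")
    emie = ET.SubElement(rules, "emie")
    for host in hosts:
        ET.SubElement(emie, "domain", exclude="false").text = host
    return ET.tostring(rules, encoding="unicode")

if __name__ == "__main__":
    print(build_sitelist(candidate_sites(SAMPLE_LOG)))
```

Hosts that only one client switched on, or that were switched off again, stay out of the generated list and can be reviewed by hand before the file on the netlogon share is replaced.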

Settings: client, WEBSERVER, log server

Install IIS on the server that is to collect the IE11 information about user activity.

Log files: \\webserver\d$\logfiles_IE11_Enterprise_Mode\W3SVC1

Port 81 binding, http://webserver:81/EmIE.asp

<% @ LANGUAGE=javascript %>
<%
// EmIE.asp: IE11 POSTs the URL and the Enterprise Mode state here;
// append both to the IIS log entry so the central log shows what was switched.
Response.AppendToLog(" ;" + Request.Form("URL") + " ;" + Request.Form("EnterpriseMode"));
%>

External links:

https://technet.microsoft.com/en-us/library/dn640689.aspx

https://technet.microsoft.com/en-us/library/dn781326.aspx

https://technet.microsoft.com/en-us/library/dn640699.aspx
