Citrix and Internet Explorer 11 Enterprise Mode Part 3

Brian MurphySenior Information Technology Consultant
Holistic technology infrastructure strategy, design, engineering and implementation that is highly scalable, secure, optimized, automated
Several part series to implement Internet Explorer 11 Enterprise Mode

Part 1 covered XML design. The XML design is critical to the implementation and adding or removing sites from the sites.xml file. The XML file, like DNS, is read “right to left.” As of this writing, options include; IE 11 Default, IE 8 Emulation Mode, IE 10 Document Mode, IE 9 Document Mode, IE 8 Document Mode, and IE 7 Document Mode.

Part 2 covered XML structure and file parsing right to left and document mode. XML, like DNS, reads right to left (parsed) and greatest to least from a potential impact perspective, although one error at any level can result in an outage. Document mode provides a way to adjust for other document types using the same XML file.  

Moving from IE 8 using compatibility mode to IE 11 Enterprise Mode with compatibility view disabled might result in issues that are unrelated to an IE 11 Upgrade but by default, this is assumed when the issue is related to GPO or some other factor. This section provides examples of such scenarios.

By default, IE 11 without custom configuration using Group Policy has the following setting for Local Intranet Zone; one of the several settings that results in project defects. Having this information now resolves a future headache. This setting effectively "disables" the integrated login for every internal website having a full FQDN. Sites without FQDN (Intranet) sites would function but none of your sites having a full DNS name such as would resolve.
P3IMAGE1.pngUnfortunately, this causes authentication errors for sites that use Integrated Logon with Active Directory. It requires a modification to group policy objects (GPO) as follows:

P3IMAGE2.pngThis setting enables integrated login for anything listed in Intranet Zone, whether it is the short name, http://vcissgroup or FQDN

This assumes Active Directory domain joined workstations. Websites that require "Integrated login" use Active Directory credentials: the current logon with current password. Other "type" websites require a separate login ID and password and thus are not impacted by this modification to group policy.

Compatibility View mode and Enterprise Mode cause many issues where one or the other must take precedent. In other words, they must not be used together. Enterprise Mode requires “Compatibility View Mode” to be disabled.

The quickest way to disable Compatibility Mode is a custom filter on Group Policy, Computer Container, All Settings.

Start – Run – MMC.exe > Add or Remove Snap-ins
IMAGE3.pngGroup Policy Object Editor > Highlight > Click ADD (or Double Click)
IMAGE4.pngLocal Computer > FINISH
IMAGE5.pngVerify >Group Policy Object Editor > Local Computer Policy > OK
IMAGE6.pngClick OK
IMAGE7.pngVerify in the top-left that you are at Local Computer\Computer\Configuration\Administrative Templates\All Settings

image7-b.pngAll Settings under Computer configuration.
To expedite this process create a custom "Filter" and search for anything with "compatibility".

Right Click > Filter

IMAGE9.pngThis is not considered an optional step. The strategic direction for future versions of IE is meant to dynamically adjust compatibility. For those having to manage thousands of websites in Group Policy will appreciate the not -optional aspect of this change.  

Turn off Compatibility View = Enabled
Turn off Compatibility View button = Enabled IMAGE10.pngIMAGE11.pngExplanation:
To disable compatibility view requires enabling the Group Policy. Disabling this prevents the setting from applying automatically to the Intranet zones, users adding sites, or administrators adding sites.

Historically, Windows XP supported IE 6, 7 and 8. Vista only supported 9 and 10. Windows 7 and Server 2008 shipped with IE 8. Hence, most code was written to the middle version with the release of IE 11.

It is important to understand the logic of IE 8 Emulation mode versus running IE 8 and using Compatibility Mode to fix something written for IE 7. IE 8 emulation mode adjusts for IE 8 and IE 7 coded sites. It does this without Compatibility mode but instead is native to Enterprise Mode.

It is important to understand that this version of XML and syntax is specific to Windows 7 operating system and IE 11 running in Enterprise mode. The syntax for Windows 8.1 and 10 requires a different syntax. This series is applicable for 2008 R2 / 2012 / 2012 R2 mixed mode or native mode domain running Windows 7 client operating systems.  

  1. IE 11 Enterprise mode is enabled using a dedicated Group Policy Object 
  2. The Group Policy should be different for each instance where a different website is hosting a XML file
  3. Create IE 11 Enterprise mode group policy objects (GPO) for Workstation and Citrix servers.  
    • Workstation operating system is assumed to be Windows 7 
    • Server operating system is assumed to be Microsoft server 2008, 2008R2, 2012, 2012 R2
  4. IE 11 Enterprise mode should emulate IE 11 by default and add exclusions as needed (See PART 1)
  5. IE 11 Enterprise mode XML files are hosted on separate, dedicated web servers using HTTP
  6. Due to the critical nature, multiple web servers and load balancing technology is recommended
  7. XML file and web server must be accessible by all Workstations by HTTP on TCP port 80
  8. XML file and web server must be accessible by all Citrix Servers by HTTP on TCP port 80
  9. Use IE 11 Enterprise mode by default
  10. IE 11 Compatibility View mode is disabled 
  1. Do not use the Compatibility Mode View list or carry these forward from previous Group Policy settings
  2. Do not add sites to Compatibility Mode View in GPO in parallel with IE 8 Emulation mode
  3. Do not add sites to Compatibility Mode View in GPO before attempting IE 8 Emulation mode
  4. Not applicable to Windows 8.1 or higher 
  1. Dedicated Server assigned per line-of-business (LOB)
  2. Uses IIS 7.5 or higher
  3. Does not require new Application Pool, just a virtual directory with correct permissions
  4. To use port 80, already opened, a virtual directory is created under the Default Web Site
  5. The XML File share should meet the requirement of being accessible by all users using IE 11 per line-of-business (LOB). Best practice is to utilize IIS and HTTP protocol.
  6. Required when enabling Enterprise Mode global and utilizing a centralized file for managing exclusions
The aforementioned ADMX files must be copied to the “Central Repository” used to manage each prospective line of business.
  1. None of the IE 8, 9 or 10 settings under IE sections of linked group policy objects (GPO) are applicable and cause major problems.
  2. A new Group Policy Object is required in AD that pertains to only IE 11 and has the corresponding ADMX files must be referenced
    • One for workstation operating system - Windows 7 or lower
    • One policy for server operating system - Windows 2008 or higher  (IE 11 is installed)
  3. This GPO is then linked to the new IE 11 organizational unit (OU)
  4. At implementation, no Compatibility View settings should link to the new organizational unit (OU) for IE 11
  5. Placement of the IE 11 organizational unit (OU) is key
    • Legacy browser Compatibility View settings must not apply
    • Sites listed in Trusted, Intranet, and Internet still apply
This applies to the version 1 for IE 11 Enterprise Mode using Windows 7 and Internet Explorer 11

This three-part series provides beginning information to implement Internet Explorer 11 Enterprise Mode. Done correctly IE 11 Enterprise mode eliminates the need for compatibility mode and uses IE 11 emulation and document modes for internal or external websites that require legacy modes to work.
Brian MurphySenior Information Technology Consultant
Holistic technology infrastructure strategy, design, engineering and implementation that is highly scalable, secure, optimized, automated

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.