Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

GPO ineffective - Firefox ESR

  • 7
  • 1 nwere nsogbu anwere nsogbu a
  • 1 view
  • Nzaghachi ikpeazụ nke cowspotter

more options

We're looking at using the GPO functionality to start managing our existing Firefox deployments. We've loaded the ADMX file and have created a test GPO that does 2 things:

1. Enable AutoUpdate 2. Creates 2 bookmarks

We've deployed the GPO to a few machines, confirmed the GPO is applying via GPResult, and confirmed that there are corresponding entries in HKLM\Software\Policies\Mozilla\Firefox but we're not seeing the changes occurring in the browser. AutoUpdate is still disabled and greyed out (via the previously deployed local JSON config file) and the bookmarks aren't present.

Any idea why we wouldn't see the changes as effective in the browser? Browser is running 60.4.0 ESR (32-bit).

We're looking at using the GPO functionality to start managing our existing Firefox deployments. We've loaded the ADMX file and have created a test GPO that does 2 things: 1. Enable AutoUpdate 2. Creates 2 bookmarks We've deployed the GPO to a few machines, confirmed the GPO is applying via GPResult, and confirmed that there are corresponding entries in HKLM\Software\Policies\Mozilla\Firefox but we're not seeing the changes occurring in the browser. AutoUpdate is still disabled and greyed out (via the previously deployed local JSON config file) and the bookmarks aren't present. Any idea why we wouldn't see the changes as effective in the browser? Browser is running 60.4.0 ESR (32-bit).

Asịsa ahọpụtara

The URLs need to be fully qualified:

https://www.google.com

Gụọ azịza a na nghọta 👍 1

All Replies (7)

more options

It sounds like you were controlling Firefox using a policies.json file previously and are now trying to change over to the equivalent group policy template instead. This may be a foolish question, but you have removed the policies.json files from your systems, correct?

If not, that file could be overriding the settings that you are trying to enable through GPO.

more options

I'd previously inquired about GPO vs JSON (https://support.mozilla.org/en-US/questions/1239683) and was told GPO overrides JSON. We were trying to avoid deleting the local JSON file as a part of our GPO deployment.

The one thing I just noticed is I don't actually see us using a JSON file. What we have is a localsettings.js file located in C:\Program Files (x86)\Mozilla Firefox\defaults\pref, and that file points to mozilla.cfg in C:\Program Files (x86)\Mozilla Firefox. Within mozilla.cfg with the following content:

// WKS Mozilla Firefox Lockdown // Disable updater lockPref("app.update.enabled", false); // Make absolutely sure it is really off lockPref("app.update.auto", false); lockPref("app.update.mode", 0); lockPref("app.update.service.enabled", false); // Disable Add-ons compatibility checking clearPref("extensions.lastAppVersion"); // Don't show 'know your rights' on first run pref("browser.rights.3.shown", true); // Don't show WhatsNew on first run after every update pref("browser.startup.homepage_override.mstone","ignore"); // Don't show Windows 10 splash screen on first run pref("browser.usedOnWindows10", true); // Set default homepage lockPref("browser.startup.homepage","REDACTED"); // Disable the internal PDF viewer lockPref("pdfjs.disabled", true); // Disable the flash to javascript converter lockPref("shumway.disabled", true); // Don't ask to install the Flash plugin pref("plugins.notifyMissingFlash", false); // Disable plugin checking lockPref("plugins.hide_infobar_for_outdated_plugin", true); clearPref("plugins.update.url"); // Disable health reporter lockPref("datareporting.healthreport.service.enabled", false); // Disable all data upload (Telemetry and FHR) lockPref("datareporting.policy.dataSubmissionEnabled", false); // Disable crash reporter lockPref("toolkit.crashreporter.enabled", false); Components.classes["@mozilla.org/toolkit/crash-reporter;1"].getService(Components.interfaces.nsICrashReporter).submitReports = false; // Disable default browser check lockPref("browser.shell.checkDefaultBrowser", false); // Delete history on exit // lockPref("browser.history_expire_days", 0); // lockPref("browser.history_expire_days.mirror", 0); // lockPref("browser.formfill.enable", false); // lockPref("browser.download.manager.retention", 0); // lockPref("network.cookie.cookieBehavior", 0); // lockPref("network.cookie.lifetimePolicy", 2); // Disable password manager // lockPref("signon.rememberSignons", false); // lockPref("pref.privacy.disable_button.view_passwords", true); // Disable themes // lockPref("config.lockdown.disable_themes", true); // Enable Java Plugin lockPref("security.enable_java", true); // Automatically enable extensions lockPref("extensions.autoDisableScopes", 0);

This setup appears different than the normal JSON file setup I see documented elsewhere. Is it possible this file is preventing the GPO from applying properly?

more options

You are running an AutoConfig file, which is different from a GPO or policies.json. It's designed to allow you to control preferences that can't be controlled by group policy, although it can overlap with your GPO.

For example, your specific code says:

// Disable updater lockPref("app.update.enabled", false); // Make absolutely sure it is really off lockPref("app.update.auto", false); lockPref("app.update.mode", 0); lockPref("app.update.service.enabled", false);

This will override your GPO, which is why the update feature is still disabled and greyed out. It's because those preferences have been locked by this configuration.

On a test system, I'd recommend commenting out (putting a // in front) of the lines that appear to control the updating function of Firefox. Do the same if you are having any other issues with it overriding your GPO.

Fortunately, whoever made that file added a lot of comments to tell you what each cluster of preferences does, so it should be fairly easy to find the ones that are causing issues.

After you get your test system working, you can push out the updates to that file globally to all systems on your network.

more options

Rather than commenting out the specific lines, i just removed both the localsettings.js file and the mozilla.cfg file from the directory. That doesn't seem to have had any impact though. The bookmarks are still not showing up in the browser and I see no change in the auto-update availability.

more options

Update: It appears the auto-update function is working, but the 2 bookmarks and the home page that are defined in the GPO are not effective. I can see the associated keys in the registry have been created, but the browser is not responding to these keys.

Here's the resulting keys: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Bookmarks]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Bookmarks\1] "Title"="TEST" "URL"="www.google.com" "Favicon"="" "Placement"="menu" "Folder"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Bookmarks\2] "Title"="TEST2" "URL"="www.cnn.com" "Favicon"="" "Placement"="menu" "Folder"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Homepage] "URL"="REDACTED" "Locked"=dword:00000001

more options

Asịsa Ahọpụtara

The URLs need to be fully qualified:

https://www.google.com

more options

Thanks for your help. We updated the URLs to be fully qualified and they successfully applied. In total, it took the removal of the local config file and the proper formatting within the GPO for the changes to be effective.