Windows Proxy settings, registry, Group Policy, DefaultConnectionSettings binary value is changed after reboot

Hi,

I am stumped by how Windows Proxy registry settings interact with GP in an enterprise environment.

I have a number of users experiencing intermittent or permanent loss of access to the internet from their workstations. This has been occurring ever since a TransperantProxy (what is a TransperantProxy, btw?) GP was rolled out. I have no access to the GP (so I cannot take a look); I also do not have access to most normal administrative tools because management reasons . . . :facepalm: The TL;DR is the following question: Is there any way to get the details about what (process ID, process name, GP . . . something) is causing the registry DefaultConnectionSettings binary value to change?

Here are the situation details:

  1. The policy is controlling the check boxes in "Local Area Network (LAN) Settings" (Win+R ==> inetcpl.cpl ==> Connections ==> “LAN settings”)
  2. According to the policy all the check boxes get “un-checked” like below
    [image: LAN Settings dialog]
  3. This policy does not always work because either the user is not in the correct OU, or the computer is not in the correct OU or subnet, or both, or reasons . . .
  4. The Windows proxy settings are located at the following registry keys (insofar as individual users are concerned): HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings; and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings (in PowerShell notation: HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings)
  5. DefaultConnectionSettings is an array of binary values that are controlled by bitwise operations
  6. The 9th index of DefaultConnectionSettings contains the result of the bitwise operation that sets the proxy settings
  7. The relevant values for the index in this instance (because there are others) are values 01 and 05.
  8. Value 01 means that no check boxes are checked
  9. Value 05 means that ONLY the “Use automatic configuration script” (i.e., pac file) box is checked (this also happens to be the old group policy that used the pac file)
  10. I tried to manually adjust the registry values for users/computers that, according to gpresult /r (a utility that tells you the results of a group policy update) and the AD admin, seem to be getting the appropriate TransperantProxy GP. Adjusting the registry manually or through the Windows GUI seems to work for the active session, BUT the settings do not survive a reboot.
  11. I have tried to audit registry changes but am unable to see what changes the registry. All I know is that when I change the registry, I can find an entry in the Security logs that points to my username and the key that I changed.
  12. I also confirmed this with procmon, which shows that the registry key was changed and shows the value of the key after the change.
  13. After I reboot the computer the changes get lost and the old settings come back, and I am not able to find what is changing this because, generally, it has been my experience that adjusting the registry manually overrides GP.
  14. I think that GP is wiping the manually set registry settings, because if I remove the machine from the domain and never log in to the user session (i.e., GP is not pulled) the correct registry settings in the ntuser.dat file remain unchanged. However, when I rejoin the domain and log in (i.e., GP is pulled) the manually set registry settings get wiped, which makes sense I suppose if this is enterprise GP. However, this is not working, so I need to somehow prove that it is the GP that is doing this. Is there any way to get the details about what (process ID, process name, GP . . . something) is causing the registry change?

I have looked at all sorts of things (procmon, auditing the registry, where the Windows logs do not rotate like on Linux systems; the older values just get deleted). I am just stuck.

Help please. Many thanks.
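The following is an added example, not code from the original post. It decodes and builds the DefaultConnectionSettings REG_BINARY blob described in items 4 to 9 of the post, so the flags byte and the embedded proxy and PAC strings can be read (and written) directly instead of eyeballed in regedit. The layout is an assumption based on what inetcpl.cpl writes on current Windows versions, as Microsoft does not formally document it; the flag bits are the PROXY_TYPE_* constants from wininet.h (DIRECT = 1, PROXY = 2, AUTO_PROXY_URL = 4, AUTO_DETECT = 8), which is why "01" is everything unchecked and "05" is DIRECT + AUTO_PROXY_URL. The format version 70, the 32-byte trailing padding and the PAC URL in the sample are assumptions.

```powershell
# Added example, not from the original post. Decodes and builds the
# DefaultConnectionSettings blob. Assumed layout (undocumented; observed from
# inetcpl.cpl): four little-endian DWORDs (format version, change counter, proxy
# flags, proxy-string length), the proxy string, then a length-prefixed bypass
# list and a length-prefixed PAC URL, then zero padding. The flags DWORD starts
# at byte offset 8, which is the post's "9th index".

# Flag bits match the PROXY_TYPE_* constants in wininet.h.
$ProxyFlagNames = @{
    1 = 'DIRECT         (always set; alone = every LAN Settings box unchecked, value 01)'
    2 = 'PROXY          ("Use a proxy server for your LAN")'
    4 = 'AUTO_PROXY_URL ("Use automatic configuration script"; 01 + 04 = value 05)'
    8 = 'AUTO_DETECT    ("Automatically detect settings")'
}

function ConvertFrom-DefaultConnectionSettings {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $reader = [System.IO.BinaryReader]::new([System.IO.MemoryStream]::new($Bytes))
    # Each string is stored as a DWORD length followed by that many ASCII bytes.
    $readString = { [Text.Encoding]::ASCII.GetString($reader.ReadBytes([int]$reader.ReadUInt32())) }
    $version = $reader.ReadUInt32()
    $counter = $reader.ReadUInt32()
    $flags   = $reader.ReadUInt32()
    [pscustomobject]@{
        Version       = $version
        ChangeCounter = $counter
        Flags         = '0x{0:X2}' -f $flags
        FlagNames     = @($ProxyFlagNames.Keys | Sort-Object | Where-Object { $flags -band $_ } |
                          ForEach-Object { $ProxyFlagNames[$_] })
        ProxyServer   = & $readString
        BypassList    = & $readString
        AutoConfigUrl = & $readString
    }
}

function ConvertTo-DefaultConnectionSettings {
    param(
        [Parameter(Mandatory)][uint32]$Flags,
        [string]$ProxyServer = '',
        [string]$BypassList = '',
        [string]$AutoConfigUrl = '',
        [uint32]$Version = 70,       # assumed: the format version seen on Windows 10/11
        [uint32]$ChangeCounter = 1   # bump it when rewriting so WinINet notices the change
    )
    $stream = [System.IO.MemoryStream]::new()
    $writer = [System.IO.BinaryWriter]::new($stream)
    $writer.Write([uint32]$Version)
    $writer.Write([uint32]$ChangeCounter)
    $writer.Write([uint32]$Flags)
    foreach ($text in @($ProxyServer, $BypassList, $AutoConfigUrl)) {
        $bytes = [Text.Encoding]::ASCII.GetBytes($text)
        $writer.Write([uint32]$bytes.Length)
        $writer.Write([byte[]]$bytes)
    }
    $writer.Write([byte[]]::new(32))   # trailing zero padding (assumed, as seen in live values)
    $writer.Flush()
    $stream.ToArray()
}

# Constructed sample: the blob the old PAC-file policy would leave behind (flags 05).
$sample = ConvertTo-DefaultConnectionSettings -Flags 5 -ChangeCounter 7 `
            -AutoConfigUrl 'http://proxy.example.internal/proxy.pac'   # hypothetical URL
'Byte at index 8: 0x{0:X2}' -f $sample[8]
ConvertFrom-DefaultConnectionSettings -Bytes $sample | Format-List

# The live value for the current user, from the key named in the post. Run this
# before and after a reboot and compare the two decoded objects.
$live = Get-ItemProperty -ErrorAction SilentlyContinue `
          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
if ($live -and $live.DefaultConnectionSettings) {
    ConvertFrom-DefaultConnectionSettings -Bytes $live.DefaultConnectionSettings | Format-List
}
```

Decoding the value before and after the reboot shows more than the flags byte: if the change counter jumps and the AutoConfigUrl comes back populated, the writer is re-applying a complete saved configuration (the shape of a Group Policy Preferences Internet Settings item) rather than flipping a bit, which is worth knowing before arguing with whoever owns the GPO.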
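A second added example, also not from the original post, for the "what process changed it" question in items 11 to 14. Security event 4657 ("A registry value was modified") carries Process ID and Process Name alongside the user and key the post already sees, but it is only written when the Object Access > Registry audit subcategory is enabled and the key itself has a SACL entry for SetValue. Both steps need a local administrator (Set-Acl with audit rules requires SeSecurityPrivilege), which is the one assumption here; everything else is standard Windows and PowerShell.

```powershell
# Added example, not from the original post: make the Security log record which
# process rewrites DefaultConnectionSettings at the next reboot/logon.

$ConnectionsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'

function Enable-ConnectionsKeyAudit {
    # Run once from an elevated prompt. A domain audit policy may reapply over the
    # local setting at the next policy refresh, so verify it after the reboot with
    # 'auditpol /get /subcategory:Registry'.
    auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null

    # Audit every successful SetValue on the key, whoever (user or service) does it.
    # The SACL lives in the user's ntuser.dat, so it survives the reboot.
    $acl  = Get-Acl -Path $ConnectionsKey -Audit
    $rule = [System.Security.AccessControl.RegistryAuditRule]::new(
        [System.Security.Principal.NTAccount]::new('Everyone'),
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $ConnectionsKey -AclObject $acl
}

function Get-DefaultConnectionSettingsWriters {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Flatten each 4657 event's EventData into a hashtable and keep the events that
    # touched the value in question. Pull these soon after logon: as the post notes,
    # the Security log overwrites old events once it is full.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.ObjectValueName -eq 'DefaultConnectionSettings') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    ProcessId   = [int]$data.ProcessId      # logged as hex text, e.g. 0x1a4
                    ProcessName = $data.ProcessName
                    Object      = $data.ObjectName
                    NewValue    = $data.NewValue
                }
            }
        }
}

# Enable-ConnectionsKeyAudit   # once, elevated; then reboot and log in as the affected user
Get-DefaultConnectionSettingsWriters | Sort-Object Time | Format-Table -AutoSize
```

A write at logon attributed to svchost.exe is typically the Group Policy Client service (gpsvc), which is where Group Policy Preferences client-side extensions run; that, plus `gpresult /h report.html` (the HTML report lists applied Preferences items, which `gpresult /r` does not), is the evidence the post is looking for. If auditing cannot be enabled, Process Monitor's Options > Enable Boot Logging records registry writes from boot through logon with the writing process, which covers the window in which these changes happen.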