• 'When I go to settings it says that my browser is being managed by my enterprise, and when I go to enterprise policies it lists 'ImportEnterpriseRoots' as true. Is this just a part of Firefox, or should I be concerned? And if it is a part of Firefox what does it actually mean?' Could/would someone please actually answer the questions?
  • 'ImportEnterpriseRoots'=dword:00000001 Attached image windows properly identifies the Root certificate as revoked.

Antivirus software never stops troubling Firefox users, particularly Avast. As with Chrome, and depending on the version you use, expect Firefox to show a “Your browser is being managed by your organization” or “Your organization has disabled the ability to change some options” message in Settings if you’ve installed security software.

It will also show a DWORD value “ImportEnterpriseRoots” enabled by Avast Antivirus. Apart from this, if you visit the about:config page, you will find the preference “security.enterprise_roots.enabled” with its status locked and its value true.

Hello again, This is a re-post of 288 because my lab conditions were tainted and tests not valid. I am using GPO to set ImportEnterpriseRoots setting. Under about:policies the setting is true and locked but our enterprise root cert is no.


FYI, the first message is currently displayed in Nightly, and the second is shown in the Firefox 67 stable version. This can happen if external software such as an antivirus sets policies for the Firefox browser; luckily, the message can be removed.

If you’ve installed Avast antivirus on your computer, the Settings page tells you that your organization has placed restrictions on you and that you cannot change some settings. If your PC does not belong to any organization and you’re the only user, that may annoy you, and rightly so.


Visiting about:policies from the browser address bar reveals all policies set by the user or by external software for the Firefox browser. In this case, you’ll notice the “ImportEnterpriseRoots” policy being used with its value set to true.

Navigating to HKEY_LOCAL_MACHINE\Software\Policies\Mozilla\Firefox\Certificates also shows the “ImportEnterpriseRoots” DWORD enabled by Avast.

In about:config you can find the pref “security.enterprise_roots.enabled” shown as “locked”.

Remove “Your browser is being managed by your organization” message in Firefox

1. Open the registry editor

2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies

3. Select and delete the “Mozilla” parent key, found below Microsoft on the left side

4. Restart the Firefox browser and visit Settings; you’ll no longer see the message.

Note: Uninstalling Avast removes only the policy; the key is left in the Registry and the notice will still be shown in the Firefox browser. To make the message go away, you must remove the Mozilla registry key mentioned above.
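
Deleting the “Mozilla” key removes every Firefox policy stored under it, so it helps to record what is there first. The PowerShell below is an added example, not part of the original article: it lists the values under the key, exports a backup, and, when ImportEnterpriseRoots is on, lists the roots in the Windows machine store. The backup file name and the choice of the LocalMachine Root store are assumptions.

```powershell
# Added example: review the Firefox policy key before deleting it.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Mozilla'
$backupFile = Join-Path $env:TEMP 'mozilla-policies-backup.reg'   # assumed backup location

if (-not (Test-Path $policyRoot)) {
    Write-Warning "No key at $policyRoot; nothing is managing Firefox through the registry."
    return
}

# 1. Every value under the key: deleting "Mozilla" drops all of these, not just one policy.
$keys = @(Get-Item $policyRoot) + @(Get-ChildItem $policyRoot -Recurse)
$values = foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $key.GetValue($name) }
    }
}
$values | Format-Table -AutoSize -Wrap

# 2. Keep a copy so the key can be restored later with "reg import".
reg.exe export 'HKLM\SOFTWARE\Policies\Mozilla' $backupFile /y | Out-Null
"Backup written to $backupFile"

# 3. If ImportEnterpriseRoots is on, list the roots in the Windows machine store
#    (assumed here to be the store Firefox reads), newest first, so that
#    unfamiliar entries stand out.
$certPolicy = Get-ItemProperty -Path "$policyRoot\Firefox\Certificates" -ErrorAction SilentlyContinue
if ($certPolicy.ImportEnterpriseRoots -eq 1) {
    Get-ChildItem Cert:\LocalMachine\Root |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter |
        Format-Table -AutoSize -Wrap
}
```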


We ran into an issue where we had enabled HTTPS Inspection on our firewalls and Firefox was throwing up a certificate error for everyone. I had previously created a CA cert and pushed it out to everyone via GPO, but by default Firefox does not look at the Windows Certificate Store. This is how to change that, it may not be the most efficient way and feel free to suggest edits but this is how I got it working for us.

5 Steps total

Step 1: Create Enableroot.js using Notepad

When Firefox opens, it runs any .js scripts in the following location:

C:\Program Files (x86)\Mozilla Firefox\Defaults\Pref - 64 Bit Machine
C:\Program Files\Mozilla Firefox\Defaults\Pref - 32 Bit Machine

You will need to create a file called Enableroot.js (or similar) with the following contents:

/* Allows Firefox reading Windows certificates */
pref('security.enterprise_roots.enabled', true);

This file will need to end up in the relevant location above; the next steps show how to do this via GPO.


Step 2: Create shared folder on DC

Create a shared folder, granting Everyone READ access, called EnableRoot (or similar) on one of your DC's, and drop the Enableroot.js file in this folder. So, the UNC path of this folder should be similar to:

\\DC1\EnableRoot\Enableroot.js

Step 3: Create (or edit) GPO to deploy this file

I had already created a GPO to deploy a CA cert across our domain, so I just edited this one. You can create a new one if you so wish.

Edit GPO, and navigate to:

Computer Config\Preferences\Windows Settings\Files

Right click, select New then File. Set the Action to Create. In Source File type the UNC path to the shared Enableroot.js mentioned above. In Destination file you want one of the following:


C:\Program Files (x86)\Mozilla Firefox\Defaults\Pref\enableroot.js - 64 Bit Machine
C:\Program Files\Mozilla Firefox\Defaults\Pref\enableroot.js - 32 Bit Machine

Click ok. For me as I know we have both 32 and 64 bit machines I made a copy of this and in the copy I changed the destination to the other one (so 1 rule is c:\program files, the other is c:\program files (x86)).

Step 4: Link GPO to relevant OU's

I created the original GPO at domain level and edited the original one so I did not need to do this, but if you only want this to apply to certain machines you will need to link this GPO to the individual relevant OU's.

Step 5: TEST!

Find a machine that you know had previously been getting certificate errors in Firefox. Reboot, log in and test. If successful, you should see that magical green padlock when going to www.google.co.uk or any other HTTPS site.

Alternatively of course you could just do a GPUPDATE /FORCE from the command prompt, but you will probably want to do it by rebooting to make sure if you tell a user to reboot it will work.
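
The test in Step 5 can be backed by a check on the client that both halves of the deployment arrived: the pref file from Steps 1 to 3 and the CA certificate in the Windows store. This PowerShell is an added example, not part of the original how-to; the thumbprint is a placeholder to replace with your own CA's, and it assumes the CA was deployed to the machine's Trusted Root store.

```powershell
# Added example: run on a client after the GPO has applied (Step 5).
$caThumbprint = '<THUMBPRINT-OF-YOUR-CA-CERT>'        # placeholder, replace with your CA's thumbprint
$prefName     = 'security.enterprise_roots.enabled'   # pref set by Enableroot.js in Step 1
$pattern      = 'pref\(\s*[''"]{0}[''"]\s*,\s*true\s*\)' -f [regex]::Escape($prefName)

# Both destinations used in Step 3; only the ones that hold a Firefox install are checked.
$firefoxDirs = @(
    "$env:ProgramFiles\Mozilla Firefox",
    "${env:ProgramFiles(x86)}\Mozilla Firefox"
)

$report = foreach ($dir in $firefoxDirs) {
    if (-not (Test-Path (Join-Path $dir 'firefox.exe'))) { continue }

    # Look for any .js file in defaults\pref that turns the pref on.
    $prefDir = Join-Path $dir 'defaults\pref'
    $match = Get-ChildItem -Path $prefDir -Filter '*.js' -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern | Select-Object -First 1

    [pscustomobject]@{
        FirefoxDir  = $dir
        PrefFile    = $match.Path      # empty when no file sets the pref
        PrefEnabled = [bool]$match
    }
}

# The pref only helps if the CA is actually in the machine's Trusted Root store.
$caCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $caThumbprint }

$report | Format-Table -AutoSize
if (-not $report) { Write-Warning 'Firefox was not found in either Program Files location.' }
if ($caCert) {
    "CA present in LocalMachine\Root: $($caCert.Subject), expires $($caCert.NotAfter)"
} else {
    Write-Warning "CA with thumbprint $caThumbprint is not in LocalMachine\Root."
}
```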

8 Comments

  • Cayenne
    Jacob9339 Mar 17, 2017 at 04:23pm

    Thanks for the guide. Some of us use Firefox and we will be enabling SSL DPI on our firewalls after upgrading this summer, so bookmarking this for future reference.

  • Pimiento
    Dolsey May 2, 2017 at 07:11pm

    Thank You! This workaround has saved me so much time!

  • Pimiento
    tbrim Jul 18, 2017 at 11:27am

    Fantastic solution. Instead of creating a shared folder I chose to use the SYSVOL...

  • Cayenne
    MrTartan Jul 18, 2017 at 12:32pm

    I have spent ages looking for a good solution for this and finally I found it! I should have known someone here would have created this, great stuff!

    I haven't deployed with GPO, instead I used PDQ deploy but just that simple file in step 1 has enabled something I've been struggling with for ages. The official FF ways are less than ideal.

    For anyone else in my boat. We use Websense/Forcepoint as a web based proxy, this means you also need to deploy the cert file they provide. That has always worked with IE/Edge/Chrome but FF was a problem. Now deploying this has solved the problem completely.

    Totally buying you a beer if we ever meet!

  • Serrano
    Brad34 Oct 12, 2017 at 03:15pm

    Glad I stumbled across this. Thanks for the post helped me out.

  • Poblano
    Glenn9657 Nov 17, 2017 at 11:12am

    Just adding this as a further info: https://wiki.mozilla.org/CA:AddRootToFirefox as it may help someone

  • Pimiento
    Nate9701 Jun 29, 2018 at 02:19pm

    This doesn't appear to be working for me. I'm running version 61.0 and the .js file is in the appropriate location but I'm still not able to browse using Firefox.

  • Datil
    greggmh123 Feb 9, 2019 at 08:40pm

    The new procedure as of mid-2018 is to use the Firefox group policy templates from Mozilla’s GitHub page (use the newest version): https://github.com/mozilla/policy-templates/releases, put the unzipped templates into the domain's central store (\\domain\sysvol\policies\policydefinitions), then set Computer Config > Admin Templates > Mozilla > Firefox > Certificates > 'Import Enterprise Roots' to Enabled. Close and reopen Firefox.

    If one needs to do it manually per machine, simply enter 'about:config' into the Firefox address bar, then double-click security.enterprise_roots.enabled to change it from False to True. Close and reopen Firefox.

    Gregg