After deploying fresh Windows Server 2012 R2 Standard instances (with GUI) on VMware, multiple administrators report an unexpected behavior where browsers automatically launch with msn.com during login - regardless of whether using Internet Explorer or Firefox. The redirection occurs through Microsoft's fwlink service (LinkId=255141) before landing on msn.com with the wispr parameter.
Through extensive testing across cloned VMs, I've confirmed this isn't malware-related but rather Microsoft's default configuration for Server 2012 R2. The behavior persists even after:
- Cleaning all Startup folders (%programdata%\Microsoft\Windows\Start Menu\Programs\Startup and user-specific paths)
- Inspecting with Sysinternals Autoruns (autoruns.exe /accepteula)
- Whitelisting-limited network environments where msn.com isn't accessible
Initial registry edits proved insufficient despite modifying both 32-bit and 64-bit branches:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Default_Page_URL"="about:blank"
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Default_Page_URL"="about:blank"After analyzing deeper Windows components, I found these additional required changes:
1. Disable First Run Wizard
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /v "DisableFirstRunCustomize" /t REG_DWORD /d 1 /f2. Modify Group Policy for Server 2012 R2
Create/import this ADMX template (save as IE_Startup.admx):
<policyDefinitions revision="1.0" schemaVersion="1.0">
<policyNamespaces>
<target prefix="ie_startup" namespace="Microsoft.Policies.InternetExplorer"/>
</policyNamespaces>
<resources minRequiredRevision="1.0"/>
<supportedOn>
<definitions>
<definition name="SUPPORTED_IE11" displayName="$(string.IE11)"/>
</definitions>
</supportedOn>
<categories>
<category name="CAT_IE_STARTUP" displayName="$(string.CAT_IE_STARTUP)"/>
</categories>
<policies>
<policy name="POL_DisableMSNStart" class="Machine" displayName="$(string.POL_DisableMSNStart)" explainText="$(string.POL_DisableMSNStart_Help)" key="SOFTWARE\Policies\Microsoft\Internet Explorer\Main" valueName="DisableMSNStartPage">
<parentCategory ref="CAT_IE_STARTUP"/>
<supportedOn ref="SUPPORTED_IE11"/>
<enabledValue>
<decimal value="1"/>
</enabledValue>
<disabledValue>
<decimal value="0"/>
</disabledValue>
</policy>
</policies>
</policyDefinitions>3. PowerShell Cleanup Script
Run this as Administrator to handle all edge cases:
# Remove MSN auto-start components
Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*Windows*IE*"} | Disable-ScheduledTask
# Reset browser associations
DISM /Online /Cleanup-Image /RestoreHealth
sfc /scannow
# Final registry lockdown
$regPaths = @(
"HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main",
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main",
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
)
foreach ($path in $regPaths) {
if (Test-Path $path) {
Set-ItemProperty -Path $path -Name "Start Page" -Value "about:blank"
Set-ItemProperty -Path $path -Name "Default_Page_URL" -Value "about:blank"
New-ItemProperty -Path $path -Name "DisableMSNStartPage" -Value 1 -PropertyType DWORD -Force
}
}
# Reapply local GPO
Invoke-Command -ScriptBlock {gpupdate /force}After implementing these changes:
- Reboot the server twice (some policies require multiple restarts)
- Check Event Viewer logs for any remaining IE-related startup tasks
- Monitor Process Monitor (procmon.exe) during login for unexpected browser launches
After deploying several Windows Server 2012 R2 Standard VMs in VMware, I encountered an irritating behavior where any browser (including newly installed Firefox) automatically launches with an MSN.com redirect upon user login. The URL in question follows this pattern:
http://go.microsoft.com/fwlink/p/?LinkId=255141 → http://www.msn.com/?ocid=wispr
Standard troubleshooting steps proved ineffective:
- Startup folders in
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startupwere empty - Autoruns from Sysinternals showed no suspicious entries
- Registry modifications for IE defaults had no lasting effect
The root cause appears to be Windows Server's default first-run experience configuration. Here's a PowerShell script to completely disable this behavior:
# Disable MSN redirect through registry
$regPaths = @(
"HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main",
"HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main"
)
$regPaths | ForEach-Object {
Set-ItemProperty -Path $_ -Name "Start Page" -Value "about:blank" -Type String -Force
Set-ItemProperty -Path $_ -Name "Default_Page_URL" -Value "about:blank" -Type String -Force
Set-ItemProperty -Path $_ -Name "First Home Page" -Value "about:blank" -Type String -Force
}
# Additional keys found in Server 2012 R2
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
-Name "DisableFirstLogonAnimation" -Value 1 -Type DWord -Force
# For Firefox specific issues
$firefoxPrefs = @"
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.startup.page", 0);
"@
$firefoxPrefs | Out-File "$env:APPDATA\Mozilla\Firefox\Profiles\*.default\prefs.js" -Append
For domain-joined servers, implement these GPO settings:
# GPO Registry.pol file excerpt Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer: "Disable First Run Wizard" = Enabled "Set default home page" = Enabled (Value: about:blank)
When creating golden images, include these post-sysprep commands in your deployment script:
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}" /v IsInstalled /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}" /v IsInstalled /t REG_DWORD /d 0 /f
For environments with strict egress controls, consider these firewall rules:
# Windows Firewall example
New-NetFirewallRule -DisplayName "Block MSN Redirect" -Direction Outbound
-Program "%ProgramFiles%\Internet Explorer\iexplore.exe"
-RemoteAddress "204.79.197.200" -Action Block