Broken Auto-Updates on Firefox ESR after silent installation, requires admin privileges, UAC prompts, causes XULRUNNER pop-ups

I've been struggling for months to standardize a deployment of Firefox ESR across various client environments that reliably auto-updates and doesn't cause UAC prompts and XULRunner profile error pop-ups (I work in IT).

We deploy Firefox ESR in bulk on machines via a batch script which runs as SYSTEM, with msiexec /i and /qn flags.

Firefox installs fine, but then users are typically met with a UAC prompt when they first try to run Firefox. If they decline, then the UAC prompt comes back again next time and often fails to update at all, so the machine is left on an older, vulnerable version.

Regarding the environment: we have deployed the Firefox ESR admx templates and enabled the relevant auto update settings in Group Policy. But only some machines seem to stay up to date, and it seems like this only happens if a user with local administrative privileges has run the program at least once.

What I find unusual is that Firefox seems to attempt to make a "Background Updater" scheduled task for every user that runs the software on each PC, but these users do not have administrative privileges, and the scheduled task is set to only run when that user is logged in. Obviously a scheduled task running as a user with limited privileges isn't going to be able to update files in the Mozilla/Firefox subdirectory in "Program Files" as by default that's read-only access for non-admin users. And, obviously, if a user with local admin privileges DOES log into the machine, then it can update once, but then the scheduled task that it creates for that user (now with admin privileges) will only run when that user logs in - and we don't login as "admin"-privileged users day-to-day.

So, various machines are out of date, running vulnerable Firefox 128 instead of 140 or 142 even though they're all deployed from the same image and have the same policies and restrictions, and ran the same installer for Firefox.

Is there some reason why the auto update scheduled task isn't created at installation time, when administrative privileges have been granted? It's very odd that it doesn't, because then every time a user logs into a machine it seems like Firefox ESR creates the background upgrade task under a non-admin user which simply won't work. I see machines having 4 or 5 background upgrade scheduled tasks, all created by Firefox ESR, and yet the software still won't update - there's a UAC prompt every time the program launches, and going to Help -> About shows "Restart Firefox to update..." but then when clicking the button to restart Firefox, we get the UAC prompt, user doesn't have privileges, so this goes around and around in circles.

Is there a reliable way to keep Firefox up to date without manually logging into each machine and going through the UAC prompts? Can we manually create a scheduled task with the correct user account that has privileges to actually upgrade Firefox?

The background auto update mechanism simply doesn't make sense to our team on a machine-wide install.

Asked by TheITDepartmentAdmin 3 months ago

Last reply by Mike Kaply 1 month ago

  • Solved

Search broken. All searches go to perplexity.ai

I want nothing to do with AI.

I have unticked perplexity.ai in preferences#search but every search from the search bar and address bar goes to perplexity.ai then immediately crashes and displays "Internal Error".

To use DDG I have to type duckduckgo.com on the address bar then search from there.

Firefox 140.4.0 ESR.

I've scanned the PC with Malwarebytes. I restored Windows from a backup image. I haven't made any changes to the PC at all. Was working fine in the AM but by later afternoon, it started using perplexity.ai exclusively.

How do I get rid of perplexity.ai?

Asked by citizen1138x 2 months ago

Answered by citizen1138x 2 months ago

  • Solved
  • Archived

Firefox updated from ESR to retail even though group policy settings disable update

I look after about 20 PCs. All Windows 10. All were running Firefox ESR ranging from 115 - 128. As I get time I update each to the latest 128.x. Using group policies I've disabled all update settings.

However, on two of the PCs, they have updated to v139.0.1. Both of the users swear they did not manually do any update. I can't figure out how they got downgraded to the retail channel.

So my question is, since 128 < 139 how can I get them back on to the ESR channel, without losing history, bookmarks, passwords and saved logins? I gather FF's installer will detect 128 as an older version and throw an error?

ESR -> Retail to me is a downgrade. So is it possible then to upgrade back to 128.11.x?

Each PC is refreshed annually and the only backup of the profile folder I have is from the last refresh, which in most cases is 8-9 months old.

Is there any way to find out why the downgrade happened when group policy forbids it, and the user did not manually download and install the latest version?

When these downgrades happen they break things. For example, when one PC was downgraded to retail his outlook.com email no longer works. If he uses his laptop which is on 128.11.0 it works fine.

Asked by citizen1138x 7 months ago

Answered by Mike Kaply 7 months ago

FF 140.3.1esr (32-bit) - Get PR_CONNECT_RESET_ERROR but Chrome works ok at the same site

Hi,

I have 2 machines (Win10 and Win11) with FF 140.3.1esr (32-bit) installed which demonstrate the same failure when I enter one site's URL:

PR_CONNECT_RESET_ERROR

Chrome on the same machines opens this URL w/o any failures. Any ideas what to change in "about:config" in FF to allow it to open this URL w/o such an error?

Asked by senglory 3 months ago

Last reply by Mike Kaply 3 months ago

From 128 version to 140 esr. The xwiki edit page is blank

Hi,

I am having issues on more than 1 PC: after updating Firefox ESR from version 128 to version 140, Firefox does not work properly, especially with xWiki. When I click on xWiki (on-premises server), I can read the contents and all. But when I click edit, it shows a blank page. This is very odd as it happens after updating to version 140. Picture is attached.

Thanks Sheras

Asked by Sheras 3 months ago

Last reply by Sheras 3 months ago

  • Solved

Remove Enterprise from Firefox

I have recently needed to update my motherboard, and the workshop put my C: and D: drives into an old second-hand motherboard they had. I have now checked Firefox - which was on my C: drive, and it works with all my old bookmarks. However I seem to now be part of an 'Enterprise', which I do not want. How do I get rid of my involvement with an Enterprise within Firefox? Thanks for your help. Kanga85

Asked by ray.carman12 4 months ago

Answered by Mike Kaply 4 months ago

Firefox hangs on some sites; have to kill from task manager.

When I go to some websites, such as Corsair.com, it hangs. I cannot click on anything. If I try to access specific pages via a search engine the same happens. I can close the browser but the 8+ processes don't terminate so I have to kill them from task manager.

I clear all of my browser history when I close FF so I can't remember all of the sites this happens on, but it was more than just Corsair.com.

I'm using 140.2.0esr, but also had the problem with 140.1.0esr. I did not have this issue on 128.12.0esr (I upgraded to 140 after that).

I tried turning use hardware acceleration off/on, that didn't fix it.

I am just about to try safe mode.

Asked by citizen1138x 5 months ago

Last reply by Mike Kaply 5 months ago

Background Update (without someone opening FF first) does not work

Hello!

Currently we deploy Firefox via SCCM Package on our machines. The problem is, that Firefox currently only updates itself when you opened it once. This leads to all sorts of Vulnerability warnings etc.

At the moment these regkey settings in HKLM\SOFTWARE\Policies\Mozilla\Firefox are configured:

AppAutoUpdate (REG_DWORD) 0x00000001 (1)
DisableAppUpdate (REG_DWORD) 0x00000000 (0)

These two are enough for the updates, when the user opened Firefox (and created a profile).

So we tried the information detailed on this page: https://firefox-source-docs.mozilla.org/toolkit/mozapps/update/docs/BackgroundUpdates.html

To achieve a 100% unattended update we added the following key: BackgroundAppUpdate (REG_DWORD) 0x00000001 (1), which yielded no results. Firefox stayed on its old version (V131 for this example).

We also added pref("app.update.langpack.enabled", false) in the autoconfig.js File as kind of a 'hail mary' action (bc. the documentation wrote, that this setting should be disabled); but it still does not work.

We've been through this rabbit hole quite some times now, and researching it also yields inconclusive results. (answers like: you still need to start Firefox once, before it can update).

So, what are we missing/doing wrong? Is a true unattended Background Update even possible or is "start Firefox once to create a profile" still the only way to go?

Thanks in advance for your time & help

Asked by TheFlowingShepherd 5 months ago

Last reply by TheFlowingShepherd 5 months ago

  • Archived

Firefox ESR - Remove/Delete Extension with GroupPolicy

Hi guys,

I'm trying to uninstall an extension using a GPO, but it's not working.

I've placed a GPO on the user's OU and configured the ID to be removed in the User-Part of that GPO. I previously retrieved the ID using about:debugging.

But nothing happens; the extension isn't removed. (Logoff/Logon/reboot/gpupdate /force .....)

128.11.0esr (64-Bit)

KeePassXC-Browser Extension

The GPOs for Edge and Chrome have the same function. Enter the ID there, and the extension is reliably removed.

Any suggestions? Thanks

Michael

Asked by michael.reiter 6 months ago

Last reply by Mike Kaply 6 months ago

  • Solved
  • Archived

32 to 64bit ESR Migration

Hello,

We are trying to automate updating Firefox ESR from 32bit to 64bit. There seems to be an issue with getting users' profiles to properly migrate for ESR. If we do a plain 32bit uninstall and 64bit installation, a new "default-esr-1" profile gets created (which is expected behavior from these Mozilla docs for new installs). But, when we set the MOZ_LEGACY_PROFILES=1 policy, this reverts to using the "default" profile instead of the "default-esr" profile that was previously in use.

Are there any known ways around this which does not require user intervention to manually change back to the "default-esr" profile?

Thank you

Asked by Brian 9 months ago

Answered by Brian 7 months ago

  • Solved
  • Archived

ExtensionSettings policy

We're exploring adopting a default deny policy for Firefox extensions in our enterprise. However when I tested this by creating a custom policies.json Firefox unexpectedly removed all extensions for me, including the ones I thought I had allow listed. Here is my policies.json but just keeping in the Facebook Container add-on to illustrate:

{
   "policies": {
       "ExtensionSettings": {
           "*": {
               "blocked_install_message": "Only approved Firefox extensions can be installed, please email your request to itdept@example.org",
               "installation_mode": "blocked",
               "allowed_types": ["theme", "dictionary", "locale"]
           },
           "@contain-facebook.xpi": { "installation_mode": "allowed" }
       }
   }
}

What I would like is to allow pre-approved extensions (including if they already are installed) and all other types of add-on, but remove and prohibit installation of unapproved extensions.

Can anyone assist, please?

Asked by Damon 8 months ago

Answered by Mike Kaply 8 months ago

  • Archived

Camera block settings managed by MDM is not working

I am trying to manage the Firefox browser for our users with MDM. In doing so, I am not able to get the expected output when blocking camera access for certain websites with the following OMA-URI.

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Permissions~Camera/Camera_Block

I can add websites in the allow section and even lock the setting so that the users can't change it. But I am facing issues with blocking camera access.

Is there any place where I can see the log, in case any errors are being encountered? Any insights or suggestions would be greatly appreciated.

Thanks in advance!

Asked by Laurel 9 months ago

Last reply by Mike Kaply 9 months ago

  • Archived

Mozilla inbuilt login authentication prompts Issue - buggy login user experience

We are currently considering using Firefox ESR as our default browser but experiencing a few issues and one of them is with our configured SailPoint IdentityIQ Single Sign-On Experience, which uses Basic Authentication.

Issue Description

First, the login button needs to be clicked multiple times before access to the site is granted. Once signed in, the Firefox inbuilt authentication dialogue appears, prompting the user to log in again (see the attached screenshot). The landing page is only presented after clicking the login button several times. This creates a poor user experience, sometimes causing pages to load improperly. Interestingly, the same process works seamlessly in Edge Chromium.

Troubleshooting Steps Taken

I have already attempted the following:

1. Temporarily disabled all custom and security settings in mozilla.cfg and config.json.
2. Temporarily disabled Firefox Tracking Protection.
3. Allowed third-party cookies for the specific URL.
4. Upgraded Firefox Version to 128.7.0
5. Since our Firefox browser is significantly hardened, I have also enabled and reconfigured the following settings in mozilla.cfg to ensure Basic Authentication is allowed, functions properly, and suppresses Firefox's authentication prompt, but without success:

network.http.phishy-userpass-length = 255
network.http.use-basic-auth
network.automatic-ntlm-auth.allow-non-fqdn
network.automatic-ntlm-auth.trusted-uris
security.enterprise_roots.enabled
security.enterprise_roots.enabled

Observations from SailPoint Team

Our colleagues from SailPoint have tested the setup in their environment, and according to them, it works as expected. However, their browser is not hardened, and they have leveraged the SailPoint UI for authentication instead of the built-in Firefox authentication prompt.

Further Investigation

• Is there a specific configuration required in the user profile settings?
• Network trace analysis shows 404 errors on GET requests and the following error codes on POST requests:
• 302 Redirect: Mozilla Documentation
• 408 Request Timeout: Mozilla Documentation

Next Steps

Is there a specific security setting that needs to be enabled or disabled? Are there any particular Firefox enterprise policies we should modify? I have also attached screenshots for reference. Let me know if you need specific logs or network traces for further troubleshooting.

Asked by john-fifi.zuh 11 months ago

Last reply by saqib abbas 10 months ago

  • Archived

Regarding Group Policy for Mozilla Firefox Browser Restart Notifications

Dear Mozilla Firefox Team,

I hope this message finds you well.

We manage a network of workstations that frequently utilize the Mozilla Firefox browser. Recently, we have encountered a situation where many of our systems are showing vulnerabilities due to pending browser updates. The updates are being installed successfully; however, users often neglect to restart the browser, which is crucial for completing the update process and ensuring security.

To address this, we would like to inquire if there is an existing Group Policy that can be configured to automatically notify users when they need to restart their Firefox browser to apply the latest updates. Such a feature would greatly assist us in maintaining the security integrity of our workstations and ensuring that users are made aware of the importance of restarting their browsers when prompted.

If this functionality is not currently available, we would appreciate any insights on potential workarounds or future plans to incorporate such a feature.

Thank you for your attention to this matter. We look forward to your response.

Asked by rupai.tarafder 11 months ago

Last reply by Mike Kaply 10 months ago

  • Archived

call expression in firefox.cfg

Firefox is used on Windows 11 Enterprise. There is a firefox.cfg in the installation directory (and an autoconfig.js in the ./defaults/pref sub-directory). Everything works fine when a pref(...); entry is written to the firefox.cfg. However, we want the firefox.cfg to call the pref(...); entries from a global_config.js which is saved in the machine's public directory.

Therefore, the firefox.cfg says:

// free line
lockPref("autoadmin.global_config_url","file:///C:/Users/Public/.../global_config.js");

But Firefox does not load whatever prefs are written to the global_config.js. There probably are problems with the formatting of the file path (file:///C:/Users/Public/.../global_config.js). What would the correct formatting look like? Unfortunately, Mozilla's support guide only includes example code for a firefox.cfg which calls a global_config.js via http:, but not via file:.

Asked by fortuna90 12 months ago

Last reply by Mike Kaply 12 months ago

  • Archived

security.cert_pinning.enforcement_level using a GPO?

Hi,

I need to ask regarding this security.cert_pinning.enforcement_level. How can I set this value using the Windows Server GPO? I could not find this even after copying the firefox.admx file. Could someone please guide me on how I can achieve it?

I would really appreciate the help!

Regards Sheras

Asked by Sheras 1 year ago

Last reply by Mike Kaply 1 year ago