Jörgen Nilsson 30 Mar 2021

Disable Internet Explorer as Standalone Browser in Windows 10 – Now!

Internet Explorer 11 is very old and insecure and should no longer be used for public browsing. We still need it for many, often internal, websites that only work in IE 11 or, for example, require Silverlight.

A new setting, introduced for Windows 10 and Windows Server in the February 2021 Cumulative Update, lets us restrict the use of Internet Explorer 11, show a message to the end user, and open Edge instead. Great! If our IE Site Mode List is correctly configured and working, this is a great option.
This short video shows what it looks like for the end user.

IE11 Block Mode

 

How do we configure it then? If we look at, for example, a Windows 10 device with the February update installed, we can see that Inetres.admx was updated in February. By simply copying it to our central Policy Store, we can configure the setting.

updated Inetres.admx 1

Requirements

  • Operating systems and updates:
    • Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2: KB4598291 or later
    • Windows 10 version 1909, Windows Server version 1909: KB4598298 or later
    • Windows 10 version 1809, Windows Server version 1809, and Windows Server 2019: KB4598296 or later
    • Windows 10, version 1607, Windows Server 2016: KB4601318 or later
    • Windows 10 initial version (July 2015): KB4601331 or later
    • Windows 8.1: KB4601384 or later
    • Windows Server 2012: KB4601348 or later
  • Microsoft Edge Stable Channel

For more information: https://docs.microsoft.com/en-us/deployedge/edge-ie-disable-ie11

Group Policy

Using Group Policy, the setting is under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer, as shown in the picture below.

Disable Internet Explorer 11

When configuring it, we have three options for whether the dialog should be shown to the end user. If we show it, we can choose only once or every time. Every time is probably not a real option, as users will most likely be annoyed.

Disable IE 11 options

As soon as a supported OS is updated with a Cumulative Update that adds support, the setting will be active.

Intune

For our Intune modern managed devices, we need to configure this setting as well. The good thing is that the .ADMX and .ADML files are already on the device, so we do not need to provision them.

The following Custom setting will do the trick.

Custom policy

It is easier to copy and paste it from here:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
Data type: String
Value: <enabled/><data id="NotifyDisableIEOptions" value="1"/>

If we look in the .ADMX file, the following part lists the values we can set.

Settings available:

0 = Never
1 = Always
2 = Once per user
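
One way to check the Intune value against the template before deploying it, as an added PowerShell example that is not from the original post. It assumes the standard ADMX layout (a policy element with an enum child); the embedded XML fragment is constructed and its registry key is a placeholder.

```powershell
# Added example (not from the original post): validate the Intune value against
# the enum in the local inetres.admx and report what is currently applied.
$AdmxPath = "$env:windir\PolicyDefinitions\inetres.admx"
$Notify   = 1   # value to deploy, same as in the custom policy above

# Constructed fallback fragment in ADMX layout, with the values listed in the post,
# so the script also runs where the template is missing. key= is a placeholder.
$sample = @'
<policyDefinitions><policies>
  <policy name="DisableInternetExplorerApp" class="Both" key="PLACEHOLDER\Key">
    <elements>
      <enum id="NotifyDisableIEOptions" valueName="NotifyDisableIEOptions">
        <item displayName="Never"><value><decimal value="0"/></value></item>
        <item displayName="Always"><value><decimal value="1"/></value></item>
        <item displayName="Once per user"><value><decimal value="2"/></value></item>
      </enum>
    </elements>
  </policy>
</policies></policyDefinitions>
'@

[xml]$admx = if (Test-Path $AdmxPath) { Get-Content $AdmxPath -Raw } else { $sample }

# local-name() keeps the XPath independent of the template's XML namespace.
$policy = $admx.SelectSingleNode("//*[local-name()='policy' and @name='DisableInternetExplorerApp']")
if (-not $policy) { throw "Policy not defined in $AdmxPath; the template predates the update." }
$enum      = $policy.SelectSingleNode(".//*[local-name()='enum' and @id='NotifyDisableIEOptions']")
$valueName = $enum.GetAttribute('valueName')
$allowed   = $enum.SelectNodes(".//*[local-name()='decimal']") |
             ForEach-Object { [int]$_.GetAttribute('value') }

if ($Notify -notin $allowed) { throw "Value $Notify is not in the ADMX enum ($($allowed -join ', '))." }

# Machine-side policy value, read from the registry key the template itself names.
$regPath = "HKLM:\$($policy.GetAttribute('key'))"
$applied = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue

[pscustomobject]@{
    OmaUri        = './Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp'
    DataType      = 'String'
    Value         = '<enabled/><data id="NotifyDisableIEOptions" value="{0}"/>' -f $Notify
    AllowedValues = $allowed -join ', '
    AppliedValue  = if ($applied) { $applied.$valueName } else { 'not set' }
}
```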

Summary

We need to start getting rid of Internet Explorer, and this is a good way to do it until we can finally remove it, once all sites and apps with dependencies are decommissioned.
Let’s all hope that is sooner rather than later.