SMBKitchen Archives: Blocking IE 11


Post to Twitter Post to Facebook Post to StumbleUpon

It’s been more than a year since this article was published to the SMBKItchen, so we’re now sharing it with the general public.

_____

Not a Third Tier customer yet? Let me introduce:  We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations.

Third Tier Get Support BlogFeed Blog Twitter Twitter Facebook Facebook LinkedIn LinkedIN


Patch Management TiPS

Internet Explorer 11

Here we go again, but this time we need to decide when we want IE 11 to be installed on our systems.

Once again you will need to test and ensure compatibility with line of business applications and key business websites before approving the update on your customer’s machines.

At the present time IE11 is offered up but unchecked on Windows 7 machines.

clip_image002

Soon it will be pushed out to unmanaged machines.

There will be no release of IE11 on Windows 8 machines. You are expected to upgrade those machined to Windows 8.1 to obtain IE11. There will be no IE11 on Server 2012 machines.

Here is guidance on how to stop Internet Explorer 11 from being installed on your customer’s Windows 7 sp1 machines:

Blocking IE 11 in Managed Networks

If you use Microsoft’s server patch management tool called Windows Server Update Services to manage updates in your customer’s networks (natively installed on SBS 2003 R2, SBS 2008 and SBS 2011 standard), you need to do nothing at all in order to stop the deployment of IE 11. By default, as long as WSUS is controlling the updates in the network, the category of IE11 update rollups will not be approved and will not deploy automatically.

If you use another patch management tool, or you have an unmanaged environment you may wish to block the deployment of IE 11.

First some facts of the upgrade process to IE 11

1. Internet Explorer 11 can always be uninstalled. To uninstall it, go to the control panel, then to programs and features, click on View Installed Updates and remove IE11.

2. IE11 will only be offer to those who have local administrator rights on their Windows 7 computers. If your customers have been deployed with non-administrator rights they will not see this update automatically deployed

3. IE11 will be available as an “Important” update through automatic updates soon after it releases to the web. The timing of this “RTW” is not known at this time, but given that we already see it offered up but unchecked, they will begin to push it out soon.

4. If a machine has automatic updates enabled and has Service pack 1 for Windows 7, they will get an automatic upgrade to IE 11.

5. Microsoft tends to “throttle” large patches and monitors for any issues. IE 11 may be announced as being released, but you may not see it on your customer’s workstations for a few days or a few weeks afterwards.

6. Even if you previously used the IE blocker toolkit for IE8, IE9 or IE10, you will need to use this specific kit for IE11 as the specific registry key has changed.

Blocking IE 11 using the toolkit

If your clients are in an unmanaged deployment you may wish to use the IE11 blocking toolkit available from the Microsoft download site (http://www.microsoft.com/en-us/download/details.aspx?id=40722 ) in order to block IE 11. This tool kit does not expire, but be aware that your unmanaged customer can manually go to Windows or Microsoft update and scan for updates and be offered up IE 11. It does not block the “offering” of IE 11 to a Windows 7 sp1 machine. It will block the automatic deployment via Windows update to an unmanaged machine.

Instructions for standalone deployments

clip_image003

If you merely need to block IE11 from a few machines, installing this blocker script by hand during your normal review of the machine may be your choice. It may not be the most efficient way to block IE 11 however.

Patching is often most disruptive to unmanaged customers. Internet Explorer 11 is default on Windows 8.1

IE11 for Windows 7 includes many, but not all, of the same features that are in the Windows 8.1 version. Here’s what’s different:

•In the Windows 7 version of IE11, the URL bar remains at the top of the browser (like it is with IE10 on Windows 7). IE11 for Windows 8.1 puts the URL bar at the bottom.

•The new tab view in Windows 8.1 isn’t part of the IE11 for Windows 7 release.

•IE11 on Windows 7 won’t support for premium video extensions like the 8.1 version does. “There are many solutions available for Windows 7 customers to stream and view protected content online, those methods will continue to function for customers,” a spokesperson confirmed. (Read: Silverlight and Flash.)

•No support for Google’s SPDY protocol (the precursor to HTTP 2.0) in IE11 on Windows 7. IE11 on Windows 8.1 does support SPDY.

•IE11 on Windows 7 will not support Enhanced Protected Mode browser security enhancements. (IE10 on Windows 7 didn’t, either.)

Beyond this, IE11 for Windows 7 and IE 11 for Windows 8.1 are largely the same, according to Microsoft officials.

Like IE11 on Windows 8.1, IE11 on Windows 7 includes support for WebGL. It will natively decode JPG images in real-time on the GPU so that pages load faster, use less memory and help improve battery life and support HTML5 link prefetching and pre-rendering, officials said. IE11 on Windows 7 also it incorporates the same changes to the “Chakra” JavaScript engine, including changes to garbage collection and just-in-time (JIT) compilation as IE11 for Windows 8.1 does, they said.

(source: http://www.zdnet.com/microsoft-releases-to-the-web-ie11-for-windows-7-7000022751/ )

Download the blocker toolkit from http://www.microsoft.com/en-us/download/details.aspx?id=40722

1. Click on the link to download the package and select ‘Run’ or ‘Open’. You will be asked to accept the end-user license agreement (EULA) before you gain access to the package contents. The package contains 4 different files.

2. Ignore the fact that the download warning says IE11 release preview

clip_image005

Figure 1 – ignore the warning and click to continue

clip_image007

Figure 2 – Accept the EULA

3. Pick a location where you would like to place the 3 files above by clicking on ‘Browse’. Once you have specified the location to place the extracted files, click ‘OK’. If the folder location does not previously exist you will be prompted to make the location to store the three files.

clip_image009

Figure 3 – Insert location of extraction

4. Launch an elevated Command Prompt by navigating to Start -> All Programs -> Accessories -> and then right click on “Command Prompt” and select “Run as Administrator”.

clip_image011

Figure 4 – Right mouse click on Command Prompt

5. Type “CD” followed by the path to where you have extracted the 4 files in step 2 above.

clip_image013

Figure 5 – Moving to the extract location

6. In the Command Prompt, type “ie11_blocker.cmd /B” and hit Enter to set the blocker on the machine.

clip_image015

Figure 6 – enter in the command to block IE 11

7. You will see confirmation in the Command Prompt: “Blocking deployment of Internet Explorer 11 on the local machine. The operation completed successfully.” You can now close the Command Prompt window.

clip_image017

Figure 7 – IE 11 is now blocked

8. To confirm, click on start, in the run box, type in regedit and hit enter. Navigate to the HKEY_LOCAL_MACHINE key, then to SOFTWARE, then to Microsoft, then to Internet Explorer, then to Setup, then to 10.0

clip_image019

Figure 8 – Ensuring that the block registry key is set

9. You will see a registry key there blocking the deployment of IE11

clip_image021

Figure 9 – Reviewing the registry key

Instructions for using your own deployment tool

Using a Remote management tool that allows for scripting, merely push out a registry key as follows:

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\11.0

Key value name: DoNotAllowIE11

Deploy a DWORD (32-bit) value with a Hexadecimal value of 1 as shown below to block IE 11.

clip_image023

Figure 10 – Registry key values

The registry key will block the automatic deployment of IE11.

Alternatively you can script the command included in this download by specifying the machine name. The syntax to use is IE11_Blocker.cmd [<machine name>] /B. The command switch of /U will unblock the distribution of IE11 and the switch of /H will showcase the help file. If the remote registry can’t be accessed due to security permissions or the remote machine can’t be found, an error message is returned from the REG command.

clip_image025

Figure 11 – Switches used in the command

Instructions for using group policy

Included in the toolkit is a Group policy ADM file. It allows administrators to import the new group policy settings to block or unblock automatic deliver of IE11. Users running Windows 7 (SP1) or Windows Server 2008 R2 (SP1) will see the policy under Computer Configuration / Administrative Templates / Classic Administrative Templates / Windows Components / Windows Update / Automatic Updates Blockers v3. This setting is available only as a Computer setting; there is no Per-User setting.

Note: This registry setting is not stored in a policies key and is thus considered a preference. Therefore if the Group Policy Object that implements the setting is ever removed or the policy is set to Not Configured, the setting will remain. To unblock distribution of Internet Explorer 11 by using Group Policy, set the policy to Disabled.

_____

Not a Third Tier customer yet? Let me introduce:  We’re Third Tier. We provide advanced Third Tier support for IT Professionals and MicroStaffing for IT consulting firms. Come on over, create an account (no charge) and follow our social media locations.

Third Tier Get Support BlogFeed Blog Twitter Twitter Facebook Facebook LinkedIn LinkedIN

Leave a comment

Your email address will not be published. Required fields are marked *

This blog is kept spam free by WP-SpamFree.