Start disabling Internet Explorer before it's too late
Internet Explorer 11 will reach end of life on June 15, 2022. This means no more security patches for the web browser. Web browsers absolutely need to be kept up to date with security patches to mitigate incidents. Edge has been around for years now and is a really good replacement. So let's get rid of the old and bring in the new!
Deploy Microsoft Edge
First, make sure you deploy the latest and greatest web browser, Microsoft Edge. This browser is available not only on Windows but also on macOS, Android, iOS and Linux, so you can give your users the same experience on all platforms. One simple way to deploy Edge and keep it up to date is to use Intune.
- Sign in to the Microsoft Endpoint Manager admin center.
- Select Apps > All apps > Add.
- In the App type list, under Microsoft Edge, version 77 and later, select Windows 10 and later.
- Accept the default settings.
- Select the appropriate channel for your users, normally Stable.
- Keep the language set to Operating System Default (select a language only if you need to deploy a specific one).
- Finish creating the app deployment and assign it to your targets.
Internet Explorer Mode
If you still have sites that don't work in new browsers like Edge, there is an IE mode you can use as an interim solution. IE mode on Microsoft Edge makes it easy to use all of the sites your organization needs in a single browser. It uses the integrated Chromium engine for modern sites, and it uses the Trident MSHTML engine from Internet Explorer 11 (IE11) for legacy sites. You only need to add all sites that need to run in IE mode to a list and deploy the setting. This can be done either by GPO or MEM Intune.
Enable IE Mode with GPO
- Open Group Policy Editor.
- Click Computer Configuration > Administrative Templates > Microsoft Edge.
- Double-click Configure Internet Explorer integration.
- Select Enabled.
- Under Options, set the dropdown value to:
- Internet Explorer mode if you want sites to open in IE mode on Microsoft Edge
- Click OK or Apply to save this policy setting.
- Create or reuse a Site List XML. All sites that have the element <open-in>IE11</open-in> will now open in IE mode.
- Open Group Policy Editor.
- Click Computer Configuration > Administrative Templates > Microsoft Edge.
- Double-click Configure the Enterprise Mode Site List.
- Select Enabled.
- Under Options, type the location of the website list. You can use one of the following locations:
- (Recommended) Web: https://intranet/sites.xml
- Local network file: \\network\shares\sites.xml
- Local file: file:///c:/Users/<user>/Documents/sites.xml
- Click OK or Apply to save these settings.
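Before deploying a site list, it helps to review exactly which entries are handed to the legacy IE11 engine, since every one of them keeps Trident in use. The PowerShell below is an added example, not part of the original post: it parses a constructed v.2 site list, and the host names, the `.intranet.example` suffix and the `Get-IEModeSite` function are assumptions for illustration.

```powershell
# Constructed sample site list (Enterprise Mode schema v.2); hosts are made up.
$siteListXml = @'
<site-list version="7">
  <site url="legacy-hr.intranet.example">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <site url="erp.intranet.example/reports">
    <compat-mode>IE8Enterprise</compat-mode>
    <open-in allow-redirect="true">IE11</open-in>
  </site>
  <site url="portal.intranet.example">
    <compat-mode>Default</compat-mode>
    <open-in>MSEdge</open-in>
  </site>
  <site url="vendor-tool.example.net">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
</site-list>
'@

function Get-IEModeSite {
    param(
        [Parameter(Mandatory)] [string] $Xml,
        # Hypothetical suffix for hosts you treat as internal
        [string] $InternalSuffix = '.intranet.example'
    )
    $doc = [xml]$Xml
    foreach ($site in $doc.'site-list'.site) {
        $openIn = $site.SelectSingleNode('open-in')
        # Only entries with <open-in>IE11</open-in> are rendered by the IE engine
        if ($null -eq $openIn -or $openIn.InnerText.Trim() -ne 'IE11') { continue }
        $url = $site.GetAttribute('url')
        $siteHost = ($url -split '[/:]')[0]   # site list URLs carry no scheme
        [pscustomobject]@{
            Url           = $url
            CompatMode    = $site.SelectSingleNode('compat-mode').InnerText
            AllowRedirect = $openIn.GetAttribute('allow-redirect') -eq 'true'
            External      = -not $siteHost.EndsWith($InternalSuffix, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

$ieSites = @(Get-IEModeSite -Xml $siteListXml)
$ieSites | Format-Table -AutoSize
$external = @($ieSites | Where-Object External)
Write-Host ("{0} site(s) use the IE11 engine, {1} of them outside the internal suffix" -f $ieSites.Count, $external.Count)
```

Entries flagged `External` or `AllowRedirect` are the ones to question first when trimming the list.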
Enable IE Mode with Intune
- Sign in to the Microsoft 365 admin center with your admin credentials.
- Navigate to Settings > Org settings and select Microsoft Edge site lists
- Select Create a new list.
- Enter a Site list name and a Description, and then select Create.
- Select Close panel.
- Select the site list again.
- Select Import list and then on the right-hand panel, select Browse.
- Select the file you want to import and then select Upload on the bottom of the panel.
- After your list is imported, select Close panel.
- Select the breadcrumb above the site list name to go up a level.
- Select the site list you want to publish to the cloud, and then select Publish site list.
- On the right-hand panel, update the Version number and select Publish.
- Select Close panel.
- Select the site list you want to assign to devices.
- Copy the Site list ID.
- Sign in to the Microsoft Endpoint Manager admin center
- Browse to Devices > Windows > Configuration profiles
- Click +Create profile
- Select Windows 10 and later as Platform
- Select Templates as Profile type
- Select Administrative Templates
- Click Create
- Give the profile a Name and a Description (Optional) and click Next
- Scroll down and Select Microsoft Edge
- Search for Cloud
- Open Configure the Enterprise Mode Cloud Site List
- Select Enabled
- Enter the Site list ID in the text box and click OK
- Search for Configure Internet Explorer integration
- Open the settings
- Select Enabled
- Select Internet Explorer mode and click OK
- Finish creating the configuration profile and assign it to your Windows devices.
Disable Internet Explorer
Microsoft will eventually send out a cumulative update that disables IE for you, but it's always better to be prepared. Start by disabling it yourselves for a pilot group to see whether everything works without the browser. When all problems are solved, disable IE for everyone!
Disable IE with GPO
- Open the Group Policy Editor.
- Go to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer.
- Double-click Disable Internet Explorer 11 as a standalone browser.
- Select Enabled.
- Under Options, pick one of the following values:
- Never if you don’t want to notify users that IE11 is disabled.
- Always if you want to notify users every time they’re redirected from IE11.
- Once per user if you want to notify users only the first time they are redirected. (Recommended)
- Click OK or Apply to save this policy setting.
Disable IE with Intune
- Sign in to the Microsoft Endpoint Manager admin center
- Browse to Devices > Windows > Configuration profiles
- Click +Create profile
- Select Windows 10 and later as Platform
- Select Templates as Profile type, choose Custom as the Template name and click Create.
- In Basics, specify a descriptive name for the policy and a description (optional), then select Next.
- In Configuration settings, click Add.
- Enter the following settings:
Name : Disable Internet Explorer
Description : Disables Internet Explorer
OMA-URI : ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
Data Type : String
Value : <enabled/><data id="NotifyDisableIEOptions" value="2"/>
- 0 = Never if you don’t want to notify users that IE11 is disabled.
- 1 = Always if you want to notify users every time they’re redirected from IE11.
- 2 = Once per user if you want to notify users only the first time they are redirected.
- Finish creating the configuration profile and assign it to your Windows devices.
End User Experience
If a user tries to open the disabled Internet Explorer, a message is displayed: This action is restricted…. (Would have been great if this message was editable, but NO)
If a user tries to open a page from the Enterprise Mode Cloud Site List, Edge shows a small IE logo in the address bar to indicate that the page is running in IE mode.
To verify that the list has been deployed, open edge://compat/enterprise in Edge.