In this post, I will show you how to disable Internet Explorer Enhanced Security Configuration (IE ESC) on multiple remote computers using PowerShell.

Sitaram Pamarthi

Sitaram Pamarthi is working as a Windows Engineer and his special fields of interest are PowerShell, Active Directory, Exchange, and virtualization.

I am sure most Windows administrators are familiar with the frustrating screen shown below. When you log on to a Windows Server and try to browse to a website (including Microsoft sites), you’ll sometimes see this kind of message. This happens when you have Internet Explorer Enhanced Security Configuration (IE ESC) enabled on your server.

Disable IE Enhanced Security Configuration (IE ESC) on remote computers using PowerShell

IE Enhanced Security Configuration (IE ESC)

The script that I am going to discuss below will help you disable IE ESC on multiple remote computers so that you don’t need to disable it explicitly by logging on to each Windows Server you built. You can also place code from this script into your WDS build routines so that IE ESC will get disabled during build time itself.

IE ESC has ON/OFF settings for administrators and normal users. These settings are stored in the registry at HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} for administrators and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} for normal users. The “IsInstalled” registry value in the aforementioned keys gives the IE ESC ON/OFF status. If this registry value is set to “0”, IE ESC is disabled; “1” means enabled. So, the script is all about connecting to the remote registry and modifying the registry key values.

Below is the core part of the script. The script loops through each computer and checks if it is responding to a ping. If the ping is successful, the script connects to the remote registry using the .NET class [Microsoft.Win32.RegistryKey] and opens the subkeys that we discussed before. After that, it calls the SetValue method on the IsInstalled registry value to change its value to 0 (that is, to disable). All of these registry operations are wrapped in a try-catch block so that any errors that occur during registry connection and data modification are caught and handled properly. Based on the success or failure of the operation, each computer is added to either $SuccessComps or $FailedComps. When the -OutputToLogs parameter is used with the script, these arrays are written to files located on the c:\ drive.

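    # $AdministratorsKey and $UsersKey hold the two key paths described above
    # (relative to HKLM); $SuccessComps and $FailedComps collect the results.
    foreach($Computer in $ComputerName) {
        # Skip computers that do not answer a single ping
        if(!(Test-Connection -Computer $Computer -count 1 -ea 0)) {
            Write-Host "$Computer NOT REACHABLE"
            $FailedComps += $Computer
            continue
        }
        Write-Host "Working on $Computer"
        try {
            # Connect to HKLM on the remote computer
            $BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$Computer)
            # Open each key writable ($true) and set IsInstalled to 0 (IE ESC off)
            $SubKey = $BaseKey.OpenSubKey($AdministratorsKey,$true)
            $SubKey.SetValue("IsInstalled",0,[Microsoft.Win32.RegistryValueKind]::DWORD)
            $SubKey = $BaseKey.OpenSubKey($UsersKey,$true)
            $SubKey.SetValue("IsInstalled",0,[Microsoft.Win32.RegistryValueKind]::DWORD)
            Write-Host "Successfully disabled IE ESC on $Computer"
            $SuccessComps += $Computer
        }
        catch {
            # Any failure to connect, open a key or write the value lands here
            Write-Host "Failed to disable IE ESC on $Computer"
            $FailedComps += $Computer
        }
    }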

If you are interested in knowing more about how to create and modify registry keys of remote computers using PowerShell, read my previous article.
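To verify the result, or to audit which servers currently have IE ESC turned off, the same two IsInstalled values can be read without writing anything. The following is an added example, not part of Disable-IEESC.ps1; the function name Get-IEESCStatus and the status strings are hypothetical, and it assumes PowerShell 3.0 or later and that the Remote Registry service is reachable on the targets.

```powershell
# Added example: read-only audit of IE ESC state. Nothing is written to the registry.
# Get-IEESCStatus is a hypothetical name, not a function from the article's script.
function Get-IEESCStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    begin {
        # Key paths from the article, relative to HKLM
        $Base = 'SOFTWARE\Microsoft\Active Setup\Installed Components'
        $Keys = [ordered]@{
            Administrators = "$Base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
            Users          = "$Base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
        }
    }
    process {
        foreach ($Computer in $ComputerName) {
            $Row = [ordered]@{
                ComputerName = $Computer; Administrators = 'Unknown'
                Users = 'Unknown'; Error = $null
            }
            $BaseKey = $null
            try {
                $BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
                foreach ($Name in $Keys.Keys) {
                    $SubKey = $BaseKey.OpenSubKey($Keys[$Name])   # opened read-only
                    if ($null -eq $SubKey) { $Row[$Name] = 'KeyMissing'; continue }
                    $Value = $SubKey.GetValue('IsInstalled')
                    $SubKey.Close()
                    # 0 = IE ESC disabled, 1 = enabled (as described in the article)
                    $Row[$Name] = if ($null -eq $Value) { 'ValueMissing' }
                                  elseif ($Value -eq 0) { 'Disabled' }
                                  elseif ($Value -eq 1) { 'Enabled' }
                                  else { "Unexpected($Value)" }
                }
            }
            catch { $Row.Error = $_.Exception.Message }   # unreachable host, access denied, ...
            finally { if ($BaseKey) { $BaseKey.Close() } }
            [pscustomobject]$Row
        }
    }
}

# List servers where IE ESC is not enabled for administrators:
# Get-Content c:\servers.txt | Get-IEESCStatus | Where-Object { $_.Administrators -ne 'Enabled' }
```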

Usage and Examples:

Here are the usage instructions and other help material for this script.

    PS C:\scripts> get-help .\Disable-IEESC.ps1 -Detailed

    NAME
        C:\scripts\Disable-IEESC.ps1

    SYNOPSIS
        Disables Internet Explorer Enhanced Security Configuration (IE ESC).

    SYNTAX
        C:\scripts\Disable-IEESC.ps1 [[-ComputerName] <String[]>] [-OutputToLogs] [<CommonParameters>]

    DESCRIPTION
        This script disables IE ESC on a list of given Windows 2008 Servers.

    PARAMETERS
        -ComputerName <String[]>
            Computer name(s) for which you want to disable IE ESC.

        -OutputToLogs [<SwitchParameter>]
            This option allows you to save the failed and successful computer names
            to text files on c:\.
            Successful computers are listed in the c:\successcomps.txt file.
            Failed computers are listed in c:\failedcomps.txt.

        <CommonParameters>
            This cmdlet supports the common parameters: Verbose, Debug,
            ErrorAction, ErrorVariable, WarningAction, WarningVariable,
            OutBuffer, and OutVariable. For more information, type
            "get-help about_commonparameters".

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Disable-IEESC.PS1 -ComputerName Comp1, Comp2

    Disables IE ESC on Comp1 and Comp2.

    -------------------------- EXAMPLE 2 --------------------------

    C:\PS>Disable-IEESC.PS1 -ComputerName Comp1, Comp2 -OutputToLogs

    Disables IE ESC on Comp1 and Comp2 and stores output in logfiles located on c:\.

    -------------------------- EXAMPLE 3 --------------------------

    C:\PS>Get-Content c:\servers.txt | Disable-IEESC.PS1 -OutputToLogs

    Disables IE ESC on computers listed in servers.txt and saves success and failed computers list to c:\.

You can download the PowerShell script to disable Internet Explorer Enhanced Security Configuration here.

NOTE: By providing this script to disable IE ESC, I didn’t mean to say that you should disable IE ESC as a best practice. This script is intended only to help you disable IE ESC after you have decided that there is a good reason to do so. To know the ups and downs of disabling IE ESC, read this post.

2 Comments
  1. khaos 4 months ago

    So, using the code you've provided is difficult at best as after copy you have to disassemble it from this unformatted mess: 

    PS C:\scripts> get-help .\Disable-IEESC.ps1 -DetailedNAMEC:\scripts\Disable-IEESC.ps1SYNOPSISDisables Internet Explorer Enhanced Security Configuration (IEESC).SYNTAXC:\scripts\Disable-IEESC.ps1 [[-ComputerName] <String[]>] [-OutputToLogs][<CommonParameters>]DESCRIPTIONThis script disables IE ESC on a list of given Windows 2008Servers.PARAMETERS-ComputerName <String[]>Computer name(s) for which you want to disable IEESC.-OutputToLogs [<SwitchParameter>]This option allows you to save the failed and successfulcomputer namesto text files on c:\.Successful computers are listed in the c:\successcomps.txtfile.Failed computers are listed in c:\failedcomps.txt.<CommonParameters>This cmdlet supportsthe common parameters: Verbose, Debug,ErrorAction, ErrorVariable, WarningAction,WarningVariable,OutBuffer, and OutVariable. For more information, type"get-help about_commonparameters".-------------------------- EXAMPLE 1 --------------------------C:\PS>Disable-IEESC.PS1 -ComputerName Comp1, Comp2Disables IE ESC on Comp1 and Comp2.-------------------------- EXAMPLE 2 --------------------------C:\PS>Disable-IEESC.PS1 -ComputerNameComp1, Comp2 -OutputToLogsDisables IE ESC on Comp1 and Comp2 and stores output in logfileslocated on c:\.-------------------------- EXAMPLE 3 --------------------------C:\PS>Get-Content c:\servers.txt | Disable-IEESC.PS1 -OutputToLogsDisables IE ESC on computers listedin servers.txt and saves success and failed computers list to c:\.

    There has to be a better way to format the displayed code rather than the way it is here. 🙁  I tried on Chrome, IE11, and Edge.  

    0

  2. khaos 4 months ago

    I found the download for the formatted code.  Thanks for that.  I would still love to see the on-page code formatted for clarity. However, thanks again. 

    1+


© 4sysops 2006 - 2019
