Disable Internet Explorer Enhanced Security Configuration (IE ESC) remotely with PowerShell

• Author
• Recent Posts

Sitaram Pamarthi

Sitaram Pamarthi is working as a Windows Engineer and his special fields of interest are PowerShell, Active Directory, Exchange, and virtualization.

Latest posts by Sitaram Pamarthi (see all)

• Add a domain user or group to local administrators with PowerShell - Wed, Mar 19 2014
• Create a list of local administrators with PowerShell - Wed, Mar 5 2014
• Remotely query user profile information with PowerShell - Tue, Nov 26 2013

I am sure most Windows administrators are familiar with the frustrating screen shown below. When you log on to a Windows Server and try to browse to a website (including Microsoft sites), you’ll sometimes see this kind of message. This happens when you have Internet Explorer Enhanced Security Configuration (IE ESC) enabled on your server.

IE Enhanced Security Configuration (IE ESC)

The script that I am going to discuss below will help you disable IE ESC on multiple remote computers so that you don’t need to disable it explicitly by logging on to each Windows Server you built. You can also place code from this script into your WDS build routines so that IE ESC will get disabled during build time itself.

IE ESC has ON/OFF settings for administrators and normal users. These settings are stored in the registry at HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073} for administrators and HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073} for normal users. The “IsInstalled” registry value in the aforementioned keys gives the IE ESC ON/OFF status. If this registry value is set to “0”, IE ESC is disabled; “1” means enabled. So, the script is all about connecting to the remote registry and modifying the registry key values.

Below is the core part of the script. The script loops through each computer and checks if it is responding to a ping. If the ping is successful, the script connects to the remote registry using the Dotnet class [Microsoft.Win32.RegistryKey] and opens the sub keys that we discussed before. After that, it executes the SetValue method on the IsInstalled registry value to change its value to 0 (that is, to disable). All of these registry operations are bounded inside a try-catch block so that any errors that occur during registry connection and data modification are caught and handled properly. Based on the success or failure of the operation, each computer is assigned to either $SuccessComps or $failedComps, enabling these arrays to be used to store the data in files located on the c:\ drive when the –OutputToLogs parameter is used with the script.

foreach($Computer in $ComputerName) {

if(!(Test-Connection -Computer $Computer -count 1 -ea 0)) {

Write-Host "$Computer NOT REACHABLE"

$FailedComps += $Computer

continue

}

Write-Host "Working on $Computer"

try {

$BaseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$Computer)

$SubKey = $BaseKey.OpenSubKey($AdministratorsKey,$true)

$SubKey.SetValue("IsInstalled",0,[Microsoft.Win32.RegistryValueKind]::DWORD)

$SubKey = $BaseKey.OpenSubKey($UsersKey,$true)

$SubKey.SetValue("IsInstalled",0,[Microsoft.Win32.RegistryValueKind]::DWORD)

Write-Host "Successfully disabled IE ESC on $Computer"

$SuccessComps += $Computer

}

catch {

Write-Host "Failed to disable IE ESC on $Computer"

$FailedComps += $Computer

}

}

If you are interested in knowing more about how to create and modify registry keys of remote computers using PowerShell, read my previous article.

Usage and Examples:

Here are the usage instructions and other help material for this script.

PS C:\scripts> get-help .\Disable-IEESC.ps1 -Detailed

NAME

C:\scripts\Disable-IEESC.ps1

SYNOPSIS

Disables Internet Explorer Enhanced Security Configuration (IE ESC).

SYNTAX

C:\scripts\Disable-IEESC.ps1 [[-ComputerName] <String[]>] [-OutputToLogs] [

<CommonParameters>]

DESCRIPTION

This script disables IE ESC on a list of given Windows 2008 Servers.

PARAMETERS

-ComputerName <String[]>

Computer name(s) for which you want to disable IE ESC.

-OutputToLogs [<SwitchParameter>]

This option allows you to save the failed and successful computer names

to text files on c:\.

Successful computers are listed in the c:\successcomps.txt file.

Failed computers are listed in c:\failedcomps.txt.

<CommonParameters>

This cmdlet supports the common parameters: Verbose, Debug,

ErrorAction, ErrorVariable, WarningAction, WarningVariable,

OutBuffer, and OutVariable. For more information, type

"get-help about_commonparameters".

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Disable-IEESC.PS1 -ComputerName Comp1, Comp2

Disables IE ESC on Comp1 and Comp2.

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Disable-IEESC.PS1 -ComputerName Comp1, Comp2 -OutputToLogs

Disables IE ESC on Comp1 and Comp2 and stores output in logfiles located on c:\.

-------------------------- EXAMPLE 3 --------------------------

C:\PS>Get-Content c:\servers.txt | Disable-IEESC.PS1 -OutputToLogs

Disables IE ESC on computers listed in servers.txt and saves success and failed computers list to c:\.

You can download the PowerShell script to disable Internet Explorer Enhanced Security Configuration here.

NOTE: By providing this script to disable IE ESC, I didn’t mean to say that you should disable IE ESC as a best practice. This script is intended only to help you disable IE ESC after you have decided that there is a good reason to do so. To know the ups and downs of disabling IE ESC, read this post.