In my last post, I blogged about the real reason why admins are tortured with Internet Explorer Enhanced Security Configuration (IE ESC) on Windows Server, and I discussed the different methods of how to turn it off. Today I show you how to leverage Group Policy to disable IE ESC.

Michael Pietroforte

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in IT management and system administration.

I can only speculate why Microsoft doesn’t offer a Group Policy setting or at least a downloadable ADMX template for disabling IE ESC. I suppose it is because it would be too easy to disable IE ESC domain-wide, and many admins would make Microsoft’s efforts to essentially uninstall Internet Explorer on servers futile.

However, since you can use Group Policy Preferences to change Registry settings, it only costs you a few clicks to ensure that IE ESC will be turned off on a large number of servers.

Two different Registry keys exist for disabling IE ESC, one for administrators and one for users.

For administrators:

Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}

For users:

Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}

Note that the keys are identical except for one digit: A509B1A7 for administrators and A509B1A8 for users. The value name is IsInstalled, and its default value is 00000001, which corresponds to an enabled IE ESC. To disable IE ESC, you have to set IsInstalled to 00000000.

To add this setting to Group Policy Preferences, follow the steps below. (I assume here that you are familiar with Group Policy. If not, you had better leave the IE ESC settings untouched.)

  1. Log on to a Windows server. (Windows workstations don’t have the Registry key.)
  2. Edit a Group Policy object that is linked to the OU that contains the servers for which you want to disable IE ESC.
  3. Navigate to Computer Configuration -> Preferences -> Windows Settings -> Registry.
  4. Right-click Registry and then navigate to New -> Registry Item.
  5. Navigate to the Key Path specified above, depending on whether you want to disable IE ESC for admins or non-admins.
  6. Click IsInstalled and then Select.
  7. Set the Value Data to 00000000 and click OK.
  8. The new Registry item should appear in the Group Policy Preferences folder. You might want to run gpupdate to deploy the settings right away or wait until the next Group Policy update cycle.
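
A read-only check of the result, as an added example that is not part of the original post: it reads IsInstalled under both key paths given above and reports whether IE ESC is enabled for administrators and for users. The function name Get-IEEscState is hypothetical, and the script assumes it is run locally on the server being checked.

```powershell
# Added example (not from the original post): read-only check of the two
# IsInstalled values described above. Get-IEEscState is a hypothetical name.
function Get-IEEscState {
    [CmdletBinding()]
    param()

    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    # Component GUIDs as given in the article; they differ in one digit (A7 vs. A8).
    $components = [ordered]@{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }

    foreach ($scope in $components.Keys) {
        $path  = "$base\$($components[$scope])"
        $value = $null
        $state = 'Key not present'   # e.g. a workstation, which lacks these keys

        if (Test-Path -LiteralPath $path) {
            $prop = Get-ItemProperty -LiteralPath $path -Name IsInstalled -ErrorAction SilentlyContinue
            if ($null -eq $prop) {
                $state = 'IsInstalled value missing'
            } else {
                $value = $prop.IsInstalled
                $state = switch ($value) {
                    1       { 'Enabled (default)' }
                    0       { 'Disabled' }
                    default { 'Unexpected value' }
                }
            }
        }

        # One row per scope so the output can be collected across servers.
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Scope       = $scope
            IsInstalled = $value
            IEESC       = $state
        }
    }
}

Get-IEEscState | Format-Table -AutoSize
```

Run it after gpupdate on a server in the targeted OU to confirm that the preference item applied, or on servers outside that OU to confirm that IE ESC is still enabled there.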

If IE ESC is disabled, Internet Explorer will welcome you with a refreshing "Caution: Internet Explorer Enhanced Security Configuration is not enabled." So be careful. You just enabled Internet Explorer on multiple servers.

Caution: Internet Explorer Enhanced Security Configuration is not enabled

3 Comments
  1. Frank Verhagen 4 years ago

    Thanks for this small but useful tip!

    0

  2. mohit 1 year ago

    Great Article Man

    0

  3. Cody 1 year ago

    This worked for me, however you must log off/log on in order for it to take effect in new Explorer sessions 🙂

    0

© 4sysops 2006 - 2017
