Welcome to Dirteam.com/ActiveDir.org Blogs Sign in | Join | Help

The things that are better left unspoken

a blog by Sander Berkouwer

Related

AD Manager Plus
 

Blog roll

News



Archives

Blocking Internet Explorer 10 Automatic Delivery

Microsoft is getting ready to release Internet Explorer 10 for Windows 7 and Windows Server 2008 R2. Internet Explorer 10 is built into Windows 8 and Windows Server 2012 by default and Microsoft vowed to bring it to Windows 7 and Windows Server 2008 R2 too. The latest available version of Internet Explorer will be delivered as a Windows Update soon.

Choice

Your enterprise web based application may be affected by the new Internet Explorer or its new security features. When this is the result of testing your application, you might decide not to deploy Internet Explorer 10. This blogpost shows you your options:

  • The Graphical User Interface (GUI)
  • The Internet Explorer 10 Blocker Toolkit
  • Windows Server Update Services (WSUS)

The Graphical User Interface

If you are a an administrator of your machine and as soon as the Internet Explorer setup is downloaded you will have three options:

  • Install: The installation procedure will start after the genuine windows check and the homepage, favorites and search settings will be kept.
  • Do not Install: You will not be asked again to install Internet Explorer 10, however if you have admin privileges you can always use the optional update to install Internet Explorer 10 afterwards.
  • Ask again later: The installation process will be canceled and the Automatic Updates will ask you again after 24 Hours.

IE10 Blocker Toolkit

Microsoft has now released the Internet Explorer 10 Blocker Toolkit to block automatic delivery of Internet Explorer 10 to machines in environments where Automatic Updates are enabled. It offers three ways to block Internet Explorer 10 indefinitely from your environment:

Through a script

The Toolkit to Disable Automatic Delivery of Microsoft Internet Explorer 10 comes with ie10_blocker.cmd. You can use the handy script to disable the delivery of Internet Explorer 10 through a machine startup script or perhaps a user logon script (if in the unlikely case you allow your users to be local administrators)

The script has the following command-line syntax:

IE10_Blocker.cmd [<machine name>] [/B] [/U] [/H]

Using the /H or /? switch will help you further in your scripting quest. Don't worry if you mess up: the script can be run multiple times on the same machine without any problem.

Through the registry

The IE10_Blocker.cmd script in the Toolkit to Disable Automatic Delivery of Internet Explorer 10 creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 10 on either the local machine or a remote target machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0\DoNotAllowIE10

  • When the key value name is not defined, distribution is not blocked.
  • When the key value name is set to 0, distribution is not blocked.
  • When the key value name is set to 1, distribution is blocked.

You can create this registry setting manually too, if this is a more appropriate method for your environment.

Through a group policy

When you’re a fan of Group Policy (like I am) the Toolkit offers to disable the automatic delivery of Internet Explorer 10 with a custom *.adm file.

Note:
The custom *.adm file from the Toolkit only offers a Computer setting; there is no Per-User setting.

To use the custom *.adm file, open up the Group Policy Editor, open the Computer Configuration node, then the Policies node and finally right-click the Administrative Templates node. Select Add/Remote Templates… from the context menu. Click Add… and browse to the folder where you extracted the Toolkit. Select IE10_blocker.adm and click Open. Click Close.

Navigate to Computer Configuration, then Administrative Templates, then Classic Administrative Templates, Windows Components, Windows Update and finally Automatic Updates Blockers v3.

Here, you’ll find a Group Policy Setting named Do not allow delivery of Internet Explorer 10 through Automatic Updates:

Do not allow deliviery of Internet Explorer 10 through Automatic Updates Group Policy Setting (click for original screenshot)

Enable it, and then click OK. This will instruct computers to ignore the Internet Explorer 10 download. The only thing you need to do next, is to instruct your colleagues to do the same (but only the colleagues with administrative privileges on their computers).

Windows Server Update Services

In enterprise environments the tools of choice to control which updates get delivered to what (groups of) computers and servers are the free Microsoft Baseline Security Analyzer (MBSA), Enterprise Update Scan (EUS) tool, the free Microsoft Windows Update Services add-on to Windows Server, and of course Microsoft System Center Configuration Manager. Pick your tool of choice here.

Concluding

Internet Explorer 10 might prove to break your mission-critical web based application. As a last resort you might decide to block Internet Explorer 10 from your Windows 7 and Windows Server 2008 R2-based networking environments.

You have plenty of tools at hand to defend your networks. Use them wisely.

Tool download

Toolkit to Disable Automatic Delivery of Internet Explorer 10

Further reading

Internet Explorer 10 Delivery through Automatic Updates 
Internet Explorer 9 Blocker Toolkit Download  
Internet Explorer 9 Blocker Toolkit FAQ 
Explore Internet Explorer 10 
Manage Internet Explorer 10 
Microsoft inches closer to delivering Internet Explorer 10 for Windows 7

Comments

No Comments

Anonymous comments are disabled