Disabling Automatic Delivery of Internet Explorer 10

Microsoft just released the Toolkit to Disable Automatic Delivery of Internet Explorer 10.

It’s like any other previous kit that they released: it contains an adm template for group policies and a good old batch file.

The batch file in that toolkit can enable or disable the delivery of IE10 on the local computer or on a remote target, as long as you have administrative credentials, have activated the remote registry and have configured the firewall properly to allow the Core Networking and File and Print features.

In a PowerShell 3 console, to block it locally you can do:

& E:\IE10_Blocker.cmd --% . /B

You’ll end up with this in the registry: a DoNotAllowIE10 value set to 1 under HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0.

To revert back to the default behavior you can do:

& E:\IE10_Blocker.cmd --% . /U

With PowerShell, we can easily write one function to query the presence of the setting in the registry and a second function to turn the setting on and off. On a Windows 7 computer running PowerShell V2, it looks like this:

#Requires -Version 2.0

Function Get-IE10BlockerStatus {
[CmdletBinding()]
Param()
Begin {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0'
} 
Process {
    Write-Verbose -Message "Checking for IE 10 Blocker status on $($env:COMPUTERNAME)"
    try {
        $status = Get-ItemProperty -Path $key -Name DoNotAllowIE10 -ErrorAction Stop
    } catch {
        $status = New-Object -TypeName PSobject -Property @{ DoNotAllowIE10 = 0}
    }
    switch ($status.DoNotAllowIE10) {
        0 {
            # Keeping a V2 compliant code
            New-Object -TypeName PSObject -Property @{Status = 'Allowed'}
            break
        }
        1 {
            New-Object -TypeName PSObject -Property @{Status = 'Blocked'}
            break
        }
        default {
            # Should not get there, but if it really fails, it's probably off
            New-Object -TypeName PSObject -Property @{Status = 'Unknown'}
        }
    }
}
End {}
}

Function Set-IE10BlockerStatus {
[CmdletBinding()]
Param(
    [switch]$Enable = $true
)
Begin {
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0'    

    # Make sure we run as admin            
    $usercontext = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()            
    $IsAdmin = $usercontext.IsInRole(544)                                                       
    if (-not($IsAdmin)) {            
        Write-Warning "Must run PowerShell as Administrator to perform these actions"
        break
    }             
}
Process {
    switch ($Enable) {
        $false {
            Write-Verbose -Message "Setting status of IE10 on $($env:COMPUTERNAME) to: Allowed"
            try {
                # Attempt to delete the value if it exists
                Get-ItemProperty -Path $key -Name DoNotAllowIE10 -ErrorAction Stop | Remove-ItemProperty -Name DoNotAllowIE10 -ErrorAction Stop
            } catch {
                # If it failed, it means it doesn't exist
            }
            break
        }
        $true {
            Write-Verbose -Message "Setting status of IE10 on $($env:COMPUTERNAME) to: Blocked"
            try {
                # Create the key if required
                if (-not(Test-Path $key))  {
                    # Discard the key object so the function emits no output, as documented in its help
                    New-Item -Path $key -Force -ItemType Container -ErrorAction Stop | Out-Null
                }
                # Set the value
                Set-ItemProperty -Path $key -Name DoNotAllowIE10 -Value 1 -Type DWORD -Force -ErrorAction Stop 
            } catch {
                Write-Warning -Message "Failed to set the value in the registry of $($env:COMPUTERNAME) because $($_.Exception.Message)"
            }
            break
        }
        default {
            Write-Warning -Message "Should never get here"
        }
    }
}
End {}

<#

.SYNOPSIS    
    Block IE10 on WU/MU
 
.DESCRIPTION  
    Prevents the machine from receiving Internet Explorer 10 via Automatic Updates on the Windows Update and Microsoft Update sites

.INPUTS
    None
        This script doesn't accept any input.

.OUTPUTS
    None
        This script doesn't have any output.

 .LINK    
    https://p0w3rsh3ll.wordpress.com/
 
.EXAMPLE    
    Set-IE10BlockerStatus -Enable -Verbose

    This will block IE10 on the local computer

.EXAMPLE    
    Set-IE10BlockerStatus -Enable:$false -Verbose

    This will revert back to default settings and allow you to receive IE10 via WU/MU

.NOTES    
    Name: Set-IE10BlockerStatus
    Author: Emin Atac
    DateCreated: 31/01/2013

#>
}

Here’s how to use the above functions:

Get-IE10BlockerStatus -Verbose            
            
Set-IE10BlockerStatus -Enable -Verbose            
            
Get-IE10BlockerStatus -Verbose            
            
Set-IE10BlockerStatus -Enable:$false -Verbose            
            
Get-IE10BlockerStatus -Verbose            

It can easily be extended to target remote computers. It can be done via WMI or directly through the remote registry capability or by using PowerShell remoting. I prefer the last as it’s as easy as copy/pasting the above functions' code into a PS1 file, adding one of the above sample lines (based on your needs) and running:

Invoke-Command -ComputerName RemotePC1,RemotePC2 -FilePath .\MyFile.ps1 -Credential (Get-Credential)
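
The remote registry route mentioned above, as an added example that is not part of the original post: a read-only audit that reports the DoNotAllowIE10 state per computer, so machines still held back from IE10 can be inventoried. The function name Get-RemoteIE10BlockerStatus, the QueryFailed status and the host names are assumptions of this example; it needs the Remote Registry service and firewall access described earlier.

```powershell
#Requires -Version 2.0
# Added example: read-only audit of DoNotAllowIE10 over the Remote Registry service.
Function Get-RemoteIE10BlockerStatus {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    Begin {
        # Same key and value as the local functions, without the HKLM:\ drive prefix
        $subKey = 'SOFTWARE\Microsoft\Internet Explorer\Setup\10.0'
        $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    }
    Process {
        foreach ($computer in $ComputerName) {
            $status = 'QueryFailed'; $detail = $null; $base = $null; $key = $null
            try {
                $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
                $key  = $base.OpenSubKey($subKey)   # opened read-only
                if ($key -eq $null) {
                    $status = 'Allowed'             # key absent: default behaviour
                } else {
                    $value = $key.GetValue('DoNotAllowIE10', 0)
                    switch ($value) {
                        0       { $status = 'Allowed' }
                        1       { $status = 'Blocked' }
                        default { $status = 'Unknown'; $detail = "Unexpected value: $value" }
                    }
                }
            } catch {
                # Typical causes: host down, Remote Registry stopped, firewall, access denied
                $detail = $_.Exception.Message
            } finally {
                if ($key)  { $key.Close() }
                if ($base) { $base.Close() }
            }
            New-Object -TypeName PSObject -Property @{
                ComputerName = $computer
                Status       = $status
                Detail       = $detail
            }
        }
    }
}

# Host names below are placeholders
'RemotePC1', 'RemotePC2' | Get-RemoteIE10BlockerStatus |
    Select-Object ComputerName, Status, Detail
```

A host that cannot be queried is reported as QueryFailed with the error text in Detail, so it is not mistaken for a machine where delivery is allowed.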

Have fun! 😎


One thought on “Disabling Automatic Delivery of Internet Explorer 10”

  1. For this kind of setting I usually prefer to rely on Group Policies (GPO). Microsoft has only an old adm based template to offer in its toolkit 😦

    Here are admx/l based files to achieve the same thing as the adm file:
    !The content of xml files is case sensitive.
    Make sure to test the desired behavior in a Lab before pushing this into production 🙂

    • myOrg.admx
      <?xml version="1.0" encoding="utf-8"?>
      <!--  (c) 2006 Microsoft Corporation  -->
      <policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
        <policyNamespaces>
          <target prefix="myorg"     namespace="Microsoft.Policies.myOrg" /> 
          <using prefix="products" namespace="Microsoft.Policies.Products" />
        </policyNamespaces>
        <resources minRequiredRevision="1.0" />
      
        <supportedOn>
          <definitions>
            <!--At least Windows 7 or Windows Server 2008 R2-->
            <definition name="SUPPORTED_Windows7" displayName="$(string.SUPPORTED_Windows7)">
              <or>
                <range ref="products:WindowsServer2008" minVersionIndex="1"/>
                <range ref="products:MicrosoftWindows" minVersionIndex="6"/>
              </or>
            </definition>
         
          </definitions>
        </supportedOn>
      
        <categories>
      
          <category name="myOrg" displayName="$(string.Cat_myOrg)" />
      	    <category name="Adobe" displayName="$(string.Cat_Adobe)">
      	      <parentCategory ref="myOrg" />
      	    </category>
      
      	    <category name="Google" displayName="$(string.Cat_Google)">
      	      <parentCategory ref="myOrg" />
      	    </category>
      
      	    <category name="Oracle" displayName="$(string.Cat_Oracle)">
      	      <parentCategory ref="myOrg" />
      	    </category>
      		    <category name="JRE" displayName="$(string.Cat_JRE)">
      		      <parentCategory ref="Oracle" />
      		    </category>
      	    <category name="Microsoft" displayName="$(string.Cat_Microsoft)">
      	      <parentCategory ref="myOrg" />
      	    </category>
      		    <category name="WindowsUpdate" displayName="$(string.Cat_WU)">
      		      <parentCategory ref="Microsoft" />
      		    </category>
        </categories>
        <policies>
          <policy name="NoSP"
      	class="Machine" 
      	displayName="$(string.NoSP)" 
      	explainText="$(string.NoSP_Help)" 
      	presentation="$(presentation.NoSP)" 
      	key="Software\Policies\Microsoft\Windows\WindowsUpdate" 
      	valueName="DoNotAllowSP"> 
            <parentCategory ref="WindowsUpdate" />
            <supportedOn ref="SUPPORTED_Windows7" />
            <enabledValue>
              <decimal value="1" />
            </enabledValue>
            <disabledValue>
              <decimal value="0" />
            </disabledValue>
          </policy>
          <policy name="NoIE10"
      	class="Machine" 
      	displayName="$(string.NoIE10)" 
      	explainText="$(string.NoIE10_Help)" 
      	presentation="$(presentation.NoIE10)" 
      	key="Software\Microsoft\Internet Explorer\Setup\10.0" 
      	valueName="DoNotAllowIE10"> 
            <parentCategory ref="WindowsUpdate" />
            <supportedOn ref="SUPPORTED_Windows7" />
            <enabledValue>
              <decimal value="1" />
            </enabledValue>
            <disabledValue>
              <decimal value="0" />
            </disabledValue>
          </policy>
        </policies>
      </policyDefinitions>
      
    • myOrg.adml
      <?xml version="1.0" encoding="utf-8"?>
      <!--  (c) 2006 Microsoft Corporation  -->
      <policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
        <displayName>entrer le nom complet ici</displayName>
        <description>entrer la description ici</description>
        <resources>
          <stringTable>
            <string id="Cat_myOrg">My Org Settings</string>
            <string id="Cat_Adobe">Adobe</string>
            <string id="Cat_Google">Google</string>
            <string id="Cat_Microsoft">Microsoft</string>
            <string id="Cat_WU">Windows Update</string>
      
            <string id="NoIE10">Do not allow delivery of Internet Explorer 10 through Automatic Updates</string>
            <string id="NoIE10_Help">This policy setting allows you to disable delivery of Internet Explorer 10 via Automatic Updates.
      The update includes important security improvements, so Microsoft strongly recommends that customers deploy this update as soon as possible.
      This policy setting allows organizations not using Systems Management Server (SMS), Software Update Services (SUS) or another update management solution and needing more time to plan the rollout of Internet Explorer 10 to disable the delivery through Automatic Updates.
      This policy setting does not prevent installation of Internet Explorer 10 through other mechanisms such as SMS, SUS, product disk and so on.
      If you disable or do not configure this policy setting, the update will be available as an update through Automatic Update.
      NOTE: This setting does not disable Automatic Updates or access to Windows Update. Nor does it prevent delivery of updates other than Internet Explorer 10 through Windows Update or Automatic Updates.</string>
      
      
      
            <string id="NoSP">Do not allow delivery of the service Pack through Windows Update or Automatic Updates</string>
            <string id="NoSP_Help">This policy setting allows you to temporarily disable delivery of a service pack from Windows Update or Automatic Updates.
      
      The service pack includes important security improvements, so Microsoft strongly recommends that customers deploy this update as soon as possible.
      
      This policy setting allows organizations not using Systems Management Server (SMS), Software Update Services (SUS) or another update management solution and needing more time to plan the rollout of the service pack to temporarily disable the delivery of the service pack through Windows Update and Automatic Updates.
      
      The mechanism to temporarily disable delivery of the service pack is available only for a limited time. After this time period, this policy setting will have no effect. Please see the Windows Web page on the Microsoft web site for information about the expiration date.
      
      This policy setting does not prevent installation of the service pack through other mechanisms such as SMS, SUS, product disk and so on.
      
      If you enable this policy setting, the service pack update is not available to users through Windows Update. In addition, the Automatic Update client does not download this package.
      
      If you disable or do not configure this policy setting, the service pack update will be available as an update through Windows Update (either manually or through a properly configured Automatic Update client).
      
      NOTE: This setting does not disable Automatic Updates or access to Windows Update. Nor does it prevent delivery of updates other than the service pack through Windows Update or Automatic Updates.</string>
            <string id="Cat_Oracle">Oracle</string>
            <string id="Cat_JRE">JRE</string>
      
            <string id="SUPPORTED_Windows7">At least Windows 7 or Windows Server 2008 R2</string>
      
          </stringTable>
          <presentationTable>
            <presentation id="NoSP" />
            <presentation id="NoIE10" />
          </presentationTable>
        </resources>
      </policyDefinitionResources>
      
