With the release of Microsofts Chromium-based Edge browser, the end is near for Internet Explorer 11. In one of the latest Windows Insider builds, Microsoft made a Group Policy setting available to Disable Internet Explorer 11 as a standalone app.
The settings is now also found in Windows 10 20H2 (19042.804).
In the GP Editor the setting is found under Administrative Templates, Windows Components, Internet Explorer.
As we can see, we can enable the policy and choose one of three options for notifying the end-user.
As the setting isn`t yet available in a current Windows 10 build, the setting isn`t available yet in the Microsoft Intune portal. But we can configure the setting with a custom configuration profile, which I show in the post.
I`m not sure in which preview build Microsoft added this setting. I`m running Windows 10 Insider Preview Build 20270 in which I found the setting.
Create custom configuration profile
As the setting is added to an existing admx file (inetres.admx) which is already supported by Intune, there is no need to ingest the admx file like we need to do with for example Google Chrome. The solution is pretty straight forward, we just need to create a custom configuration profile with one row.
We only need the exact policy name as found in the inetres.admx file and the corresponding ID.
For this, we open the admx file on a Windows 10 device that already supports the setting and search for the policy setting; DisableInternetExplorerApp. Here is also the enum ID mentioned, which we need to use later in the profile as data ID. Also notice, the three notify options with a corresponding value.
With this information we can build up our OMA-URI which we need when we use a custom profile:
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
As explained in previous posts, the first part is always ./Device/Vendor/MSFT/Policy/Config. And in this case, it`s followed by the name of the Category (without a space) and last the policy name.
Let`s configure the profile.
- Sign-in to the Endpoint Manager admin center
- Browse to Devices – Windows
- Browse to Configuration profiles
- Click +Create profile
- Choose Windows 10 and later as Platform
- Choose Custom as Profile
- Click Create
- Give the profile a Name
- Enter a Description (Optional)
- Click Next
- Click Add on the Configuration settings tab
- Give the Row a Name
- Fill in the OMA-URI: ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
- Data type: String
- Value:
<enabled/><data id="NotifyDisableIEOptions" value="2"/>- Click Save
Here, above value corresponds to one of the notify values as found in the admx file. Change this to your needs.
Finish setting up the configuration wizard by assigning the profile to a security group of choice.
End-user experience
The Internet Explorer shortcut is removed from the start menu, but IE can still be found under Program Files. Depending on the choice of the notification you made, the below notification is shown to the end-user.
End after that the Edge browser is started.
That`s it for this post. Keep in mind this settings is just released in preview.
Happy testing!
I see this policy in my local GPO, but not domain GPOs, and ive copied over the latest 20H2 ADMX files. Any idea why?
Running 20H2, event logs suggest that the system cannot find the OMA URI of ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
Any ideas?
Are you running at least 19042.804?
Thanks for the post Peter.
I am having a similar issue as Andy above. I am logged into our DC but I do not see this GPO option either on the COMPUTER or USER configurations.
DC = Windows Server 2019 STD
However, on my local GPO I do see this option. Locally I am running Windows 10 version 20H2
My question is how do I enable this policy on the domain level?
Our DC is in-house and we do not use InTunes.
Thanks in advance for your reply and again this article.
Hi Dennis,
You could give this a try;
First, check the inetres.admx file on your local system. If it contains the DisableInternetExplorerApp setting, you should copy that file to your central store or PolicyDefinition folder.
But I’ve not tested that, as I’m using Intune to manage the devices.
I’m also struggling to get this to work from domain group policy. I tried your suggestion and it throws an error when editing policy thereafter!?
What I did was…
1) Confirmed my DC C:\Windows\PolicyDefinitions\inetres.admx file does indeed contain the “DisableInternetExplorer” setting.
2) Backed up my SYSVOL\PolicyDefinitions\inetres.admx copy and replaced it with the local copy from above.
3) Try and create a new GPO via group policy editor and it throws out and error.
Resource ‘$9string.AllowSaveTargetAsInIEMode)’ referenced in attribute displayName could not be found
File
\\MyDomain.com\SysVol\MyDomain.com\Policies\PolicyDefinitions\inetres.admx, line 35191, column 278
Is this potentially because I have a mixture of Server 2016 and Server 2019 domain controllers? The domain is running at 2016 functional level.
Or perhaps do you need to install Edge before this will work?
What would the process be to revert and enable IE again through a config profile? I’ve tried both removing the device group from the profile and setting the profile to .
same. not sure if I need it yet, but I can’t deploy the disable and then find out someone need IE, and it’s irreversible. Excluding things from the OMA URI Policy works, but in order to do that I’d have to know every device that needs IE in advance. I can’t go through 5000 devices to figure out which one needs IE.
Same for me. I tried with the value a disable but the deployment fails. I would really like to find a fallback method.