Block Internet Explorer via Intune
Good day! Short and sweet post today: this post details the steps to block the Internet Explorer application via Intune.
First, why block Internet Explorer?
Internet Explorer has been around for 25 years since its release in 1995 (I was four!). In a nutshell, it has served its duty, but it can no longer keep up with more modern browsers such as Microsoft Edge in terms of productivity and security. Also, from an IT professional perspective, Microsoft will end support for Internet Explorer 11 on June 15, 2022. Here is the official announcement from Microsoft, which does a great job of listing the reasons why Internet Explorer is being retired and includes an FAQ. As a special note, if your organisation still has websites that rely on Internet Explorer, take a look at IE mode, which renders the IE11 engine within the Edge browser application.
Prerequisites
To be able to successfully block Internet Explorer via Intune, the following needs to be in place:
- Devices enrolled and licensed within Intune (Obviously!)
- The following Windows 10 versions and patch levels must be in place:
  - Windows 10 version 20H2, with KB4598291 or later
  - Windows 10 version 2004, with KB4598291 or later
  - Windows 10 version 1909, with KB4598298 or later
  - Windows 10 version 1809, with KB4598296 or later
  - Windows 10 version 1607, with KB4601318 or later
  - Windows 10 initial version (July 2015), with KB4601331 or later
- Microsoft Edge must be installed within the Stable channel.
Creating a custom profile
To block Internet Explorer via Intune, we need to create a custom policy (at the time of writing, I cannot see this option listed in the settings catalog). To do this, browse to the MEMAC portal, navigate to Devices, then Configuration Profiles, and finally Create Profile:
Select Windows 10 and later for the platform, then a profile type of Templates and finally select Custom from the template list:
Insert an appropriate Name and Description:
On the next page, select Add:
Now we have a decision to make. When an end-user selects a shortcut or the IE app itself, a message can be displayed before they are redirected to Microsoft Edge. As the IT administrator, we can choose how often the message is displayed, or whether it is displayed at all. Here is the message box:
We have three options:
- Never (Default option) – This does not show a message dialogue box informing users that IE11 is disabled
- Always – Display the message dialogue box every time a user is redirected to Edge.
- Once per user – Only display the message dialogue box once for the end-user in question.
For my demonstration purposes, I am going to select the Once per user option. From a custom profile perspective, that means a value of "2", so let's explain which values correlate to the options above:
- “0” – Never
- “1” – Always
- “2” – Once per user
Select the value you wish to deploy in the custom profile configuration below. Here's my custom configuration profile (note the value of "2" is inserted, as I wish to display the message box only once per user):
Here's a table with the same options as above (beware of copying and pasting, as formatting may change the contents):
Setting | Value |
---|---|
Name | Block IE11 App Access |
Description | Block IE11 App Access |
OMA-URI | ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp |
Data Type | String |
Value | <enabled/><data id="NotifyDisableIEOptions" value="2"/> |
Once inserted, deploy the custom profile to test users or devices to confirm that all is well.
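The post warns that copying and pasting the Value can change its contents. The PowerShell below is an added example, not part of the original post: it builds the string from the chosen notification option and checks a pasted string for typographic quotes, well-formed XML and a value of 0, 1 or 2. The function names New-DisableIEValue and Test-DisableIEValue are hypothetical, and the sample input is constructed.

```powershell
# Added example; function names are hypothetical. The data id and the
# 0/1/2 option values are the ones given in the post.
$NotifyOptions = @{ Never = 0; Always = 1; OncePerUser = 2 }

function New-DisableIEValue {
    param([Parameter(Mandatory)][ValidateSet('Never', 'Always', 'OncePerUser')][string]$Notify)
    # Typed here with plain ASCII double quotes (U+0022) only.
    '<enabled/><data id="NotifyDisableIEOptions" value="{0}"/>' -f $NotifyOptions[$Notify]
}

function Test-DisableIEValue {
    param([Parameter(Mandatory)][string]$Value)
    $problems = [System.Collections.Generic.List[string]]::new()

    # Typographic quotes and primes that editors and web pages substitute for ".
    foreach ($m in [regex]::Matches($Value, '[\u2018-\u201F\u2032\u2033]')) {
        $problems.Add(('typographic quote U+{0:X4} at index {1}' -f [int]$m.Value[0], $m.Index))
    }

    try {
        # The value is two sibling elements, so wrap it to parse it as one document.
        $doc = [xml]"<root>$Value</root>"
        if ($null -eq $doc.DocumentElement.SelectSingleNode('enabled')) {
            $problems.Add('missing <enabled/> element')
        }
        $data = $doc.DocumentElement.SelectSingleNode('data[@id="NotifyDisableIEOptions"]')
        if ($null -eq $data) {
            $problems.Add('missing <data id="NotifyDisableIEOptions" .../> element')
        }
        elseif ($data.GetAttribute('value') -notin '0', '1', '2') {
            $problems.Add("value '$($data.GetAttribute('value'))' is not 0, 1 or 2")
        }
    }
    catch {
        $problems.Add('not well-formed XML: ' + $_.Exception.Message)
    }

    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Constructed sample: the value after a copy and paste replaced the quotes.
$rq = [char]0x201D; $dp = [char]0x2033
$pasted = "<enabled/><data id=${rq}NotifyDisableIEOptions${rq} value=${rq}2${dp}/>"

Test-DisableIEValue -Value $pasted | Format-List
Test-DisableIEValue -Value (New-DisableIEValue -Notify OncePerUser) | Format-List
```

The first call reports the substituted quote characters and the XML parse failure they cause; the second returns Valid = True with no problems.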
Results
On my test device, attempting to open IE11 results in the following message being displayed and I’m redirected to Microsoft Edge:
Great stuff! We've just blocked Internet Explorer 11 via Intune, which will improve productivity and better secure our endpoints and data. It's a bittersweet day.
References
https://docs.microsoft.com/en-us/deployedge/edge-ie-disable-ie11
Worked like a charm. Thank you for posting this!
You’re most welcome!
Cool! Just implemented and working, thanks!
Great stuff!
I followed your steps above but I am getting Not Applicable under check-in status in Endpoint Manager?
Hi there,
What OS edition and version are you testing this on? Make sure you're fully patched. If using Windows 11, then IE isn't installed, so that might be why you're still not applicable, if that is the case.
Thanks,
Alex