Disable Internet Explorer Using Intune Group Policy Browser App

This post will guide you to disable Internet Explorer using Intune Portal (a.k.a Endpoint Manager portal). Microsoft recently announced that Internet Explorer 11 desktop application would be retired and go out of support on June 15, 2022, for certain versions of Windows 10.

Microsoft continues disinvesting from Internet Explorer 11 and Microsoft Edge Legacy towards the new MS Edge. The future of Internet Explorer on Windows 10 is in Microsoft Edge, recommending users switch to Microsoft Edge for a modern browsing experience with faster, more secure solutions.

Microsoft Edge has built-in Internet Explorer mode (IE mode) so that you can access legacy Internet Explorer-based websites and applications straight from Microsoft Edge. After configuring IE mode, you can disable IE11 as a standalone browser without affecting IE mode functionality across your organization.

Read More -> Why A Hotfix To Remove IE Browser App From Windows 10 Devices Is Needed

Patch My PC

Let’s check how to disable the Internet Explorer 11 Browser app using Intune and Group Policy. You can disable this using Group Policy, Intune, and Registry Entries as well. I have covered the Settings catalog option to disable IE 11 Browser.

NOTE! – Support for IE mode follows the lifecycle of current and future Windows client, Windows server, and Windows IoT releases (including Windows 11) at least through 2029.

Prerequisites to Disable Internet Explorer

The following Windows updates and Microsoft Edge software are required-

  • Windows updates
    • Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2: KB4598291 or later
    • Windows 10 version 1909, Windows Server version 1909: KB4598298 or later
    • Windows 10 version 1809, Windows Server version 1809, and Windows Server 2019: KB4598296 or later
    • Windows 10, version 1607, Windows Server 2016: KB4601318 or later
    • Windows 10 initial version (July 2015): KB4601331 or later
    • Windows 8.1: KB4601384 or later
    • Windows Server 2012: KB4601348 or later
  • Microsoft Edge Stable Channel

Disable Internet Explorer Using Intune Portal

You can use Intune Settings Catalog to Disable the IE11 (Internet Explorer 11) Standalone Browser application from Windows 10 devices.

  • Sign in to the Microsoft Endpoint Manager admin center
  • Select Devices > Configuration profiles > Create profile.
  • Select Platform: Windows 10 and later and Profile
  • Select Settings catalog (preview). Click on Create button.
  • Enter the Name of the Policy and Description.
    • Disable IE 11 Standalone Browser

You can click on the Next button to continue and select the settings.

Disable Internet Explorer Using Intune 1
Disable Internet Explorer Using Intune 1

From the Configuration settings page, select Add settings. Try searching Disable Internet Explorer from the Search box under Settings Picker and click on the Search button.

  • Click on Administrative Templates/Windows Components/Internet Explorer.
  • Select the settings name -> Disable Internet Explorer 11 as a standalone browser (User).
  • Enable the Slider to disable the IE11 standalone browser from Windows 10 devices.

You need to click on the NEXT button to continue with the creation and deployment (assignment of the policy).

NOTE! – Thanks to Steve Prentice for asking this question to MikeDonoski (Microsoft PM) and Mike confirmed that this settings catalog policy that Intune has now is only applying to Insiders (as of 17th June 2022). Microsoft is patching updated setting applicability and adding the /device scope one. More details are in this Tweet.

Disable IE 11 Browser using Intune 2
Disable IE 11 Browser using Intune 2

Group Policy Settings to Disable IE 11 Browser Application

This Group Policy lets you restrict the launching of Internet Explorer as a standalone browser. If you enable this policy, it:

  • Prevents Internet Explorer 11 from launching as a standalone browser.
  • Restricts Internet Explorer’s usage to Microsoft Edge’s native ‘Internet Explorer mode’.
  • Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.
  • Overrides any other policies that redirect to Internet Explorer 11.

If you disable or don’t configure this policy, all sites are opened using the currently active browser settings.

NOTE: Microsoft Edge Stable Channel must be installed for this policy to take effect.

Group Policy Settings to Disable IE 11 Browser Application 1
Group Policy Settings to Disable IE 11 Browser Application 1

Let’s disable and redirect IE 11 Browser to Microsoft Edge. I recommend the Always option since IE 11 is going to decommission soon.

  • Never if you don’t want to notify users that IE11 is disabled.
  • Always if you want to notify users every time they’re redirected from IE11.
  • Once per user if you want to notify users only the first time they are redirected.
Group Policy Settings to Disable IE 11 Browser Application 2
Group Policy Settings to Disable IE 11 Browser Application 2

Custom Policy Creation to Disable IE 11 Browser from Windows 10 Device

Ensure you have the pre-requisite operating system updates. Let’s follow the steps to configure the Policy to disable Internet Explorer using Intune.

  • Sign in to the Microsoft Endpoint Manager admin center.
  • Navigate to Devices > Configuration Profiles >+ Create Profile
  • Select Platform as Windows 10 and Later
  • Select Profile as Templates, choose Custom from the available Template name and click on Create button.

Note – You can also create custom profiles, which are created similar to built-in profiles. Custom profiles are great when you want to use device settings and features built into Intune. These profiles include features and settings for you to control on devices in your organization. 

Disable Internet Explorer Using Intune | Endpoint Manager
Disable Internet Explorer Using Intune | Endpoint Manager

In Basics, Specify a descriptive name for the policy, a description (optional), then select Next.

Disable Internet Explorer Using Intune | Endpoint Manager
Disable Internet Explorer Using Intune | Endpoint Manager

In Configuration settings, Click on Add button. 

Disable Internet Explorer Using Intune | Endpoint Manager | Easy Steps
Configuration Settings – Add OMA-URI Settings Disable Internet Explorer Using Intune | Endpoint Manager | Easy Steps

We have three options for the custom profile configuration. For Example – We added value two as we want to notify users only the first time. Never (Value 0)- if you don’t want to notify users that IE11 is disabled.
Always (Value 1) - if you want to notify users every time they’re redirected from IE11.
Once per user (Value 2) – if you want to notify users only the first time, they are redirected.

Under OMA-URI settings, Enter the following settings –

  • Name: Enter a unique name for the OMA-URI setting. For Example – Disable Internet Explorer
  • Description: Enter a description that gives an overview of the setting.
  • OMA-URI: Enter the following OMA-URI. It’s case-sensitive
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
  • Data type: Select the String data type from the drop-down.
  • Value: Enter the following data value
<enabled/><data id="NotifyDisableIEOptions" value="2"/>

After specifying all details, Click Save.

NOTE! – David Allen confirmed in the Twitter that they ended up just using this for now and it is working: OMA-URI: ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp Data Type: String Value: <enabled/><data id=”NotifyDisableIEOptions” value=”0″/>

Disable Internet Explorer Using Intune | Endpoint Manager
Disable Internet Explorer Using Intune | Endpoint Manager

Specified OMA-URI Settings you can see appear here, Review and Click Next.

Disable Internet Explorer Using Intune | Endpoint Manager
Disable Internet Explorer Using Intune | Endpoint Manager

Add scope tags (if required) and click Next.

Under Assignments, Select Included groups and then choose Select groups to include one or more device groups. Select Next to continue.

Assignments - Included Groups
Assignments – Included Groups

You can add applicability rules, so the profile only applies to a specific OS version or Windows edition. Here I’m leaving it default and Clicking Next.

Intune Policy Applicability Rules
Intune Policy Applicability Rules Disable Internet Explorer Using Intune | Endpoint Manager | Easy Steps

In Review, review your settings. When you select Create, your changes are saved, and the profile is assigned. 

Review Configuration Settings - Disable Internet Explorer
Review Configuration Settings – Disable Internet Explorer

A notification will appear automatically in the top right-hand corner with a message. Here, the Profile “Disable Internet Explorer 11” was created successfully. Your groups will receive your profile settings when the devices check-in with the Intune service.

Disable Internet Explorer Using Intune | Endpoint Manager
Disable Internet Explorer Using Intune | Endpoint Manager

End-User Experience

Let’s check the end-user experience, Once the policy settings configured above to disable Internet explorer is applied to target devices.

In Windows ten device, Lunch Internet Explorer, you see Prevents Internet Explorer launching. In addition, a prompt will appear with the message based on the above configuration, “The action is restricted. For more information, please contact your system administrator”.

When the user clicks on OK, It will automatically redirect to Microsoft Edge Browser, and users have the following experience –

  • The IE11 icon on the Start Menu will be removed, the taskbar icon will remain.
  • When users try to launch shortcuts or file associations that use IE11, they will be redirected to open the same file/URL in Microsoft Edge.
  • When users try to launch IE11 by directly invoking the iexplore.exe binary, Microsoft Edge will launch instead.
Disable Internet Explorer Using Intune | Endpoint Manager
Disable Internet Explorer Using Intune | Endpoint Manager

Resources

Disable Internet Explorer 11 as a standalone browser – https://docs.microsoft.com/en-us/deployedge/edge-ie-disable-ie11

Author

About Author – Jitesh, Microsoft MVP, has over five years of working experience in the IT Industry. He writes and shares his experiences related to Microsoft device management technologies and IT Infrastructure management. His primary focus is Windows 10 Deployment solution with Configuration Manager, Microsoft Deployment Toolkit (MDT), and Microsoft Intune.

11 thoughts on “Disable Internet Explorer Using Intune Group Policy Browser App”

  1. The Administrative Template option in MEM is not working for me. The report says “Not applicable” while all other settings and user settings apply successfully.

    I’m wondering about 2 things here:
    1.) Why isn’t there a device setting of the same option?
    2.) In the regular GPO I cannot simply turn on this setting, but I need to choose a Notification option (Never, Once per user, Always), which will determine the registry value data that is configured on the client. This setting is missing in MEM. Maybe that is the reason why the template isn’t working?

    Reply
  2. I get exactly the same behaviour.
    The Group policy for domain joined devices works exactly as intended, but neither of the options through Intune work.

    I get “Not applicable” for the Settings catalogue on all devices, and it just gives an Error if I use the custom OMA-URI settings.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.