This post will guide you to disable Internet Explorer using Intune Portal (a.k.a Endpoint Manager portal). Microsoft recently announced that Internet Explorer 11 desktop application would be retired and go out of support on June 15, 2022, for certain versions of Windows 10.
Microsoft continues disinvesting from Internet Explorer 11 and Microsoft Edge Legacy towards the new MS Edge. The future of Internet Explorer on Windows 10 is in Microsoft Edge, recommending users switch to Microsoft Edge for a modern browsing experience with faster, more secure solutions.
Microsoft Edge has built-in Internet Explorer mode (IE mode) so that you can access legacy Internet Explorer-based websites and applications straight from Microsoft Edge. After configuring IE mode, you can disable IE11 as a standalone browser without affecting IE mode functionality across your organization.
Read More -> Why A Hotfix To Remove IE Browser App From Windows 10 Devices Is Needed
Let’s check how to disable the Internet Explorer 11 Browser app using Intune and Group Policy. You can disable this using Group Policy, Intune, and Registry Entries as well. I have covered the Settings catalog option to disable IE 11 Browser.
- Configure Enterprise Mode Site List To Use IE Mode Using Intune
- Enable Internet Explorer Mode in Microsoft Edge
NOTE! – Support for IE mode follows the lifecycle of current and future Windows client, Windows server, and Windows IoT releases (including Windows 11) at least through 2029.
Prerequisites to Disable Internet Explorer
The following Windows updates and Microsoft Edge software are required-
- Windows updates
- Windows 10, version 2004, Windows Server version 2004, Windows 10, version 20H2: KB4598291 or later
- Windows 10 version 1909, Windows Server version 1909: KB4598298 or later
- Windows 10 version 1809, Windows Server version 1809, and Windows Server 2019: KB4598296 or later
- Windows 10, version 1607, Windows Server 2016: KB4601318 or later
- Windows 10 initial version (July 2015): KB4601331 or later
- Windows 8.1: KB4601384 or later
- Windows Server 2012: KB4601348 or later
- Microsoft Edge Stable Channel
Disable Internet Explorer Using Intune Portal
You can use Intune Settings Catalog to Disable the IE11 (Internet Explorer 11) Standalone Browser application from Windows 10 devices.
- Sign in to the Microsoft Endpoint Manager admin center
- Select Devices > Configuration profiles > Create profile.
- Select Platform: Windows 10 and later and Profile
- Select Settings catalog (preview). Click on Create button.
- Enter the Name of the Policy and Description.
- Disable IE 11 Standalone Browser
You can click on the Next button to continue and select the settings.
From the Configuration settings page, select Add settings. Try searching Disable Internet Explorer from the Search box under Settings Picker and click on the Search button.
- Click on Administrative Templates/Windows Components/Internet Explorer.
- Select the settings name -> Disable Internet Explorer 11 as a standalone browser (User).
- Enable the Slider to disable the IE11 standalone browser from Windows 10 devices.
You need to click on the NEXT button to continue with the creation and deployment (assignment of the policy).
NOTE! – Thanks to Steve Prentice for asking this question to MikeDonoski (Microsoft PM) and Mike confirmed that this settings catalog policy that Intune has now is only applying to Insiders (as of 17th June 2022). Microsoft is patching updated setting applicability and adding the /device scope one. More details are in this Tweet.
Group Policy Settings to Disable IE 11 Browser Application
This Group Policy lets you restrict the launching of Internet Explorer as a standalone browser. If you enable this policy, it:
- Prevents Internet Explorer 11 from launching as a standalone browser.
- Restricts Internet Explorer’s usage to Microsoft Edge’s native ‘Internet Explorer mode’.
- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.
- Overrides any other policies that redirect to Internet Explorer 11.
If you disable or don’t configure this policy, all sites are opened using the currently active browser settings.
NOTE: Microsoft Edge Stable Channel must be installed for this policy to take effect.
Let’s disable and redirect IE 11 Browser to Microsoft Edge. I recommend the Always option since IE 11 is going to decommission soon.
- Never if you don’t want to notify users that IE11 is disabled.
- Always if you want to notify users every time they’re redirected from IE11.
- Once per user if you want to notify users only the first time they are redirected.
Custom Policy Creation to Disable IE 11 Browser from Windows 10 Device
Ensure you have the pre-requisite operating system updates. Let’s follow the steps to configure the Policy to disable Internet Explorer using Intune.
- Sign in to the Microsoft Endpoint Manager admin center.
- Navigate to Devices > Configuration Profiles >+ Create Profile
- Select Platform as Windows 10 and Later
- Select Profile as Templates, choose Custom from the available Template name and click on Create button.
Note – You can also create custom profiles, which are created similar to built-in profiles. Custom profiles are great when you want to use device settings and features built into Intune. These profiles include features and settings for you to control on devices in your organization.
In Basics, Specify a descriptive name for the policy, a description (optional), then select Next.
In Configuration settings, Click on Add button.
We have three options for the custom profile configuration. For Example – We added value two as we want to notify users only the first time. Never (Value 0)- if you don’t want to notify users that IE11 is disabled.
Always (Value 1) - if you want to notify users every time they’re redirected from IE11.
Once per user (Value 2) – if you want to notify users only the first time, they are redirected.
Under OMA-URI settings, Enter the following settings –
- Name: Enter a unique name for the OMA-URI setting. For Example – Disable Internet Explorer
- Description: Enter a description that gives an overview of the setting.
- OMA-URI: Enter the following OMA-URI. It’s case-sensitive
./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp- Data type: Select the String data type from the drop-down.
- Value: Enter the following data value
<enabled/><data id="NotifyDisableIEOptions" value="2"/>After specifying all details, Click Save.
NOTE! – David Allen confirmed in the Twitter that they ended up just using this for now and it is working: OMA-URI: ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp Data Type: String Value: <enabled/><data id=”NotifyDisableIEOptions” value=”0″/>
Specified OMA-URI Settings you can see appear here, Review and Click Next.
Add scope tags (if required) and click Next.
Under Assignments, Select Included groups and then choose Select groups to include one or more device groups. Select Next to continue.
You can add applicability rules, so the profile only applies to a specific OS version or Windows edition. Here I’m leaving it default and Clicking Next.
In Review, review your settings. When you select Create, your changes are saved, and the profile is assigned.
A notification will appear automatically in the top right-hand corner with a message. Here, the Profile “Disable Internet Explorer 11” was created successfully. Your groups will receive your profile settings when the devices check-in with the Intune service.
End-User Experience
Let’s check the end-user experience, Once the policy settings configured above to disable Internet explorer is applied to target devices.
In Windows ten device, Lunch Internet Explorer, you see Prevents Internet Explorer launching. In addition, a prompt will appear with the message based on the above configuration, “The action is restricted. For more information, please contact your system administrator”.
When the user clicks on OK, It will automatically redirect to Microsoft Edge Browser, and users have the following experience –
- The IE11 icon on the Start Menu will be removed, the taskbar icon will remain.
- When users try to launch shortcuts or file associations that use IE11, they will be redirected to open the same file/URL in Microsoft Edge.
- When users try to launch IE11 by directly invoking the iexplore.exe binary, Microsoft Edge will launch instead.
Resources
Disable Internet Explorer 11 as a standalone browser – https://docs.microsoft.com/en-us/deployedge/edge-ie-disable-ie11
Very good article. Thank you.
Good to hear Tushar, Appreciate your inputs!
Amazing post, Is there any way to revert this and enable the IE again.
Hello Umang, Glad you like it. Can we know why would you want to revert?
Did not work for me and I get an error.
what is the error
The Administrative Template option in MEM is not working for me. The report says “Not applicable” while all other settings and user settings apply successfully.
I’m wondering about 2 things here:
1.) Why isn’t there a device setting of the same option?
2.) In the regular GPO I cannot simply turn on this setting, but I need to choose a Notification option (Never, Once per user, Always), which will determine the registry value data that is configured on the client. This setting is missing in MEM. Maybe that is the reason why the template isn’t working?
I get exactly the same behaviour.
The Group policy for domain joined devices works exactly as intended, but neither of the options through Intune work.
I get “Not applicable” for the Settings catalogue on all devices, and it just gives an Error if I use the custom OMA-URI settings.
Thanks to Steve Prentice for asking this question to MikeDonoski (Microsoft PM) and Mike confirmed that this settings catalog policy that Intune has now is only applying to Insiders. Microsoft is patching an updated setting applicability and adding the /device scope one.
https://twitter.com/MikeDanoski/status/1537861555655614464?s=20&t=gMXERCIMb8hImzOSl9eCzg
Thank you very much for the update!
It works fine with the OMA-URI, Thanks.
The documentation is not complete on the Microsoft site.
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-internetexplorer#internetexplorer-disableinternetexplorerapp
If I need to re-enable Internet Explorer, as a fallback method, could I change the value to ?