If you haven’t heard by now, only the latest versions of Internet Explorer are supported on all Windows operating systems as of January 12th, 2016.

Details here: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer

For most IT Pros, this means upgrading from IE8, IE9, or IE10 to IE11 on Windows 7. There are lot’s of ways to accomplish this; a patch, a package, an application, a task sequence, using the IEAK, or using the PowerShell ADT.

Each of the different methods have their pros and cons, and when I went to evaluate the method I wanted to use, I found none of them had a very good user experience.

Common Issues

Unnecessary bandwidth consumption downloading pre-reqs

IE force closes

User is forced to reboot immediately, no deferment

Multiple reboots are required

User is unable to work for X amount of time

Post-install patches are missing (Enterprise mode doesn’t work)

To work around a lot of these issues, I tested some of the methods above and decided on using a task sequence with a few tricks to get the best user experience possible. I wanted to ensure my users were not impacted when we upgraded them.

IE11 Install Method Matrix Method Interactive Reboot Multiple reboots Ent. Mode IE force closed User downtime Software Update No Based on client setting Yes No No No Standalone .exe No Immediate reboot No Yes Yes Yes IEAK No Immediate reboot No Yes Yes Yes Task Sequence No Delayed reboot No Yes No No

Originally I was using the task sequence with the standalone .exe, but could not get past the issue of IE being force closed. I even wrapped it in the PowerShell ADT and found a limitation that it would not run interactively even after specifying the -DeployMode Interactive parameter. I even tried ServiceUI and still had no luck. I wanted to emulate the experience that deploying as a software update would provide, so I resorted to DISM and using the extracted CAB file.

IE11 Pre-requisites

***WARNING*** The method below assumes you have all 9 pre-req patches already deployed, so the TS does not account for any pre-reqs. If you do not have the pre-reqs already installed, you can add them easily using Venu’s Singireddy’s method. This will require two reboots in your install though.

The Task Sequence

Internet Explorer 11 Task Sequence Step Package Details Set SMSTSErrorDialogTimeout No SMSTSErrorDialogTimeout = 1 IE11 Install Yes dism /online /add-package /packagepath:IE-Win7.CAB /quiet /norestart /logpath:C:\temp\IE11_install.log IE11 – KB3104002 Yes wusa.exe IE11-Windows6.1-KB3104002-x64.msu /quiet /norestart Set reboot to 8 hours No SMSRebootTimeout = 28800 Restart Computer No Timeout = 9999 Disable First Run No %windir%\system32\reg.exe add "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /t REG_DWORD /v DisableFirstRunCustomize /d 1 /f Disable HSTS x64 No %windir%\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_HSTS" /v iexplore.exe /t REG_DWORD /d 1 /f Disable HSTS x86 No %windir%\system32\reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_HSTS" /v iexplore.exe /t REG_DWORD /d 1 /f Array Compatibility Fix Yes powershell.exe -executionpolicy bypass -file Set-IECompatView.ps1

What it does:

Sets the SMSTSErrorDialogTimeout to 1 so users do not get a nasty popup if there is an error

Installs IE11 using DISM and the extracted .CAB files

Installs the latest IE Cumulative patch to enable Enterprise Mode (and for security)

Sets the Restart timer to 8 hours 9999 seconds/166.65 minutes/2.78 hours is the maximum by default, but you can override with this handy TS variable

Restarts the computer If user is logged on, prompts for 8 hours

Disables IE first run customization wizard Some users experience this wizard after the upgrade

Disables HTTP Strict Transport Security x86/x64 Some of our websites did not function with this enabled

Adds domain of your choice to compatibility view for all user profiles cached on the machine We needed this because of our web based VPN users They would get IE11 and the Ent. Mode patch, but because they were offline after the reboot, they could not download the Ent. Mode Site list, which contained compat settings needed to reconnect to the VPN! Chicken/Egg scenario

cached on the machine

Set-IECompatView.ps1

If you need to add a domain to Compatibility View without utilizing your Ent. Mode Site List, you can modify the below script and add it to your task sequence.

Open IE and add your domain(s) to Compatibility View under the Tools menu Browse to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData Export the key Modify the UserFilter below with your exported hex value

Reference: http://jeffgraves.me/2014/02/19/modifying-ie-compatibility-view-settings-with-powershell/

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 Write-Output 'Creating HKU drive...' New-PSDrive -Name HKU -PSProvider Registry -Root Registry :: HKEY_USERS -ErrorAction SilentlyContinue | Out-Null Write-Output 'Parsing User SIDs...' $UserSids = ( Get-ChildItem HKU : | where { $_ . Name -match 'S-\d-\d+-(\d+-){1,14}\d+$' } ) . PSChildName foreach ( $SID in $UserSids ) { Write-Output "Updating SID: $($SID)" if ( test-path "HKU:\$SID\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData" ) { Write-Output 'ClearableListData found!' Set-ItemProperty -Path "HKU:\$SID\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData" -Type Binary -Name UserFilter -Value ( [ byte [ ] ] ( 0x41 , 0x1f , 0x00 , 0x00 , 0x53 , 0x08 , 0xad , 0xba , 0x01 , 0x00 , 0x00 , 0x00 , 0x32 , 0x00 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 , 0x0c , 0x00 , 0x00 , 0x00 , 0x0a , 0xdf , 0xe7 , 0xb9 , 0xc3 , 0x3d , 0xd1 , 0x01 , 0x01 , 0x00 , 0x00 , 0x00 , 0x0a , 0x00 , 0x68 , 0x00 , 0x75 , 0x00 , 0x6d , 0x00 , 0x61 , 0x00 , 0x6e , 0x00 , 0x61 , 0x00 , 0x2e , 0x00 , 0x63 , 0x00 , 0x6f , 0x00 , 0x6d , 0x00 ) ) -Force | Out-Null Write-Output 'Set Compat View to humana.com!' } else { Write-Output 'ClearableListData not found!' New-Item -Path "HKU:\$SID\Software\Microsoft\Internet Explorer\BrowserEmulation\" -ErrorAction SilentlyContinue | Out-Null New-Item -Path "HKU:\$SID\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData\" -ErrorAction SilentlyContinue | Out-Null New-ItemProperty -Path "HKU:\$SID\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData" -Type Binary -Name UserFilter -Value ( [ byte [ ] ] ( 0x41 , 0x1f , 0x00 , 0x00 , 0x53 , 0x08 , 0xad , 0xba , 0x01 , 0x00 , 0x00 , 0x00 , 0x32 , 0x00 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 , 0x0c , 0x00 , 0x00 , 0x00 , 0x0a , 0xdf , 0xe7 , 0xb9 , 0xc3 , 0x3d , 0xd1 , 0x01 , 0x01 , 0x00 , 0x00 , 0x00 , 0x0a , 0x00 , 0x68 , 0x00 , 0x75 , 0x00 , 0x6d , 0x00 , 0x61 , 0x00 , 0x6e , 0x00 , 0x61 , 0x00 , 0x2e , 0x00 , 0x63 , 0x00 , 0x6f , 0x00 , 0x6d , 0x00 ) ) -Force | Out-Null Write-Output 'Added humana.com to Compat View!' } }

The User Experience

Our deployment was non-interactive, so the files downloaded before executing the TS, IE11 installed, and the user is none the wiser until they get the below prompt!

This solution solved all our needs, IE is not force closed, user only has to reboot once, Ent. Mode is enabled immediately, and user downtime is basically just the time it takes to reboot.