Internet Explorer 11 is disabled or removed.

Property	Value
ISM Control	ISM-1654
Revision	0
Updated	Sep-21
Guideline	Not provided
Section	Operating system hardening
Topic	Hardening operating system configurations
Essential Eight	ML1, ML2, ML3
PSPF Levels	NC, OS, P, S, TS

Summary

ISM-1654 disables or removes Internet Explorer 11 to reduce exposure to legacy vulnerabilities and ensure use of supported browsers¹. Implement this by deploying the UserApplicationHardening-RemoveFeatures.ps1 script via the Intune Scripts option with the following settings: Run this script using the logged on credentials: No, Enforce script signature check: No, Run script in 64-bit PowerShell Host: No; the script also disables .NET Framework 3.5 and Windows PowerShell 2.0¹.

Platform status:

OS	IE 11 status
Windows 11	IE 11 desktop app is not shipped. `iexplore.exe` exists only as the MSHTML/Trident engine used by Edge IE mode. Any launch automatically opens Edge.
Windows 10 (SAC, 20H2+)	A retirement update (Feb 2023) began disabling IE 11 and redirecting launches to Microsoft Edge. The icon may remain visible until the first launch attempt.
Windows 10 LTSC / Server LTSC	IE 11 remains fully functional. The standard retirement update does not apply. Use AppLocker or WDAC to block `iexplore.exe` on these builds.

[!WARNING] Disabling IE 11 as a standalone app does not fully eliminate risk. The MSHTML (Trident) engine remains in the OS for Edge IE mode and continues to be exploited — e.g., CVE-2023-35628 (zero-click RCE via MSHTML) and CVE-2024-21513 (security-feature bypass, actively exploited). Full patching of Windows is required alongside this control.

Justification

Disabling Internet Explorer 11 as a standalone browser reduces reliance on a legacy browser while preserving compatibility through Microsoft Edge IE mode where required²³. Where complete removal is required, the Microsoft-provided script aligns with Essential Eight implementation guidance¹.

Design Decision

[!NOTE] The UserApplicationHardening-RemoveFeatures.ps1 script will be deployed via the Intune ‘Scripts’ option to disable Internet Explorer 11 as a standalone browser.

Prerequisites

Licensing: Appropriate Microsoft Intune licensing is required if Intune is used for implementation.
Dependencies:
- Devices must be enrolled in Microsoft Intune and enrolled in Entra ID and/or hybrid Azure AD joined for script deployment via Intune.
- Use the UserApplicationHardening-RemoveFeatures.ps1 as a PowerShell script with the following options:
  - Run this script using the logged on credentials: No
  - Enforce script signature check: No
  - Run script in 64-bit PowerShell Host: No
- Deploy the script via Intune ‘Scripts’ option.

Implementation Steps

Disable Internet Explorer 11 as a standalone browser via Settings Catalog

Create a new Settings Catalog policy.¹
Browse by category, and search for: Disable Internet Explorer 11 as a standalone browser (User).¹
Go to Administrative Templates\Windows Components\Internet Explorer and select the setting: Disable Internet Explorer 11 as a standalone browser (User).¹
Enable the setting Disable Internet Explorer 11 as a standalone browser (User).¹
Deploy the policy to a set of devices or users.¹

Alternative: Deploy via Intune Custom OMA-URI

In Intune, create a Device configuration → Custom profile.
Add a new OMA-URI setting:
- Name: Block IE11 App Access
- OMA-URI: ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableInternetExplorerApp
- Data type: String
- Value: <enabled/><data id="NotifyDisableIEOptions" value="0"/> (use 0 = Never show dialog / silent redirect; 1 = Once per user; 2 = Always)⁴
Assign the profile to the target device or user group.
Verify on a test machine: launching iexplore.exe should open Microsoft Edge with the original URL.

Remove Internet Explorer 11 completely using UserApplicationHardening-RemoveFeatures.ps1 script via Intune Scripts

Add the UserApplicationHardening-RemoveFeatures.ps1 as a PowerShell script with the following options:
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64-bit PowerShell Host: No¹
Assign the script to a deployment group.¹
Note: This script also disables .NET Framework 3.5 (includes .NET 2.0 and 3.0) and Windows PowerShell 2.0.¹

Edge-based IE11 disable guidance covers disabling Internet Explorer 11 as a standalone browser and migrating to Edge Disable Internet Explorer 11 ²
Lifecycle guidance for Internet Explorer and Microsoft Edge including IE mode and end-of-support timelines Lifecycle FAQ - Internet Explorer and Microsoft Edge ³
Policy CSP - InternetExplorer details the DisableInternetExplorerApp policy to prevent launching Internet Explorer 11 Policy CSP - InternetExplorer ⁴
Redirection from Internet Explorer to Microsoft Edge for compatibility with modern web sites Redirection from Internet Explorer to Microsoft Edge for compatibility with modern web sites ⁵
ASD Blueprint for Secure Cloud’s User application hardening section outlines controls aligned to Essential Eight guidance ASD Blueprint: User application hardening ⁶

🛡️ Essential 8 Guide