Windows - Software - Disable Internet Explorer

What the Internet Explorer disabler does

This Automox Worklet™ removes the Internet Explorer optional feature from Windows endpoints running version 8 or later. The Worklet queries the system for the presence of the Internet-Explorer feature and verifies its current state before proceeding with removal.

The Worklet uses PowerShell to interact with Windows Feature Management, a built-in Windows component that controls optional features at the OS level. This approach removes the browser completely rather than merely hiding or blocking it by policy.

The Worklet examines registry keys including HKCU:\Automox\WorkletConfig.

You can configure the Worklet to reboot endpoints immediately after feature removal or to defer the reboot, allowing you to coordinate the timing with your maintenance windows.

Why disable Internet Explorer on your network

Internet Explorer reached end-of-life on June 15, 2022, and receives no further security updates from Microsoft. Organizations that continue to allow access to Internet Explorer expose their endpoints to exploits targeting known, unfixed vulnerabilities in the browser engine, rendering engine, and JavaScript parser.

Disabling Internet Explorer eliminates the attack surface entirely and prevents legacy applications from defaulting to the browser when http or https links are clicked. This is particularly important in environments where users may access untrusted websites or receive phishing emails that exploit browser vulnerabilities.

Many compliance frameworks, including CIS Benchmarks and NIST guidelines, recommend or require the removal of Internet Explorer from Windows systems. Disabling the feature helps your organization meet these compliance requirements and reduce your security posture risk assessment score.

How Internet Explorer feature removal works

1. Evaluation phase: The Worklet retrieves the current state of the Internet-Explorer optional feature using Get-WindowsOptionalFeature. If the feature is not present or is already disabled, the Worklet exits successfully without taking any action. If the feature is enabled, the Worklet stores the configuration settings (reboot preference and feature mask) in the Windows registry under HKCU:\Automox\WorkletConfig, using base64 encoding and JSON serialization to preserve the settings for the remediation phase.

2. Remediation phase: The Worklet retrieves the stored configuration from the registry and verifies that the Internet-Explorer feature is still enabled. It then calls Disable-WindowsOptionalFeature with the -Online flag to disable the feature without requiring a reboot during the remediation operation. After disabling the feature, the Worklet checks the reboot preference setting. If reboot is set to true, the Worklet immediately initiates a system reboot using Restart-Computer -Force. If reboot is set to false, the Worklet completes without restarting, deferring the reboot to a scheduled maintenance window.

Internet Explorer removal requirements

• Windows 8, Windows 10, Windows 11, or Windows Server 2012 and later

• PowerShell 3.0 or later (included on all supported Windows versions)

• Administrator privileges required to modify Windows optional features

• Registry write access to HKCU:\Automox\WorkletConfig for configuration storage

• The Internet-Explorer optional feature must be installed on the endpoint (removal only works on systems where the feature is present)

• Configurable reboot preference allows you to schedule reboots during defined maintenance windows

Expected state after Internet Explorer removal

After successful remediation, the Internet Explorer optional feature is completely disabled on the endpoint. You can verify this by checking that Internet Explorer no longer appears in the Windows Features list or Start menu. The iexplore.exe application will no longer launch, and the Internet Explorer icon is removed from the Start menu and any pinned locations. Users cannot access Internet Explorer through the Windows Features control panel or by launching the application directly.

If the Worklet is configured to reboot immediately (the default behavior), endpoints will restart automatically after the feature removal completes. If deferred reboot is enabled, the feature is disabled but the reboot is postponed, allowing you to control when endpoints restart. You can verify the feature is disabled by checking the Windows Features control panel, where Internet Explorer will no longer appear in the optional features list.

How to validate disable internet explorer changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for disable internet explorer.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Internet-Explorer, Set-AXConfig, Split-Path.

4. Validate remediation effects from script operations such as ConvertTo-Hashtable, Select-Object, Get-AXConfig, then rerun evaluation for compliance.