
Windows - Software - Disable Internet Explorer

Disables the Internet Explorer optional feature on Windows endpoints to remove an end-of-life browser attack surface

Worklet Details

What the Internet Explorer disabler does

This Automox Worklet™ disables the Internet Explorer optional feature on Windows 8, Windows 10, Windows 11, and Windows Server 2012 and later endpoints. The evaluation script calls Get-WindowsOptionalFeature -Online -FeatureName Internet-Explorer* against the live OS image and inspects the State property of the returned feature object.

If the feature is missing or already Disabled, the Worklet exits 0 and no remediation runs. If the feature is Enabled, the Worklet writes a small configuration blob (the feature mask and the reboot preference) to HKCU:\Automox\WorkletConfig as a base64-encoded JSON value, then exits 1 to trigger remediation.

The remediation script reads that blob with Get-AXConfig, re-confirms the feature is still Enabled, and pipes the feature object to Disable-WindowsOptionalFeature -Online -NoRestart. The -NoRestart flag suppresses the immediate DISM reboot prompt so the Worklet can govern reboot timing through the reboot parameter. With reboot = $true (the default), the script calls Restart-Computer -Force after the feature is staged for removal; with reboot = $false, the Worklet exits 0 and the change finalizes during the next scheduled restart.

The Internet-Explorer* feature mask matches the Internet-Explorer-Optional-amd64 package on 64-bit Windows and the corresponding x86 package on 32-bit hosts, so a single policy covers both architectures without separate variables.

Why remove an end-of-life browser from your Windows fleet

Microsoft ended support for the Internet Explorer 11 desktop application on June 15, 2022. Since that date the MSHTML rendering engine, the Chakra JScript engine, and the legacy ActiveX surface have not received security fixes on consumer Windows builds. Any IE-only intranet app, IE-launched URL handler, or accidental click on iexplore.exe pulls the user into an unpatched browser. The catalogued IE exploit chains – including the MSHTML zero-day CVE-2021-40444 and the JScript9 type-confusion CVE-2022-41128 – continue to be tested by attackers because so many enterprises left the feature installed after retirement.

This Worklet runs Disable-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64 on every Windows endpoint in scope, which retires the MSHTML rendering engine itself instead of relying on a group-policy block that users can route around. Remote and infrequently-online laptops that drift out of GPO scope still pick up the change on their next Automox check-in. The activity log captures the prior feature state per host, so the change-control record reflects which endpoints were already remediated and which still carried the legacy browser.

How Internet Explorer feature removal works

  1. Evaluation phase: The Worklet runs Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer*' to read the current feature state from the live image. A missing or Disabled feature exits 0 with no action. An Enabled feature triggers Set-AXConfig, which serializes a hashtable of featureMask = 'Internet-Explorer*' and reboot = $true to JSON, base64-encodes it, and writes it to HKCU:\Automox\WorkletConfig under the value name InternetExplorerRemoval. The script then exits 1 so Automox schedules remediation.

  2. Remediation phase: The Worklet calls Get-AXConfig 'InternetExplorerRemoval' to recover the feature mask and reboot preference, then re-queries Get-WindowsOptionalFeature. The matched feature object is piped into Disable-WindowsOptionalFeature -Online -NoRestart, which stages the IE package for removal from the component store. If reboot = $true, Restart-Computer -Force fires immediately and the feature unloads on the next boot. If reboot = $false, the Worklet exits 0 and the removal completes whenever the endpoint next restarts.
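The two phases above, sketched as an added example (not Automox's evaluation.ps1 or remediation.ps1). Save-Handoff and Read-Handoff are hypothetical stand-ins for Set-AXConfig and Get-AXConfig, and UTF-8 as the encoding of the JSON before base64 is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added sketch of the evaluation/remediation flow; not the Worklet's own code.
# Save-Handoff / Read-Handoff are hypothetical stand-ins for Set-AXConfig / Get-AXConfig.
$HandoffKey  = 'HKCU:\Automox\WorkletConfig'   # key and value name as given on the page
$HandoffName = 'InternetExplorerRemoval'

function Save-Handoff([hashtable]$Config) {
    $json = $Config | ConvertTo-Json -Compress
    $b64  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))  # UTF-8 assumed
    if (-not (Test-Path $HandoffKey)) { New-Item -Path $HandoffKey -Force | Out-Null }
    Set-ItemProperty -Path $HandoffKey -Name $HandoffName -Value $b64
}

function Read-Handoff {
    $b64 = (Get-ItemProperty -Path $HandoffKey -Name $HandoffName -ErrorAction Stop).$HandoffName
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Invoke-Evaluation([string]$FeatureMask = 'Internet-Explorer*', [bool]$Reboot = $true) {
    $enabled = Get-WindowsOptionalFeature -Online -FeatureName $FeatureMask |
        Where-Object { "$($_.State)" -eq 'Enabled' }
    if (-not $enabled) { return 0 }            # missing or not Enabled: nothing to do
    Save-Handoff @{ featureMask = $FeatureMask; reboot = $Reboot }
    return 1                                    # non-zero exit requests remediation
}

function Invoke-Remediation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $cfg = Read-Handoff
    # Re-query the live image rather than trusting the result of the earlier evaluation.
    $enabled = Get-WindowsOptionalFeature -Online -FeatureName $cfg.featureMask |
        Where-Object { "$($_.State)" -eq 'Enabled' }
    foreach ($f in $enabled) {
        if ($PSCmdlet.ShouldProcess($f.FeatureName, 'Disable optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -NoRestart | Out-Null
        }
    }
    # Reboot only when something was staged and the handoff asked for it.
    if ($enabled -and $cfg.reboot -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart')) {
        Restart-Computer -Force
    }
    return 0
}

if ((Invoke-Evaluation) -eq 1) { Invoke-Remediation -WhatIf }   # dry run; drop -WhatIf to apply
```

With -WhatIf the remediation only reports what it would disable and whether it would restart, which makes the sketch safe to try on a test endpoint before any change is made.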

Internet Explorer removal requirements

  • Windows 8, Windows 10, Windows 11, Windows Server 2012, or Windows Server 2016+ endpoint with the Internet-Explorer optional feature package installed

  • PowerShell 3.0 or later (DISM cmdlets ship with every supported Windows release)

  • Administrator privileges (the Automox agent already runs as SYSTEM, which satisfies this)

  • Write access to HKCU:\Automox\WorkletConfig for the InternetExplorerRemoval handoff value between evaluation and remediation

  • Set $reboot = $true in evaluation.ps1 for immediate restart, or $reboot = $false to defer the restart to a scheduled maintenance window

  • Component store health: run DISM /Online /Cleanup-Image /CheckHealth before scheduling broad rollout if any endpoints have prior failed feature operations

Expected state after Internet Explorer removal

After the endpoint reboots, Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer*' returns a State of Disabled. The iexplore.exe binary is no longer present under C:\Program Files\Internet Explorer, the Internet Explorer entry is removed from the Windows Features (optionalfeatures.exe) dialog, and any pinned IE shortcuts on the Start menu or taskbar become orphaned. Application launches that previously forwarded http:// and https:// URIs to IE now route through the default browser (Microsoft Edge on modern Windows). Legacy IE-only intranet apps should be migrated to Edge IE Mode before broad rollout; configure the SiteList policy under HKLM:\SOFTWARE\Policies\Microsoft\Edge\InternetExplorerIntegrationSiteList in advance.

Validate the change with two commands: Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer*' | Select-Object State should print Disabled, and Test-Path 'C:\Program Files\Internet Explorer\iexplore.exe' should return False. Automox activity logs report exit code 0 from the remediation script alongside the message 'The Internet Explorer feature has been disabled' followed by either 'Proceeding to reboot, remediation complete' or 'Skipping reboot, remediation complete' depending on the reboot parameter. Re-running the evaluation script on the next policy cycle confirms compliance: the script finds State = Disabled and exits 0 without writing a new HKCU:\Automox\WorkletConfig handoff value, which is the steady-state signal that this Worklet is holding the configuration in place.
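The two validation commands above, combined into one check as an added example (not part of the Worklet). Test-IERemoved and its verdict labels are hypothetical names; any feature state other than Enabled or Disabled, such as a change staged with -NoRestart on an endpoint that has not yet rebooted, is reported separately instead of being counted as compliant.

```powershell
#Requires -RunAsAdministrator
# Added verification helper; not Automox code. Function name and verdict labels are hypothetical.
function Test-IERemoved {
    param(
        [string]$FeatureMask = 'Internet-Explorer*',
        [string]$BinaryPath  = 'C:\Program Files\Internet Explorer\iexplore.exe'
    )
    $features = @(Get-WindowsOptionalFeature -Online -FeatureName $FeatureMask)
    $states   = @($features | ForEach-Object { "$($_.State)" })
    $binary   = Test-Path -LiteralPath $BinaryPath

    # 'Enabled' means remediation is still needed; any other non-'Disabled' state
    # is surfaced as pending so it can be re-checked after the next restart.
    $verdict = if ($features.Count -eq 0) { 'FeatureNotPresent' }
               elseif ($states -contains 'Enabled') { 'NeedsRemediation' }
               elseif ($states | Where-Object { $_ -ne 'Disabled' }) { 'PendingOrOther' }
               elseif ($binary) { 'DisabledButBinaryPresent' }
               else { 'Compliant' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Features      = ($features | ForEach-Object { "$($_.FeatureName)=$($_.State)" }) -join '; '
        BinaryPresent = $binary
        Verdict       = $verdict
    }
}

$result = Test-IERemoved
$result | Format-List
# Same exit-code convention as the evaluation script: 0 = nothing to do, 1 = attention needed.
if ($result.Verdict -in 'Compliant', 'FeatureNotPresent') { exit 0 } else { exit 1 }
```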


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration and remediation, and install or remove applications and settings across Windows, macOS, and Linux.
