Deploying IE11 with SCCM for the best user experience!

If you haven’t heard by now, only the latest versions of Internet Explorer are supported on all Windows operating systems as of January 12th, 2016.

Details here: https://support.microsoft.com/en-us/lifecycle#gp/Microsoft-Internet-Explorer

For most IT Pros, this means upgrading from IE8, IE9, or IE10 to IE11 on Windows 7. There are lots of ways to accomplish this: a patch, a package, an application, a task sequence, using the IEAK, or using the PowerShell ADT.

Each of the different methods has its pros and cons, and when I went to evaluate the method I wanted to use, I found none of them had a very good user experience.

Common Issues

  • Unnecessary bandwidth consumption downloading pre-reqs
  • IE force closes
  • User is forced to reboot immediately, no deferment
  • Multiple reboots are required
  • User is unable to work for X amount of time
  • Post-install patches are missing (Enterprise mode doesn’t work)

To work around a lot of these issues, I tested some of the methods above and decided on using a task sequence with a few tricks to get the best user experience possible. I wanted to ensure my users were not impacted when we upgraded them.

IE11 Install Method Matrix
| Method | Interactive | Reboot | Multiple reboots | Ent. Mode | IE force closed | User downtime |
| --- | --- | --- | --- | --- | --- | --- |
| Software Update | No | Based on client setting | Yes | No | No | No |
| Standalone .exe | No | Immediate reboot | No | Yes | Yes | Yes |
| IEAK | No | Immediate reboot | No | Yes | Yes | Yes |
| Task Sequence | No | Delayed reboot | No | Yes | No | No |

Originally I was using the task sequence with the standalone .exe, but could not get past the issue of IE being force closed. I even wrapped it in the PowerShell ADT and found a limitation that it would not run interactively even after specifying the -DeployMode Interactive parameter. I even tried ServiceUI and still had no luck. I wanted to emulate the experience that deploying as a software update would provide, so I resorted to DISM and using the extracted CAB file.

IE11 Pre-requisites

***WARNING*** The method below assumes you have all 9 pre-req patches already deployed, so the TS does not account for any pre-reqs. If you do not have the pre-reqs already installed, you can add them easily using Venu Singireddy’s method. This will require two reboots in your install, though.

The Task Sequence

[Image: IE11-TS-main]

Internet Explorer 11 Task Sequence
| Step | Package | Details |
| --- | --- | --- |
| Set SMSTSErrorDialogTimeout | No | SMSTSErrorDialogTimeout = 1 |
| IE11 Install | Yes | dism /online /add-package /packagepath:IE-Win7.CAB /quiet /norestart /logpath:C:\temp\IE11_install.log |
| IE11 – KB3104002 | Yes | wusa.exe IE11-Windows6.1-KB3104002-x64.msu /quiet /norestart |
| Set reboot to 8 hours | No | SMSRebootTimeout = 28800 |
| Restart Computer | No | Timeout = 9999 |
| Disable First Run | No | %windir%\system32\reg.exe add "HKLM\Software\Policies\Microsoft\Internet Explorer\Main" /t REG_DWORD /v DisableFirstRunCustomize /d 1 /f |
| Disable HSTS x64 | No | %windir%\system32\reg.exe add "HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_HSTS" /v iexplore.exe /t REG_DWORD /d 1 /f |
| Disable HSTS x86 | No | %windir%\system32\reg.exe add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_HSTS" /v iexplore.exe /t REG_DWORD /d 1 /f |
| Array Compatibility Fix | Yes | powershell.exe -executionpolicy bypass -file Set-IECompatView.ps1 |

What it does:

  • Sets the SMSTSErrorDialogTimeout to 1 so users do not get a nasty popup if there is an error
  • Installs IE11 using DISM and the extracted .CAB files
  • Installs the latest IE Cumulative patch to enable Enterprise Mode (and for security)
  • Sets the Restart timer to 8 hours
    • 9999 seconds/166.65 minutes/2.78 hours is the maximum by default, but you can override with this handy TS variable
  • Restarts the computer
    • If user is logged on, prompts for 8 hours
  • Disables IE first run customization wizard
    • Some users experience this wizard after the upgrade
  • Disables HTTP Strict Transport Security x86/x64
    • Some of our websites did not function with this enabled
  • Adds domain of your choice to compatibility view for all user profiles cached on the machine
    • We needed this because of our web based VPN users
    • They would get IE11 and the Ent. Mode patch, but because they were offline after the reboot, they could not download the Ent. Mode Site list, which contained compat settings needed to reconnect to the VPN!
    • Chicken/Egg scenario
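A post-deployment check for the state listed above, as an added example that is not part of the original post: it reads back the registry values and the KB from the task sequence table and reports whether a servicing reboot is still pending. The svcVersion value name, the Component Based Servicing RebootPending key and the helper name Get-RegValue are assumptions of this example, not taken from the post.

```powershell
# Added example: reads back what the task sequence above is meant to leave behind.
# Paths, value names and the KB number come from the task sequence table.
# Assumptions (not from the post): IE10+ stores its version in 'svcVersion', and the
# CBS 'RebootPending' key marks a pending servicing reboot. Run in 64-bit PowerShell.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of an error when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$ie      = 'SOFTWARE\Microsoft\Internet Explorer'
$ieWow   = 'SOFTWARE\Wow6432Node\Microsoft\Internet Explorer'
$hsts    = 'MAIN\FeatureControl\FEATURE_DISABLE_HSTS'
$policy  = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
$cbs     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing'
$version = Get-RegValue "HKLM:\$ie" 'svcVersion'

$state = New-Object PSObject -Property @{
    IEVersion       = $version
    IsIE11          = ([string]$version -like '11.*')
    # Get-HotFix reads Win32_QuickFixEngineering; no match means this CU is not listed.
    # A later cumulative update supersedes it, so use the ID of the CU you deploy.
    KB3104002       = [bool](Get-HotFix -Id 'KB3104002' -ErrorAction SilentlyContinue)
    FirstRunOff     = ((Get-RegValue $policy 'DisableFirstRunCustomize') -eq 1)
    # The TS turns HSTS off machine-wide; report it so the exception stays inventoried.
    HstsDisabledX64 = ((Get-RegValue "HKLM:\$ie\$hsts" 'iexplore.exe') -eq 1)
    HstsDisabledX86 = ((Get-RegValue "HKLM:\$ieWow\$hsts" 'iexplore.exe') -eq 1)
    # True between the DISM install and the restart; should be False after the reboot.
    RebootPending   = (Test-Path "$cbs\RebootPending")
}

# Select-Object fixes the column order (hashtable order is not preserved on PowerShell 2.0).
$state | Select-Object IEVersion, IsIE11, KB3104002, FirstRunOff,
                       HstsDisabledX64, HstsDisabledX86, RebootPending
```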

Set-IECompatView.ps1

If you need to add a domain to Compatibility View without utilizing your Ent. Mode Site List, you can modify the below script and add it to your task sequence.

  1. Open IE and add your domain(s) to Compatibility View under the Tools menu
  2. Browse to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData
  3. Export the key
  4. Modify the UserFilter below with your exported hex value

Reference: http://jeffgraves.me/2014/02/19/modifying-ie-compatibility-view-settings-with-powershell/
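One way to carry out steps 1 to 4 for every profile cached on the machine, as an added example; it is not the author's Set-IECompatView.ps1. It assumes the key exported in step 3 is passed as a .reg file through the hypothetical -RegFile parameter, and IECompatTemp is an arbitrary temporary hive name.

```powershell
# Added example, not the author's Set-IECompatView.ps1.
# Assumptions: -RegFile is the .reg export from step 3; 'IECompatTemp' is an arbitrary
# temporary hive name. Run elevated (a task sequence step runs as SYSTEM).
param([Parameter(Mandatory = $true)][string]$RegFile)

# reg.exe exports are UTF-16 with a BOM, which ReadAllText detects.
$text = [IO.File]::ReadAllText((Resolve-Path $RegFile).Path)
if (-not ($text -match '"UserFilter"=hex:([0-9a-fA-F,\\\s]+)')) {
    throw "No UserFilter value found in $RegFile"
}
# Drop the '\' line continuations and whitespace, then turn each hex pair into a byte.
$hex   = ($Matches[1] -replace '[\\\s]', '').Split(',') | Where-Object { $_ }
$bytes = [byte[]]($hex | ForEach-Object { [Convert]::ToByte($_, 16) })

$sub      = 'Software\Microsoft\Internet Explorer\BrowserEmulation\ClearableListData'
$profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' }   # user SIDs, not service accounts

foreach ($p in $profiles) {
    $sid    = $p.PSChildName
    # A logged-on user's hive is already mounted under HKEY_USERS\<SID>.
    $loaded = Test-Path "Registry::HKEY_USERS\$sid"
    $root   = if ($loaded) { $sid } else { 'IECompatTemp' }
    if (-not $loaded) {
        $hive = Join-Path $p.GetValue('ProfileImagePath') 'NTUSER.DAT'
        & reg.exe load "HKU\$root" $hive | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Skipping $sid (cannot load $hive)"; continue }
    }
    $key = "Registry::HKEY_USERS\$root\$sub"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'UserFilter' -PropertyType Binary -Value $bytes -Force | Out-Null
    if (-not $loaded) {
        [gc]::Collect()   # release PowerShell's handles so the hive can unload
        & reg.exe unload "HKU\$root" | Out-Null
    }
}
```

The script overwrites any UserFilter a profile already has, so sites a user added to Compatibility View themselves are replaced by the exported list.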

The User Experience

Our deployment was non-interactive, so the files downloaded before executing the TS, IE11 installed, and the user is none the wiser until they get the below prompt!

[Image: IE11_Restart]

This solution solved all our needs: IE is not force closed, the user only has to reboot once, Ent. Mode is enabled immediately, and user downtime is basically just the time it takes to reboot.

11 thoughts on “Deploying IE11 with SCCM for the best user experience!”

  1. Sri

    Great blog. I am not able to get SMStimereboot to work? Can you pls provide screenshots with the conditions set?

    Thanks in advance

  2. Thank you for the article!
    You can inject IE11 pre-reqs using DISM and do not need two reboots in this case. I guess it would make your Task Sequence even nicer.

    • Really? That is not what we saw in testing. You can inject the pre-reqs, install IE11, and install the post-install CU, without a reboot? How are you installing IE11 and the post-install CU?

      • I am using WUSA and DISM to inject pre-req and in this case I do not need to reboot the machine before IE11 installation (via DISM). As soon as IE11 is installed I am rebooting (same way as you). I did not try to install the post-installation update on top though.

  3. Nick Laing

    I have followed your guide exactly; used a TS just like you advise as I wish SCCM TS engine to control reboots, but after the IE11 install ( dism /online /add-package /packagepath:IE-Win7.CAB /quiet /norestart ), my deployment ALWAYS reboots and the timer is 30 secs. The /norestart switch is not obeyed.

    Any ideas?

    • Hmm, check the dism.log on the machine to confirm it’s causing the restart. Sometimes it may kick it off if there is already a pending reboot.

  4. Ankit

    Hello, I’m trying to configure automatic restart of machine after the patch deployment. How do I do that in SCCM? Is there any option I’m missing?

    Thanks in advance for your assistance on this.

    • Hi Ankit, if you are using a task sequence you just add a restart computer step.

      If you are deploying via software updates the client settings control the restart timers and such.
