Disable IE10 Automatic Update via Group Policy

In this post we will see the steps to disable IE10 automatic update via group policy. Microsoft distributes Internet Explorer 10 as a high-priority update through Automatic Updates for Windows 7 Service Pack 1 (SP1) x86 and x64, and Windows Server 2008 R2 SP1 x64. To disable IE 10 automatic update via group policy we can make use of a toolkit provided by Microsoft called IE 10 Blocker Toolkit which is intended for organizations that would like to block automatic delivery of Internet Explorer 10 to machines in environments where Automatic Updates is enabled.

Few things to consider before you download IE 10 Blocker Toolkit.

Do not deploy the IE 10 Blocker Toolkit in environments managed with an update management solution such as Windows Server Update Services or System Center Configuration Manager.

Also this toolkit is supported by OS – Windows 7 Service Pack 1 and higher, Windows Server 2008 R2 Service Pack 1 and higher. Download Internet Explorer 10 Blocker Toolkit

Once you download the IE 10 blocker toolkit, run the toolkit and provide a folder where the contents of toolkit are extracted. This toolkit contains two components: An executable blocker script (IE10_Blocker.cmd) and a Group Policy Administrative Template (.ADM file) (IE10_Blocker.adm)

If you want to disable IE10 automatic update via group policy then you can make use of IE10_Blocker.adm template. We will use the same template to disable IE10 automatic update. But before that let’s understand what the executable blocker script contains.

When you execute the IE 10 automatic update blocker script, the script creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 10 on either the local machine or a remote target machine.

Registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftInternet ExplorerSetup10.0

Key value name: DoNotAllowIE10

If the DoNotAllowIE10 value is set to 0 then the distribution is not blocked and if its set to 1 then the distribution is blocked.

In the script there is a parameter called <machine name> which is optional. If it’s not specified, the action is performed on the local machine.

@echo off

Echo MICROSOFT TOOL KIT TO DISABLE DELIVERY OF 
Echo MICROSOFT INTERNET EXPLORER 10
Echo.
Echo Copyright (C) Microsoft Corporation.  All rights reserved.
Echo.

set ProductName=Internet Explorer 10
set REGBlockKey=HKLMSOFTWAREMicrosoftInternet ExplorerSetup10.0
set REGBlockValue=DoNotAllowIE10

set RemoteMachine=%1

if ""=="%1" goto Usage
if "/?"=="%1" goto Usage
if /I "/H"=="%1" goto Usage
if /I "/B"=="%1" goto LocalMachine
if /I "/U"=="%1" goto LocalMachine
set RemoteMachineName=%1
set Action=%2

:Parse
if /I "/B" == "%Action%" goto Block
if /I "/U" == "%Action%" goto UnBlock
goto Usage

:Block
Echo Blocking deployment of %ProductName% on %RemoteMachineName%
REG ADD "%RemoteMachine%%REGBlockKey%" /v %REGBlockValue% /t REG_DWORD /d 1 /f
goto End

:UnBlock
Echo Unblocking deployment of %ProductName% on %RemoteMachineName%
REG DELETE "%RemoteMachine%%REGBlockKey%" /v %REGBlockValue% /f
goto End

:LocalMachine
echo LOCAL!
set Action=%1
set RemoteMachine=.
set RemoteMachineName=the local machine
goto Parse

:Usage
Echo.
Echo This tool can be used to remotely block or unblock the delivery of
Echo %ProductName% via Automatic Updates. 
Echo.
Echo ------------------------------------------------------------
Echo Usage:
Echo %0 [machine name] [/B] [/U] [/H]
REM [machine name] [/B|U|H]
Echo B = Block %ProductName% deployment
Echo U = Allow %ProductName% deployment
Echo H = Help
Echo.
Echo To block or unblock installation on the local machine use
Echo period ("." with no quotes) as the machine name
Echo.
Echo Examples:
Echo %0 mymachine /B (blocks delivery on machine "mymachine")
Echo.
Echo %0 /U (unblocks delivery on the local machine)
Echo ------------------------------------------------------------
Echo.

:End

Disable IE10 Automatic Update via Group Policy

In this section we will make use of the Group Policy Administrative Template .ADM file (IE10_Blocker.adm)– which allows administrators to import the new Group Policy settings to block or unblock automatic delivery of Internet Explorer 10 into their Group Policy environment, and use Group Policy to centrally execute the action across systems in their environment.

Log on to the domain controller, launch the Group Policy Management tool, right click on the domain name and create a new group policy. Right click the policy and click Edit.

In the Group Policy Management Editor, expand Computer Configuration, expand Policies, right click Administrative Tools and click Add/Remove Templates.

Note – This setting is available only as a Computer setting, there is no Per-User setting.

In Add/Remove Templates window, click on Add and import the IE10_Blocker.adm template. Click Close.

After you import the template navigate to Computer Configuration > Administrative Templates > Classic Administrative Templates > Windows Components > Windows Update > Automatic Updates Blockers v3.

Right click on the policy setting Do not allow delivery of Internet Explorer 10 through Automatic Updates and click Edit.

This policy setting allows you to disable delivery of Internet Explorer 10 via Automatic Updates. Click Enabled. Click OK.

Note – This setting does not disable Automatic Updates or access to Windows Update. Nor does it prevent delivery of updates other than Internet Explorer 10 through Windows Update or Automatic Updates.