IE 10 Update Block

By giantsnyy
in Microsoft (Windows)

 Share

Recommended Posts

Mentor

giantsnyy

Posted
Posted

Hi Guys!

No matter what I try, I can't get the blocker gpo provided by Microsoft to work correctly. I installed it the exact same way I did the 9 blocker (replacing the adm file in the sysvol share), and I've even tried to run the startup script to prevent it but no matter what, it still installs on the client machines.

What do I do? It's such a pain. IE10's rendering engine breaks essentially all of the websites our dealerships use, including our web mail client.

Thanks,

Mike

Edit: Forgot to mention - all of the machines are running Windows 7 Pro SP1, on an AD domain powered by Windows Server 2003 (with Windows 2000 Mixed set as the functional domain level. Yes, I know that's outdated, but my supervisor won't allow me to upgrade it.)

Link to comment
Share on other sites
Proficient

lars77

Posted
Posted

re: the websites, do they work correctly if you set them to load in Compatibility Mode in IE 9/10? You'd be *way* better off upgrading the machines to IE10 if you can set the websites to work correctly in there. Also if the websites have particular ActiveX controls you may want to adjust those IE settings too.

Outside of that not too sure, do you know if the users have permissions to run Windows Update on their own and/or install permissions? I've used the IE9 blocker on a few machines & for the most part it works, but sometimes IE 9/10 would get installed anyway. I have a feeling it happened b/c the user maybe got a Windows Update prompt & manually triggered the update to IE 9/10. The blocker only seems to block automated updates to IE 9/10, but it doesn't seem to prevent a manual install AFAIK. (for my particular client this wasn't a big deal, though it meant I had to re-do their IE ActiveX & compatibility mode settings post-upgrade)

Link to comment
Share on other sites
Mentor

giantsnyy

Posted
  • Author
Posted

Unfortunately, no they don't render properly in compatibility mode. Also, IE10 seems to be stuck in 64 bit mode (no 32 bit option I've seen yet) and the proprietary plugins the vehicle manufacturers use bug out with 64 bit and ask to install themselves endlessly (I.e. BMW DealerSpeed and VW's SAGA app requires their version of Java 1.5.

These are automatic updates... None of these users have admin access, or even control panel access.

Link to comment
Share on other sites
Contributor

cluberti

Posted
Posted

IE10 on an x64 machine loads the frame process as 64bit (for security reasons), but tab processes should still be 32bit by default (hence why you don't easily find the IE 64bit binary, and even if you launch it, you still end up with 32bit tabs by default) unless you enable IE10's enhanced protected mode (which will give you a full 64bit experience, tabs included).

The IE10 blocker toolkit (or just the reg value "DoNotAllowIE10", technically, set to 1) should block delivery of IE10 via automatic updates - what specific behavior are you seeing, what update mechanism is in use for these machines, and is this registry value (under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\10.0) being set to 1 after the script runs?

Link to comment
Share on other sites
Mentor

AnotherITguy

Posted
Posted

I assume your machines are all WINDOWS 7 SP1 X64, right?, and also, how are you deploying the updates, via windows update or wsus?

Link to comment
Share on other sites
Mentor

giantsnyy

Posted
  • Author
Posted

I assume your machines are all WINDOWS 7 SP1 X64, right?, and also, how are you deploying the updates, via windows update or wsus?

Yes, they are. The updates are getting deployed via Windows Update. I can't deploy WSUS because I don't have any servers with hard drives larger than 40GB.

Link to comment
Share on other sites
Mentor

AnotherITguy

Posted
Posted

Giantsnyy, you could just tell the machine not to auto install all of the updates. Personally whenever I pickup a new client I stand down auto updating because it does create some headaches with custom apps the night after the updates if there are any issues. My advice, do the updates manually and tell windows update NOT to auto install all of the updates. Is it a little more overhead for you.... you bet!, will it give you a little more peace of mind in the end (specially with IE), in my humble opinion...YES

Link to comment
Share on other sites
Mentor

giantsnyy

Posted
  • Author
Posted

Yeah... it's a nightmare. They're all old athlon64's (single core's too) with 512mb ram and Windows 2003R2 mix of x64 and x86.

Giantsnyy, you could just tell the machine not to auto install all of the updates. Personally whenever I pickup a new client I stand down auto updating because it does create some headaches with custom apps the night after the updates if there are any issues. My advice, do the updates manually and tell windows update NOT to auto install all of the updates. Is it a little more overhead for you.... you bet!, will it give you a little more peace of mind in the end (specially with IE), in my humble opinion...YES

Not possible... trust me I'd love to... but manually updating 748 computers?

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing