No announcement yet.

upgrade ie9 to ie11 by WSUS

  • Filter
  • Time
  • Show
Clear All
new posts

  • upgrade ie9 to ie11 by WSUS

    I am preparing for upgrading IE to IE11.
    I have tested IE10 to IE11 from WSUS. This run absolutely smooth.
    Saw some articles on web that IE9 should be uninstalled prior to pushing IE11.
    Sure it will create a hussle... First, need to identify machines with IE9 and etc...
    1. can somebody share his/her experience with upgrading to IE11 from below than IE10.
    Or I can just push IE11 to all machines. Workstations are Windows7.
    2. Probably I will see bunch of IE11 patches after deployment. What will be the right strategy for approving appropreate patches for IE11. Would just latest cumullative update (let say from MAY 2016) be enough for bringing new IE11 to optimal security level?
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    IE upgrade is trivial. If you are using WSUS it is even simpler.
    A recent poll suggests that 6 out of 7 dwarfs are not happy


    • #3
      Like your answer...
      ​as I mentioned 10 to 11 is practically invisible...
      did you have any experience with 8 or 9 to 11?
      Sure I will test but may be you did it already...
      "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis


      • #4
        I run a customer's network which has been held back to IE9 for some time. We started rolling out IE11 using WSUS, and the install is painless. Simply approve the base IE11 for Windows 7 update item, then the latest cumulative update for IE11 on Windows 7 (don't have the KB #s in front of me, sorry). To find either, in your WSUS console use the Search box to find 'Internet Explorer 11'. It'll take a minute or 3 to display the results, and there will be a lot of entries. Scroll through the alphabetical list to find just the 'Internet Explorer for Windows 7' entry (or words to that effect), and then look through the section titled 'Cumulative Update' for IE11 on Windows 7, and approve the one with the highest KB #. Your clients will install each one on a single pass so 2 passes are needed, because the cumulative update won't show as applicable to the clients until after IE11 is installed. But your problem won't be the installs. Your problem will be how you enforce any settings thru Group Policy.

        The old way of setting things like proxy info, etc., was thru the policy settings at 'User - Policies - Security Settings - Internet Explorer Maintenance'. That whole section has been thrown out by MS. You can still see the settings when you look at a policy, but if you open the editor to change things, that section no longer appears to be edited. So there's no way to remove those old entries. In order to get rid of those settings from view, you have to create a completely new policy and start over. And the settings that are being applied have moved in the registry, as well. MS gives you 2 options: use Group Policy Preferences, or use the IE Administration Kit. Each has its benefits, and its pitfalls. You'll want to verify what settings you apply now, and work out how you want to apply them when you roll IE 11 out. I've been advised by colleagues to stay away from the IEAK because the settings don't always apply, for reasons yet unknown. So I haven't tried it; if anyone else has better info, speak up.

        If you stick with GPP to apply settings as I did, they will apply; but there are issues to be aware of as well:
        • First, when you create a new Internet Options GPP entry (Users - Preferences - Control Panel - Internet Options), what you see in the editor will vary depending on where you run the GPMC from. On Server 2008R2 or Windows 7 with RSAT, even after IE11 is installed, you'll only see the options to create IE settings for versions up to IE8, maybe 9. IE11 will not be listed--this is down to the version of MMC being run on the machine, not the version of group policy template files (i.e. inetres.admx) you've got installed. If you want to see IE10 or IE11 listed, you'll have to run the GPMC on at least a Server 2012 box. Srvr 2012 will give you up thru IE10, 2012R2 will give you up thru IE11.
        • Second, the Internet Options dialog will look just like the Internet Options window you see when run from inside IE itself from the Tools dropdown menu, or by opening Internet Options from Control Panel. But there is 1 critical difference in the GPP editor window, colored lines underneath the various entries. Those lines represent which items are being enforced--green lines mean that item is enforced, red-&-white lines means nothing is applied. You control the state of those colored lines using F5-F6-F7-F8 buttons. If a field is blank, and the line is green, you will be pushing a blank value to the users. If the field is filled with your desired values but the line is red-&-white, your values are not pushed to the clients.
        • Third, since these are Preferences being pushed, they are not locked down and enforced continuously. They are set whenever the policy is applied, but the user can change them. At next policy application, your Pref settings will be applied again, overwriting the user's choices if they are different. So when you look at what you want to set, you'll also want to think about whether you want the users to be able to change those settings. The simplest way to prevent user changes is to set GP items which are not preferences (Users - Administrative Templates - Windows Components - Internet Explorer), but which take away the various tabs in Internet Options so the users have no access. But that's a management/policy decision.
        I cannot stress strongly enough to do some research on the pitfalls I identified above, it's taken me some painful time to get my head around it all. You really want to experiment a little with the F5--F8 buttons thing so you're sure what you're applying, before you roll IE11 out to your user population. Cause if it breaks badly, imagine how popular you'll be when any web page external to your own environment stops working.
        Last edited by RicklesP; 29th May 2016, 13:16.
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **


        • #5
          RicklesP, thanks for just excellent answer. Sure, I will test properly IE9 to IE11.
          As mentioned from 10 to 11 don't see any problem. We have at least 20% of the large park on IE11.

          Our existing IE GPOs (couple of them) are pretty heavy for accommodation of all browser versions and different external web applications. Unfortunately, this is the reality of large environment.
          Of course for this project I will use new GPO.

          Thanks again.
          "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis