3

I'm trying to disable Internet Explorer Enhanced Security Configuration using PowerShell in Packer on AWS when building a Windows Server 2016 instance from their latest AMI.

I'm calling the following function in PS from one of the packer provisioners:

function Disable-InternetExplorerESC {
   $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
   $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
   Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -Force
   Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -Force
   Stop-Process -Name Explorer -Force -ErrorAction Continue
   Write-Host "IE Enhanced Security Configuration (ESC) has been disabled."
}

Disable-InternetExplorerESC

However, the Stop-Process -Name Explorer -Force throws the following error:

Stop-Process : Cannot find a process with the name "Explorer". Verify the process name and call the cmdlet again.

Remoting into the server, opening Server Manager, and checking the Local Server settings reveals that IE Enhanced Security Configuration is "Off", but opening Internet Explorer still shows the settings as "On" and prevents downloads. I have tried restarting the machine after making the change; however, the setting is still in the ambiguous state. Is there a different way of turning off IE ESC that I can try, or another way of going about this in Packer?

SignalRichard

2 Answers

5

I was able to get this to work with the following PowerShell script being called as a provisioner with elevated permissions in the packer build script:

function Disable-InternetExplorerESC {
   $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
   $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
   Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -Force
   Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -Force
   Rundll32 iesetup.dll, IEHardenLMSettings
   Rundll32 iesetup.dll, IEHardenUser
   Rundll32 iesetup.dll, IEHardenAdmin
   Write-Host "IE Enhanced Security Configuration (ESC) has been disabled."
}

Disable-InternetExplorerESC

Here is the packer snippet for the provisioner:

{
   "type": "powershell",
   "scripts":[
   "{{ template_dir }}/scripts/Disable-InternetExplorerESC.ps1"
   ],
   "elevated_user": "{{user `local_admin`}}",
   "elevated_password": "{{user `local_admin_password`}}"
}

Additionally, this seems to only disable IE ESC for the elevated user that ran the script.

SignalRichard
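A check that could run as a later provisioner step to confirm what the scripts above wrote, as an added example that is not part of the original answers: it reads the IsInstalled value under the two HKLM keys from the question and throws if either differs from the expected state. The function names are hypothetical, and it reports only the machine-wide registry values, not the per-user state that Internet Explorer itself shows.

```powershell
# Added example: audit the two IE ESC registry values used on this page.
# Function names are hypothetical; the key paths are the ones from the question.
$EscKeys = [ordered]@{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-InternetExplorerESCState {
    # Emits one object per role with the raw IsInstalled value and a derived state.
    foreach ($role in $EscKeys.Keys) {
        $path  = $EscKeys[$role]
        $value = $null
        $state = 'KeyMissing'
        if (Test-Path -LiteralPath $path) {
            # Returns $null (no error) when the key exists but the value does not.
            $item = Get-ItemProperty -LiteralPath $path -Name 'IsInstalled' -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'ValueMissing'
            } else {
                $value = $item.IsInstalled
                $state = if ($value -eq 0) { 'Off' } else { 'On' }
            }
        }
        [pscustomobject]@{ Role = $role; IsInstalled = $value; State = $state; Path = $path }
    }
}

function Assert-InternetExplorerESCState {
    param([ValidateSet('On', 'Off')][string]$Expected = 'Off')
    $report = @(Get-InternetExplorerESCState)
    # Print the report so it appears in the build log.
    $report | Format-Table Role, IsInstalled, State -AutoSize | Out-String | Write-Host
    # A missing key or value counts as a mismatch, not as "Off".
    $bad = @($report | Where-Object { $_.State -ne $Expected })
    if ($bad.Count -gt 0) {
        throw "IE ESC is not '$Expected' for: $(($bad.Role) -join ', ')"
    }
}

Assert-InternetExplorerESCState -Expected 'Off'
```

Passing `-Expected 'On'` turns the same check into an audit for images where ESC is meant to stay enabled.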
0

The other way (without using PowerShell) is to use Server Manager to turn IE Enhanced Security off. I am posting this answer as this is the first answer that pops up when you search "how to turn off IE Enhanced Security Configuration in AWS".

Open your server manager > Local Server > Find IE Enhanced Security configuration > Turn it off by clicking "On" (You can turn it off only for Administrators or for all the users)

Or you may run the script below in PowerShell, if you only have access to PowerShell:

# Disable IE ESC for administrators
# -Force overwrites the IsInstalled value if it already exists instead of failing
$AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
New-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -PropertyType DWord -Force
# Disable IE ESC for users
$UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
New-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -PropertyType DWord -Force
codeslord
  • And just how do you "click" on something when you expect it to run via PowerShell? – Steven K7FAQ Sep 18 '18 at 00:34
  • @StevenK7FAQ Please see the note with the answer. This is the first answer that pops up when someone does a Google search for "how to turn off IE enhanced security configuration". We are here to help somebody in need. – codeslord Mar 02 '21 at 04:47