Microsoft has released an important update to the Intune security baseline for Windows, version 25H2, introducing a new setting to help secure your environment: Disable Internet Explorer 11 Launch Via COM Automation. This setting now has a baseline default of Enabled.
If you are managing Windows devices and rely on Intune security baselines to enforce best practices, this is an update you need to be aware of, both for the security benefit and for the potential impact on legacy applications.
What is the “Disable Internet Explorer 11 Launch Via COM Automation” Setting?
While Microsoft has actively deprecated Internet Explorer 11 (IE11) and disabled it as a standalone browser (redirecting users to Microsoft Edge), legacy COM (Component Object Model) automation provided a loophole. Legacy scripts, old line-of-business applications, and potentially malicious payloads could still invoke IE11 programmatically in the background using COM automation, completely bypassing the standalone browser block.
This newly added setting (DisableInternetExplorerLaunchViaCOM / InternetExplorer/DisableInternetExplorerLaunchViaCOM) definitively prevents IE11 from being launched via this method.
Why Was It Added Later?
This setting was initially excluded from the version 25H2 baseline at release due to a known issue. Now that the issue is resolved, Microsoft has updated the baseline to include this critical safeguard.
By enforcing this block, Microsoft closes a significant automation bypass channel that threat actors often exploit using legacy scripting methods. This aligns with modern security practices by fully cementing IE11’s deprecation and reducing the attack surface on managed devices.
How It Affects Your Organization
When this policy is set to Enabled:
- Enhanced Security: You are closing an often-overlooked attack vector. By blocking programmatic access to IE11, you restrict legacy exploits from running silently in the background.
- Impact on Legacy Apps: If your organization relies on legacy applications, VBScripts, or Office add-ins that still trigger IE11 via COM automation, these applications will experience silent failures or throw errors.
What You Need to Do
Because this is an update to an existing baseline version rather than a brand-new baseline, the setting won’t apply automatically to your existing 25H2 baseline profiles.
- Audit Your Environment: Before rolling this out broadly, ensure that no critical legacy applications or scripts in your environment rely on IE11 COM automation.
- Test and Validate: Use a pilot group to test the impact of enabling this setting on daily workflows and legacy software.
- Update Your Profiles: To add the setting to an existing 25H2 baseline profile, simply open the profile, select Edit, and then Save it. The new setting will appear with its default configuration. Once saved, Intune will deploy the setting to your assigned groups at their next device check-in. (If you create a new 25H2 profile, it will include this setting automatically.)
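The audit and pilot-validation steps above can be scripted. The following PowerShell is an added example written for this post, not Microsoft's or Intune's own tooling: Find-IEComReferences searches script and exported-VBA files for the InternetExplorer.Application ProgID (and its well-known CLSID, a constant I am adding here, not a value taken from the post), and Test-IEComLaunchBlocked reports whether a pilot device still allows an IE11 instance to be created via COM after the profile has been re-saved and the device has checked in. Paths and file extensions are placeholders to adapt to your environment.

```powershell
# Added example (not from the original post): audit scripts for IE11 COM automation
# and verify on a pilot device that the "Disable Internet Explorer 11 Launch Via
# COM Automation" baseline setting is in effect.
# Assumptions: the directories passed to -Path hold your logon scripts, LOB scripts
# and exported Office VBA modules; the extension list is an example, not exhaustive.

function Find-IEComReferences {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string[]] $Include = @('*.vbs', '*.ps1', '*.psm1', '*.js', '*.wsf', '*.hta', '*.bas', '*.cls')
    )
    # ProgID used by CreateObject()/New-Object -ComObject, plus the well-known CLSID
    # of InternetExplorer.Application (assumed constant, not taken from the post).
    $patterns = @(
        'InternetExplorer\.Application',
        '0002DF01-0000-0000-C000-000000000046'
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $patterns |
        ForEach-Object {
            [pscustomobject]@{
                File  = $_.Path
                Line  = $_.LineNumber
                Match = $_.Line.Trim()
            }
        }
}

function Test-IEComLaunchBlocked {
    # Returns $true when this device refuses to create an IE11 COM instance
    # (the setting is in effect), $false when an instance could still be created.
    # Note: creation also fails where IE11 is not present at all, so interpret
    # $true together with the device's applied-policy report in Intune.
    [CmdletBinding()]
    param()
    $ie = $null
    try {
        $ie = New-Object -ComObject 'InternetExplorer.Application' -ErrorAction Stop
        return $false
    }
    catch {
        Write-Verbose "COM launch refused: $($_.Exception.Message)"
        return $true
    }
    finally {
        # If an instance was created, shut it down so no hidden IE process lingers.
        if ($ie) {
            $ie.Quit()
            [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($ie)
        }
    }
}

# Example usage (placeholder paths):
Find-IEComReferences -Path 'C:\LOB\Scripts', '\\fileserver\logonscripts' | Format-Table -AutoSize
if (Test-IEComLaunchBlocked) {
    'IE11 COM launch is blocked on this device'
} else {
    'IE11 can still be launched via COM on this device'
}
```

Run Find-IEComReferences against every repository of scripts and add-in sources your pilot group depends on before enabling the setting; any hit is a candidate for a silent failure once the block lands. Test-IEComLaunchBlocked is meant for the pilot phase only: run it on a device before and after the re-saved profile has applied, and it should flip from $false to $true.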
Taking action on this baseline update ensures your fleet stays hardened against legacy threats, bringing your endpoints one step closer to a true Zero Trust posture.
Stay tuned for more Intune updates, and as always, test thoroughly before deploying to production!