I'm trying to disable Internet Explorer Enhanced Security Configuration using PowerShell in Packer on AWS when building a Windows Server 2016 instance from their latest AMI.
I'm calling the following function in PS from one of the packer provisioners:
    function Disable-InternetExplorerESC {
        $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
        $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
        Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -Force
        Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -Force
        Stop-Process -Name Explorer -Force -ErrorAction Continue
        Write-Host "IE Enhanced Security Configuration (ESC) has been disabled."
    }
    Disable-InternetExplorerESC
However, Stop-Process -Name Explorer -Force throws the following error:

    Stop-Process : Cannot find a process with the name "Explorer". Verify the process name and call the cmdlet again.
Remoting into the server, opening Server Manager and checking the Local Server settings reveals that IE Enhanced Security Configuration is "Off", but opening Internet Explorer still shows the settings as "On" and prevents downloads. I have tried restarting the machine after making the change; however, the setting is still in the ambiguous state. Is there a different way of turning off IE ESC that I can try, or another way of going about this in Packer?
I was able to get this to work with the following PowerShell script being called as a provisioner with elevated permissions in the packer build script:
    function Disable-InternetExplorerESC {
        $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
        $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
        Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -Force
        Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -Force
        Rundll32 iesetup.dll, IEHardenLMSettings
        Rundll32 iesetup.dll, IEHardenUser
        Rundll32 iesetup.dll, IEHardenAdmin
        Write-Host "IE Enhanced Security Configuration (ESC) has been disabled."
    }
    Disable-InternetExplorerESC
Here is the packer snippet for the provisioner:
    {
      "type": "powershell",
      "scripts": [
        "{{ template_dir }}/scripts/Disable-InternetExplorerESC.ps1"
      ],
      "elevated_user": "{{user `local_admin`}}",
      "elevated_password": "{{user `local_admin_password`}}"
    }
Additionally, this seems to only disable IE ESC for the elevated user that ran the script.
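
A build-time check of the two machine-wide values written above, as an added example that is not part of either post: it reports the IsInstalled state of both components and throws when it differs from what the image is supposed to have, so a provisioner step fails instead of shipping an image in the wrong state. The function names and the -Expected parameter are hypothetical, and treating 1 as "On" is an assumption (the posts only show 0 being written to turn ESC off).

```powershell
# Added example: audits the two Active Setup components named in the posts above.
# Function names and the -Expected parameter are hypothetical, not from the posts.
$EscComponents = [ordered]@{
    Admin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    User  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-InternetExplorerESCState {
    foreach ($role in $EscComponents.Keys) {
        $path  = $EscComponents[$role]
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # A missing IsInstalled value is reported as $null instead of raising an error
            $item = Get-ItemProperty -LiteralPath $path -Name 'IsInstalled' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.IsInstalled }
        }
        # Assumption: 1 means On; anything other than 0 or 1 is reported as Unknown
        $state = if ($value -eq 0) { 'Off' } elseif ($value -eq 1) { 'On' } else { 'Unknown' }
        [pscustomobject]@{
            Role        = $role
            IsInstalled = $value
            State       = $state
        }
    }
}

function Assert-InternetExplorerESCState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('On', 'Off')]
        [string]$Expected
    )
    $state = @(Get-InternetExplorerESCState)
    # Print the table so the result is visible in the build log
    $state | Format-Table -AutoSize | Out-String | Write-Host
    $bad = @($state | Where-Object { $_.State -ne $Expected })
    if ($bad.Count -gt 0) {
        # A terminating error makes the calling script, and so the provisioner step, fail
        throw "IE ESC is not '$Expected' for: $($bad.Role -join ', ')"
    }
}

Assert-InternetExplorerESCState -Expected 'Off'
```

This reads only the two HKLM values shown in the posts, so it does not detect the per-user mismatch described in the question or the per-user limitation noted in the answer. Passing -Expected 'On' turns the same check into a guard for images that are meant to keep ESC enabled.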