Tags: powershell, amazon-web-services, internet-explorer, windows-server-2016, packer

Disabling Internet Explorer Enhanced Security Configuration using PowerShell in Packer on AWS Fails


I'm trying to disable Internet Explorer Enhanced Security Configuration using PowerShell in Packer on AWS when building a Windows Server 2016 instance from their latest AMI.

I'm calling the following function in PS from one of the packer provisioners:

function Disable-InternetExplorerESC {
   # Active Setup components that control IE ESC for the Administrators group (...A7) and the Users group (...A8)
   $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
   $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
   # IsInstalled = 1 means ESC is on for that group, 0 means off
   Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -Force
   Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -Force
   # Restart the shell so it picks up the change (this is the line that fails, see below)
   Stop-Process -Name Explorer -Force -ErrorAction Continue
   Write-Host "IE Enhanced Security Configuration (ESC) has been disabled."
}

Disable-InternetExplorerESC

However, the Stop-Process -Name Explorer -Force throws the following error:

Stop-Process : Cannot find a process with the name "Explorer". Verify the process name and call the cmdlet again.

Remoting into the server, opening Server Manager and checking the Local Server settings reveals that IE Enhanced Security Configuration is "Off", but opening Internet Explorer still shows the setting as "On" and prevents downloads. I have tried restarting the machine after making the change; however, the setting is still in this ambiguous state. Is there a different way of turning off IE ESC that I can try, or another way of going about this in Packer?


Solution

I was able to get this to work with the following PowerShell script being called as a provisioner with elevated permissions in the packer build script:

function Disable-InternetExplorerESC {
   # Active Setup components for the Administrators group (...A7) and the Users group (...A8)
   $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
   $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
   Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -Force
   Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -Force
   # Re-run the iesetup.dll entry points so the new IsInstalled values are applied
   # without needing an interactive Explorer process to restart
   Rundll32 iesetup.dll, IEHardenLMSettings
   Rundll32 iesetup.dll, IEHardenUser
   Rundll32 iesetup.dll, IEHardenAdmin
   Write-Host "IE Enhanced Security Configuration (ESC) has been disabled."
}

Disable-InternetExplorerESC

Here is the packer snippet for the provisioner:

{
   "type": "powershell",
   "scripts": [
      "{{ template_dir }}/scripts/Disable-InternetExplorerESC.ps1"
   ],
   "elevated_user": "{{user `local_admin`}}",
   "elevated_password": "{{user `local_admin_password`}}"
}

Additionally, this seems to only disable IE ESC for the elevated user that ran the script.
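Both scripts above print "has been disabled" unconditionally, which is exactly how the "Server Manager says Off, IE says On" state in the question goes unnoticed until someone uses the image. The following is an added example, not code from the question, the answer or Packer, that wraps the same registry keys and iesetup.dll calls in a read-back check so a Packer build fails instead of shipping an AMI whose ESC state is ambiguous. It also guards the Stop-Process call, since a WinRM provisioner session has no Explorer shell to kill. The function names Get-IEESCState and Set-IEESCState and the -AdminOnly switch are my own; they assume an elevated session on Windows Server 2016 where both Active Setup GUIDs exist.

```powershell
# Added example; Get-IEESCState / Set-IEESCState are hypothetical helper names.
# Same two Active Setup components the question and answer use:
#   ...A7 = Administrators group, ...A8 = Users group; IsInstalled 1 = ESC on, 0 = ESC off.
$script:IEESCKeys = @{
    Admin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    User  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEESCState {
    # Read the policy values back from the registry instead of trusting a status message.
    # -ErrorAction Stop makes a missing key a hard error rather than a silent $null.
    [PSCustomObject]@{
        Admin = (Get-ItemProperty -Path $script:IEESCKeys.Admin -Name IsInstalled -ErrorAction Stop).IsInstalled
        User  = (Get-ItemProperty -Path $script:IEESCKeys.User  -Name IsInstalled -ErrorAction Stop).IsInstalled
    }
}

function Set-IEESCState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State,
        # Only relax ESC for administrators (the accounts that need to download tooling
        # during the build) and leave the Users group hardened.
        [switch]$AdminOnly
    )
    $value  = if ($State -eq 'Off') { 0 } else { 1 }
    $before = Get-IEESCState

    if ($PSCmdlet.ShouldProcess('IE Enhanced Security Configuration', "set $State")) {
        Set-ItemProperty -Path $script:IEESCKeys.Admin -Name IsInstalled -Value $value -Force
        if (-not $AdminOnly) {
            Set-ItemProperty -Path $script:IEESCKeys.User -Name IsInstalled -Value $value -Force
        }
        # Apply the change the same way the answer does. The argument is quoted so PowerShell
        # passes "dll,entrypoint" as one token instead of splitting it on the comma.
        & rundll32.exe 'iesetup.dll,IEHardenLMSettings'
        & rundll32.exe 'iesetup.dll,IEHardenUser'
        & rundll32.exe 'iesetup.dll,IEHardenAdmin'
        # In a Packer/WinRM session there is no desktop shell, which is why the question's
        # Stop-Process -Name Explorer fails. Only restart Explorer if one is actually running.
        $explorer = Get-Process -Name explorer -ErrorAction SilentlyContinue
        if ($explorer) { $explorer | Stop-Process -Force }
    }

    $after   = Get-IEESCState
    $applied = ($after.Admin -eq $value) -and ($AdminOnly -or ($after.User -eq $value))

    # Return an auditable record of what was requested and what the registry now says.
    [PSCustomObject]@{
        Requested = $State
        AdminOnly = [bool]$AdminOnly
        Before    = $before
        After     = $after
        Applied   = $applied
    }
}

# Provisioner entry point: a non-zero exit code makes Packer fail the build,
# so an image with an unverified ESC state is never produced.
$result = Set-IEESCState -State Off -AdminOnly
$result | Format-List
if (-not $result.Applied) {
    Write-Error "IE ESC state did not apply: $($result.After | ConvertTo-Json -Compress)"
    exit 1
}
```

Call the script from the same elevated "powershell" provisioner shown in the answer; -AdminOnly is the least-privilege choice when only the build account needs downloads, and dropping it reproduces the answer's behaviour of turning ESC off for both groups. Because the function supports -WhatIf, you can also run it with -WhatIf from an interactive session to see what it would change before baking it into an AMI.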