Blocking Windows Update - Just stopping it completely

[britechguy]

All I can tell you is what Microsoft itself states. And when they make a clear statement that ActiveX is supported, I believe them. It may require a tweak somewhere. I, personally, don't particularly care as I'm not ever going to stick with any website that would require this.

Why they would state, in a bullet point list of features of IE Mode in Edge, that ActiveX is supported if it is indeed not is beyond me. It's also in at least one other piece of documentation I reviewed, but I didn't keep track of where.

And it's clear that the configuration process for sites to be used in IE Mode is arduous and finicky by design.

 

[Markverhyden]

Er, yes, it does. Straight from the horse's mouth: What is Internet Explorer mode? | Microsoft Docs

Beat me to it. I'll have to get some of my customers try that method as well. But it looks like you have to specify which sites to open in IE Mode.

 

[Sky-Knight]

Beat me to it. I'll have to get some of my customers try that method as well. But it looks like you have to specify which sites to open in IE Mode.

Yep, which requires either a GPO or an XML file in a folder somewhere which is annoying... but just also brilliant in a way. Techs can do this, but end users mostly won't... it limits use.

That is until someone writes a catch all XML file and turns Edge into IE. We'll see where that goes...

 

[britechguy]

Well, it appears that Edge IE Mode is truly intended to be a "last gasp tide-me-over" for those who are caught in the unenviable position of having to use a website that's not being maintained and is still back in the dark ages coding wise.

I'm thrilled that it's not "an easy fix" or the problem on the website side as far as making the necessary updates, where those sites are still in real existence rather than a form of abandonware, would just be allowed to drag out even longer. And it should have been gone long, long before now.

What I'm wondering is what option(s) Win10 Home folks end up having.

 

[Sky-Knight]

With less control over Windows update? They'll have to use the XML file method, either that or wait until someone figures out the registry settings the GPOs morph into... Those should work on Home as well as Pro, the catch is determining exactly what those are.

 

[britechguy]

Those should work on Home as well as Pro, the catch is determining exactly what those are.

I have to imagine that those who do this sort of thing, and I'm well aware they exist because I've used the information they provide myself, must have some sort of "dump and diff" process for the entire registry where the before and after "dumped" versions of the system registry are compared after making only the changes one is focused on and where you know those changes had not ever been made before. All of us here should be more than well aware that the Windows registry is somewhat like the Hotel California: Things can check in any time they like, but they can never leave.

Some, of course, do leave if they're related to Settings that have been changed or if the uninstallers actually do what they should do and remove all traces of whatever had been installed. We all know that the latter frequently is not the case.

 

[Diggs]

Then there are extensions for Edge to emulate IE that support ActiveX. Hmmm...... It's just not going to die a peaceful death......

 

[Sky-Knight]

Then there are extensions for Edge to emulate IE that support ActiveX. Hmmm...... It's just not going to die a peaceful death......

Nope, it'll go kicking and screaming into the void... slightly behind the anti-vaxers... and for much the same reasons.

@britechguy Or simply using regmon while a GP update happens... but yes. I could go get this information from one of my own networks, it's just not worth the time to me. But someone will do it, because they always do!

 

[britechguy]

@Sky-Knight and @Diggs

As is virtually always the case with all things Windows (and even MS-produced applications) there are always the proverbial many roads to Rome. It's a matter of picking your favorite.

With regard to Edge extensions, if such are created and "allowed" (for lack of a better way of putting it), you can bet that users of all sorts are likely to bastardize Edge with these rather than going the official IE Mode under Edge route. They're likely to be much easier to install and just "enable it all, everywhere" in one fell swoop. Damn the security torpedoes, full speed ahead!!

 

[Sky-Knight]

@britechguy Yeah, but you know... from a cost / benefit reality that extension linked above is a darned fine way to deal with the problem without having to jump through the flaming hoops Microsoft made.

I'm not saying it's a great idea, but then again we're talking about a long series of means to get to the same not so ideal place of using IE still. The fact that this situation exists at all on Windows 10 means that much less security for everyone. There's no sense in security theater and wasting time doing it the hard way.

 

[britechguy]

There's no sense in security theater and wasting time doing it the hard way.

I presume it's not "security theater" and "doing it the hard way" is actually a part of keeping the added security that's likely "baked in" for handling this unfortunate exception condition. But I absolutely could be wrong.

 

[Sky-Knight]

I presume it's not "security theater" and "doing it the hard way" is actually a part of keeping the added security that's likely "baked in" for handling this unfortunate exception condition. But I absolutely could be wrong.

If that extension works, then the New Edge has all the old stuff baked into it. I presume Microsoft has sandboxed things... but the entire reason ActiveX was abandoned was that it was considered insecurable.

Which brings us to the ugly place where as long as this technology exists on the platform at all, it's a liability. Ease of use is irrelevant against state sponsored actors producing malware.

So what I'm saying is, save yourself the time and headache, if you need IE mode, use the extension. It cannot be more dangerous than the Microsoft methods unless the extension itself is malware. And in the trade, you time... which is good for you and your customers.

 

[britechguy]

A big "if."

But regardless, your final paragraph is correct. And that's one of the reasons I strongly support real drop-dead dates, with sufficient time between announcement and occurrence for any sane individual or organization to make the needed changes.

I also have no problem saying that if the site(s) you're currently using are abandoned, then you had darned well better be prepared to abandon them yourself. And I don't say that lightly, or not having experienced the pain of having to sever something I loved, found very useful, and had been using for years. It happens sometimes, and the security not only of my own systems but in cyberspace in general takes precedence over me and my individual needs. Sometimes that hurts, but doing what's right very often will hurt someone, and often, but not always, that someone is the person or entity that cannot be dragged, even kicking and screaming, into the present. Their recalcitrance cannot dictate anything for the rest of us.

 

[Markverhyden]

So it looks like Home users won't have any problems. Yet. A W10 Home running 20H2 has the option available. But the instructions I saw online didn't match what I was seeing. If they load "edge://settings/defaultBrowser" that's bring them to the IE mode config page. On mine it's got IE mode enabled by default on pages that require it but had to toggle reload webpage on if it needs IE to on.