Use PowerShell DSC to Configure Internet Explorer


Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Desired State Configuration to configure Internet Explorer on servers.

Microsoft Scripting Guy, Ed Wilson, is here. This morning I decided to use my single-cup tea infuser to make a cup of Orange Cream tea using some leaves I brought back from Germany. I then decided to add a lemon slice to the cup. I should have known better. I won’t say I ruined my cup of tea—OK, I will say that. But I still drank it because I hate to waste a nice cup of tea, and I especially don’t want to waste the leaves that I cannot find here in Charlotte.

Speaking of things I don’t like to, or don’t want to do again…

I personally do not like having a web browser on a server. Of all the potential security risks, this one is a biggie. This is why I love the Enhanced Security Configuration in Internet Explorer. As far as I know, it means that Internet Explorer doesn’t work—at least not very well. I cannot even surf over to TechNet or to the Script Center Repository with this thing turned on. Cool.

Of course (in my humble opinion), the best configuration for servers is Server Core mode, and then use Windows PowerShell to do everything. This is where Windows PowerShell comes to the rescue if I have servers with the GUI still installed.

I can ensure that at least Internet Explorer is running with Enhanced Security Configuration. By default, when I finish installing my Windows Server software (beginning with Windows Server 2008), Enhanced Security Configuration is set for Internet Explorer. This means that if it is turned off, someone (with Administrator rights) has turned it off. I can confirm this by looking in Server Manager. This is shown here:

Image of menu

Create and apply the configuration

The first thing I do is create a configuration. I specify the name, and I import the xIEEsc resource from the xSystemSecurity module, which is part of the Desired State Configuration (DSC) Resource Kit. I then specify my servers and the node as shown here:

Configuration EnableIEEsc
{
    Import-DSCResource -Module xSystemSecurity -Name xIEEsc
    $server = @('s1','s2')
    Node $server
    {

Next I use xIEEsc to enable the Enhanced Security Configuration. I want to do this for Administrators and for normal users, so I actually have to specify the call twice. This is shown here:

        xIEEsc EnableIEEscAdmin
        {
            IsEnabled = $True
            UserRole  = "Administrators"
        }
        xIEEsc EnableIEEscUser
        {
            IsEnabled = $True
            UserRole  = "Users"

The parameters are pretty self-evident. But if I did not know what the parameters were, or if I were unclear about what a parameter wanted, I could use IntelliSense. I highlight xIEEsc, and then either press Ctrl + Spacebar, or right-click and choose Start IntelliSense from the action menu. This provides IntelliSense for the options available.

When I am done, I close out the braces, call the configuration, and start DSC. Here is that portion of code:

        }
    }
}
EnableIEEsc -OutputPath c:\dsc\IEESC
Start-DscConfiguration -Path c:\dsc\ieesc -Wait -Verbose

The complete configuration script is shown here:

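Configuration EnableIEEsc
{
    # Load the xIEEsc resource from the xSystemSecurity module
    Import-DSCResource -Module xSystemSecurity -Name xIEEsc
    # Servers that receive the configuration
    $server = @('s1','s2')
    Node $server
    {
        # Enhanced Security Configuration for members of Administrators
        xIEEsc EnableIEEscAdmin
        {
            IsEnabled = $True
            UserRole  = "Administrators"
        }
        # Enhanced Security Configuration for normal users
        xIEEsc EnableIEEscUser
        {
            IsEnabled = $True
            UserRole  = "Users"
        }
    }
}
# Compile the configuration into one MOF file per node
EnableIEEsc -OutputPath c:\dsc\IEESC
# Push the MOF files to the nodes and wait for the result
Start-DscConfiguration -Path c:\dsc\ieesc -Wait -Verbose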

The script and its associated output are shown here:

Image of command output

I navigate to one of my remote servers to see if it worked. As shown here, it worked fine:

Image of menu
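
The same check can be scripted from a management workstation instead of opening Server Manager on each server. This is an added example, not part of the original article: the function name Get-IEEscAudit is hypothetical, and it assumes the EnableIEEsc configuration has already been applied, that the nodes are reachable over CIM/WinRM, and that Get-DscConfiguration returns the UserRole and IsEnabled properties for the xIEEsc instances.

```powershell
# Added example (not from the original article): audit IE ESC on the DSC nodes.
# Assumes the EnableIEEsc configuration was already applied to each node and that
# the caller has remote administrative access (WinRM/CIM) to them.
function Get-IEEscAudit {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName
    )
    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop

            # Compare the node's actual state with its applied configuration.
            # Compared as text so a Boolean or a string result is handled alike.
            $result = Test-DscConfiguration -CimSession $session -ErrorAction Stop
            $inDesiredState = ("$result" -eq 'True')

            # Get-DscConfiguration reports the current value of every resource;
            # keep only the instances that expose the xIEEsc properties.
            $escState = Get-DscConfiguration -CimSession $session -ErrorAction Stop |
                Where-Object { $_.PSObject.Properties['UserRole'] }

            foreach ($item in $escState) {
                [pscustomobject]@{
                    ComputerName   = $computer
                    UserRole       = $item.UserRole
                    IsEnabled      = $item.IsEnabled
                    InDesiredState = $inDesiredState
                    Error          = $null
                }
            }
        }
        catch {
            # An unreachable or failing node is reported, not silently skipped.
            [pscustomobject]@{
                ComputerName   = $computer
                UserRole       = $null
                IsEnabled      = $null
                InDesiredState = $false
                Error          = $_.Exception.Message
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Same node names as in the configuration above.
Get-IEEscAudit -ComputerName @('s1','s2') | Format-Table -AutoSize
```

A row with IsEnabled set to False, or InDesiredState set to False, means someone with Administrator rights changed the setting after the configuration was applied.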

That is all there is to using DSC to configure Internet Explorer Enhanced Security Configuration on servers. This also concludes DSC Resource Kit Week. Join me tomorrow when I will discuss "Why learn Windows PowerShell?"

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Comments (2)

  1. Looks like DCS rocks!

  2. Chen V says:

    Declarative and focused. Both DCS and your article 5 *
