With the end of IE11 here, we’ve ensured any remaining Win10 boxes have the latest updates for Windows and Edge. Looking at the vulnerability ‘Obsolete MS Internet Explorer’, it indicates that one of the indicators for the vuln is having a certain reg key present. Even with all the updates for Windows and Edge, we think that this reg key will remain present.
The only way to remove the reg key is to remove IE from the optional Windows features. The problem with doing that is that it breaks IE Mode in Edge (something that may or may not be required by a user).
So I’m curious, how are other orgs handling this vuln? Just ignoring it while moving to Win 11?
I can’t speak to how all orgs are handling this, but you are right in your thinking on how to handle it. For those Win10 boxes, IE11 is essentially baked in and Windows does not make it easy to get rid of it. To handle this, you could create a vulnerability exception on the ‘Obsolete MS Internet Explorer’ vulnerability with a scope of those Win 10 boxes. I would align the expiration of that exception with your goal to move everything to Win 11.
That could be a good way to go about it. I was looking at a remediation project with a dynamic scope, with the intent of making it so that it only shows assets without a certain Edge version installed. Haven’t had luck with that so far, so maybe I’ll pivot.