Hi all-

I think this is a pretty simple question but I want to ask it to make sure this isn't a problem when we begin patching. Some of the applications our business uses are very dependent on us using either Internet Explorer 8 or 9. What I'm trying to avoid is during patching, having our machines encounter any chance where they can be automatically updated to a higher version of Internet Explorer. In my subscription settings on the K1000, I currently have it set up as:

Security Patches - Checked

Application Patches - Checked

Non-Security Patches - Checked

Application Patches - Checked

Include Software Installers - Unchecked

As long as I have that last option unchecked, will the IE browsers in my network never update automatically through patching, or am I misinformed and should be looking elsewhere at making changes?

Thank you all!

4 Comments


  • We ran into problems with IE 11 not working on our PeopleSoft and other apps. So we wanted to block it also, but when we added our site and the sister site to the compatibility list in IE 11 the apps worked fine.
  • Yeah, we've added one of our web-based applications that "requires" Internet Explorer 8 into the Compatibility List in IE 11 and observed that most of the functionality works; however, the vendor will not offer us support even in that particular configuration because it vehemently goes against their "official" compatibility documentation.
  • ...these vendors. I get it to a point, but come on, IE8? Update your code...sheesh.
  • I have one Line of Business web application that works in any flavor IE, Chrome, Firefox, Opera, and I'm pretty sure Netscape Navigator and then I got this guy who will only work in IE8. It's......lovely....yeah, that's the word I'm looking for.

Community Chosen Answer



I would manually disable those patches in your patch listing just to be sure they don't deploy. It is flagged as an Application patch.

Answered 02/19/2014 by: jegolf
Red Belt

  • agree
  • Thanks, jegolf. This seems to be the solution we will adopt as well to ensure we don't get any unwanted IE upgrades. Thank you!



We also disabled it via the K1000 patch listing and through our AD Group Policy using the Policy definitions (ADMX files) retrieved from the central store.

Windows Components/Windows Update/Automatic Updates Blockers v3

Policy                                                                     Setting
Do not allow delivery of Internet Explorer 10 through Automatic Updates    Enabled
Do not allow delivery of Internet Explorer 11 through Automatic Updates    Enabled
Do not allow delivery of Internet Explorer 9 through Automatic Updates     Enabled

We use the K1000 to patch our systems but we allow our Tech Team to go to Windows Update as needed so we needed to block the IE update as we too have specific browser version needs in our agency.

Answered 02/19/2014 by: RaquelS
Orange Belt
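
A way to confirm on an endpoint that the Group Policy settings in the answer above actually applied, as an added example that is not part of the original posts. It assumes the policy writes the registry values documented for Microsoft's IE Blocker Toolkits (DoNotAllowIE90, DoNotAllowIE10, DoNotAllowIE11 under the Internet Explorer Setup key); the function name is hypothetical.

```powershell
# Added example: audit the IE delivery blockers on the local machine.
# Assumption: the "Automatic Updates Blockers" policy sets the registry values
# documented for Microsoft's IE Blocker Toolkits (data 1 = delivery blocked).
$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'

$blockers = @(
    @{ Release = 'IE 9';  SubKey = '9.0';  Value = 'DoNotAllowIE90' },
    @{ Release = 'IE 10'; SubKey = '10.0'; Value = 'DoNotAllowIE10' },
    @{ Release = 'IE 11'; SubKey = '11.0'; Value = 'DoNotAllowIE11' }
)

function Get-IEBlockerStatus {   # hypothetical helper name
    foreach ($b in $blockers) {
        $path = Join-Path $ieKey ("Setup\" + $b.SubKey)
        $data = $null
        if (Test-Path $path) {
            # A missing value yields $null rather than an error
            $prop = Get-ItemProperty -Path $path -Name $b.Value -ErrorAction SilentlyContinue
            if ($prop) { $data = $prop.($b.Value) }
        }
        New-Object PSObject -Property @{
            Release   = $b.Release
            ValueName = $b.Value
            Data      = $data
            Blocked   = ($data -eq 1)
        }
    }
}

# Installed version: svcVersion is present on IE 10 and later, Version on older releases
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
$installed = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
Write-Output "Installed Internet Explorer version: $installed"

$status = @(Get-IEBlockerStatus)
$status | Format-Table Release, ValueName, Data, Blocked -AutoSize

# Non-zero exit lets a scheduled script or inventory rule flag the machine
$missing = @($status | Where-Object { -not $_.Blocked })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Release }) -join ', '
    Write-Warning "No delivery blocker set for: $names"
    exit 1
}
```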


We've got the same issues with IE. We're running with the tick boxes as you suggest and also a patch smart label like:


Basically what you get then is all OS patches (Mac and Windows), but no upgrades. So no manual work and no worries about the next IE etc.

Also you have to add application patching (e.g. Java, Adobe etc.) as needed through adding more smart labels to the patching task.


Best regards


Answered 02/20/2014 by: adam_nerell
Yellow Belt
