NanoToolkit Blog

The Way to Keep in Touch.

IE 11 Turns On Enhanced Protected Mode by Default

Microsoft introduced Enhanced Protected Mode (EPM) in IE 10. The funny thing is that on most PCs shipped with Windows 8 Home Edition, Windows 8 Pro or Windows 8 Enterprise Edition, and even if you installed Internet Explorer 10.0 on Windows 7, you would have noticed that Enhanced Protected Mode was off by default. I always wondered why Microsoft introduced a feature and chose not to enable it out of the gate. Well, it turns out that with Internet Explorer 11.0 Microsoft went ahead and enabled Enhanced Protected Mode.

I only noticed this difference because on my machines running IE10, UAC Virtualization is enabled for the Internet Explorer tab container processes. To be clear, the process that runs any given tab had User Account Control Virtualization enabled. When Enhanced Protected Mode is off, and thereby UAC Virtualization is enabled for IE, all files that IE add-ons (BHOs, ActiveX controls, toolbars, menus, Accelerators) try to write to some location are redirected to a folder under %UserProfile%\AppData\LocalLow\Microsoft\Internet Explorer.

See Figure 1: IE10 UAC Virtualization is Enabled When Enhanced Protected Mode is Off.

IE11 Enhanced Protected Mode Disabled

See Figure 2: IE10 UAC Virtualization is Off When Enhanced Protected Mode is On.

Internet Explorer 10.0: enabling Enhanced Protected Mode turns UAC Virtualization off.

So effectively, with IE10, UAC Virtualization and Enhanced Protected Mode have an inverse relationship.

As you can see in the figures below, IE11 keeps the same behavior, except that IE 11 has Enhanced Protected Mode on by default, which means Internet Explorer 11 has UAC Virtualization off by default.

Figure 3: IE 11 UAC Virtualization is Disabled When Enhanced Protected Mode is Enabled.

Internet Explorer 11.0: turning on Enhanced Protected Mode turns off UAC Virtualization.

Figure 4: IE 11.0 UAC Virtualization is On When Enhanced Protected Mode is Off.

Internet Explorer 11.0: disabling Enhanced Protected Mode enables UAC Virtualization.

But IE11 has a welcome feature. In IE10, if you enabled EPM (Enhanced Protected Mode), IE would also force the container process for all tabs to be upgraded to 64-bit (of course, that is only true on 64-bit machines). The issue was that most IE plugins, such as ActiveX controls, do not provide an x64 edition of their product. So IE11 decouples Enhanced Protected Mode from 64-bit tab container processes. Internet Explorer 11.0 effectively enables Enhanced Protected Mode by default, but it does not force 64-bit tab container processes along with it.

Figure 5: Internet Explorer 11.0 Option for Enabling 64-bit Child Processes.

Internet Explorer 11.0: enabling 64-bit tab processes. On Windows 8.1, IE11 has 64-bit child processes off by default.
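
To check these two settings without opening the Advanced tab, the following PowerShell reads the registry values behind them. This is an added example, not code from the original post; the value names and data (`Isolation` = `PMEM`/`PMIL`, `Isolation64Bit` = `0`/`1`) come from general knowledge of IE 10/11 rather than from the post, and the last column simply applies the inverse relationship described above.

```powershell
# Added example (requires PowerShell 3.0 or later).
# Assumption: IE stores EPM as the string value "Isolation" (PMEM = on,
# PMIL = off) and the 64-bit tab option as the DWORD "Isolation64Bit".
$locations = @(
    @{ Name = 'Machine policy';  Path = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main' },
    @{ Name = 'User policy';     Path = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main' },
    @{ Name = 'User preference'; Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main' }
)

function Get-IeEpmSetting {
    foreach ($loc in $locations) {
        # A missing key or value is normal: it means nothing was configured there.
        $props = Get-ItemProperty -Path $loc.Path -ErrorAction SilentlyContinue
        $isolation = $null
        $iso64     = $null
        if ($props) {
            $isolation = $props.Isolation
            $iso64     = $props.Isolation64Bit
        }

        if     ($null -eq $isolation)  { $epm = 'Not set' }
        elseif ($isolation -eq 'PMEM') { $epm = 'On' }
        elseif ($isolation -eq 'PMIL') { $epm = 'Off' }
        else                           { $epm = "Unrecognized ($isolation)" }

        if     ($null -eq $iso64) { $x64 = 'Not set' }
        elseif ($iso64 -eq 1)     { $x64 = 'On' }
        else                      { $x64 = 'Off' }

        # Inverse relationship observed in the post: EPM on -> UAC virtualization off.
        if     ($epm -eq 'On')  { $uac = 'Disabled' }
        elseif ($epm -eq 'Off') { $uac = 'Enabled' }
        else                    { $uac = 'Follows browser default' }

        [pscustomobject]@{
            Location                = $loc.Name
            EnhancedProtectedMode   = $epm
            TabProcesses64Bit       = $x64
            ExpectedTabUacVirtState = $uac
        }
    }
}

Get-IeEpmSetting | Format-Table -AutoSize
```

A row showing "Not set" means that location does not override anything, so the browser's built-in default for that IE version applies.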