Fix web app compatibility with Enterprise Mode

Hi, everyone. Today we’re gonna be covering
web app compatibility with Enterprise Mode for Internet
Explorer and Microsoft Edge. Although it’s a very small audience,
and I love getting very interactive, we are recording this session. So, I’d appreciate it if you
hold questions until the end. I promise you I’ll answer most
of your questions throughout the presentation. But I will stay at the end and I’ll stay afterwards as long as
it takes to answer questions. So if you talk to twelve different
consultants you’re likely to get twelve different answers for
how a project should go. But generally, there’s a phase
where you consider the product, you look at what available
products there are, look at the capabilities
of those products. There’s a phase where you plan and
evaluate your current inventory. There’s a phase where you test and
remediate applications. And there’s a phase where
you actually deploy and manage the software. Today’s session is going to be
really focused on testing and remediation, and
we wanna get as deep as we can, so I’m gonna be diving into
demos pretty quickly. But I also wanted to give you
some background as to why Internet Explorer has such great
backward compatibility and some of the features and tools that we have available to
help you at each of these phases. So first talking
about consideration. I know this is an eye chart but it’s
really helpful to understand where we came from to understand
where we’re going. These are the list of possible
supported operating systems for different versions of
Internet Explorer. Of course, Windows XP had IE6, 7, and 8. Windows Vista supported IE7,
8, and 9. Windows 7 supported four versions
of Internet Explorer, IE8, 9, 10, and 11. Windows 8 only had IE10, and
Windows 8.1 only supported IE11. On Windows 10 we have two
browsers and I should explain. Internet Explorer 11 is
supported primarily for backward compatibility, and we’ll go into this in a lot
more detail as we go forward. Internet Explorer 11 is the last
major version of Internet Explorer and it will continue to get security
updates and technical support for the life of the operating
system on which it’s installed. So Internet Explorer 11 isn’t
going away any time soon, but all of our new development work, and all of our new standards work
is going into Microsoft Edge, which is a faster, safer browser
designed for Windows 10. Now of course,
looking at this chart, it makes sense that many customers
standardized on Internet Explorer 8. Because it was the only version of
Internet Explorer that was available on Windows XP, Windows Vista,
and on Windows 7. So as you migrated from Windows XP
up to Windows 7, many customers standardized on IE 8 because if you
could move to IE 8 on Windows XP, you were essentially doing some
of your migration ahead of time. Likewise, if you move to Internet
Explorer 11 now, and most of you hopefully already have, but if you’ve moved to IE 11
already on Windows 7, you’ve done some of your Windows
10 migration work ahead of time. Now this is the list of
currently supported browsers. As I said a moment ago, Internet Explorer 11 is the last
major version of Internet Explorer but it will continue to get security
updates and technical support and occasional minor compatibility
fixes where it makes sense. We do support IE11 on Windows 7,
on Windows 8.1, and on Windows 10. Our message to customers about line
of business applications is that upgrading your line of business
applications to modern web standards obviously makes the most sense. But you can use backward
compatibility and continue to use Internet Explorer
11 as long as you need to. To put that differently, you can upgrade your web
applications on your own schedule and not on a migration schedule or
on Microsoft’s schedule. So we continue to support
Internet Explorer 11. Now, I should also explain, a moment
ago I said that we would occasionally offer minor compatibility fixes
where it made sense to do so on IE11. What I meant by that is,
here’s an example, last January, we issued a cumulative security
update for Internet Explorer 11. And we found that it broke jQuery
for a certain number of customers. So in areas where we may issue
a cumulative security update for Internet Explorer 11, and
it may break something, we absolutely still wanna
be able to fix that. So that’s what I meant when
I said we’re offering minor updates for
Internet Explorer 11 and of course, continuing to offer security and
technical support for the life of the operating
system on which it’s installed. At the same time, where we really
want to go is to Microsoft Edge. On Windows 10, Microsoft Edge
is a much faster, much safer, much more standards
compliant browser. And we have a lot of
evidence that’s starting to come out that supports that. So I’ll share with you just a little
bit of our vision for Windows 10 and where we wanna take Microsoft Edge
and where it is today. Now, I don’t have a lot of
slides on Microsoft Edge, if you’re really interested
in the deep dive, I encourage you to go watch my
session from Microsoft Ignite. Where I did a 75 minute
breakout on Microsoft Edge and its compatibility and
security and so on. But I did wanna share this with you. Just a couple things, one is we did
commission Forrester to go out and survey customers and find out from
large customers who had already deployed Microsoft Edge
what their experience was. Now frankly I’m in marketing
although I’m an IT pro, so I love getting surveys of real customers
because I can use this in two ways. If it’s negative about Microsoft and
about our product, I use it as a hammer against engineering
to go build a better product. If it’s positive for Microsoft,
then I get to use it for marketing material. And I’m very pleased to say, I
commissioned Forrester to go do this survey and said, I want the truth. Go talk to customers who’ve deployed
Microsoft Edge in 500 seats or more, in some cases, they found out
more than 100,000 seats, in the US, UK, Germany, and Japan. They found 168 customers and
did a very in-depth survey and created an infographic for
us that gives the results. You can download this yourself if
you go to It’s available in, I think,
11 different languages. The net of all this is
the experience with Microsoft Edge is relatively positive. I say relatively because there are
some, there are some trade offs, and I’ll explain those. Over 90% of customers experienced a
positive return on their investment for deploying Microsoft Edge. A significant number found that
there were fewer successful phishing attacks, there were fewer
social engineered malware attacks. Many customers found that they were
more productive using Cortana, and they were more productive
having webpages load faster and have a much cleaner look and using
reading view and other features. Now the trade off is, customers
who deployed TH2, that is to say the Windows 10 November update from
over a year ago, generally had a lesser experience than customers
who were deploying Redstone 1. Which is to say our Windows
10 anniversary update. Now if you think about
this it makes sense. Windows 10 November update
came over a year ago. Since we released Microsoft Edge
as part of Windows 10, we’ve gone through
three major updates and we’re coming up on
a fourth major update. So many of you are old school
Microsoft folks, and I respect that, and I think the old school mantra
was, you never deploy something until it’s at least service
pack one or service pack two. The easiest way to think about
Microsoft Edge is it is always up to date, and
that’s what we’re aiming for. But we’ve been through three
major revisions so far and we’re coming up on a fourth. So it is a much more mature product
than it was even a year ago. If you use the Windows
10 anniversary update, you’ll find that you have a much better
experience with the product. And of course if you use
Redstone 2, that’s coming up, the Windows 10 Creators Update, you’ll have an even better
experience with Microsoft Edge. Of course,
what do I mean by better experience? I mean compatibility
with the modern web. We want to make sure that Windows 10
Microsoft Edge is compatible with today’s websites and services. And so if you look at If you look at If you look at Kangax ECMAScript
scores, you’ll find that we’re very competitive with Chrome,
with Firefox, with other browsers. So we do have a horse in the game so
to speak now, we do have a very successful product. All right, there is another resource
that I wanted to point you to and that’s browser security. NSS Labs is an independent security
firm that does testing on their own and then they release these reports
periodically about firewall safety, about Windows safety,
endpoint protection. One of the things they test
is browser security and specifically they
test phishing sites. And the ability to block
socially engineered malware. What they found on November 1st
of last year, they released two reports, one for phishing and
one for socially engineered malware. That found that Microsoft Edge not
only blocked more phishing sites and more socially engineered malware
than Chrome or Firefox, but they also found that Microsoft Edge
blocked that more consistently, and it blocked it faster
than other browsers. This is just a link to the reports, Microsoft didn’t commission
NSS labs to do those reports. This is just a quick link to
the NSS lab’s pages itself. If you to you can get a direct link to
those reports as well. What we suggest on Windows 10,
is that you standardize on Microsoft Edge for a faster,
safer browsing experience. And then you can fall back to
Internet Explorer 11 just for the sites that need
backward compatibility. A couple of the group policies
that I’ll be showing you, we introduced in the Windows 10
anniversary update this past summer. And in the Windows 10 anniversary
update we now have the ability to limit the use of Internet Explorer
11 just to the sites that are on your Enterprise Mode Site List. So, effectively, what we’re giving
you is least privilege browsing. We’re saying you can standardize
on Microsoft Edge and use that as your default browser and fall back to Internet Explorer 11
only for the sites you’ve approved. Now, of course,
if anyone goes to any other site, it switches right back
to Microsoft Edge. And I can anticipate at least one
question at this point, and that’s, we’ve had a number of customers
approach us and say, this works great, except when are we gonna have
the ability to keep favorites in sync between the two browsers so
my users aren’t confused? The good news is, that’s live in
the Windows Insider Preview, and it’s coming in Redstone 2. So that is a feature in a group
policy that we’re bringing in the Windows 10 Creators Update, to
be able to keep Internet Explorer 11 and Microsoft Edge favorites in
sync across the two browsers. Now, let’s go back a little
bit to explain document modes. Now, as I said before,
I’m an IT pro, I’m not a developer. What little development I did I
think is covered under the statute of limitations. But I do know something about
document modes having been in the space for five years now and having been in the industry for
almost 30 years, I think. When Microsoft shipped
Internet Explorer 5, we included a document mode for
IE 5 standards. Now some of these were tried and
true Internet standards, some of these were Microsoft
proprietary standards. In other words, we included
functionality in the browser, by customer request, that
enables you to do things in line of business applications and the web
went in a different direction. So if you think about it,
20 years ago, when we first shipped Internet Explorer, there weren’t
a lot of great web standards. In order to create really
compelling web applications, we needed to enable binary control. So we enabled ActiveX controls,
we enabled Java, we enabled Silverlight, and
other kind of binary technologies, those gave web applications
the power of your PC. But the web has gone in
a different direction now. And so, primarily, I think for security reasons, we now have
web standards like HTML5, CSS 3, WebGL, that give you a lot of power,
while at the same time, they don’t really expose your
PC to those binary extensions. So that’s the way that
modern browsers are working. But if we go back to IE5, IE5 supported a lot of technologies
that were proprietary to IE5, a lot of ways of doing things
that only worked in IE5. And, of course, a little later we
came out with IE6 and then IE7. In IE7, we realized that a lot of
applications had been written for IE5 standards, so we created something called a
document mode, an IE7 document mode. This included IE5 document mode for
those older applications and IE7 document mode for
newer applications. Now, this is an important
distinction because this is still true today. If a web page doesn’t have
a valid doc type in the header, it will automatically fall
back in Internet Explorer, any version of Internet Explorer, it
will fall back to IE5 quirks mode. And that’s an important
distinction because this is something that we can
control today through Enterprise Mode, which we’ll talk about
more in a little bit. Now in IE8 we included IE5 Doc Mode,
IE7 Doc Mode, IE8 Doc Mode. If you look the timeline here,
this really explains it. When we came out with IE5,
it was 1999, IE8 came out in 2009. There were a lot of line of business
applications written in that ten year period. And many of these line of business
applications are still in use today. So when we came out with IE8, we also included something
called compatibility view. Compatibility view is
basically a switch. What it does is,
it puts a web page in IE7 mode, if there’s a valid doc type on the
page, and it falls back to IE5 mode, if there’s not a valid doc type. There’s a lot of confusion
about compatibility view and I want to make it very simple. Compatibility view,
even to this day, means you’ll either get IE7
doc mode, or IE5 doc mode. You can enable this in a variety of
ways, but what we recommend today is to use Enterprise Mode because that
gives you the most granularity. Now, of course,
there are some group policies. The problem with the group policies
is they work at the domain level. So if you set
in compatibility view that means everything
under is gonna show up in either IE5 or
IE7 mode. I have a lot of customers
who approach me and say, hey, this site works fine or
this web app works fine in Chrome. It doesn’t work in
Internet Explorer. The number one cause of that is that
you’re forcing Internet Explorer to try to run it in IE7 mode. And, of course, it’s not gonna work. So there are ways
of fixing this now, which I’ll talk about
in a little bit. First, IE9 included all
of those doc modes, plus IE9, IE10, plus IE10 doc mode. And in IE11, we had these document modes when we
first shipped Internet Explorer 11. But some customers came to us and
said, you know what, it’s great that you
have all these document modes, but my web application
still doesn’t work. You’ve turned off some things over
the years that we needed in IE5, or IE7 or IE8, and
those no longer work in IE11. So we worked with 90
customers in a pilot. And in April of 2014, we issued
something called Enterprise Mode. Now, Enterprise Mode is
higher fidelity emulation for older versions of Internet Explorer. Think of this as a better
emulation than the document modes that were built into IE11
when we first shipped it. IE8 Enterprise Mode is basically
trying as much as possible to emulate Internet Explorer 8. It pretends to be
Internet Explorer 8, and tells the website
it’s Internet Explorer 8. It uses the exact same original
user agent string that IE8 did. It even spoofs the version
number to ActiveX controls. So if an ActiveX control asks
the browser what version are you? It’ll say,
as far as you know I’m IE8, and most of those ActiveX controls
will continue to work. I say most, because we occasionally
run into something squirrely. We had one customer in Japan,
for example, who told us they had a custom
written ActiveX control that actually was set to query
the operating system and make sure that the operating
system was Windows XP. So in cases like that, it’s hard for
the browser to put a shim there, but in nearly all cases using
IE8 Enterprise Mode, you can get ActiveX controls to
work, where before they would fail. IE7 Enterprise Mode is, essentially, IE8 Enterprise Mode running
in compatibility view. So it’s IE8 emulation running
in compatibility view, which will obviously bring you
down to either IE7 document mode, or IE5 document mode. You can enable these things through
Enterprise Mode, and you can enable enterprise mode through group
policy, MDM or registry key. And I’ll show you those
methods in a few minutes. So these are the document
modes available in IE11 in Enterprise Mode. I talk to a lot of
customers who say, I pulled up my site in Internet
Explorer 11, it didn’t work so we just check a red X and
we move on. Let me encourage you to think about
testing these modes before you dismiss IE 11, especially for
backward compatibility. If you have a site that works
in IE5, IE6, IE7, IE8, IE9, IE10, and doesn’t work in IE11, chances are that it’s not running
in the right document mode. So, that’s what this
session is covering, is how you can assess which
document mode is being used today successfully by
your application, and how you can use enterprise mode to
set the document mode yourself. And how you can get this to work
in a Windows 10 environment, where you just fall back to IE11 for those sites that need this
backward compatibility. So let’s move on to planning and
evaluation. We have a few different tools that
you can use to be able to assess your current environment. I’m assuming that in some way your
web application works with some version of Internet Explorer. If you have a problem where you have
a web application that works with other modern browsers and does
not work with Internet Explorer, let’s talk offline, because there are
some techniques that you can use. You can use some of these same
techniques, but this specific scenario that I am supporting
here is, you have an application, it works fine in IE five,
six, seven, eight, nine, ten. And for some reason you can’t
get it to work in IE11. So this can help you
with that scenario. One way you can test this is using
the F12 developer tools in IE8, 9, 10, or 11 and seeing what document mode is being
used today by the application. This is a manual effort, but
it doesn’t require too much work. So there are customers who have
trained a few people to go test. And you can build a spreadsheet or build a database of
that pretty quickly. Now a little bit easier is
Enterprise site discovery. We built some hooks into IE 8,
9, 10, and 11 that are turned
off by default. But if you choose to enable them,
you can collect information from your machines and I have a
slide later about what’s collected. But you can collect
information very selectively. You can choose to collect
information only about certain sites or the intranet as opposed
to the internet at large. And it will tell you things like
what document mode is being used by what page. And then finally upgrade analytics. If you’re using upgrade analytics
today to assess your, let’s say, Windows 7 environment to
upgrade to Windows 10. There is a way that you can turn on
enterprise site discovery telemetry inside upgrade analytics and take
a look at what your users are doing. What websites are they going to, and
what document modes they’re using. And of course we do obfuscate
some of that information, so there’s still privacy. But I encourage you to check the
local privacy laws before enabling enterprise site discovery,
or upgrade analytics to make sure that you’re not
doing something you shouldn’t, or collecting information
that you shouldn’t. And of course, you can scope this,
again, just to your intranet sites, or just to a certain set of domains. So the F12 developer tools
are relatively simple. All we’re doing in this context is
looking at the emulation tab and looking at what document mode is
being used by this site and for what reason. In this case we can see that the
document mode being used is IE 7 and it’s being used because there’s an X-UA-Compatible meta tag
on the site itself. In other words, the webpage itself
is asking for IE 7 document mode. Now there are customers
out there that for years have had, including
the X-UA-Compatible meta tag for IE 8 as part of their
developer standards. So I’ve talked to many
large customers who say we’re creating new webpages that
work fine in other modern browsers, and they don’t work
in Internet Explorer. This could be a reason because
the developers themselves have hard coded the site to ask for
IE 7 document mode. Now the good news is Enterprise mode overrides what the site
itself is asking for. So even if a site has an X-UA-Compatible
meta tag on the site saying I wanna be in
IE 7 document mode. Enterprise mode has
the ability to override that. It essentially gives more
control back to the IT pros, like myself as opposed to the
developers who may have five years ago may have asked for an IE 8
document mode, when it made sense. But it no longer makes sense
in today’s environment. Enterprise site
discovery I mentioned. These are hooks that are again
turned off by default, available in IE 8, 9, 10 and 11. You can collect information,
collect it via WMI or XML. If you’re using
System Center Configuration Manager, there’s a tool kit you can download
that contains some sample queries. So you can gather information
from the machines themselves, collect it in SCCM and
then display that. Or you can collect it using
whatever tool you like. If you output to XML, you can
pull it into a spreadsheet. Whatever is easiest for you. This is the information that
Enterprise Site Discovery actually collects. You’ll see on most versions
of Internet Explorer. We collect the document mode, the document reason, even hangs or
crashes associated with the site. So if users tell you,
well the site works fine in IE8 or IE9 you may be able to tell them,
well it only works half the time, it does crash sometimes,
even in your native environment. If you’re interested in more
information about Enterprise site discovery, we do have a lot
of information on TechNet, and do a search on Enterprise
site discovery toolkit for a downloadable toolkit that contains
some sample PowerShell scripts and some SECM sample queries. And of course, you can also plug
this into upgrade analytics, as I mentioned before. This can gather information about
what sites are being visited and what document modes those
sites are being rendered in. I do wanna emphasize one thing
about the last two methods though, enterprise site discovery and
upgrade analytics and that’s that this is really,
it’s not a web crawler. So this is a way of creating
a data driven picture of your web environment, but
it may not be holistic. In other words, I did a lot of
ERP deployments in the 90s and I know from working with
accountants that sometimes they had functions that they only
ran once a year, for year end or once a quarter for
quarter runs. So if you’re using this kind of tool
to gather information from your users about what applications
are being used when that may not necessarily indicate the importance
of some applications and you may miss some web
applications entirely. On the plus side having
a better data driven picture of your web
environment can help you. For example, even within Microsoft,
we found that there was an application that a lot of
the engineering team was using that was actually hosted
under somebody’s desk. So this can help IT kind of corral
those kinds of applications and figure out what really belongs
in the cloud, what should have much better data redundancy or
data support. So if that workstation
under a desk goes down, you’re not killing
your productivity. Right, next let’s talk about
testing and remediation. This is where we’re gonna
drive into some demos. I mentioned before,
you can use the F12 developer tools, not only to assess your environment,
but also in IE11, to test the modes that
an application can use. It’s our recommendation that you
test using IE11 document mode. And then IE10 document mode and
so on down the list. And then fall back to IE8 Enterprise
Mode or IE7 Enterprise Mode. And that’s for a couple of reasons. One is performance, there is gonna be a little bit of
a hit running in enterprise mode. Because of course, you’re running in a much higher
fidelity emulation for IE8. So it still is going to
run much faster than IE8. Remember IE8 didn’t have any
hardware acceleration whatsoever. So in IE11 running in enterprise
mode you’re still going to be an order of magnitude faster
than running in IE8 natively. I ran SunSpider myself just out of
curiosity and on my own tests I found that IE8 ran SunSpider on my
test machine in about eight seconds. In IE11 Enterprise mode, it ran in
about 800 milliseconds, and running natively in IE11 document mode, it
ran in less than 200 milliseconds. So that gives you
an idea of the scale. Now if all of the regular
document modes fail, you test Enterprise mode by
changing the browser profile. And I’ll show you how
to do this in a second. And then you have available within
that enterprise mode IE8, IE7, and IE5 document modes just as you
would if you were running IE8. Once you know which sites
run in which document modes, then you can create
an enterprise mode site list. Now there’s a tool that we use for creating this today called the
enterprise mode site list manager, and I’ll show you that tool. We’re also working on a web portal
that will make it much easier, and I have some screen shots of
that web portal to show you. This is a little bit easier, by the way, than the original schema
that we came out with in 2014. This new schema is
supported by IE11. If you’ve taken the cumulative
security updates from last June, June 2016, or later then your environment
can use this new V2 schema. And the v2 schema
basically uses a site tag. Within a site you can chose
a compatibility mode and which browser to open it in. So you can specify Microsoft Edge, you can specify IE11 and this is
a much more extensible system. So down the road we may add other
functions into this because the schema is much
more easily extensible. I did update this slide a little
bit from when I presented a similar session on Microsoft Ignite. This is a one stop cheat sheet for
all of the group policies and registry keys associated with
Internet Explorer 11 and Microsoft Edge. So obviously, this is for
Windows 7, IE11, Windows 8.1 or Windows 10 for
either browser. And the slides are available online
or you’re welcome to take a picture. I’ll walk you through this, though,
in a lot more detail right now. Whenever I do demos,
I like to explain my environment. There’s no smoke or mirrors here. I’m simply running a Windows 7
Service Pack 1 machine, a VM. And I’m also running a Windows
10 anniversary update machine so Redstone 1 machine. I’m gonna switch over
to those right now. Let’s start on Windows 7 and I’ll go full screen make
it a little bit easier. All right, so, that’s all right. So in this environment if I
pull up Internet Explorer and I set up a local host machine that
has some IE 7, IE 5 applications. So think of these as
your own applications. And in this case,
I pulled up an application and you’ll notice that
something’s wrong. The buttons seem to be in
the upper left corner. There was a web standard back
around IE5, IE6, IE7, IE8, called CSS Expressions. Now again, I’m not a developer but
CSS Expression was a way of putting things in a static location on
a page so of course a lot of developers use CSS Expressions for
things like buttons. If you pull up a website in
immediately everything is in the upper left corner,
this is a drop dead giveaway that probably they’re
using CSS Expressions because CSS Expressions was
not adopted as a W3C standard. So we dropped it in IE9. So if you are trying to
run this site in IE 11 and then everything appears in
the upper left hand corner, it’s because IE 11 doesn’t know
where to put those objects. Now if I’m troubleshooting these,
I would go into the F12 developer tools into the emulation tab, and
I would change the document mode. Now, this is a little bit of
a misnomer, because for years, we’ve called the latest document
mode to that browser, Edge. So it’s a little bit confusing. But Edge, in this context,
is IE11 document mode, and it has nothing to do with
Microsoft Edge, the browser. In this context IE11, Document
mode is this which is the default. We can try switching back to IE10,
still doesn’t work. We can try switching back to IE9,
still doesn’t work, and so on and if we get all
the way through this and find that none of these
document modes work. That’s when we try enterprise mode. That’s when we try the higher
fidelity emulation of IE8. And the way you go about trying this
is by switching the browser profile. Let me scroll down a little bit so
you can see the whole dialog box. Changing the browser
profile to enterprise. And we don’t have an enterprise here
so it’s a bit of a trick question. By default enterprise
mode is turned off. So this is where we get
a little more technical and we start diving into
registry keys and so on. And I’m gonna pull up GPedit.MSC
because I wanna show you where this is. If I’m looking at group policy,
I would go into Administrative Templates,
Windows Components, Internet Explorer, and I’m gonna change this to standard just so
we can see more of the window here. Remember right now we’re just
troubleshooting compatibility. We’re not setting the enterprise
mode site list yet, we’re just troubleshooting compatibility and
there are a couple of settings here. One is, let users turn on and use
enterprise mode from the tools menu. You need to enable this if
you wanna be able to see the enterprise as
a browser profile option. In other words just for
testing you need to enable this for your testers to be able to
turn on enterprise mode. The other group policy that we’ll
look at in a little bit later is use the enterprise
mode IE website list. This is the actual pointer
to where the list resides. So let’s go ahead and
turn this one on. I’m going to enable it. Okay, and of course I can now
do GP update force. The alternative method is I
can create a registry key. And I wanna show you that as
well while this is running. So the registry key,
I’m gonna look at HKLM, SOFTWARE, Policies, and this is tricky
because some people call me and say, hey, I couldn’t find the reg key. It’s under Policies, not SOFTWARE. And then Microsoft Internet
Explorer, Main and now, we have these keys now but I wanted
to show you, if for some reasons, Enterprise mode doesn’t exist,
you can simply create it. Simply create the Enterprise mode
key and then create, Enable, that’s just a regular string. So if the enable string exists,
now when I start up. And I do have to restart
my browser here. So I’m gonna restart
internet explorer. We’ll go back to our page and
I’m gonna go to localhost.po. Hit F12. Now we should see
enterprise as an option, under desktop profiles. So now if I choose enterprise
we got our buttons back. Our buttons are now in
the right place on the page. You’ll notice this
is CSS expressions. If I close out the F12
developer tools and scroll, the buttons stay in the same
static location on the page. But now that I’ve got
everything running I see that the document mode is
actually five that’s working. Now this is interesting because I
could either use IE8 Enterprise mode or I could use IE7 enterprise mode,
because apparently this page doesn’t have a valid doc type anyway,
so it doesn’t matter. I could use either of those doc
types because it’s gonna fall back to IE5 document
mode either way. Doesn’t really matter. All right, so now I know which
document mode to use for this particular site. And I can close this out and
let’s go ahead and run the Enterprise Mode Site List
Manager to create an Enterprise Mode site list. Now I’m gonna cheat a little bit
by running this as administrator. You don’t ordinarily
need to do this. Actually, that’s okay. All right. What I’m gonna do here
is add local host. Actually I don’t have it there so
I need to add it. Now this is a very simple
tool with some caveats. The tool here basically
lets me enter in a url, and I can enter in any string. It can be a web path. It can be a domain where it
can be a longer web path. In this case,
I’m just gonna enter localhost. And I’m gonna say to use
IE8 Enterprise Mode. These are my options, they should
be familiar to you by now. IE11 Enterprise Document Mode,
IE10 all the way through IE5. And then we have our
higher fidelity emulation. There’s also defaults if
you simply wanted to switch browsers you can
leave it in defaults. If you want to use the enterprise
mode site list to actually just switch browsers and
not change the document mode. In this case we’re gonna
use IE8 document mode and I can tell it which
browser to open it. This is available,
whether you’re using Windows 7, Enterprise Mode Site List Manager,
or on Windows 8.1, or on Windows 10, because, of course, as you move
to a Windows 10 environment. We’d like for you to start doing
some of that work ahead of time, and, if you’re already using
the Enterprise Mode Site List in a Windows 7 environment,
like I said, you’ve already done
part of your migration. So I’m gonna say to open in IE11,
we’ll save this, it’ll validate it. By the way,
this tool is good and bad. The good news about this tool is
it will keep you from stepping on yourself. It will create valid XML,
it will automatically test a link. So if you’re actually sending
it a link that forwards to a different link. It will find that and it will
suggest that you include both links. The downside of this tool is it’s
really designed for a single user. So I talked to a lot of customers
who have a large environment and they may have multiple
people getting in and using this tool at the same time. That’s why we’re working on the web
portal, which I’ll close the talk with at the end. The web portal is more
of a self-service portal. Line of business application
owners can submit requests, you can approve them, and
you can publish to production or you can publish to testing. So there’s a lot of
flexibility with that tool. This one obviously
has some limitations. With that said, I can go ahead and
save to XML. I know that it’s going to create a site list that’s pretty valid. And now that I’ve saved that,
let’s go ahead and copy it over. Again I’m just using in this
case I’m using my local IIS so I’m going to copy the site lists. And paste it into C inetpub root and
it will prompt me for administrative permissions
in a second. There we go. Okay. So I’ve replaced the site list. Now just to make sure that
we can see it I’m gonna pull the site list up here. Localhostsitelist.xml. This is the .xml file
that we just created. So this is the file that
includes the sites, so there’s a little bit
of metadata here. Who created the list, when was
it created, what version is it. What is the site URL? What is the mode that
we’re opening in and what is the browser
that we’re opening in? So, it’s really straightforward. Now let’s go ahead and create the group policy
that points it to the list. So I’m gonna use
the Enterprise Mode Site List, enable this, and point it to
localhost sitelist dot xml. And then click the OK button. All right, and I’ll go ahead and
do another GPUpdate /force. Now, just as a best practice, you can put this Enterprise
Mode Site List on a DFS share. You can put it locally
on the machine. You can put it on an intranet or
extranet site. We do recommend that you put it on
a website, and let me explain why. When we go out and pull down
the site list for the first time, Internet Explorer and Enterprise
Mode, and Microsoft Edge, for that matter, will actually create
a locally cached copy of that list. So it’s going to continue to
use that locally cached copy. Although when you start
Internet Explorer for the first time, after you have a
locally cached copy, it’s going to, again, check and see if there’s a
later version of the Enterprise Mode site list available and
pull that one down. If it fails, it will fail silently. So the user never sees a warning. They never see anything. But if you’re sharing
this file on a DFS share, or you’re sharing it on a network
share, it has to pull down the entire file before it does
a comparison of the version numbers. If the version numbers
are different, it will try to
incorporate the new file. The reason we suggest sharing it on
a web share is simply that it will just pull down the header to
the file, the first few lines, and compare the version number, without
having to pull down the entire file. Now, I realize in many environments,
this is irrelevant. If you just have a few hundred
entries, it may not matter to you. But for customers who have thousands
of entries, it’s a little more efficient for their network to
share it on an intranet site or an extranet site that’s
available to their clients. So that when the client
machine hits it, they’re just pulling down the first
few lines of the header to see if there’s a different version number. By the way, I should also mention,
the version number doesn’t matter, it’s only looking for
it to be different. So if you have locally cached
version two of your Enterprise Mode site list, and you have version
one being hosted somewhere. It’s going to pull
down version one and override the locally hosted version. All right, so
let’s look at a couple things here. One is, if I hit Refresh on this screen now,
we should see another registry key. Yep, so we have SiteList,
localhost/sitelist, so we know that the group policy
was implemented correctly. We also can double check this, and I wanted to give you
a little more detail here. If I go into HKEY_CURRENT_USER, and go into Software>Microsoft
>Internet Explorer>Main>EnterpriseMode,
watch what happens. There’s not a key there right now. If I start up Internet Explorer,
remember, it knows to go look for a site list. It pulls down the site list, and
then it updates CurrentVersion 1. Normally, if I close down Internet
Explorer now and I restart it, it will actually wait 65 seconds
before checking for a new site list. So when you’re doing
some troubleshooting, I wanted to make you aware of that. You have a couple choices. You can either wait 65 seconds,
and the reason for that is, we still have
customers who are using VPNs. We still have customers
who are using dial-up. We had numerous customer requests,
please let Internet Explorer wait before checking for
the presence of that site list. Because we have to establish
a connection to our home server. So we do that, we wait 65 seconds. If you’re doing troubleshooting and you don’t wanna wait the 65 seconds,
one way to cheat is to write a little script that will delete
this current version key. If the current version key doesn’t
exist, Internet Explorer will check immediately for that list,
so it’ll save you minutes. All right, now, Internet Explorer
should be using this site list. So now if I type in localhost/po,
we’re now using Enterprise Mode. So we’ve just enabled
Enterprise Mode for my IE 11 environment using
the settings that we were able to establish using
the F12 developer tools. And we can continue this. We lather, rinse, repeat. We take the next application
that’s having problems. We find a document mode that works. We add it to
the Enterprise Mode Site List, publish it out to
production after testing. And once it’s published
to production, the users shouldn’t have to know anything,
they shouldn’t have to do anything. They’re just automatically put
into the right mode that works for the web application. So within Internet Explorer, hopefully users aren’t gonna
be stepping on themselves. You’re forcing the right
document mode. And again, whatever document mode
you set in Enterprise Mode is going to override what the site
itself is asking for. So even if the site itself has hard
coded to ask for X-UA-Compatible IE 7, if you tell it to run in IE 8 or
you tell it to run in IE 9 or IE 10, it’s going to run in
that document mode. All right, any questions about
the Windows 7 environment? I am gonna switch over to my, I’m switching over now to my, Well,
let’s see if I can get it here. All right, Michael, it got me. How do I switch out
of a full screen VM? No, I think it’s Windows+Shift+Esc. All right, anyway,
I can always shut it down. [LAUGH] All right,
we’re gonna cheat here. I’m gonna just shut
down my Windows 7 VM. All right, so I’m gonna switch
over to my Windows 10 VM. There is a way of doing this,
and it’s a, there we go. Okay, so now I am going to pull up
my Windows 10 VM and go full screen. Just aside, Ctrl+Alt+Break
if this happens to you. Ctrl+Alt+Break apparently
is what I needed to hit. All right. Okay, so in Windows 10, we’re
using the same registry keys that we used and the same policies that
we used for IE 11 on Windows 7. There is one difference, and I wanted to point this
out to you before we dive in. If I go into gpedit, and
again, I’m going into the Administrative Templates
>Windows Components. And we’ll check
Internet Explorer first. So these are the same group policies
that we had on IE 11 for Windows 7. There’s one exception. I already have enabled, Let users
turn on and use Enterprise Mode. I’ve enabled Use
the Enterprise Mode IE website list. And as a best practice, I should mention, you can set
this to the same exact location. So on Windows 10, whether you’re
using Microsoft Edge or IE 11, you can point it to the same
Enterprise Mode Site List that you’ve already been
using on Windows 7. Even if you’re using the V1 schema,
whether it’s V1 or V2 schema, you can still point this to
the same Enterprise Mode Site List. But we do have one group policy
that’s different in this context. And that’s,
Send all sites not included in the Enterprise Mode Site List
to Microsoft Edge. This is a policy we added as part of
the Windows 10 Anniversary Update. I have lots of customers say, okay,
I know you showed this on stage, but where do I find it? It’s a little tricky, because this
is in the Internet Explorer section, it’s not in the Microsoft Edge
section of group policy. So if I enable this, and
it’s already enabled here. But if I enable this,
what this means is, I can only use Internet Explorer 11 for sites that
are on my Enterprise Mode Site List. Any other site that I go to,
whether it’s a favorite, or whether I just type it into the
address bar, I will automatically be switched back to Microsoft Edge for
a safer, faster browser experience. And in Microsoft Edge, I’ll show you the other
policy that’s relevant here. You do have to point
Microsoft Edge to the site list. So there are two site list pointers,
one is from IE 11, one is coming from Microsoft Edge. And if I go to Configure the
Enterprise Mode Site List, again, as a best practice, I can point this
to the same exact location that I use for my IE 11 policy. All right, so
once I have those policies in place, this is what the experience
should look like for a user. For a user,
I have my Microsoft Edge icon here. If I go to a site that requires
Internet Explorer 11, and in this case,
I’ve added it to my Favorites bar. I click on PO Requisition, it switches me to
Internet Explorer 11 automatically. Another feature that we brought in
the Windows 10 Anniversary Update is, there’s no interstitial
page by default. Some of you may have seen,
we used to have a policy so that in Microsoft Edge, you would see a page
that said, your administrator has configured this site to open
in Internet Explorer 11. By the end of the day, you may have
had 30 or 40 of those tabs open. So it was a very frustrating
experience for some users. We turn that off by default now,
although the policy still exists. And we do have a few customers who
say they wanna put the pressure on the line of business owners to
upgrade their applications, so they work within Microsoft Edge. So it’s completely up to you, the default behavior now is there’s
no interstitial page whatsoever. Now once I finish doing my
work with Internet Explorer, now if I type in any other page,
let’s go to TechNet here. If I type in TechNet and hit Enter, it’s going to continue my browsing
session within Microsoft Edge. Now I don’t want to get across the
idea here that IE 11 is not secure. But the fact is, because we’re
running it in 32-bit mode, because we’re running generally
with ActiveX controls, we’re running it outside
of App Container. App Container is a feature in
Windows 8 and higher that really provides more of a sandbox for
your browsing environment. But the bad news is, App Container is not compatible
with most ActiveX controls. It’s not compatible with all but
the latest couple versions of Java. It’s not compatible with all but
the latest version of Silverlight. So you can configure Internet Explorer 11 to
run much more securely. You can configure to run
IE 11 in 64-bit mode. You can configure it to run within
App Container using something called enhanced protected mode. But the fact is, if you do that,
you’re gonna break compatibility. So the easiest way to think about
this, and what I would encourage you to tell your users is, Microsoft
Edge is the safer, faster browser. And we’re falling back to IE 11 for
compatibility. That’s why we wanna continue to
support IE 11 for the life of Windows 7, Windows 8.1 and Windows
10, for that backward compatibility. Now over time, today, Internet Explorer 11 still has
pretty good support for HTML 5, although Microsoft Edge has much
better support for modern standards. But I think over time, more and more people will just use
Internet Explorer 11 just for backward compatibility with their
line of business applications. And that’s really the role that
it’s being relegated to over time. All right, there’s just
a couple other things I wanted to share with you here. If I type in about:compat, and
this works, whether I’m in IE 11, any version, Windows 7,
Windows 8.1, or Windows 10, or, it works in Microsoft Edge. But, about:compat shows
me a couple things. It shows me the Microsoft
hosted compatibility view list. And it also shows me
the Enterprise Mode Site List. Now, the Microsoft Hosted list we
should talk about for a second. For years, there have been
some sites out there that ran better if they were in
IE 8 document mode, or IE 9 document mode, a specific
document mode, public websites. So we have a list
that Microsoft hosts of websites that run
best in certain modes. Today, the list on Microsoft Edge
of the list of sites that require ActiveX, or
require Internet Explorer, for some reason, are fewer than
2,000 sites worldwide. But there are still some sites out
there, for example, in Korea and in Brazil, that require
ActiveX as part of their PKI, as part of their public
key infrastructure. So there are still some sites
out there that ask for IE11. Now, if I’m encountering one of
those sites in Microsoft Edge that’s on this compatibility view list,
I still will get prompted. We don’t wanna automatically
switch the user from a safer, faster browser over to a less
safe browser automatically. So, if I encounter a site that’s on
this list, and I will be prompted. And it will say, this site runs
best in Internet Explorer, do you wanna launch
Internet Explorer? And the user will be
prompted every time. We don’t wanna automatically launch
a site unless you’ve approved it and added it to your
Enterprise Mode Site List. Now, all of that said, you can turn
off the compatibility view list, there is a group policy for that. We encourage you to leave it on for
compatibility’s sake. But if we just look at
the Enterprise Mode Site List, this will show you exactly
what the browser thinks as part of its
Enterprise Mode Site List. So you can either look at
the current version registry key, or you can look at this. And yes, we are adding the current
version number to this page, I think this is coming in RS2, too. So we’ve already had the request
to add the version of the Enterprise Mode Site List
that this browser is using, right onto this page, to make it a little
bit easier for you to troubleshoot. In other words,
if somebody calls and says, hey, this application isn’t running, and
you quickly figure out it doesn’t seem to be running in the right
mode, or it’s not switching over to Internet Explorer 11 properly,
this can help you troubleshoot. It’s about:compat. Now another question that I
always get is, if I’m running in Microsoft Edge and I encounter
a page that’s on this localhost, let’s say I’m troubleshooting
localhost/travel. Well, I’m gonna switch automatically
over to IE 11 because, again, I added localhost. I added the parent domain. So everything below that domain is
gonna be switched over to IE 11. But wait, I wanna try it, I wanna troubleshoot it
within Microsoft Edge. How do I do that without making
a request from a group policy folk? Well the good news is, if I switch
back over to Microsoft Edge, I can type about:flags. about:flags includes
some developer flags, including use
the Enterprise Mode Site List. So I can deselect that and
then I have the ability to go to localhost, let’s say travel,
and troubleshoot it here, and make sure, try to see if I can get
it to work within Microsoft Edge. And yes, before you ask,
there is a group policy for Microsoft Edge to
disable about:flags. So you can choose who has
the ability to enable or disable these
experimental functions. But this is something that I do
occasionally, I step on myself. I will disable the Enterprise
Mode Site List from myself, and then I wonder, of course,
why it’s not working. So I wanted to mention it to you,
because if you start using this feature, this is something that
might happen to you as well. All right, that was the experience
that I wanted to show. So I’m gonna switch
back to my slides now. But I will take questions at
the end, or stay after and we can try some things in
the VMs if you want to. So I’ve just shown
you how to test and remediate applications within
Internet Explorer 11 and Microsoft Edge using
the Enterprise Mode Site List. Now let’s talk about deployment and
management. Now, of course, Microsoft Edge
is a part of Windows 10. We recommend that you don’t
disable Microsoft Edge or the EdgeHTML Engine. Because the EdgeHTML Engine is
responsible for not just rendering web pages for Microsoft Edge, the
browser, but it’s also responsible for rendering any HTML or JavaScript
for universal Windows apps. So, if you have store apps like
Calendar or Weather, these may render HTML content, and they
require the EdgeHTML engine to run. So think of the EdgeHTML engine as
being part of the operating system, much as the Trident engine was for
Internet Explorer. And Edge, the browser,
Microsoft Edge, the browser, is more like an application, a wrapper that
goes around that platform engine. Microsoft Edge, the engine, EdgeHTML will continue to get
updates through Windows Update. So just as you do today, you’ll have the ability to test
these updates before the point. I think this is important for
compatibility’s sake. Just as you do today with
Internet Explorer 11 updates, you have the ability to test and
update and make sure it works in your environment before
you deploy it to your users. Microsoft Edge, the browser,
that is to say the shell and the navigation controls that
surround the Edge engine, will eventually be updated
through the Microsoft Store. And so, we look forward to being
able to offer much more frequent feature updates. And when I say feature updates, I mean things like
Cortana Integration, things like reading view,
things like PDF functionality. Nothing that would break
compatibility with a web application. Sorry, I misspoke.
The PDF functionality would be part of the platform. What we’re really talking
about is updates to the Microsoft Edge application. Not updates to the engine that
would come through the Store. IE 11, no change. IE 11 will continue to get updates
through Windows Update for the application and for the
underlying web engine, mshtml.dll. The Enterprise Mode Site List
Manager, I talked about earlier, there are some advantages to this. It’ll create error free XML code. The disadvantages, the biggest one
is that it’s really designed for a single user. So, if you have two people editing
the list at the same time, one person might step
on the other person. Generally, companies that use
this tool have either worked out a process to avoid that. Or, in some cases, they’ve
looked at the XML schema, and they’ve created their own tools for
managing this process. Now MS IT similarly created their
own tool for managing this process, and enabling line-of-business
applications owners to be able to submit their own requests,
to say I own this HR application, this HR application should
be in this document mode. And so we’ve created this tool and we do plan on releasing this
through open source on GitHub. Engineering is working on
the screen changes right now and making sure that it has a good look
and feel and everything for users. So we’re making sure that it has a really good state before we
publish it to open source. But you’ll have the ability
to manage approvals and decide which ones you wanna approve,
which ones you wanna test and then what you publish to production. So think of it as a much more robust
enterprise mode site list manager. We’re talking about the naming
conventions right now. It’s likely to be
named something like the Enterprise Mode
Site List Portal. Something along those lines. And this should be available, hopefully, within
the next few months. So our final guidance is that
Microsoft Edge is the faster, safer browser designed for
Windows 10. We suggest that you standardize
on Microsoft Edge and fall back to IE11 just for the sites
that need backward compatibility. Of course, upgrading to modern apps,
modern apps to modern standards is the best long-term solution but
you can continue to use backward compatibility and
upgrade on your own schedules. Some additional resources
that we wanted to share, the Edge Infographic is at The Microsoft Edge Developer Center,
the Tech Center, there’s a Dev Blog that
talks about recent updates. And there will be a series of
security blogs coming out over the next few weeks that talk about
some of the security improvements we’ve made in Microsoft Edge. You may have seen there was
an end of year Windows wrap-up report from ESET. And an ESET researcher again
confirmed that Microsoft Edge is making great security strides,
by saying that they haven’t seen any in-the-wild
exploits of Microsoft Edge. And we know that some of the
features that we’re coming out with in RS2 in the Windows 10 Creators
Update will make some of those exploits even more difficult. So we’re continuing to combat
entire classes of attacks, like heap spraying attacks,
use after free attacks, remote code execution,
elevation of privilege, and so on. So we’re really targeting
entire classes and not just specific mitigations for
specific attacks. So expect to hear more about that
in the blog over the coming couple of months. All right, please join
the Microsoft Tech Community. And then finally,
there will be a Microsoft Experts reception tonight in Hall D1. Well, let me go ahead and
take any questions, we do have about ten
minutes left and I wanna make sure I address
all of your questions. So, anyone? I apologize, I can’t see
the audience but, Hopefully, I addressed most of your questions
throughout the presentation. All right, I’ll stay in case
there are any additional ones. But thank you very much for
your time.
>>[APPLAUSE]
>>Thank you.
>>[APPLAUSE]
>>What is still the most used Internet
Explorer version that you guys see?
>>That’s a great question, so.
>>Like crippled, or
>>It’s-
>>[INAUDIBLE]
>>Well, it’s IE11, but so-
>>So they got up to that.
>>They got up to that,
they got up to that. So I’ll give you
the longer answer now. In August 2014, we announced
that starting January 12, 2016 we were gonna be deprecating
support for older versions of IE. Of course, we don’t get telemetry
from most large customers. So we asked our ATSs and TAMs to go out and talk to customers
and see what they’re actually using. About 18 months ago, we found out
that 25% were on IE11, about 25% were on IE, I mean there were
four versions, do the math right? The good news is by
the time we hit January 12, it was over 80% had
upgraded to IE11. We asked them to stop tracking it,
frankly, the last quarter. But the last number I had from
the end of September suggests that almost 90% of EP GPCs,
of enterprise PCs, had been successfully
upgraded to IE11.
>>[INAUDIBLE]
>>Not enterprise. It’s interesting, because this is
primarily an enterprise problem. We have been pushing IE9, IE10, IE11, out through
Windows Update automatically. So smaller customers that don’t
host their own web applications, have just been taking
the updates automatically. So we did have telemetry from
consumers that suggested 97 plus percent of consumer devices, outside
of a couple of locales like China, for different reasons, but
most consumer devices worldwide had taken the upgrade
to IE11 successfully. So if you think about this problem, it really was focused on
the top enterprise customers who were hosting their own line of
business applications and couldn’t upgrade to later versions of IE
because they had those dependencies. And there’s some SMB, obviously. I did a lot of mid-market work
with manufacturing customers. And most of those
manufacturing customers also hosted their own line of
business applications. But I think the larger the company, the more likely they were
to have this problem.
>>When you guys announced
the end of support for previous versions of IE,
that really lit a fire, at least at my company for
that because, before that, trying to get a to say hey,
you have to upgrade your product. You try to get somebody
to upgrade [INAUDIBLE].
>>Right, right.
>>Because we wanted to
use a later browser.
>>If it ain’t broke,
don’t fix it yeah [LAUGH].
>>And Microsoft’s saying okay,
no more security updates for IE 9 then all of a sudden it’s like
our compliance is saying all right, you guys all have to upgrade your
enterprise applications [INAUDIBLE].
>>Yeah, I don’t ever wanna suggest
that that was easy cuz I know it was a huge pain in the neck. But we had many customers who
told us that upgrading from these older versions to IE11 was
easier than their old upgrades. I had a guy,
down the street from us, at a large company in Washington,
who said, I was hoping to retire before I had
to upgrade Internet Explorer again. But once we got through the IE11
migration, he came to me again and said, okay, it wasn’t as bad
as I thought it would be. So I don’t wanna, again,
I don’t wanna make light of it, cuz I’ve been there, done that.
>>It was work, but it was not as
much work as we thought it would be-
>>Okay, okay, okay, good, cuz that’s, I think,
where most folks net it out.
>>Could just drop
the JRE then I’d be.
>>The Enterprise Site Discovery,
I’ve been told by some customers that they found ten
different versions of JRE, through Enterprise Site Discovery. Because it’ll tell you the GUID.
>>Nexus already tells me I have to.
>>Yeah, yeah, yeah. But, yeah, for security reasons,
some of these companies are saying, look we’re trying to get it down
to 4 [LAUGH] from 12 [LAUGH]. All right, hey, really appreciate
your time, thanks for coming.
>>Thanks a lot,
this was really good.
>>Good, good, thank you.
