How Internet Explorer Enhanced Protected Mode (EPM) is enabled under different configurations

How Internet Explorer Enhanced Protected Mode (EPM) is enabled under different configurations


EPM was first introduced in Internet Explorer 10, which provides the next level of protection to web users via below approaches:

·         64-bit processes

·         Leverage the new AppContainer Integrity level in Windows 8 to provide sandboxed HTML5

For more information, please read Understanding Enhanced Protected Mode

Observe EPM

When EPM is enabled for a website, you will see “Protected Mode: Enhancedin IE’s File->Properties dialog box.

And Process Explorer can show us the bitness and integrity level information of the IE processes. As you can see in the following screenshot, it is possible that the frame (manager) iexplore.exe process launches multiple tab (content) child processes, of different bitness and integrity levels. It is also possible that not 64bit and AppContainer are both enabled, even when IE shows protected mode is “Enhanced” for the webpage. IE goes through several configuration points in order to decide how to enable EPM.



EPM or not?

Firstly the traditional protected mode should be enabled for the website. By default protected mode is turned off for the Local Intranet and Trusted Sites zones; but the Internet zone has protected mode enabled. Of cause UAC should not be turned off completely, otherwise protected mode won’t be available.

Secondly desktop IE’s EPM is disabled by default in Internet Options. Desktop IE won’t use EPM, unless you turn it on. More accurately speaking, the original version of IE11 in Windows 8.1 RTM enabled it actually. It should have been turned off, if you have installed the recent IE11 accumulative updates.

I’ll focus on desktop IE in this post.

Next EPM can be disabled per domain. If a website requires an add-on that is incompatible with EPM, you can turn EPM off for the whole domain of that website.

This per domain configuration is located in registry, path HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabProcConfig. As shown in the screenshot below. Each domain is configured by a DWORD value. Different DWORD values have different effects on EPM. The most common value is 0x47b, which means to use 32bit process & load incompatible add-ons. If a domain is given that 0x47b value, you will see protected mode as “On”, not “Enhanced”.

This per domain configuration is also pushed via the iecompatdata.xml files, in the <EPMCompatMode> section.












Enable EPM

Finally suppose IE has gone through all the above configuration points and decide to enable EPM for the webpage, it will still need to check the following conditions, in order to decide how EPM should be enabled.

Windows 8/8.1:

·         Is the Windows 8 OS 32bit or 64bit?

64bit process is not available in 32bit OS, so EPM only means the AppContainer IL of sandboxed HTML in 32bit Windows 8.

·         Is it IE10 or IE11?

The final decision will be 64bit process + AppContainer IL, if it is IE10.

·         However if it is IE11, it will check if “Enable 64-bit processes for Enhanced Protected Mode*” is enabled in Internet Options.

It will be 64bit, only when this feature is checked, otherwise IE will still use a 32bit process.

Windows 7:

It’s simplified for IE10 and 11 in Windows 7. The sandbox IL, AppContainer, is not available in Windows 7, hence EPM only makes sense in Windows 7 64bit.  In Windows 7 64bit, IE11 doesn’t provide the “Enable 64-bit processes for Enhanced Protected Mode*” feature, for the same reason. All EPM processes are 64bit with the Low IL in Windows 7.

All of the above discussion can be summarized by the following 2 charts.




JunTao Zhu from GBSD DSI Team





Comments (4)

  1. Karthik says:

    Now that's what I call amazing

  2. --- says:

    Nice explaination.

    I have a one query with IE11 for Windows7:

    For first IE11 instance system creates 2 process(one 32bit iexplore.exe and one 64bit iexplore.exe), for next new IE instance it creates only one process(32bit iexplore.exe). Is this a right behavior? I can see different behavior in my near workstation (2 process each instance one 32bit iexplore.exe and one 64bit iexplore.exe)

    Does it managed through TabProcConfig settings, If yes then what would be the values. Thanks

  3. Dave says:

    I would love to see an update on this for Windows 8/10. We have issues with proxy software that sites come up fine in Win7, but not Win8/10. Turning off our EPM GPO fixes the issue. Using the TabProcConfig key in Win8 is a workaround, but that key does not exist in Win10. I’ve so far been unable to find how to use that functionality in Win10. Thanks!


    1. Wes says:

      I second Dave’s request. We are working through some compatibility issues with EPM in Win10 and the TapProcConfig key does not seem to help.

Skip to main content