Audit Internet Explorer Usage with the Enterprise Site Discovery Toolkit
In this Ask the Admin, I’ll explain how you can determine what sites users are visiting using Enterprise Site Discovery in Internet Explorer.
Enterprise Site Discovery was first released in late 2014 and supported only IE11, but it was updated in March 2015 to support Internet Explorer 8, 9, and 10. Microsoft is keen for enterprises to move away from Windows XP, which is no longer supported, and to upgrade to the latest version of Internet Explorer for better compliance with web standards and improved security. Enterprise Site Discovery is designed to make it easier for organizations to gather information about the sites users visit, along with data on how IE renders pages, so that potential compatibility problems can be weeded out before upgrading to a newer version of Windows or IE.
Enterprise Site Discovery works in conjunction with IE Enterprise Mode, which you can read about on the Petri IT Knowledgebase in How to Enable Internet Explorer 11 Enterprise Mode and How to Configure Internet Explorer 11 Enterprise Mode Logging. Together they help organizations understand which apps are being used so that they can be prioritized for testing, how in-house apps are rendered by IE’s different document modes, and which ActiveX controls are used, so that an upgrade project to a newer version of Windows can be planned to avoid any nasty surprises.
Enable Enterprise Site Discovery
First you’ll need to download the Enterprise Site Discovery Toolkit. Bear in mind that the tool collects data using WMI and stores it in an industry standard .MOF file (Managed Object Format). Microsoft recommends that you use System Center 2012 R2 Configuration Manager (SCCM) to collect the .MOF file from client computers, but you can use any tool capable of reading WMI Objects to view the information on your client computers. Because not all Petri readers have access to SCCM, I’ll concentrate on using PowerShell to pull the telemetry data from the WMI namespace.
Once you’ve downloaded the toolkit, extract the contents of the zip file, and use the included PowerShell script to enable site discovery. Start by opening an elevated command prompt in Windows 8.1:
- Press the WINDOWS key, type cmd on the Start screen, and make sure that Command Prompt is highlighted in the search results. Press CTRL+SHIFT+ENTER to start command prompt with elevated privileges.
- Enter the credentials for an administrator account when prompted.
- In the command prompt window, change the working directory to the folder where you extracted the contents of the Enterprise Site Discovery Toolkit zip file. For example, cd "C:\Temp\IE Site Discovery Toolkit v2.0\RELEASE 2.0".
- In the command prompt window, type the command below. Be warned that when you press ENTER, you will automatically be logged out, so make sure you save any open documents first.
powershell -ExecutionPolicy Bypass .\IETelemetrySetUp-Win8.ps1
The above command enables all the site discovery features for all users on the local machine. To turn off data collection, just add the -IEFeatureOff switch:
powershell -ExecutionPolicy Bypass .\IETelemetrySetUp-Win8.ps1 -IEFeatureOff
If you’d like to monitor only specific domains or Internet Explorer zones, you can add the -SiteAllowList and -ZoneAllowList parameters, respectively:
powershell -ExecutionPolicy Bypass .\IETelemetrySetUp-Win8.ps1 -SiteAllowList microsoft.com,google.com,dropbox.com
powershell -ExecutionPolicy Bypass .\IETelemetrySetUp-Win8.ps1 -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites
Reading Telemetry from the WMI Namespace
There are three WMI classes that Enterprise Site Discovery uses to store information: IEURLInfo, IESystemInfo, and IECountInfo. In the PowerShell command below, I use the Get-WmiObject cmdlet to query the IEURLInfo class on the local computer.
Get-WmiObject -Namespace 'root/cimv2/IETelemetry' -Class IEURLInfo
To make the output more useful and readable, here’s the same command using the Select-Object and Sort-Object cmdlets to refine the information:
Get-WmiObject -Namespace 'root/cimv2/IETelemetry' -Class IEURLInfo | Select-Object URL, NumberOfVisits, CrashCount | Sort-Object URL
The IESystemInfo class contains much less information, so there’s no need to filter and sort it:
Get-WmiObject -Namespace 'root/cimv2/IETelemetry' -Class IESystemInfo
Finally, the IECountInfo class provides a summary of the crash and hang counts:
Get-WmiObject -Namespace 'root/cimv2/IETelemetry' -Class IECountInfo
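If you don't have SCCM, the IEURLInfo query can be run against several clients and rolled up per site. The script below is an added example, not part of the toolkit or the original article; the computer names and output path are placeholders, and it relies only on the URL, NumberOfVisits, and CrashCount properties used above.

```powershell
# Added example: roll up Enterprise Site Discovery data from several clients.
# Computer names and the output path are placeholders; change them for your environment.
$computers = 'PC-001', 'PC-002', 'PC-003'
$outFile   = 'C:\Temp\ie-site-usage.csv'

$rows = foreach ($computer in $computers) {
    try {
        # Same IEURLInfo query, run remotely. -ErrorAction Stop sends an unreachable
        # machine or a missing namespace (discovery not enabled) to the catch block.
        Get-WmiObject -ComputerName $computer -Namespace 'root/cimv2/IETelemetry' `
                      -Class IEURLInfo -ErrorAction Stop |
            ForEach-Object {
                # Reduce each URL to its host so that pages of one site group together.
                $uri = $null
                $parsed = [uri]::TryCreate($_.URL, [UriKind]::Absolute, [ref]$uri)
                $siteHost = if ($parsed -and $uri.Host) {
                    $uri.Host.ToLowerInvariant()
                } else {
                    '(unparsed)'
                }
                [pscustomobject]@{
                    Computer = $computer
                    Site     = $siteHost
                    Visits   = [long]$_.NumberOfVisits
                    Crashes  = [long]$_.CrashCount
                }
            }
    }
    catch {
        Write-Warning "Skipping ${computer}: $($_.Exception.Message)"
    }
}

# One line per site: how many machines use it, total visits, total crashes.
$rows | Group-Object Site | ForEach-Object {
    [pscustomobject]@{
        Site     = $_.Name
        Machines = @($_.Group.Computer | Sort-Object -Unique).Count
        Visits   = ($_.Group | Measure-Object Visits -Sum).Sum
        Crashes  = ($_.Group | Measure-Object Crashes -Sum).Sum
    }
} | Sort-Object Visits -Descending |
    Export-Csv -Path $outFile -NoTypeInformation
```

Remote WMI queries need administrative rights on each target, and the firewall on the clients must allow WMI traffic.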