Microsoft has confirmed that a security hardening change introduced for Windows 11 version 24H2 in July 2025 is breaking older applications and web components that rely on the legacy JScript9 engine. The modification, which disables persistent JScript execution by default, was carried forward into Windows 11 25H2 and affects enterprise line-of-business apps, internal tools, and even some web-based interfaces built on aging Microsoft technologies. The company has acknowledged the compatibility fallout and published a registry-based workaround that IT administrators can deploy to restore functionality while maintaining most of the security benefits.

Details emerged via Microsoft’s official release health dashboard, where the issue is cataloged as a known problem stemming from a cumulative update delivered in the July 2025 Patch Tuesday cycle. The change specifically targets the “JScript9Legacy” component—an older scripting engine that persists from the Internet Explorer era and is still invoked by certain applications, COM objects, and WebBrowser controls. By cutting off the engine’s ability to maintain state across invocations, Microsoft aimed to close a vector that attackers could exploit to run malicious scripts in trusted contexts.

For many organizations, the fallout was immediate. Reports from IT forums and social media describe applications that silently fail to load dynamic content, forms that no longer submit correctly, and internal portals that render blank pages. “Our entire invoice processing system ground to a halt after the July update,” one IT manager wrote in a Microsoft community thread. “The app uses a WebBrowser control that runs JScript—without it, none of the client-side validation works.” Similar stories have surfaced in healthcare, manufacturing, and government sectors where custom software built on now-obsolete frameworks remains critical to daily operations.

What Is JScript9Legacy and Why Does It Still Matter?

JScript9Legacy is the scripting engine component that powered Internet Explorer’s final versions and was embedded deep into Windows to support web-based UI elements in desktop apps. It is distinct from the modern JScript9 (Chakra) used by the Edge browser and Universal Windows Platform apps. Many legacy applications, particularly those written in Visual Basic 6, C++ with ActiveX WebBrowser controls, or .NET programs embedding IE frames, call JScript9Legacy to evaluate JavaScript on the fly—for form validation, data manipulation, or rendering dynamic HTML.

Microsoft has been systematically stripping out Internet Explorer dependencies for years. IE11 was formally retired for most Windows 10 SKUs in June 2022, and Windows 11 shipped without it. But the underlying scripting infrastructure remained accessible to developers who explicitly instantiate the engine through COM interfaces like ScriptControl or MSScriptControl.ScriptControl. Many enterprise developers did just that, choosing simplicity and rapid development over the overhead of integrating a modern web stack.

The JScript9Legacy engine persists only because Microsoft has maintained it for backward compatibility, but its attack surface is well-documented. By removing persistent execution capabilities, Microsoft forces the engine to reset completely between script invocations—a move that breaks workflows where scripts write to global objects or store state across multiple calls. This is precisely the behavior that many older applications rely on.

The July 2025 Security Change: A Hardening with Consequences

The update in question, likely KB503XXXX (the exact KB number may vary by system configuration), applied a security hardening to the jscript9.dll library that governs the legacy engine. The change prevents the engine from retaining any script-created objects, variables, or execution context after a script finishes executing. In technical terms, it forces a hard re-initialization on every call, equivalent to unloading and reloading the DLL each time.

Microsoft’s documentation describes this as an improvement to “reduce the attack surface for script injection and state-based exploits.” The rationale is sound: if an attacker manages to inject malicious JScript into a process, the script’s ability to persist, escalate, or communicate with other calls is severely limited. However, the change also eliminates legitimate use cases where developers intentionally used persistent state to cache data, maintain counters, or keep objects alive across multiple interactions with the same script host.

The breakage was not immediately obvious during Insider testing because the Windows Insider Program typically includes a mix of modern and legacy configurations, but the sheer variety of custom enterprise applications made it impossible to catch every edge case. Once the July update rolled out broadly, help desks began fielding calls about broken apps that hadn’t been touched in a decade.

Which Applications Are Affected?

Impacted applications share a common trait: they use the WebBrowser control or a similar COM-based JavaScript host that invokes JScript9Legacy and assumes persistent state. Examples include:

  • VB6 applications using the ScriptControl object to execute JScript for business logic.
  • .NET Framework apps (Windows Forms or WPF) hosting a WebBrowser control that loads local HTML/JS files for UI rendering.
  • C++ MFC/ATL applications embedding the browser control for reporting dashboards.
  • Older versions of Dynamics CRM clients that rely on script-based customization.
  • Third-party ERP and accounting software that generate dynamic forms using JScript.
  • Internal web applications designed for Internet Explorer compatibility mode and still accessed through custom wrappers.

In most cases, the symptoms are subtle: drop-down menus don’t populate, grid views appear empty, or progress spinners never disappear. Users may see script error dialogs referencing “Object expected” or “Undefined is null or not an object.” Because these applications often lack modern debugging facilities, troubleshooting can be time-consuming.

Microsoft’s Registry-Based Fix

To address the compatibility gap without rolling back the security hardening entirely, Microsoft published a registry key that IT administrators can deploy. The key re-enables persistent script execution specifically for the legacy JScript9 engine while leaving other hardening measures intact.

How to Apply the Fix

The fix involves adding a DWORD value to the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\

Under this path, administrators must create a new key named FEATURE_ENABLE_JSCRIPT9_PERSISTENCE and set its value to 1. The exact procedure is:

  1. Open Registry Editor (regedit.exe) with administrative privileges.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl.
  3. Right-click on the FeatureControl key, select New > Key, and name it FEATURE_ENABLE_JSCRIPT9_PERSISTENCE.
  4. Inside that new key, create a DWORD (32-bit) Value named * (a single asterisk) and set its value to 1.
  5. Restart the affected application or the entire system for the change to take effect.

For enterprise deployments, this setting can be pushed via Group Policy Preferences, a scripted .reg file, or Microsoft Endpoint Manager. The asterisk (*) wildcard applies the setting to all processes, but Microsoft recommends targeting specific executable names where possible to limit the exposure surface.

Caveats and Precautions

Enabling this persistence reopens a portion of the attack surface that the hardening intended to close. Microsoft warns that organizations should only apply the registry key after testing that the affected application works correctly and that no alternative exists. The company also advises using AppLocker or Windows Defender Application Control to restrict which processes can load the JScript9Legacy engine, minimizing risk.

It is important to note that this registry fix is considered a temporary workaround. Microsoft’s long-term guidance steers developers toward modern scripting alternatives like PowerShell, .NET’s JavaScript interop libraries, or fully migrating to web-based UIs hosted in WebView2—the Chromium-based control that replaces the old WebBrowser in modern Windows development.

Enterprise Impact and Response

The break-fix cycle has reignited conversations among IT professionals about the costs of maintaining legacy software. Many organizations still run applications that were written during the Windows XP era, and while they have been stable for years, security changes like this one expose their fragility. “We have hundreds of these LOB apps,” said a senior systems engineer from a mid-sized financial firm. “We can’t just rewrite them overnight. The registry fix is a lifeline, but we’re accelerating our migration plan.”

Some enterprises have responded by wrapping the affected applications in compatibility shims or virtualizing them in Windows 10-based virtual machines until they can be retired. Others are using the registry workaround as a bridge while they port critical business logic to modern frameworks. Microsoft has published guidance on how to detect which applications are using JScript9Legacy by enabling script-related auditing in Windows Event Logs or by scanning for registry keys associated with the legacy engine.

From a compliance perspective, enabling the persistence feature may raise flags during a security audit. Organizations that must adhere to strict hardening baselines—such as those mandated by DISA STIGs or CIS benchmarks—should document the exception and implement compensating controls. Microsoft’s documentation explicitly states that the setting is not intended for permanent use and should be removed once the dependent applications are updated or replaced.

The Broader Story: Legacy Components Under Pressure

The JScript9Legacy case is not an isolated incident. Microsoft has been gradually removing or locking down legacy Windows components that pose security risks. Recent examples include:

  • VBScript deprecation: VBScript is being phased out, starting with Windows 11 24H2, where it is an optional on-demand feature.
  • TLS 1.0/1.1 disablement: Older encryption protocols have been switched off by default in several cumulative updates.
  • SMB1 removal: The notoriously vulnerable SMB version 1 is now disabled by default in recent Windows releases.
  • MSXML3 hardening: Similar registry-controlled hardening changes have been applied to the Microsoft XML parser.

Each of these moves has provoked similar reactions from enterprises dependent on legacy code. The pattern is clear: Microsoft is prioritizing security at the cost of backward compatibility, forcing organizations to finally modernize long-neglected software stacks.

What Comes Next

Microsoft has indicated that future Windows releases will continue to chip away at legacy extensibility points. The company’s developer blog and Windows IT Pro blog frequently emphasize migration to WebView2, the Windows App SDK, and .NET MAUI for building modern, secure applications. For businesses still reliant on JScript9Legacy, the clock is ticking.

In the short term, administrators can use the registry workaround to keep their applications running on Windows 11 24H2 and 25H2. They should, however, begin inventorying all software that touches the legacy scripting engine and develop a remediation roadmap. Microsoft offers tools like the Desktop App Assure program to help enterprises address compatibility issues at no additional cost for qualifying subscriptions.

The July 2025 security hardening and its aftermath serve as a potent reminder that clinging to outdated technology carries a tax—one that eventually comes due in the form of emergency patches, workarounds, and frantic rewriting. For many IT departments, that bill has now arrived.