Internet Explorer begins blocking out-of-date ActiveX controls

As part of our ongoing commitment to delivering a more secure browser, starting September 9th Internet Explorer will block out-of-date ActiveX controls. Note: The original post stated that the ActiveX blocking would begin on August 12th. Please refer to the addendum for further details.

ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or by let someone else control your computer remotely.

For example, according to the latest Microsoft Security Intelligence Report, Java exploits represented 84.6% to 98.5% of exploit kit-related detections each month in 2013. These vulnerabilities may have been fixed in recent versions, but users may not know to upgrade. To help avoid this situation with ActiveX controls, an update to Internet Explorer on August 12, 2014 will introduce a new security feature, called out-of-date ActiveX control blocking.

Out-of-date ActiveX control blocking lets you:

• Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
• Interact with other parts of the Web page that aren’t affected by the outdated control.
• Update the outdated control, so that it’s up-to-date and safer to use.
• Inventory the ActiveX controls your organization is using.

We wanted to share some guidance ahead of next week’s update, to help you understand this feature and decide the best course of action. If you are an end user and see the notification bar, we suggest updating to the latest version. If you are an IT Pro, you can decide how to implement this feature.

Supported Configurations

The out-of-date ActiveX control blocking feature works with:

• Internet Explorer 8 through Internet Explorer 11 on Windows 7 SP1 and up
• Internet Explorer 8 through Internet Explorer 11 on Windows Server 2008 R2 SP1 and up
• All Security Zones—such as the Internet Zone—but not the Local Intranet Zone and the Trusted Sites Zone

This feature does not warn about or block ActiveX controls in the Local Intranet Zone or Trusted Sites Zone.

What does the out-of-date ActiveX control blocking notification look like?

It is important to note that, by default, this feature warns users, with options to update the control or override the warning. When Internet Explorer blocks an outdated ActiveX control, you will see a notification bar similar to this, depending on your version of Internet Explorer:

Internet Explorer 9 through Internet Explorer 11

Internet Explorer 8

From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version. Optionally, in managed environments, IT can configure the feature to block—and not just warn—a user from running out-of-date ActiveX controls.

Out-of-date ActiveX control blocking also gives you a security warning that tells you if a Web page tries to launch specific outdated apps, outside of Internet Explorer:

How does Internet Explorer decide which ActiveX controls to block?

Internet Explorer uses a Microsoft-hosted file, versionlist.xml, to determine whether an ActiveX control should be stopped from loading. This file is updated with newly-discovered out-of-date ActiveX controls, which Internet Explorer automatically downloads to your local copy of the file. We are initially flagging older versions of Java, but over time will add other outdated ActiveX controls to the list.

As of September 9, 2014, this feature will provide users with notifications when Web pages try to load the following versions of Java ActiveX controls:

• J2SE 1.4, everything below (but not including) update 43
• J2SE 5.0, everything below (but not including) update 71
• Java SE 6, everything below (but not including) update 81
• Java SE 7, everything below (but not including) update 65
• Java SE 8, everything below (but not including) update 11

You can view Microsoft’s complete list of out-of-date ActiveX controls at Internet Explorer version list.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether. For enterprise readiness guidance, please refer to Microsoft Knowledge Base Article 2991000.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

• Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
• Enforced blocking prevents users from overriding the warning for out-of-control ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
• Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
• This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with value of zero.

Please see the complete technical documentation here. You can also download updated Internet Explorer administrative templates, including these new settings, from the Administrative Templates for Internet Explorer page.

Stay up-to-date with Internet Explorer

We know that many organizations still rely on the capabilities of ActiveX controls, but out-of-date ActiveX controls are a risk today. By helping consumers stay up-to-date—and enabling IT to better manage ActiveX controls, including those that are compatible with Enhanced Protected Mode—Microsoft is helping customers stay safer online. This is another example of delivering on the promise to help get users current with a safer, more secure Internet Explorer.

Finally, thank you to the Java engineering team for partnering with us on delivering this feature. This partnership shows that the Java and IE goals are the same regarding keeping users up-to-date and secure!

Addendum - 8/10/14

We have received several questions about this update, and would like to clarify these as well as make a quick announcement.

Based on customer feedback, we have decided to wait thirty days before blocking any out-of-date ActiveX controls. Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th. Microsoft will continue to create a more secure browser, and we encourage all customers to upgrade and stay up-to-date with the latest Internet Explorer and updates.

Below, please find the answers to some frequently asked questions about this update.

FAQ

Which outdated ActiveX controls are covered in this update?

No ActiveX controls will be affected when the feature is initially released in August. In September, only out-of-date Oracle Java ActiveX controls will be affected. All other ActiveX controls will continue existing behavior.

Will this update affect applications which use out-of-date Java outside of Internet Explorer?

No. This feature will only prompt the user when an out-of-date version of Java is loaded as an ActiveX control in Internet Explorer.

Will this update apply to Internet Explorer on server as well as client SKUs?

Yes.

Will this feature be part of the August Cumulative Update or be released as a separate Hotfix?

This feature will be part of the August Internet Explorer Cumulative Security Update, but no out-of-date ActiveX controls will be blocked for thirty days in order to give customers time to test and manage their environments.

Does this feature help protect against active attacks targeting outdated Java controls?

Yes, installing the most current version of the Java runtime significantly improves user security. Additional details on specific CVEs are outlined on the Microsoft Security Blog – “Keeping Oracle Java updated continues to be high security ROI” and in the Microsoft Security Intelligence Report.

Can end users choose to override the prompt if a trusted application requires out-of-date Java use?

Yes, users can choose the “Run this time” option for internet sites requiring out-of-date ActiveX control use.

My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Intranet zone or Trusted Sites zone, will those be affected by this update?

No, sites in the Intranet or Trusted Sites zone will continue to function as usual after applying this update. Intranet websites accessed through fully-qualified a domain name or IP address are considered to be within the internet zone and will be affected by this update. Please see the following knowledge base article for a full discussion and suggested workarounds. In addition, it should be noted that no out-of-date ActiveX controls will be affected for thirty days, in order to give customers time to test and manage their environments.

My enterprise has line-of-business web sites that depend on out-of-date Java ActiveX controls in the Internet zone, will they be affected?

Out-of-date Java ActiveX controls will not be initially affected, giving customers thirty days to test and manage their environments. After September 9, when end users attempt to load the out-of-date Java ActiveX control, a prompt will be shown to the user (as described in earlier in the post). The end user will be able to click the “Run this time” option to load the out-of-date Java ActiveX control. Once loaded, the Java out-of-date ActiveX control will work as usual.

Can this feature be disabled if my enterprise requires an older version of the Java runtime?

Yes, there are several ways to disable this feature. Microsoft provides updated IE group policy administrative templates which include 4 new group policies to control this feature*. Two of these group policies can be used to disable this feature on a per domain basis or entirely.

If you do not wish to use the group policy administrative templates to disable the feature, you can use the following registry keys that can be set via group policy (the process is described in more detail here and here). All keys can be set in HKLM or HKCU (HKLM will take preference over HKCU).

Policy	Registry setting
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain" /v contoso.com /t REG_SZ /f
Turn off blocking of outdated ActiveX controls for Internet Explorer	reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext" /v VersionCheckEnabled /t REG_DWORD /d 0 /f

If none of the above options work, the address of the site which needs to use an out-of-date Java ActiveX control can be added to the Trusted Sites zone.

Can this feature be disabled without administrative access?

Yes. This can be done by deleting any previously downloaded versionlist.xml files and instructing IE to stop updating the XML file. This can be done by running the following commands in a command window:

1.  reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList 
   /t REG_DWORD /d 0 /f
   

2.  del “%LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml”
   

How does Internet Explorer obtain, update and use the versionlist.xml file?

Supported versions of Internet Explorer will download the initial version of the versionlist.xml file within 12 hours of installing the August Cumulative Update and starting Internet Explorer. The versionlist.xml file will be downloaded from here to: %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml.

Once the file is downloaded the feature will become enabled and Internet Explorer will start blocking out of date Java ActiveX controls in accordance to the data present in the versionlist.xml file. Internet Explorer will then check for updates to this file on a regular cadence. If Microsoft updates the file, Internet Explorer will download a new version of this file. Note that the file will not block out-of-date ActiveX controls for the first thirty days, to give customers time to test and manage their environments.

Can an enterprise disable or override the URL to which a user is taken when the Update button is clicked on the out-of-date ActiveX prompt?

The URL that the user is taken to when the Update button is clicked is stored in the versionlist.xml file and while this URL can be changed in the file any future updates to the versionlist.xml will override those changes.

Is out-of-date Java the only ActiveX control being blocked by this feature in September?

In September, yes, only out-of-date Oracle Java ActiveX controls will be blocked by this feature. However, Internet Explorer will consider blocking additional common, but out-of-date ActiveX controls in future updates.

*Where can I find additional documentation about this feature and the group policy administrative templates?

Additional TechNet documentation and the group policy administrative templates will be available on TechNet and Download Center respectively on 8/12.

— Fred Pullen, Senior Product Manager, Internet Explorer

— Jasika Bawa, Program Manager, Security

Comments

• Anonymous
  August 06, 2014
  woot!

• Anonymous
  August 06, 2014
  Will you be blocking controls that are frustrating DEP/ASLR protection in the browser ?

• Anonymous
  August 06, 2014
  MS Internet Explorer should have a popup anytime a program tries to change the default start page or tries to make changes to the Manage Add-ons section. This is a welcomed change, need more!

• Anonymous
  August 06, 2014
  @Arnold - Agree on that! Would be wonderful if Internet Explorer first asks if a program changing browser settings is actualy allowed or not. Anyway, nice to see you guys keep improving the secutiry. Keep up the good work!

• Anonymous
  August 06, 2014
  Yay go Microsoft! =D

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  Yeah, bring on more popups so that all everyone ever talks about is how to disable them. This will definitely help.... Not. Right now IE is blocking things for our organization and not even Microsoft can figure out what is being blocked and for what reason. Browser is not antivirus/antimalware. Stop pretending that it is and focus on delivering website content.

• Anonymous
  August 06, 2014
  @User You're in a managed environment. This doesn't impact you at all. Computer security is an issue that plagues society. Your self-centered view is ridiculous. This is a great improvement.

• Anonymous
  August 06, 2014
  Why give us the link to the administrative templates, if you aren't going to release the updated ones until next week? It would be nice to have them now so we can begin preparing for the update.

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  What out-of-date ActiveX is?

• Anonymous
  August 06, 2014
  Great idea, will make my life simultaneously easier and harder! As a developer of a corporate ERP system with many thousands of extranet users, I need to support backwards compatibility (see activeX) and the latest tech. If IE is going to start blocking these backwards compatible activeX controls in the internet zone, I hope they are going to push a little harder to get people (including corporates) off of anything less than IE 10.

• Anonymous
  August 06, 2014
  @NP - The posts says - "From the notification about the outdated ActiveX control, clicking “update” will take you to the control’s Web site to download its latest version". It will take you to the website, it will not update the control automatically.

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  Why not just block all ActiveX controls? They are an abomination that should have been left in the 90s

• Anonymous
  August 06, 2014
  @rachel - Because IE has proven to be the best browser when it comes to blocking malware and is very good at security - better then other browsers - in general.

• Anonymous
  August 06, 2014
  How about some notice before doing it!!! The idea is good, but documentation released 7th and implementation of security update on Aug12th? What person made that stupid decision? Most large enterprises are still trying to get apps remediated for Java signing introduced in Update 51 - and Update 65 was only released the other day with Update 67 a bug fix update the week after. Java isn't just a patch to deploy, its a whole application. I don't remember seeing an advisory that this was coming? I hope its a GENERAL update and not rolled into an IE cumulative security update. Enterprise environments have testing and change control workflows which shouldn't have to invoke emergency board procedures for this. If the group policy settings are in the main IE policy, that's also an issue for a lot of people because of MS deprecating IE Maintenance Mode meaning the template can't just be thrown into AD, especially if you have different IT areas supporting different policies and the central IT function has no control over a couple of areas that self-govern. You have to co-ordinate the change over so they convert to proxy settings to GPO preferences at the same time. The process of upgrading from IE8 to IE10/11 can be painful for large organisations as intranet apps written over many years may not work - so that's takes time to get them changed as some may not have readily available recoding support or money has to be agreed from the business to upgrade - that all takes some time. In an ideal world, funding would be available and everyone would change their code to work with new versions ASAP, but this doesn't happen in most organisations. Going from IE8 to IE10/11 is quite a step because of the fact that MS have made the browser more stringent to standards, and lost some of the "old IE ways" - hence why there is a pain point for making existing stuff compatible, but once this is done our future upgrades would be easier for newer IE versions. I hope the change is a general update rather than lumped into a security update seeing as there hasn't been much time given? I guess we will have to rush a GPO Preference out to set the reg key to disable the function.

• Anonymous
  August 06, 2014
  @rachel Indeed, you're not funny. And your comment makes you look uneducated (regarding to browser security). IE has been a pretty secure product for a while (more than Firefox). And with EMET installed it is actually hard to beat! Apparently you have not heard the results of this year's Pwn2Own browser hacking contest. Every major web browser was hacked several times. Even ChromeOS! IE11 with EMET was the only target to resist despite the highest reward of the contest for anyone pwning it. the point is that if you follow good security practices (EMET, EPM, ...) IE can provide you a very secure browsing experience.

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  sigh. "And with EMET installed.." "..if you follow good security practices.." Also, if you unplug the ethernet cable ... IE has only just decided to block out of date plugins/activex. In 2014. Also, the difference between ActiveX controls and NPAPI plugins is (dumbed down) an NPAPI plugin is to be manually installed on your system, from a known source. Where ActiveX controls aren't (quite) - the location of it is specified by the web page. They are not plug-ins. Plug-ins are plug-ins. People like YOU are the reason the rest of us still need to use IE for testing.

• Anonymous
  August 06, 2014
  *(@Julien)

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  @Numbstill You're wright about market share, but ChromeOS was hacked despite having less than <0.1% market share. As for EMET4/5 I've never heard about any attack in the wild (heard about PoC against EMET4 though), despite being used by more and more users/enterprises. About ActiveX controls, since XP SP2, IE no longer displays a window asking the user if he wants to install a control. Now the user has to manually click the information bar and select install. If you can convince someone to do that, you might as well ask him to download and run a .exe file. So there is nothing less secure in ActiveX than in NPAPI. Claiming ActiveX is an abomination is just a nonsense. Enterprise still use them for perfectly legit reasons.

• Anonymous
  August 06, 2014
  thank you Microsoft, this is a nice feature and will help people to maintain part of his software updated.

• Anonymous
  August 06, 2014
  The comment has been removed

• Anonymous
  August 06, 2014
  Calm down, fanboy. It's only a browser. It's not as though it's merged in with the operating system. Oh...

• Anonymous
  August 06, 2014
  This is great but... Does anyone still use IE? www.w3schools.com/.../browsers_stats.asp

• Anonymous
  August 06, 2014
  @Dave Yes, to download a decent browser

• Anonymous
  August 06, 2014
  @Julien Once I too used to love everything that came from Microsoft. Give it a few years.. you'll stray and try some competing technology. Then you'll stop and think to yourself "why have I been accepting such mediocrity for so long?" We've all been there.

• Anonymous
  August 06, 2014
  @Dave, only about 60% of the world (about 50% if mobile Web market share is counted alongside PC Web market share). arstechnica.com/.../android-passes-ios-on-the-web-windows-8-still-plateaued

• Anonymous
  August 06, 2014
  @anon, I guess it depends on which statistics you consider credible.  One company with a vested interest or 3 independent sources that all say IE usage is trending into non-existence. http://gs.statcounter.com/ www.w3counter.com/globalstats.php www.w3schools.com/.../browsers_stats.asp

• Anonymous
  August 06, 2014
  @Dave, the statistics you linked to completely ignore non-Western market share so they're not representative of the worldwide situation.

• Anonymous
  August 06, 2014
  @anon, That's not correct.  The first link goes to Worldwide statistics.  Even if you change the Region to Asia or Europe the trend shows the same as Worldwide. You can deny it all you want but the evidence points to a declining trend in IE usage.

• Anonymous
  August 06, 2014
  @tour-of-Utah, I took a look at the url you provided in Internet Explorer and Chrome but failed to notice any differences between the two experiences. At your convenience, would you be able to email me (josamp[at]microsoft) additional details about what, specifically, I should be looking for? I look forward to hearing from you! Jonathan Sampson PM, Internet Explorer

• Anonymous
  August 07, 2014
  Publish a public list of ActiveX controls that are blocked.  Let us block java for all sites except for 1 or 2 known ones.

• Anonymous
  August 07, 2014
  SO just as followup the admin templates are going to be upgrade for IE 9-11 ?

• Anonymous
  August 07, 2014
  I'm reading conflicting reports. Is this an actual PATCH that is coming down on Tuesday or will a feature that is already in IE be enabled on that day? If it's a true patch, can we get it early to test the new behavior in large environments? If it's just a feature that will be enabled, is there a way we can enable it early, again to test the new behavior in large environments? Thanks.

• Anonymous
  August 07, 2014
  @Dave, I'm not denying anything. The sources I quoted use count actual users instead of website hits. Stop projecting your prejudice of IE on others.

• Anonymous
  August 07, 2014
  For those who use EMET. It needs to be fixed. bromiumlabs.files.wordpress.com/.../bypassing-emet-4-1.pdf

• Anonymous
  August 07, 2014
  Can IT people  block that UPDATE button in the warning at all if this is enabled?  The last thing I need are VP's insisting we need to upgrade when in reality we cannot because we have some important applications that will break (and have nearly zero control over fixing). I like the idea of putting in logging for the first month, adding the sites we need to Trusted Sites, and then turning this on.  But, if general web surfing generates calls to the Help Desk from angry users saying they want to upgrade Java then that is a big problem. Lastly I hope the logging feature is clear to setup on the back end, unlike the IE11 enterprise mode logging (which had near zero information available when it was first released)

• Anonymous
  August 07, 2014
  The comment has been removed

• Anonymous
  August 07, 2014
  @Bruce S. - Yes, using Group Policy, you can disable the feature altogether, or disable the ability to update (it will just be blocked and that is it). The post mentioned this.

• Anonymous
  August 07, 2014
  @Ron - Look at the links mentioned in the post, you can get to the public list easily. Same regarding allowing ActiveX in certain websites - add them to the Trusted Sites.

• Anonymous
  August 07, 2014
  @anon, Evidence != prejudice.  I'm not projecting anything.  I cited Worldwide statistics that can be easily verified. There's no point in me continuing this discussion with someone who can't comprehend the facts.

• Anonymous
  August 07, 2014
  @NumbStill, granted the W3Schools statistics are primarily developers but that is more of a meaningful indicator than a disqualifier seeing as how developers write code that attempts to run in browsers so they are more informed than casual users. I also cited 2 other links that are more indicative of Worldwide usage.

• Anonymous
  August 07, 2014
  The comment has been removed

• Anonymous
  August 07, 2014
  Earlier I commented on Java having issues installing on 64-bit systems.  This is the bug tracker for that problem, and you have to read their "customer work around" - it will take your breath away.  bugs.java.com/.../view_bug.do  

• Anonymous
  August 07, 2014
  IE is becoming irrelevant. I only use it in a VM to test my site. In fact, I reckon that's what the majority of IE hits are - people constantly hitting F5 as they debug their pages in IE.

• Anonymous
  August 07, 2014
  The comment has been removed

• Anonymous
  August 07, 2014
  Nice!!! I enjoy seeing these kinds of changes. Keep up the great work!

• Anonymous
  August 07, 2014
  Interesting idea, similar to what Oracle is doing with old versions of the JRE. But -- I did notice something related to Java. A lot of corporate customers are stuck on JRE 6 for whatever reason. The latest publically available JRE 6 release on Oracle's website is JRE 6 Update 45 (www.oracle.com/.../java-archive-downloads-javase6-419409.html) According to your matrix, you are warning users about anything older than JRE 6 Update 81. Gaining access to any versions of JRE 6 newer than update 45 requires a support contract from Oracle -- it's usually bundled with whatever Oracle product or middleware requires it. So, it sounds like the end users that this block is targeting will be prompted to upgrade to JRE 7 or 8, which may very well break (badly written corporate) applications. Any idea what large companies should be doing for a BYOD or home-worker style environment??

• Anonymous
  August 07, 2014
  Hey, fanboys: technet.microsoft.com/.../ms14-aug Good luck with IE over the weekend. Again.

• Anonymous
  August 07, 2014
  Microsoft cannot even upgrade my browser to version 10. They should concentrate on fixing this rather than just stopping support answers.microsoft.com/.../0bade040-76b3-429d-9eff-dc85afa74dc0

• Anonymous
  August 07, 2014
  I used the link to the Downloads page, but was only able to download the .admx file. Is there no corresponding .adml file?

• Anonymous
  August 07, 2014
  We don't see the options for the four new policies in the ADM when imported ? are there any caveats to see these 4 new policies?

• Anonymous
  August 07, 2014
  The templates are not available yet: "Starting on August 12, you can also download updated Internet Explorer administrative templates ....". It would be better if this was available before the update. You can also make your own policy for the key “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExtVersionCheckEnabled"

• Anonymous
  August 08, 2014
  Can we say .net only........ Living in a ms world....

• Anonymous
  August 08, 2014
  OK, it's now August 8th, still no update to the documentation.

• Anonymous
  August 08, 2014
  @DB I was just wondering that too. came here to see if anyone had a link to just the changes. nothing i guess so far

• Anonymous
  August 08, 2014
  Any compatibility issues with using per site ActiveX to block Java in the internet zone or should we remove that configuration before deploying this? blogs.msdn.com/.../controlling-java-in-internet-explorer.aspx

• Anonymous
  August 08, 2014
  The link : "Windows Server 2008 and up. Download the complete set of Internet Explorer administrative templates, which include the new settings, from here." doesn't link to the 2008 .admx files, but to the 2003 .adm files

• Anonymous
  August 08, 2014
  Life without technology is like earth without human

• Anonymous
  August 10, 2014
  new GPO incl this new settings arrived www.microsoft.com/.../details.aspx

• Anonymous
  August 11, 2014
  where are the settings in the gpo?

• Anonymous
  August 11, 2014
  Its just a browser people. Take it easy.

• Anonymous
  August 11, 2014
  The comment has been removed

• Anonymous
  August 11, 2014
  The comment has been removed

• Anonymous
  August 11, 2014
  The comment has been removed

• Anonymous
  August 11, 2014
  Any idea where the local logs are kept for policy option "Turn on ActiveX Control logging in Internet Explorer?  

• Anonymous
  August 11, 2014
  I see we have an update here, with some more details...  the log will be stored locally on the PC?  So if I have 1000 Pc's in the company and have no idea which Java applet people might be using I have to use Procmon to figure out where this log file is, and then go grab it from  the 1000 pc's and read them all.  Is there going to be a way to aggregate these and maybe someone could let us know where this log file can be found?

• Anonymous
  August 11, 2014
  We are running Windows 2012R2 (fully patched) domain controllers and 2012R2 domain functional level and I do not yet see the extra controls in Group Policy. Do I have to add something manually to my domain controllers or do I need to do something else? This page  www.microsoft.com/.../details.aspx   says they are already installed but I don't see them? Any help? thanks. Windows Server 2012 R2:   The Internet Explorer 11 Administrative Template files (interes.admx and inetres.adml) are already installed.  

• Anonymous
  August 11, 2014
  If you have multiple copies of Java installed, say, the latest version of 7 and an older version of 6, will this trigger the notification?  We're migrating away from 6, but until it's on every PC, we can't uninstall.

• Anonymous
  August 11, 2014
  @RJC, Bruce S: The logs are kept in “%LOCALAPPDATA%MicrosoftInternet ExplorerVersionManager.  You should just be able to copy them off to a share and run through them with a powershell script.  This is all documented in the article here: technet.microsoft.com/.../dn798785.aspx @TMZ: As the blog post says, these are not officially live until 8/12 so what you are seeing hasn't yet been updated.  Stay tuned. @Glenn: Depends on which version of Java IE tries to load.  If it tires to load an outdated version you will get a prompt.  If its the latest version then you won't get a prompt.

• Anonymous
  August 11, 2014
  Numbstill, Fully aware of Enterprise Mode, it doesn't fix all compatibility issues though does most. We were already in flight with IE10 when IE11 was released and the project funding for compatibility testing was already in flight. We can't suddenly deploy IE11 within a few days before this change went ahead. And Java is Java, most LARGE organisations have had trouble with getting MANY apps signed to work post Java 7 Update 51. This is the difference between the "ideal" world where funding is always flowing and everyone does not have internal politics etc and the "real" world where in large organisations you can't always get things moving as quickly as you want even if you pounce on it when its released. The only thing that gets out quickly is security updates for OS.

• Anonymous
  August 11, 2014
  why

• Anonymous
  August 11, 2014
  First--delaying this from 8/12 until 9/9 is 28 days, not 30. Second--will this be enabled by another update released on 9/9 (Patch Tuesday) or will the patch released on 8/12 include date-triggered functionality?

• Anonymous
  August 11, 2014
  @TZM Here is a blog about How to manage the new "blocking out-of-date ActiveX controls" feature in IE blogs.msdn.com/.../how-to-manage-the-new-quot-blocking-out-of-date-activex-controls-quot-feature-in-ie.aspx

• Anonymous
  August 12, 2014
  What KB Article or bulletin # will this be pushed out in?

• Anonymous
  August 12, 2014
  Well the AuditMode doesn't work in IE9 on Windows 7 x86. Installed update KB2976627, registry key set to enable logging in both HKCU and HKLM but no logfile was written to %LOCALAPPDATA%MicrosoftInternet ExplorerAuditMode.

• Anonymous
  August 12, 2014
  Found the solution: copy versionlist.xml from go.microsoft.com/fwlink to %LOCALAPPDATA%MicrosoftInternet ExplorerVersionManagerversionlist.xml. Now it's working. I was too fast, it takes a while before IE will download the first versionlist.xml

• Anonymous
  August 13, 2014
  What's the best way to test this today?  I have the update applied, the xml file copied over, and logging turned on.  I'm running Java 6.43.  Looking at the VersionAuditLog all the lines are showing "Version not in blocklist".  

• Anonymous
  August 13, 2014
  Installed KB2976627 on a Win7 computer with IE10. Checked the local group policies and the new policies do not exist. Installed KB2976627 on a Win7 computer with IE11 and the policies are there.   What's up with that?

• Anonymous
  August 13, 2014
  What Corey said... So we now know that logging will not function unless %LOCALAPPDATA%MicrosoftInternet ExplorerVersionManagerversionlist.xml has been copied to the users profile.  So you have to wait for IE to download versionlist.xml or manually copy the file. But isn't logging worthless if it doesn't identify what will be in the blocklist.  All we will see is "Not in blocklist" or "Version not in blocklist" until Sept 9th?  This doesn't help us identify what will be blocked based on the latest versionlist.xml. So we are left with the criteria that old versions of Java will be blocked unless your site is in the Intranet or Trusted site zone.  That doesn't help us validate our configurations when the block list changes on sept 9th.  Even if I add non Intranet sites into the Trusted site zone I have no way of verifying this configuration. How about provide us with the versionlist.xml that will be used on Sept 9th so we can test and validate our Java based web applications to actually see the behavior of out-of-date Active X blocking?  Otherwise logging doesn't not help us prepare for what will be blocked in September.  Am I missing something here?

• Anonymous
  August 13, 2014
  I agree completely with what Smelly posted belo... While I can get AuditMode to work by copying "versionlist.xml" from the various locations provided, I cannot actually get IE to block any outdated versions of Java in my test environment.  I have tried editing the xml file with no success.  Pages requiring java just hang with custom xml files.  Has anyone met with any success in either editing the version list.xml file, or successfully triggering a "block" event to test against?

• Anonymous
  August 13, 2014
  I agree completely with what Smelly posted belo... While I can get AuditMode to work by copying "versionlist.xml" from the various locations provided, I cannot actually get IE to block any outdated versions of Java in my test environment.  I have tried editing the xml file with no success.  Pages requiring java just hang with custom xml files.  Has anyone met with any success in either editing the version list.xml file, or successfully triggering a "block" event to test against?

• Anonymous
  August 13, 2014
  For those looking for a PowerShell Script to get the log contents, here it is. www.verboon.info/.../powershell-script-to-retrieve-content-from-internet-explorer-activex-blocking-log

• Anonymous
  August 13, 2014
  The comment has been removed

• Anonymous
  August 14, 2014
  Two things.

1. Why is inetres.admx & adml not applied with IE 8?  I see on my IE 11 systems that the new GPO template is there but not with IE 8.0.
2. How do we test this beforehand if it is not enabled until Sept 8th.  I'm looking for the setting but it is not obvious.

• Anonymous
  August 14, 2014
  Removing the "latestgroup = "1"" from the xml file didn't do anything for me.  We need a way to reliably test this on our environments.

• Anonymous
  August 14, 2014
  The comment has been removed

• Anonymous
  August 14, 2014
  What rights or permissions are needed to see the activeX blocking notifications?  Would a standard user have these rights?  What about installing the updated control?

• Anonymous
  August 14, 2014
  This is fantastic news- thanks for the information and strategy to help protect users from exploit kits

• Anonymous
  August 14, 2014
  Question:  how big is the log file voing to be? I notice that my log contains several lines with the same value, so i wonder if we enable this permanently how much this file will grow. Is there any hard coded limit where it starts overwriting? Just thinking loud. Why was not the same logging option considered as exist for enterprise mode? I mean with log file stored locally in the users profile i end building a process collecting these files for 15000 clients spread all over the world. Last but not least. If MS could setup a test page with older versions to ensure all works as expected that would be grat. Kind regards Alex

• Anonymous
  August 14, 2014
  The comment has been removed

• Anonymous
  August 14, 2014
  Make sure to only remove the first occurrence of latestgroup="1" not all of them.  If you remove all of them IE will block the latest version of Java also not just the out of date version.

• Anonymous
  August 14, 2014
  Please note that updated testing guidance is now available on support.microsoft.com/.../2991000 under the section Testing the out-of-date ActiveX controls feature.

• Anonymous
  August 14, 2014
  Yes, sir !! I totally agree with you, the changes become make in internet explorer is such so interesting and provide better security to IE. Because it is the part of JAVA, so learn<a href="www.sagacademy.com/java-development-training-jaipur"> of those changes training</a> is also required.

• Anonymous
  August 15, 2014
  Hi ilove u someone and u2w

• Anonymous
  August 17, 2014
  Hi,Every one wants security in life.Security cover is necessary.Your instiuition is caring.

• Anonymous
  August 17, 2014
  Hi, anyone can find the new policy with IE 9 Windows 7 x64? I have installed the update but found nothing even I have added the  Administrative Templates.

• Anonymous
  August 17, 2014
  Hi, what will be the update reference please? So that we can block it through group policy.  We use a system that only works with Java 6.  Thank you.

• Anonymous
  August 20, 2014
  Hi, anyone can find the new policy with IE 9 Windows 7 x64? Thank you.

• Anonymous
  March 06, 2015
  I can load some game on Club Pogo but a lots of them I can not load

• Anonymous
  March 07, 2015
  we are having trouble loading up the couponging sites just to get coupons printed out

• Anonymous
  March 08, 2015
  Well a thank u?

• Anonymous
  March 11, 2015
  ok

• Anonymous
  March 11, 2015
  kan nogen fortælle mig hvordan jeg løser en error code 1638 i java

• Anonymous
  March 16, 2015
  ta hra je mrtě dobrá doporučuji mladím hráčům i starím hačům

• Anonymous
  March 16, 2015
  ok

• Anonymous
  March 28, 2015
  343434343fdsddfdre43

• Anonymous
  April 02, 2015
  isoo e legal

• Anonymous
  April 02, 2015
  isso funcionao nao

• Anonymous
  April 04, 2015
  ok

• Anonymous
  April 04, 2015
  ok ok ok

• Anonymous
  May 02, 2015
  koogle woonthan publicokootis?