Поделиться через


How to manage the new "blocking out-of-date ActiveX controls" feature in IE?

In this quick blog post, we are sharing the administrative group policy settings and registry location included in the August 2014 IE cumulative update, that will help you better prepare and manage the new "blocking out-of-date ActiveX controls" feature.

For more information on the new changes, please read the original post by the IE Product Team: "Internet Explorer begins blocking out-of-date ActiveX controls"

Below are some key notes from the Blog post https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx introducing the new changes.

Out-of-date ActiveX control blocking lets you:

  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

  • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
  • Enforced blocking prevents users from overriding the warning for out-of-control ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
  • Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
  • This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with value of zero.

 

Today, the August IE Cumulative for August was released. Details of changes are also included in the kb2976627. 

HOW TO GET THE NEW ADMIN TEMPLATES?

  • Install the August IE Cumulative Update: Microsoft Security Bulletin MS14-051 - Critical https://technet.microsoft.com/en-us/library/security/MS14-051
  • For older OS you can download it from our Download center
    • Windows Server 2003. Download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from here.
    • Windows Server 2008 and up. Download the complete set of Internet Explorer administrative templates, which include the new settings, from here.

Windows Server 2003:

  1. Copy inetres.adm into %WINDIR%\inf\
  2. Open the Group Policy Editor
    • Click Start, click Run, type gpedit.msc, and then click OK.
    • Expand Local Computer Policy, expand Computer Configuration.
    • Right click on Administrative Templates. If you see Inetres template on this list, click Remove, and then click Close.
    • Right click on Administrative Templates and click on Add/Remove Templates. Click Add and locate inetres.adm in %WINDIR%\inf\ and click Open to add it again. Then click Close.

Windows Server 2012 R2:

The Internet Explorer 11 Administrative Template files (interes.admx and inetres.adml) are already installed with the August Cumulative update!.

Windows Server 2008 R2 SP1:

    1. If you install Internet Explorer 11, the Administrative Template files (interes.admx and inetres.adml) will be installed automatically with the August IE Cumulative update!
    2. Follow the instructions as described in the following article: https://technet.microsoft.com/en-us/library/cc709647.aspx

Windows Server 2008 and Windows Server 2008 R2:

Follow the instructions as described in the following article: https://technet.microsoft.com/en-us/library/cc709647.aspx. Again, if you install the August IE cumulative update it will include the new admin templates!

 

 IMPORTANT : We have tested the steps outlined in the Windows 2008 and above and seeing reports of Access Denied. I strongly suggest to simply install the Cumulative update instead.

GPO LOCATION:

Category Path: User or Machine Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Security Features \ Add-on Management

Policies:

GPO NAME: Turn off blocking of outdated ActiveX controls for Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "VersionCheckEnabled"=dword:00000000 

GPO NAME: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain

VALUE:  "*.contoso.com/*"="*.contoso.com/*" 

GPO NAME: Turn on ActiveX control logging in Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "AuditModeEnabled"=dword:00000001 

GPO NAME: Remove "Run this time" button for outdated ActiveX controls in Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "RunThisTimeEnabled"=dword:00000000 

 

SCREENSHOT:

You can also use the Central Store Group Policy by following these steps:

  • Make sure GPMC is close!
  • Copy the new IE11 Templates into its respective policy folders.
    • Copy inetres.admx from C:\Windows\PolicyDefinitions  to  the Domain Sysvol\Domain\policies\PolicyDefinitions folder.
    • Copy inetres.adml  from C:\Windows\PolicyDefinitions\en-US to the Domain Sysvol\Domain\policies\PolicyDefinitions\en-US policy folder.

NOTE: Verify, the new files have the new blocking out-of-date ActiveX controls entries present. Example: open the inetres.admx and .adml file and search for the registry key value, like VersionCheckEnabled if present, you have confirmed you have the updated ADMX.

  • Open GPMC to confirm the new TEMPLATES are present

 

Hope this quick GPO introduction for this impactful change helps you better prepare you and get your environment ready for what is ahead!

This blog has been provided to you by the IE Support team!

Comments

  • Anonymous
    August 12, 2014
    Well the AuditMode doesn't work in IE9 on Windows 7 x86. Installed update KB2976627, registry key set to enable logging in both HKCU and HKLM but no logfile was written to %LOCALAPPDATA%MicrosoftInternet ExplorerAuditMode.

  • Anonymous
    August 12, 2014
    @SimpleI believed it is because, the blocking is not ON. The Template is there but the JAVA blocking is not going to be enabled until Sept.I will run some more test and come back to this blog post with more information.    

  • Anonymous
    August 13, 2014
    Same deal here on IE8/Win7x64Disabling logging defeats the point of delaying the enforcing for a month. As per MS: "Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th."  blogs.msdn.com/.../internet-explorer-begins-blocking-out-of-date-activex-controls.aspx

  • Anonymous
    August 13, 2014
    What's the best way to test this today?  I have the update applied, the xml file copied over, and logging turned on.  I'm running Java 6.43.  Looking at the VersionAuditLog all the lines are showing "Version not in blocklist".  

  • Anonymous
    August 13, 2014
    You can download the versionlist.xml file from iecvlist.microsoft.com/.../versionlist.xml  and put the file in this folder:%LOCALAPPDATA%MicrosoftInternet ExplorerVersionManager"Once the file is there, then the VersionAuditLog.csv file will appear in %LOCALAPPDATA%MicrosoftInternet ExplorerAuditMode"However, even using Java 6 update 21 for some applications, all entires in the log file show "Allowed, Version not in block list" so I am unable to successfully trigger a "block" event.  Without being able to generate a block event, I am unable to adequately test solutions.  Any recommendations? If the versionlist.xml file at the location specified above (taken from the  addendum section of the original IE blog announcing the feature) is not the same file that will be used in September, Is there a chance that Microsoft could provide the actual versionlist.xml file they are planning on using so that IT Administrators can test in their environments?

  • Anonymous
    August 13, 2014
    I have enable the policy to "Turn on ActiveX control logging in Internet Explorer," however, where is the log so that I may view the results?

  • Anonymous
    August 14, 2014
    I installed MS14-051 on my Windows 8.1 64bit machine for IE11 but it did not update the inetres.admx template or inetres.adm template in c:windowspolicydefinitons.  As such, I cannot manage the policy using group policy management in RSAT.  I am building a test Server 2012 VM computer to see if works on that.  Our productions environment doesn't have any server 2012 machines yet.  

  • Anonymous
    August 14, 2014
    How do we test this?

  • Anonymous
    August 14, 2014
    The code that will activate this new feature is not enabled currently and why, some of the test outlined in this blog post thread are not working. The policy / registry and versionlist.xml will take effect once the September update is available.At this time, my suggestion is to make sure the GPOs or Registry key is implemented on your environment if you are anticipating conflicts with the upcoming changes.If I come across any options, I will share it out here!

  • Anonymous
    August 14, 2014
    This article outlines the steps you need to test the new feature under "Testing the out-of-date ActiveX controls feature"Update to block out-of-date ActiveX controls in Internet Explorersupport.microsoft.com/.../2991000

  • Anonymous
    August 19, 2014
    Joseph .. you need to install Java 7 any versions  (except for the latest one of course)..  Anything below Java 7 you won't see the BLOCK event.. I tested in multiple workstation.

  • Anonymous
    August 19, 2014
    The comment has been removed

  • Anonymous
    August 19, 2014
    I installed the August IE update and my GPO policy files are still dated from July not August and I don't see the other options listed in this article being available for management.

  • Anonymous
    August 21, 2014
    @NickA and JP2013    Try following my other blog:•How do I test the new out-of-date ActiveX controls feature?◦blogs.msdn.com/.../how-do-i-test-the-testing-the-out-of-date-activex-controls-feature.aspxComment the blog if you have any problems and I will try to research it and provide guidance.

  • Anonymous
    August 21, 2014
    The comment has been removed

  • Anonymous
    August 22, 2014
    The comment has been removed

  • Anonymous
    August 28, 2014
    The comment has been removed

  • Anonymous
    August 28, 2014
    The comment has been removed

  • Anonymous
    August 29, 2014
    @kojeiwa   and KelDid you enabled the GPO to get the Audit started?GPO NAME: Turn on ActiveX control logging in Internet ExplorerREGISTRY LOCATION: SOFTWAREMicrosoftWindowsCurrentVersionPoliciesExtVALUE: "AuditModeEnabled"=dword:00000001Check the clients registry and make sure it is present.

  • Anonymous
    August 31, 2014
    @AxelRMSTYes, I did enabled it in GPO and also in Registry. I don't even see the notification bar iin IE when I go to a site that uses Java. Anymore suggestion? Thanks

  • Anonymous
    August 31, 2014
    @kojeiwaPlease follow my steps on how to test the new feature below.Remember that this will be enable in September 9th so technically it should not block anything yet.blogs.msdn.com/.../how-do-i-test-the-testing-the-out-of-date-activex-controls-feature.aspx

  • Anonymous
    September 02, 2014
    I still don't know what I am doing wrong. I followed your instructions. Everyone looks fine. Though I had to create the VersionManager and AuditMode folders manually cause they weren't automatically created.  I don't see the notification bar and nothing get logged in Auditmodelog

  • Anonymous
    September 02, 2014
    @KojeiwaIs the url you are opening in the Internet Zone?Are you adding the site to the Trusted Site Zones?Remember, there are scenarios you can bypass the warning.Did you validate the XML file have the correct parameters?You may have to consider opening a ticket with support and help you look into your particular configuration.If you are in a domain environment, I would suggest testing this using your local admin account and setup the local GPO and TEST configuration and see if you get the same results.

  • Anonymous
    September 02, 2014
    I am opening http://www.nvidia.com/download and javatest.org/version.html. You mean the versionlist XML file? I used the one Microsoft published.

  • Anonymous
    September 02, 2014
    @kokeiwaDid you edited the file with the parameter value I outlined in my other blog.Please use the other blog for comments, so everyone else can benefit from the threadblogs.msdn.com/.../how-do-i-test-the-testing-the-out-of-date-activex-controls-feature.aspx

  • Anonymous
    September 03, 2014
    The change does not take affect until the 9th of September.  How is it turned on?Is it a timer built into the August 12th release or is there something coming in the Patch Tuesday release on the 9th that will trigger it?If it is a timer, when exactly does it go off?

  • Anonymous
    September 05, 2014
    @ChiefTomWe do not have any specifics on the time where this will be in effect, but it will be on the scheduled date for sure; Sept 9th.

  • Anonymous
    September 07, 2014
    I have the latest August update, and am running IE 11 on my server, but the policies don't show up when I'm editing my new GPO.  They're visible when I open the local gpo (gpedit.msc) but not when I open the domain policy editor (gpmc.msc). Am I missing something?  I've even tried to add the template in manually (right clicking the Administrative templates and adding the new adm file) but that doesn't seem to populate the new entries either. Any help would be great.

  • Anonymous
    September 10, 2014
    Same problem for meI can't see the new policy

  • Anonymous
    September 11, 2014
    Hii activated all Settings but  no block happenas well no Auditlog is generated.Afaik the block should be happen after 09/09/2014 but it seems not

  • Anonymous
    September 11, 2014
    @GPO in local not group policyYou may be using Central Store Group PolicyYou will have to copy the new Templates inetres.admx and inetres.adml to your central store.See the part in my blog that explain the steps under:You can also use the Central Store Group Policy by following these steps:

  • Anonymous
    September 11, 2014
    @127    There could be different variables happening on your machine or environment.After you have installed the August update and past Tuesday, it can take up to 12 hours for the versionlist.xml to be downloaded. The Versionlist.xml has to be present before the AuditLog can be created.You would want to check the registry and make sure, you do not have the VersionCheckEnabled present and set to 0, if you do. Delete it and have to wait until, the versionlist.xml is downloaded under the user profile. REGISTRY LOCATION: SOFTWAREMicrosoftWindowsCurrentVersionPoliciesExtVALUE: "VersionCheckEnabled"=dword:00000000The url is not in the Local Intranet or Trusted Site ZoneYou are not running a java version that is blocked Tip: Once you have confirmed that you have the requirements, you should close the browser and wait a few minutes then try again.

  • Anonymous
    September 17, 2014
    In our testing, with an outdated version of Java (JRE 6 update 45), applets in modal dialogs cannot be used even after clicking "Run this time" for other applets in the application. When the modal dialog is opened, the applet is not loaded and IE does not present a "run this time" option. Is this a known issue? The windows are opened with window.showModalDialog.Our testing has been on Windows 7 with IE9.

  • Anonymous
    September 18, 2014
    I tried using the new ADMX and the registry key to turn off all blocking. But it is still blocking the test machine with Java 7 25 on it.I am using server 2008 R2, all desktops are Win7 IE10, I tried IE11 as well, it is still blocking.

  • Anonymous
    September 18, 2014
    @Rob ZuberCould you provide a sample code or a site where this is used for us to test it out?

  • Anonymous
    September 18, 2014
    @PC    You would want to review the registry key associated with the Group Policy.REGISTRY LOCATION: SOFTWAREMicrosoftWindowsCurrentVersionPoliciesExtVALUE: "VersionCheckEnabled"=dword:00000000you can also add the site to the Local Intranet or Trusted Site Zone.

  • Anonymous
    September 24, 2014
    i'm confused; the article below has two copy commands for the downloaded template files, which i can't do because domain admin has no permissions to add files to these directories:www.microsoft.com/.../details.aspxthis article has a link to another article if you're running Windows 2008 R2 SP1:technet.microsoft.com/.../cc709647.aspxthen there's mention of another approach if you're using central store.so is there a recommended way to update the admin templates depending on your environment?please help?

  • Anonymous
    October 03, 2014
    I haven't been able to find this out.How will the file be updated? Will it be done via a KB release (patch tuesday update) or when the user/machine connects to the internet/or a site? What happens when another user logs into the machine? Is the versionlist.xml that was previously installed for user 'A' also work to block outdated java apps for user 'B'. If not, how and when will the file be installed?

  • Anonymous
    December 13, 2014
    I'm just a home user trying to get as sturdy a build as possible.I have nirsoft suite: activexhelper reports missing files that aren't missing -  wonder if it's an x-architecture issue (running portable activexhelper *32 on 64-bit windows 7 ultimate)I see things installed that I don't use. Trying to COMPLETELY remove homegroup, for example.Using shellexview to disable hoemgroup control panel - restart explorer, but icon still there :(ideas? thanks :)

  • Anonymous
    February 15, 2015
    With my current customer I would like to take a middle path. Disable the versionlist.xml download and manage its contents ourselves. Is there a method by which I can control its location? The default currently leaves multiple copies in the various user profiles and I would prefer to set it to a single static path.