Quick and dirty Group Policy ADM template to implement the workaround from KB972890


Hey folks!


We’ve received many many requests asking if the workaround mentioned in KB972890 can be implemented via Group Policy.  To that end, we’ve put together an ADM template to help Domain Admins roll this out through Group Policy.  It’s an “as is” template, so feel free to tweak it as needed.


Important: This policy requires that you disable filtering in the group policy editor. See steps below on how to set this up.


How to load the Custom ADM Template?



  1. To start Group Policy, click Start and then click Run. In the Open box, type GPEdit.msc or GPMC.msc if from a Domain policy and then click OK.

  2. Select Administrative Templates from the Computer Configuration branch.

  3. Right-click the Administrative Templates branch, and then select All Tasks.

  4. Select Add/Remove Templates.

  5. Click Add.

  6. Load the ADM templates.

NOTE: Windows 2003, Windows XP will display the policy under: Administrative Templates > New Polcy


Here is how you disable the Group policy filer:



  1. Right click on the Policy and select View > detail > Filtering

  2. Remove the checkmark from the checkbox next to “Only show policy settings that can be fully managed”

  3. You should see the template now.


Please see the attached file below that contains the ADM templates.


Note:


We have updated the template base on some great feedback from our readers. When the policy is enable will set the value to hex 1024  and when disable to 0.


In the Zip file [ADM_KB972890_v_07-09-09.zip], you should find:



  1. The IE 32 bit custom adm version: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

  2. The IE Wow6432Node (x64) custom adm version: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility

  3. The registry export (.reg) export for both IE 32 bit and x64 IE version.

  4. Readme.txt with our Registry import disclaimer.

 


Related Article:



 


Regards,


The IE Support Team


 

ADM_KB972890_v-07-09-09.zip

Comments (5)

  1. David says:

    What are the implications of enabling all of the CSLIDs?  Do I have to identify which CSLIDs are in use on my workstations, or can I simply enable all of them?

  2. ArchersIT says:

    Just to note that you have missed a couple of settings in the x86 version: {37B03544-A4C8-11D2-B634-00C04F79498E} and {BB530C63-D9DF-4B49-9439-63453962E598} are missing the itemlist key value.

    HTH

    Jonathan

  3. S says:

    Can you also provide e .reg file that enables the activex control again for whenever there is a fix?

  4. Randy Jackson says:

    Thank you for this post. I have downloaded the adm zip and was able to add the template and link it to an OU. When I run gpresult from a Windows XP client, the result is showing that it has not been applied because they were filtered out. Is this correct or should it show it as being applied?

  5. I am assuming you are getting something like:

    The following GPOs were not applied because they were filtered out


    Local Group Policy

    Filtering: Not Applied (Empty)


    More likely cause:

    The setting you have applied must be linked to an OU containing computer, not users.  

    Reason:

    The registry keys we are adding via the ADM are Computer Policy not user.

    Try adding the computer to that OU.

    Check permissions.

    Tools you can use to help you isolate the problem:

    Userenv log

      How to enable user environment debug logging in retail builds of Windows

      http://support.microsoft.com/?scid=kb%3Ben-us%3B221833&x=7&y=6

    Event logs. You may have userenv warnings or errors with hints as to what may be happening.

    Regards,

    The IE Support Team