How to manage the new "blocking out-of-date ActiveX controls" feature in IE?


In this quick blog post, we are sharing the Group Policy administrative template settings and registry locations included in the August 2014 IE cumulative update, to help you prepare for and manage the new "blocking out-of-date ActiveX controls" feature.

For more information on the new changes, please read the original post by the IE Product Team: "Internet Explorer begins blocking out-of-date ActiveX controls"

Below are some key notes from the IE blog post introducing the change (http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx).

Out-of-date ActiveX control blocking lets you:

  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

  • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
  • Enforced blocking prevents users from overriding the warning for out-of-date ActiveX controls. Users will not see the "Run this time" button. This Group Policy is "Remove Run this time button for outdated ActiveX controls in Internet Explorer."
  • Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is "Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains" and takes a list of top-level domains, host names, or files.
  • The feature can be turned off entirely by using the policy "Turn off blocking of outdated ActiveX controls for Internet Explorer." This might be used temporarily, in combination with logging, to assess ActiveX controls before re-enabling the feature. Like all four policies, it can also be set with a registry value: in this case the REG_DWORD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled" with a value of zero.

 

Today the August IE cumulative update (KB2976627) was released. Details of the changes are also included in the KB article.

HOW TO GET THE NEW ADMIN TEMPLATES?

  • Install the August IE cumulative update: Microsoft Security Bulletin MS14-051 - Critical https://technet.microsoft.com/en-us/library/security/MS14-051
  • For older operating systems, you can download the templates from the Download Center:
    • Windows Server 2003: download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from here.
    • Windows Server 2008 and later: download the complete set of Internet Explorer administrative templates, which include the new settings, from here.

Windows Server 2003:

  1. Copy inetres.adm into %WINDIR%\inf\
  2. Open the Group Policy Editor
    • Click Start, click Run, type gpedit.msc, and then click OK.
    • Expand Local Computer Policy, expand Computer Configuration.
    • Right-click Administrative Templates and click Add/Remove Templates. If the Inetres template is already in the list, select it, click Remove, and then click Close.
    • Right-click Administrative Templates again and click Add/Remove Templates. Click Add, locate inetres.adm in %WINDIR%\inf\, and click Open to add the updated template. Then click Close.

Windows Server 2012 R2:

The Internet Explorer 11 Administrative Template files (inetres.admx and inetres.adml) are already installed with the August cumulative update.

Windows Server 2008 R2 SP1:

    1. If you have installed Internet Explorer 11, the Administrative Template files (inetres.admx and inetres.adml) are installed automatically with the August IE cumulative update.
    2. Follow the instructions as described in the following article: http://technet.microsoft.com/en-us/library/cc709647.aspx

Windows Server 2008 and Windows Server 2008 R2:

Follow the instructions in the following article: http://technet.microsoft.com/en-us/library/cc709647.aspx. Again, if you install the August IE cumulative update, it includes the new administrative templates.

 

IMPORTANT: We have tested the manual template-copy steps on Windows Server 2008 and later and are seeing reports of "Access Denied" errors (the files under PolicyDefinitions are owned by the TrustedInstaller service). We strongly suggest simply installing the cumulative update instead.

GPO LOCATION:

Category Path: User or Machine Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Security Features \ Add-on Management

The registry locations below are relative to HKEY_LOCAL_MACHINE (Computer Configuration) or HKEY_CURRENT_USER (User Configuration), depending on which node the policy is set in.

Policies:

GPO NAME: Turn off blocking of outdated ActiveX controls for Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "VersionCheckEnabled"=dword:00000000 

GPO NAME: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain

VALUE:  "*.contoso.com/*"="*.contoso.com/*" 

GPO NAME: Turn on ActiveX control logging in Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "AuditModeEnabled"=dword:00000001 

GPO NAME: Remove "Run this time" button for outdated ActiveX controls in Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "RunThisTimeEnabled"=dword:00000000 
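The four policies above map to plain registry values, so on a test machine (or for a local-policy pilot before the GPO is built) they can be set and read back from PowerShell. The script below is an added example and is not code from the original post: it writes exactly the value names and locations listed above, in three modes that match the scenarios described earlier (logging only for assessment, logging plus enforced blocking, or feature off with logging kept on). The mode names, the parameter names and the choice to clear values that a mode does not need are this example's own conventions; the sample domain exception is the one the post uses. Run it elevated when targeting HKLM. On a domain-joined machine these values are managed by Group Policy and will be reapplied at the next refresh, so use the GPO for production rollout.

```powershell
# Added example (not from the original post): set the out-of-date ActiveX
# control policies via the registry values documented in the post.
# Usage:  .\Set-OutdatedActiveXPolicy.ps1 -Mode Audit
#         .\Set-OutdatedActiveXPolicy.ps1 -Mode Enforce -AllowDomains '*.contoso.com/*'
#         .\Set-OutdatedActiveXPolicy.ps1 -Mode Off -Hive HKCU
param(
    [ValidateSet('Audit', 'Enforce', 'Off')]
    [string]$Mode = 'Audit',                 # example's own mode names
    [string[]]$AllowDomains = @(),           # entries for the "specific domains" policy
    [ValidateSet('HKLM', 'HKCU')]
    [string]$Hive = 'HKLM'                   # HKLM = Computer Configuration, HKCU = User Configuration
)

$extKey    = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext"
$domainKey = Join-Path $extKey 'Domain'
$hiveName  = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER' }[$Hive]

# The Policies\Ext key does not exist until some Ext policy has been applied.
if (-not (Test-Path -LiteralPath $extKey)) { New-Item -Path $extKey -Force | Out-Null }

switch ($Mode) {
    'Audit' {
        # "Turn on ActiveX control logging" only; blocking and "Run this time" stay at default.
        # Stale values from an earlier test are removed rather than left at 0.
        Set-ItemProperty -LiteralPath $extKey -Name AuditModeEnabled -Type DWord -Value 1
        Remove-ItemProperty -LiteralPath $extKey -Name VersionCheckEnabled -ErrorAction SilentlyContinue
        Remove-ItemProperty -LiteralPath $extKey -Name RunThisTimeEnabled  -ErrorAction SilentlyContinue
    }
    'Enforce' {
        # Logging plus "Remove Run this time button": users cannot override a block.
        Set-ItemProperty -LiteralPath $extKey -Name AuditModeEnabled   -Type DWord -Value 1
        Set-ItemProperty -LiteralPath $extKey -Name RunThisTimeEnabled -Type DWord -Value 0
        Remove-ItemProperty -LiteralPath $extKey -Name VersionCheckEnabled -ErrorAction SilentlyContinue
    }
    'Off' {
        # "Turn off blocking of outdated ActiveX controls" (not recommended except
        # temporarily during assessment); logging is kept on so the inventory still builds.
        Set-ItemProperty -LiteralPath $extKey -Name VersionCheckEnabled -Type DWord -Value 0
        Set-ItemProperty -LiteralPath $extKey -Name AuditModeEnabled    -Type DWord -Value 1
    }
}

# "Specific domains" policy: one REG_SZ per entry under Ext\Domain, where the value
# name and its data are the same string, e.g. "*.contoso.com/*" = "*.contoso.com/*".
# The .NET API is used here because '*' in a value name would otherwise be treated
# as a wildcard by the registry provider cmdlets.
foreach ($d in $AllowDomains) {
    [Microsoft.Win32.Registry]::SetValue("$hiveName\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain",
        $d, $d, [Microsoft.Win32.RegistryValueKind]::String)
}

# Read back what is now in effect so the change can be recorded.
"Policy values under $extKey"
Get-ItemProperty -LiteralPath $extKey |
    Select-Object VersionCheckEnabled, AuditModeEnabled, RunThisTimeEnabled | Format-List
if (Test-Path -LiteralPath $domainKey) {
    'Domain exceptions:'
    (Get-Item -LiteralPath $domainKey).GetValueNames()
}
```

An absent value and a value of 1 mean the same thing for VersionCheckEnabled and RunThisTimeEnabled (feature on, button shown), which is why the Audit and Enforce modes delete rather than set them; a leftover VersionCheckEnabled=0 from a disable test is one of the first things to look for when blocking unexpectedly does not happen.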

 


If you use a Group Policy Central Store, update it by following these steps:

  • Make sure GPMC is closed.
  • Copy the new IE11 templates into their respective Central Store folders:
    • Copy inetres.admx from C:\Windows\PolicyDefinitions to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions.
    • Copy inetres.adml from C:\Windows\PolicyDefinitions\en-US to \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\en-US.

NOTE: Verify that the new files contain the "blocking out-of-date ActiveX controls" entries. For example, open inetres.admx and inetres.adml and search for one of the registry value names, such as VersionCheckEnabled; if it is present, you have the updated templates.

  • Open GPMC and confirm that the new settings are present.
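The Central Store steps above can be scripted so that the check for the new entries happens before anything is copied domain-wide. The following is an added example, not code from the original post: it takes inetres.admx and inetres.adml from the local PolicyDefinitions folder of a machine that already has the August cumulative update, refuses to run while an MMC console (GPMC or the Group Policy Editor) is open, verifies that the source files actually contain the VersionCheckEnabled entry, backs up the current Central Store copies, copies the new ones, and repeats the check on the copies in SYSVOL. The domain name is taken from the current session, only the en-US language folder is handled, and the backup location under %TEMP% is this example's own choice.

```powershell
# Added example (not from the original post): publish the updated IE administrative
# templates to the Group Policy Central Store and confirm they carry the new settings.
# Run on a machine with the August IE cumulative update installed, as a user who can
# write to SYSVOL.

$domain       = $env:USERDNSDOMAIN                                   # assumption: domain-joined session
$source       = Join-Path $env:SystemRoot 'PolicyDefinitions'
$centralStore = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$marker       = 'VersionCheckEnabled'       # value name that only the updated template defines
$backup       = Join-Path $env:TEMP ('PolicyDefinitions-backup-' + (Get-Date -Format 'yyyyMMdd-HHmm'))

# 1. GPMC and gpedit.msc both run inside mmc.exe; they must be closed before the store changes.
if (Get-Process -Name mmc -ErrorAction SilentlyContinue) {
    throw 'Close all MMC consoles (GPMC / Group Policy Editor) before updating the Central Store.'
}

# 2. The two files the post tells you to copy, with their destinations.
$files = @(
    @{ Src = Join-Path $source 'inetres.admx';       Dst = Join-Path $centralStore 'inetres.admx' },
    @{ Src = Join-Path $source 'en-US\inetres.adml'; Dst = Join-Path $centralStore 'en-US\inetres.adml' }
)

# 3. Prove the local copies are the updated ones before pushing them domain-wide.
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f.Src)) {
        throw "$($f.Src) not found."
    }
    if (-not (Select-String -Path $f.Src -Pattern $marker -Quiet)) {
        throw "$($f.Src) does not contain '$marker'; install the IE cumulative update (KB2976627) first."
    }
}

# 4. Back up what the store holds now (rollback path), then copy the new files.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f.Dst) {
        New-Item -ItemType Directory -Path $backup -Force | Out-Null
        Copy-Item -LiteralPath $f.Dst -Destination (Join-Path $backup (Split-Path $f.Dst -Leaf)) -Force
    }
    New-Item -ItemType Directory -Path (Split-Path $f.Dst -Parent) -Force | Out-Null
    Copy-Item -LiteralPath $f.Src -Destination $f.Dst -Force
}

# 5. Repeat the marker check on the copies in SYSVOL, which is the check the post suggests doing by hand.
foreach ($f in $files) {
    $ok = Select-String -Path $f.Dst -Pattern $marker -Quiet
    '{0,-70} {1}' -f $f.Dst, $(if ($ok) { 'updated' } else { 'MISSING MARKER' })
}
"Previous copies (if any) saved under $backup"
```

If the Central Store is in use, GPMC ignores the local C:\Windows\PolicyDefinitions folder entirely, which is why a freshly patched server can show the new settings in gpedit.msc but not in the domain GPO editor until this copy has been done.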

 


We hope this quick GPO introduction to this impactful change helps you prepare and get your environment ready for what is ahead!

This blog has been provided to you by the IE Support team!

Comments (40)

  1. Simple says:

    Well, the AuditMode doesn't work in IE9 on Windows 7 x86. Installed update KB2976627, registry key set to enable logging in both HKCU and HKLM, but no log file was written to %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode.

  2. AxelRMSFT says:

    @Simple

    I believe it is because the blocking is not ON. The template is there, but the Java blocking is not going to be enabled until September.

    I will run some more tests and come back to this blog post with more information.

  3. meofcourse says:

    Same deal here on IE8/Win7x64

    Disabling logging defeats the point of delaying the enforcing for a month. As per MS: "Customers can use the new logging feature to assess ActiveX controls in their environment and deploy Group Policies to enforce blocking, turn off blocking ActiveX controls for specific domains, or turn off the feature entirely depending on their needs. The feature and related Group Policies will still be available on August 12, but no out-of-date ActiveX controls will be blocked until Tuesday, September 9th."  

  4. Corey says:

    What's the best way to test this today?  I have the update applied, the xml file copied over, and logging turned on.  I'm running Java 6.43.  Looking at the VersionAuditLog all the lines are showing "Version not in blocklist".  

  5. Joseph.Harris says:

    You can download the versionlist.xml file from iecvlist.microsoft.com/.../versionlist.xml  and put the file in this folder:

    %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager

    Once the file is there, the VersionAuditLog.csv file will appear in %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode

    However, even using Java 6 update 21 for some applications, all entries in the log file show "Allowed, Version not in block list", so I am unable to successfully trigger a "block" event. Without being able to generate a block event, I am unable to adequately test solutions. Any recommendations? If the versionlist.xml file at the location specified above (taken from the addendum section of the original IE blog announcing the feature) is not the same file that will be used in September, is there a chance that Microsoft could provide the actual versionlist.xml file they are planning on using, so that IT administrators can test in their environments?

  6. Shane says:

    I have enable the policy to "Turn on ActiveX control logging in Internet Explorer," however, where is the log so that I may view the results?

  7. RSAT says:

    I installed MS14-051 on my Windows 8.1 64-bit machine for IE11, but it did not update the inetres.admx template or inetres.adm template in c:\windows\policydefinitions. As such, I cannot manage the policy using Group Policy Management in RSAT. I am building a test Server 2012 VM to see if it works on that. Our production environment doesn't have any Server 2012 machines yet.

  8. Corey says:

    How do we test this?

  9. AxelRMSFT says:

    The code that will activate this new feature is not enabled currently, which is why some of the tests outlined in this blog post thread are not working. The policy / registry and versionlist.xml will take effect once the September update is available.

    At this time, my suggestion is to make sure the GPOs or Registry key is implemented on your environment if you are anticipating conflicts with the upcoming changes.

    If I come across any options, I will share it out here!

  10. AxelRMSFT says:

    This article outlines the steps you need to test the new feature under "Testing the out-of-date ActiveX controls feature"

    Update to block out-of-date ActiveX controls in Internet Explorer

    support.microsoft.com/.../2991000

  11. NickA says:

    Joseph .. you need to install Java 7 any versions  (except for the latest one of course)..  Anything below Java 7 you won't see the BLOCK event.. I tested in multiple workstation.

  12. NickA says:

    Block Out-Of-Date ActiveX GPO not working..  The Block Event dialog box still shows up even after Enabling "Turn off blocking of outdated ActiveX controls for Internet Explorer" and/or "Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains"

  13. JP2013 says:

    I installed the August IE update and my GPO policy files are still dated from July not August and I don't see the other options listed in this article being available for management.

  14. AxelRMSFT says:

    @NickA and JP2013    

    Try following my other blog:

    •How do I test the new out-of-date ActiveX controls feature?

    blogs.msdn.com/.../how-do-i-test-the-testing-the-out-of-date-activex-controls-feature.aspx

    Comment the blog if you have any problems and I will try to research it and provide guidance.

  15. D2014 says:

    @JP2013 and AxelRMSFT

    Like JP2013, I have installed the patch on a Windows 2012 and Server 2008 R2. But I see no change in Policy Files, cant find the settings in GPMC. KB 2976627

  16. AxelRMSFT says:

    @D2014

    Are you using Central Store Group Policy?

    You have IE11 + the IE August Cumulative update ms14-051 kb2976627 , right?

    • Open gpedit.msc on your Server
    • go to User Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Security Features \ Add-on Management

    • Can you see the GPOs?

    You can also go to C:\Windows\PolicyDefinitions and open inetres.admx and search for one of the new GPOs. Example: VersionCheckEnabled

    If you see it, the GPO should be there, if not you don't have the right ADMX.

    Remove and reinstall the IE Cumulative kb2976627 on the client with IE in it. You must have both in order to see the ADMX.

    If you are testing on a machine with IE10,the ADMX are not included in it. You have to copy the ADMX from a machine that have the ADMX or download it from the Download center.

    NOTE: If you get access denied when copying to a machine that has IE10 or below, you have to take ownership of the file and have full access in order to copy the admx and adml files. The TrustedInstaller NT service has ownership of these files, which is why you get the access denied message.

  17. Kel says:

    I installed the August Cumulative update KB2976627 on test Win 2008 R2 servers and Win 7 workstations. I can see the GPOs in both User and Computer Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Security Features \ Add-on Management. We are just doing logging for now, so I enabled logging in GPO. I followed the instructions below to test it. AuditMode wasn't created in %LOCALAPPDATA%\Microsoft\Internet Explorer so I created the folder. To test it, I opened IE and went to a site that uses Java, but I didn't see the notification bar and nothing gets logged in AuditMode. What am I doing wrong?

    1.On a test computer, install the August cumulative update for Internet Explorer

    2.Set a registry key to stop downloading updated versions of the VersionList.xml file. To do this, run the following command:

    reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f

    Important After testing is complete, you must delete this registry key. Otherwise, this computer will stop receiving an updated VersionList.xml file that lists the out-of-date ActiveX controls. We do not recommend ever setting this registry key on an in-production computer.

    3.Copy the current VersionList.xml file from here

    to the following location:

    %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml

    Note If you are asked to overwrite the existing file, you should agree.

    4.To start blocking outdated versions of Java, open the VersionList.xml file, and then delete the first occurrence of latestgroup="1" (that is, the portion in bold type that follows):

  18. kojeiwa says:

    I installed the August Cumulative update KB2976627 on test Win 2008 R2 servers and Win 7 workstations. I can see the GPOs in both User and Computer Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Security Features \ Add-on Management. We are just doing logging for now, so I enabled logging. I followed the instructions below to test it. AuditMode wasn't created in %LOCALAPPDATA%\Microsoft\Internet Explorer so I created the folder. To test it, I opened IE and went to a site that uses Java, but I didn't see the notification bar and nothing gets logged in AuditMode. What am I doing wrong?

    1.On a test computer, install the August cumulative update for Internet Explorer.

    2.Set a registry key to stop downloading updated versions of the VersionList.xml file. To do this, run the following command:

    reg add "HKCU\Software\Microsoft\Internet Explorer\VersionManager" /v DownloadVersionList /t REG_DWORD /d 0 /f

    Important After testing is complete, you must delete this registry key. Otherwise, this computer will stop receiving an updated VersionList.xml file that lists the out-of-date ActiveX controls. We do not recommend ever setting this registry key on an in-production computer.

    3.Copy the current VersionList.xml file from here

    to the following location:

    %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml

    Note If you are asked to overwrite the existing file, you should agree.

    4.To start blocking outdated versions of Java, open the VersionList.xml file, and then delete the first occurrence of latestgroup="1" (that is, the portion in bold type that follows):

  19. AxelRMSFT says:

    @kojeiwa   and Kel

    Did you enable the GPO to get the audit started?

    GPO NAME: Turn on ActiveX control logging in Internet Explorer

    REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

    VALUE: "AuditModeEnabled"=dword:00000001

    Check the clients registry and make sure it is present.

  20. kojeiwa says:

    @AxelRMST

    Yes, I did enable it in GPO and also in the registry. I don't even see the notification bar in IE when I go to a site that uses Java. Any more suggestions? Thanks

  21. AxelRMSFT says:

    @kojeiwa

    Please follow my steps on how to test the new feature below.

    Remember that this will be enable in September 9th so technically it should not block anything yet.

    blogs.msdn.com/.../how-do-i-test-the-testing-the-out-of-date-activex-controls-feature.aspx

  22. kojeiwa says:

    I still don't know what I am doing wrong. I followed your instructions. Everyone looks fine. Though I had to create the VersionManager and AuditMode folders manually cause they weren't automatically created.  I don't see the notification bar and nothing get logged in Auditmodelog

  23. AxelRMSFT says:

    @Kojeiwa

    Is the url you are opening in the Internet Zone?

    Are you adding the site to the Trusted Site Zones?

    Remember, there are scenarios you can bypass the warning.

    Did you validate the XML file have the correct parameters?

    You may have to consider opening a ticket with support and help you look into your particular configuration.

    If you are in a domain environment, I would suggest testing this using your local admin account and setup the local GPO and TEST configuration and see if you get the same results.

  24. kojeiwa says:

    I am opening http://www.nvidia.com/download and javatest.org/version.html. You mean the versionlist XML file? I used the one Microsoft published.

  25. AxelRMSFT says:

    @kokeiwa

    Did you edit the file with the parameter value I outlined in my other blog?

    Please use the other blog for comments, so everyone else can benefit from the thread

    blogs.msdn.com/.../how-do-i-test-the-testing-the-out-of-date-activex-controls-feature.aspx

  26. ChiefTom says:

    The change does not take effect until the 9th of September.

    How is it turned on?

    Is it a timer built into the August 12th release or is there something coming in the Patch Tuesday release on the 9th that will trigger it?

    If it is a timer, when exactly does it go off?

  27. AxelRMSFT says:

    @ChiefTom

    We do not have any specifics on the time where this will be in effect, but it will be on the scheduled date for sure; Sept 9th.

  28. GPO in local not group policy says:

    I have the latest August update, and am running IE 11 on my server, but the policies don't show up when I'm editing my new GPO.  They're visible when I open the local gpo (gpedit.msc) but not when I open the domain policy editor (gpmc.msc). Am I missing something?  I've even tried to add the template in manually (right clicking the Administrative templates and adding the new adm file) but that doesn't seem to populate the new entries either. Any help would be great.

  29. Jac says:

    Same problem for me

    I can't see the new policy

  30. 127 says:

    Hi

    i activated all Settings but  no block happen

    as well no Auditlog is generated.

    Afaik the block should be happen after 09/09/2014 but it seems not

  31. AxelRMSFT says:

    @GPO in local not group policy

    You may be using Central Store Group Policy

    You will have to copy the new Templates inetres.admx and inetres.adml to your central store.

    See the part in my blog that explain the steps under:

    You can also use the Central Store Group Policy by following these steps:

  32. AxelRMSFT says:

    @127    

    There could be different variables happening on your machine or environment.

    • After you have installed the August update, and once past Tuesday, it can take up to 12 hours for the versionlist.xml to be downloaded. The versionlist.xml has to be present before the audit log can be created.
    • You would want to check the registry and make sure you do not have VersionCheckEnabled present and set to 0; if you do, delete it and wait until the versionlist.xml is downloaded under the user profile.

    REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

    VALUE: "VersionCheckEnabled"=dword:00000000

    • The URL is not in the Local Intranet or Trusted Sites zone.
    • You are not running a Java version that is blocked.

    Tip: Once you have confirmed that you have the requirements, you should close the browser and wait a few minutes, then try again.
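The checklist in the comment above can be run as a script on the client. The following is an added example and is not part of the original post or of the comment thread: run as the user whose IE profile you are troubleshooting, it reports whether versionlist.xml has been downloaded and how old it is, whether the DownloadVersionList=0 test setting from the KB steps quoted earlier has been left behind, what the four policy values are in both HKLM and HKCU, and whether a VersionAuditLog.csv exists yet. The paths and value names are the ones given on this page; the zone membership of the URL you are testing is not scripted and still has to be checked by hand in Internet Options.

```powershell
# Added example (not from the post or the comment thread): client-side check of the
# prerequisites for an out-of-date ActiveX block or audit-log entry. Run as the affected user.

$ieLocal   = Join-Path $env:LOCALAPPDATA 'Microsoft\Internet Explorer'
$verList   = Join-Path $ieLocal 'VersionManager\versionlist.xml'
$auditLog  = Join-Path $ieLocal 'AuditMode\VersionAuditLog.csv'
$extPolicy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
$vmKey     = 'HKCU:\Software\Microsoft\Internet Explorer\VersionManager'

$findings = @()

# 1. The block list must be present in the profile; nothing is logged or blocked without it.
if (Test-Path -LiteralPath $verList) {
    $age = (Get-Date) - (Get-Item -LiteralPath $verList).LastWriteTime
    'versionlist.xml present, last written {0:N1} hours ago' -f $age.TotalHours
} else {
    $findings += 'versionlist.xml is missing: it can take up to 12 hours after the update to be downloaded.'
}

# 2. The KB test step that stops the download must not be left behind on a production machine.
$dl = Get-ItemProperty -Path $vmKey -Name DownloadVersionList -ErrorAction SilentlyContinue
if ($dl -and $dl.DownloadVersionList -eq 0) {
    $findings += 'DownloadVersionList=0 is set under HKCU VersionManager: versionlist.xml will never refresh; delete it after testing.'
}

# 3. Policy values in both hives. VersionCheckEnabled=0 turns the feature off entirely;
#    AuditModeEnabled=1 in either hive is required before VersionAuditLog.csv is written.
$auditOn = $false
foreach ($hive in 'HKLM', 'HKCU') {
    $p = Get-ItemProperty -Path "${hive}:\$extPolicy" -ErrorAction SilentlyContinue
    if ($null -eq $p) { "$hive : no Policies\Ext key"; continue }
    '{0} : VersionCheckEnabled={1} AuditModeEnabled={2} RunThisTimeEnabled={3}' -f $hive,
        $p.VersionCheckEnabled, $p.AuditModeEnabled, $p.RunThisTimeEnabled
    if ($p.VersionCheckEnabled -eq 0) { $findings += "$hive VersionCheckEnabled=0: blocking is turned off by policy." }
    if ($p.AuditModeEnabled -eq 1)    { $auditOn = $true }
}
if (-not $auditOn) { $findings += 'AuditModeEnabled=1 is not set in HKLM or HKCU: no audit log will be written.' }

# 4. Show the newest audit entries if the log exists yet (Select-Object keeps this PowerShell 2.0 safe).
if (Test-Path -LiteralPath $auditLog) {
    'Newest audit log entries:'
    Get-Content -LiteralPath $auditLog | Select-Object -Last 5
} else {
    $findings += 'No VersionAuditLog.csv yet: from the Internet zone (not Intranet or Trusted Sites), open a page that loads a Java version on the list, then close IE, wait a few minutes and retry.'
}

if ($findings.Count -gt 0) { ''; 'Findings:'; $findings | ForEach-Object { " - $_" } } else { ''; 'No obvious blockers found.' }
```

The audit log and versionlist.xml are per-user (they live under %LOCALAPPDATA%), so running this from an administrator's session tells you nothing about the user who reported the problem; that is also why the post's advice to reproduce with a local admin account and local GPO is worth following before opening a case.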

  33. Rob Zuber says:

    In our testing, with an outdated version of Java (JRE 6 update 45), applets in modal dialogs cannot be used even after clicking "Run this time" for other applets in the application. When the modal dialog is opened, the applet is not loaded and IE does not present a "run this time" option. Is this a known issue? The windows are opened with window.showModalDialog.

    Our testing has been on Windows 7 with IE9.

  34. PC says:

    I tried using the new ADMX and the registry key to turn off all blocking. But it is still blocking the test machine with Java 7 25 on it.

    I am using server 2008 R2, all desktops are Win7 IE10, I tried IE11 as well, it is still blocking.

  35. AxelRMSFT says:

    @Rob Zuber

    Could you provide a sample code or a site where this is used for us to test it out?

  36. AxelRMSFT says:

    @PC    

    You would want to review the registry key associated with the Group Policy.

    REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

    VALUE: "VersionCheckEnabled"=dword:00000000

    you can also add the site to the Local Intranet or Trusted Site Zone.

  37. Matt says:

    I'm confused; the article below has two copy commands for the downloaded template files, which I can't do because domain admin has no permissions to add files to these directories:

    http://www.microsoft.com/.../details.aspx

    this article has a link to another article if you're running Windows 2008 R2 SP1:

    technet.microsoft.com/.../cc709647.aspx

    then there's mention of another approach if you're using central store.

    so is there a recommended way to update the admin templates depending on your environment?

    please help?

  38. @wfs says:

    I haven't been able to find this out.

    1. How will the file be updated? Will it be done via a KB release (patch tuesday update) or when the user/machine connects to the internet/or a site?

    2. What happens when another user logs into the machine? Is the versionlist.xml that was previously installed for user 'A' also work to block outdated java apps for user 'B'. If not, how and when will the file be installed?

  39. please help ? says:

    I'm just a home user trying to get as sturdy a build as possible.

    I have nirsoft suite: activexhelper reports missing files that aren't missing -

      wonder if it's an x-architecture issue (running portable activexhelper *32 on 64-bit windows 7 ultimate)

    I see things installed that I don't use. Trying to COMPLETELY remove homegroup, for example.

    Using shellexview to disable the homegroup control panel - restart explorer, but the icon is still there 🙁

    ideas? thanks 🙂

  40. Steve Ashton says:

    With my current customer I would like to take a middle path. Disable the versionlist.xml download and manage its contents ourselves. Is there a method by which I can control its location? The default currently leaves multiple copies in the various user profiles and I would prefer to set it to a single static path.
