How to manage the new "blocking out-of-date ActiveX controls" feature in IE?

In this quick blog post, we are sharing the administrative Group Policy settings and registry locations included in the August 2014 IE cumulative update that will help you better prepare for and manage the new "blocking out-of-date ActiveX controls" feature.

For more information on the new changes, please read the original post by the IE Product Team: "Internet Explorer begins blocking out-of-date ActiveX controls"

Below are some key notes from the Blog post https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx introducing the new changes.

Out-of-date ActiveX control blocking lets you:

  • Know when Internet Explorer prevents a Web page from loading common, but outdated, ActiveX controls.
  • Interact with other parts of the Web page that aren’t affected by the outdated control.
  • Update the outdated control, so that it’s up-to-date and safer to use.
  • Inventory the ActiveX controls your organization is using.

Out-of-date ActiveX control blocking for managed environments

Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and Trusted Sites Zone, to help ensure that intranet Web sites and trusted line-of-business apps can continue to use ActiveX controls without disruption. Some customers may want more granular control over how this feature works on managed systems. IT Pros may want to turn on ActiveX control logging, enforce blocking, allow select domains to use out-of-date ActiveX controls, or—although it is not recommended—disable the feature altogether.

To support these scenarios, Internet Explorer includes four new Group Policy settings that you can use to manage out-of-date ActiveX control blocking.

  • Logging can tell you what ActiveX controls will be allowed or flagged for warning or blocking, and for what reason. Creating an inventory of ActiveX controls can also show which ActiveX controls are compatible with Enhanced Protected Mode, an Internet Explorer 11 security feature which provides additional protection against browser exploits—but not all ActiveX controls are compatible with EPM, so this feature can help assess your organization’s readiness for blocking out-of-date ActiveX controls and enabling EPM. This Group Policy is “Turn on ActiveX control logging in Internet Explorer,” and can be used separately or in conjunction with the other three policies.
  • Enforced blocking prevents users from overriding the warning for out-of-date ActiveX controls. Users will not see the “Run this time” button. This Group Policy is “Remove Run this time button for outdated ActiveX controls in Internet Explorer.”
  • Selected domains can be managed for which Internet Explorer will not block or warn about outdated ActiveX controls. This policy is “Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains” and includes a list of top level domains, host names, or files.
  • This feature can be turned off by using the policy “Turn off blocking of outdated ActiveX controls for Internet Explorer.” This might be used temporarily in combination with logging, to assess ActiveX controls before re-enabling the feature. This can also be enabled, like all four policies, with a registry key—in this case, a REG_DWORD “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\VersionCheckEnabled” with value of zero.

 

Today, the August IE Cumulative Update was released. Details of the changes are also included in KB2976627.

HOW TO GET THE NEW ADMIN TEMPLATES?

  • Install the August IE Cumulative Update: Microsoft Security Bulletin MS14-051 - Critical https://technet.microsoft.com/en-us/library/security/MS14-051
  • For older OS you can download it from our Download center
    • Windows Server 2003. Download the complete set of (English only) Internet Explorer administrative templates, which include the new settings, from here.
    • Windows Server 2008 and up. Download the complete set of Internet Explorer administrative templates, which include the new settings, from here.

Windows Server 2003:

  1. Copy inetres.adm into %WINDIR%\inf\
  2. Open the Group Policy Editor
    • Click Start, click Run, type gpedit.msc, and then click OK.
    • Expand Local Computer Policy, expand Computer Configuration.
    • Right click on Administrative Templates. If you see Inetres template on this list, click Remove, and then click Close.
    • Right click on Administrative Templates and click on Add/Remove Templates. Click Add and locate inetres.adm in %WINDIR%\inf\ and click Open to add it again. Then click Close.

Windows Server 2012 R2:

The Internet Explorer 11 Administrative Template files (inetres.admx and inetres.adml) are already installed with the August Cumulative update!

Windows Server 2008 R2 SP1:

    1. If you install Internet Explorer 11, the Administrative Template files (inetres.admx and inetres.adml) will be installed automatically with the August IE Cumulative update!
    2. Follow the instructions as described in the following article: https://technet.microsoft.com/en-us/library/cc709647.aspx

Windows Server 2008 and Windows Server 2008 R2:

Follow the instructions as described in the following article: https://technet.microsoft.com/en-us/library/cc709647.aspx. Again, if you install the August IE cumulative update it will include the new admin templates!

 

 IMPORTANT: We have tested the steps outlined for Windows 2008 and above and are seeing reports of Access Denied. I strongly suggest simply installing the Cumulative update instead.

GPO LOCATION:

Category Path: User or Machine Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Security Features \ Add-on Management

Policies:

GPO NAME: Turn off blocking of outdated ActiveX controls for Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "VersionCheckEnabled"=dword:00000000 

GPO NAME: Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\Domain

VALUE:  "*.contoso.com/*"="*.contoso.com/*" 

GPO NAME: Turn on ActiveX control logging in Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "AuditModeEnabled"=dword:00000001 

GPO NAME: Remove "Run this time" button for outdated ActiveX controls in Internet Explorer

REGISTRY LOCATION: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext

VALUE: "RunThisTimeEnabled"=dword:00000000 
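
To audit how these four policies are actually set on a machine, the following added example (not part of the original post or of any Microsoft tooling) reads the registry locations listed above from both the machine and user hives. The function name and the wording of the findings are illustrative; a value that is absent is reported as NotConfigured.

```powershell
# Added example: report the out-of-date ActiveX blocking policy state per hive.
# Registry location and value names are the ones listed in this post.
$extKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'

function Get-ActiveXBlockingPolicy {   # hypothetical helper name
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$extKey"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        # Exempt domains are stored as value names under the Domain subkey.
        $domains = @()
        $domKey  = Get-Item -Path "$path\Domain" -ErrorAction SilentlyContinue
        if ($domKey) { $domains = @($domKey.GetValueNames() | Where-Object { $_ }) }

        # Settings an administrator reviewing the rollout would want to know about.
        $findings = @()
        if ($props.VersionCheckEnabled -eq 0) { $findings += 'blocking is turned off' }
        if ($props.RunThisTimeEnabled -ne 0)  { $findings += '"Run this time" button is not removed' }
        if ($props.AuditModeEnabled -ne 1)    { $findings += 'ActiveX control logging is not turned on' }
        if ($domains.Count -gt 0)             { $findings += "$($domains.Count) exempt domain pattern(s)" }

        # Show the raw DWORD, or NotConfigured when the value does not exist.
        $show = { param($v) if ($null -eq $v) { 'NotConfigured' } else { $v } }

        [pscustomobject]@{
            Hive                = $hive
            VersionCheckEnabled = & $show $props.VersionCheckEnabled
            AuditModeEnabled    = & $show $props.AuditModeEnabled
            RunThisTimeEnabled  = & $show $props.RunThisTimeEnabled
            ExemptDomains       = $domains -join '; '
            Findings            = $findings -join '; '
        }
    }
}

Get-ActiveXBlockingPolicy | Format-List
```

The script reports each hive separately and does not decide which one wins when both are configured.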

 


You can also use the Central Store Group Policy by following these steps:

  • Make sure GPMC is closed!
  • Copy the new IE11 Templates into its respective policy folders.
    • Copy inetres.admx from C:\Windows\PolicyDefinitions  to  the Domain Sysvol\Domain\policies\PolicyDefinitions folder.
    • Copy inetres.adml  from C:\Windows\PolicyDefinitions\en-US to the Domain Sysvol\Domain\policies\PolicyDefinitions\en-US policy folder.

NOTE: Verify that the new files contain the new blocking out-of-date ActiveX controls entries. Example: open the inetres.admx and .adml files and search for a registry value name such as VersionCheckEnabled. If it is present, you have confirmed that you have the updated ADMX.

  • Open GPMC to confirm the new TEMPLATES are present
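
The verification described in the NOTE above can be scripted. This added example (not from the original post) parses inetres.admx in the local PolicyDefinitions folder and in the Central Store, lists which of the new value names are missing, and compares file hashes to confirm the copy. The function name is hypothetical, the Central Store path uses contoso.com as a placeholder domain, and the script assumes PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example: confirm a PolicyDefinitions folder carries the updated IE templates.
# Value names are the ones listed under "Policies" in this post.
$expectedValues = 'VersionCheckEnabled', 'AuditModeEnabled', 'RunThisTimeEnabled'

function Test-InetresTemplate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$PolicyDefinitions,
        [string]$Language = 'en-US'
    )
    $admx = Join-Path $PolicyDefinitions 'inetres.admx'
    $adml = Join-Path $PolicyDefinitions "$Language\inetres.adml"

    $present = @()
    $hash    = $null
    if (Test-Path $admx) {
        # ADMX is XML; registry value names appear in valueName attributes.
        $present = @(Select-Xml -Path $admx -XPath '//@valueName' |
                     ForEach-Object { $_.Node.Value } | Sort-Object -Unique)
        $hash = (Get-FileHash -Path $admx -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Path          = $PolicyDefinitions
        AdmxFound     = Test-Path $admx
        AdmlFound     = Test-Path $adml
        MissingValues = @($expectedValues | Where-Object { $_ -notin $present }) -join ', '
        AdmxSha256    = $hash
    }
}

# Placeholder Central Store path: replace contoso.com with your domain.
$local   = Test-InetresTemplate -PolicyDefinitions 'C:\Windows\PolicyDefinitions'
$central = Test-InetresTemplate -PolicyDefinitions '\\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions'

$local, $central | Format-List
if ($local.AdmxSha256 -and $local.AdmxSha256 -eq $central.AdmxSha256) {
    'Central Store inetres.admx matches the local copy.'
} else {
    'Central Store inetres.admx is missing or differs from the local copy.'
}
```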

 

Hope this quick GPO introduction for this impactful change helps you better prepare and get your environment ready for what is ahead!

This blog has been provided to you by the IE Support team!