Hi, I’m Chris Corio, a Program Manager on the User Account Control team. As I’m sure you’ve guessed by now, we’re hard at work providing a great experience for standard users in Windows Vista. I’m happy to announce a brand new feature that we’ve added to Windows Vista – the ActiveX Installer Service.
Our Technical Adoption Program (TAP) participants testing Windows Vista require that a variety of ActiveX controls are installed to conduct day-to-day business within their enterprise and with their partners. These ActiveX controls were being updated regularly, and the corporations couldn’t package and deploy them to their users quickly enough. As we looked at the problem more closely, we realized we needed to provide a way for enterprises to delegate the installation of ActiveX controls for standard users. The ActiveX Installer Service was the resultant solution that the UAC team created for this problem. With this service, Microsoft will be providing a Group Policy driven mechanism that lets IT professionals define the Host URLs from which standard users can install ActiveX controls.
The ActiveX Installer Service consists of a Windows service, a Group Policy administrative template, and a few changes in Internet Explorer. It will be an optional component on the Ultimate, Business, and Enterprise SKUs of Windows Vista and will only be enabled on clients where it’s installed. If a user is running as a standard user and the feature is enabled, Internet Explorer will ask the service to install any ActiveX controls that need to be installed. Before installing the ActiveX control, the Installer service will check to see if the Host URL of the CODEBASE is defined and listed in Group Policy and if it is allowed. If the service policy permits the install of the ActiveX control, then the service will create an instance of the Internet Explorer ActiveX installer object to be used to install the control. If Group Policy did not specify that the ActiveX control was allowed to install, then the default Windows Vista behavior is resumed: a Consent\Credential prompt is required to install an ActiveX control.
For now, the service is designed to install Internet Component Download packaged controls – this means that an ActiveX control must be a .cab, .dll, or .ocx. Following Windows Vista, this solution will probably be married with MSI, enabling MSIs installations based on similar policy.
If you’re at TechEd, look for demos of the ActiveX Installer Service all week. Ben Fathi’s Security Keynote speech also included a demo of the feature–Alex Heaton demonstrated ActiveX control installation for a standard user by using a simple business-to-business ActiveX control in an enterprise. Steve Hiskey, our fearless Lead PM, will also be giving a demo of the service and a look at how to configure the policy–or you can just stop by the UAC booth in the Windows Vista area for a personal demo.
The ActiveX Installer Service is scheduled to be in the next public release of Windows Vista – RC1. We will be providing more details on the service and how to define policy for it in the next couple weeks. As you move to running as a standard user, this will definitely be something you’ll want to look into!!
As always, we welcome your feedback about the service and we’ll try our best to answer your questions in a timely manner.