The issue I describe here is the same as that in Group Policy Internet Explorer, Add-on list not working, but I provide more detail and troubleshooting steps, so I thought it was worth re-asking.


I manage a number of computers running Windows 8.1. Several software packages that I install on these machines have associated add-ons for Internet Explorer. The default behavior of Internet Explorer is to prompt the user to enable add-ons the first time he/she runs Internet Explorer after the add-on has been installed. Since I am the one installing the add-ons, and since I manage the machines, I want these add-ons to be enabled by default, and I do not want the user to be prompted. I want the user to retain the ability to disable the add-ons for troubleshooting purposes if needed, though, and if the user has been granted privileges to install software, I want him/her to be prompted for any add-ons he/she installs that I don't know about.

According to Microsoft's documentation, this is possible through a Group Policy setting. (Note that the Automatically activate newly installed add-ons setting under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer would turn on any add-on that came along without prompting, and so it does not fit what I want as described above.)

The setting that seems like it should do what I want is Add-on List under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. Quoted from MSDN:

Using the CLSID and Administrative Templates to manage group policy objects

Because every add-on has a Class ID (CLSID), you can use it to enable and disable specific add-ons, using Group Policy and Administrative Templates.

To manage add-ons
  1. Get the CLSID for the add-on you want to enable or disable:
    1. Open Internet Explorer, click Tools, and then click Manage Add-ons.
    2. Pick the add-on you want to change, and then right-click More Information.
    3. Click Copy and then close Manage Add-ons and Internet Explorer.
  2. From the copied information, select and copy just the Class ID value.
  3. Open the Group Policy Management Editor and go to Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
    -or-
    Open the Local Group Policy Editor and go to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
  4. Open the Add-on List Group Policy Object, pick Enabled, and then click Show.
    Show Contents box appears.
  5. In Value Name, put your copied Class ID.
  6. In Value, put:
    • 0. The add-on is disabled and your employees can’t change it.
    • 1. The add-on is enabled and your employees can’t change it.
    • 2. The add-on is enabled and your employees can change it.
  7. Click OK and close the Group Policy editor.

The value of 2 is exactly what I want, but it does not work. I did some troubleshooting that I describe below. My environment is:

  • Windows 8.1 Enterprise fresh installation with all updates as of 24-Feb-2015 installed
  • Internet Explorer 11 (included in Windows 8.1)
  • Used Local Group Policy object to avoid the complication of dealing with GPOs applied from the domain
  • Used the following add-ons:
    {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - Lync Browser Helper
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Java(tm) Plug-In SSV Helper
    {DBC80044-A445-435B-BC74-9C25C1C588A9} - Java(tm) Plug-In 2 SSV Helper

Troubleshooting Steps

  1. Sign in as Administrator.
  2. Create a regular user account named "test".
  3. Open Local Group Policy Editor, navigate to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management, and open the Add-on List policy.
  4. Mark it as enabled, and then click Show... and add the following values to the table:
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 0
    {DBC80044-A445-435B-BC74-9C25C1C588A9} 0
    {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} 0
  5. Click OK twice to save the policy.
  6. Sign into the "test" account, and run Internet Explorer.
    As expected, the prompt does not appear, and checking Tools > Manage add-ons shows the specified add-ons as disabled with the Enable and Disable buttons both disabled.
  7. Sign out, and sign back into the Administrator account.
  8. Delete the "test" user's profile.
  9. Change the Add-on List policy so that the value for each add-on is 1.
  10. Sign into the "test" account, and run Internet Explorer.
    As expected, the prompt does not appear, and checking Tools > Manage add-ons shows the specified add-ons as enabled with the Enable and Disable buttons both disabled.
  11. Sign out, and sign back into the Administrator account.
  12. Delete the "test" user's profile.
  13. Change the Add-on List policy so that the value for each add-on is 2.
  14. Sign into the "test" account, and run Internet Explorer.
    I expected the prompt to be eliminated, but it showed up. I ignored it (leaving it on the screen) and looked in Tools > Manage add-ons, which showed the following statuses:
    Lync Browser Helper - New
    Lync Click to Call - Enabled
    Java(tm) Plug-In SSV Helper - New
    Java(tm) Plug-In 2 SSV Helper - New
    Then I exited the Manage add-ons window.
  15. Close the prompt without choosing either option (using the [x] button). I looked in Tools > Manage add-ons again, and all of the relevant add-ons' statuses had switched to disabled. The Enable button was available, though.

The behavior when the value is set to 2 contradicts what the documentation says. My understanding is that when the value is set to 2, (1) the prompt should not appear, (2) the specified add-ons should be enabled, and (3) the user should be able to enable or disable the add-ons freely. Is there something I am missing here, like some other policy that also needs to be set? Is there another way to accomplish what I want?

Jay Michaud
  • If it makes you feel any better, the behavior of the add-on prompt worked exactly how you described it in one of our environments as well so I am suspecting that it may very well be a "feature" of the specific Policy. Just for sh&ts and G7ggles though, you mentioned it was applied locally, are you sure it is not being overwritten by any other domain/ou level policies? Also, I have looked into using another policy in the .\Add-On Management folder which references "Deny all add-ons unless specifically allowed" which hints at being able to be applied with this one as well. – Get-HomeByFiveOClock Feb 24 '15 at 18:16
  • @Get-HomeByFiveOClock My test machine was not joined to the domain, so only the LGPO was applied. I saw that other one too, but at this point, I don't want to lock it down that much. – Jay Michaud Feb 24 '15 at 18:26
  • I know this seems arcane, but what happens if you try to enable **Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Automatically activate newly installed add-ons**, then into **Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management** you set both **Add-On list** and **Deny all add-ons unless specifically allowed in the Add-on List** ? – Alex Mazzariol Apr 18 '15 at 21:02
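
A way to check what the Add-on List policy from the question actually wrote on a machine, as an added example that is not part of the original post or of the quoted documentation. It assumes the policy entries are stored under the `Policies\Ext\CLSID` registry key (a path the page does not give); the function name `Get-AddOnListPolicy` is hypothetical.

```powershell
# Added example: report what the "Add-on List" policy wrote to the registry.
# Assumption (not on the page): entries are stored as values named by CLSID
# under Policies\Ext\CLSID in the machine and user policy hives.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
)

# Value meanings as quoted from the documentation in the question.
$meaning = @{
    '0' = 'disabled, user cannot change'
    '1' = 'enabled, user cannot change'
    '2' = 'enabled, user can change'
}

# CLSIDs and names from the question's test environment.
$expected = @{
    '{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}' = 'Lync Browser Helper'
    '{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}' = 'Java(tm) Plug-In SSV Helper'
    '{DBC80044-A445-435B-BC74-9C25C1C588A9}' = 'Java(tm) Plug-In 2 SSV Helper'
}

function Get-AddOnListPolicy {   # hypothetical helper name
    param([string[]]$Path = $policyKeys)
    foreach ($key in $Path) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # policy not set in this hive
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip non-CLSID values
            $data = [string]$regKey.GetValue($name)
            [pscustomobject]@{
                Hive    = $key.Substring(0, 4)
                Clsid   = $name
                AddOn   = if ($expected.ContainsKey($name)) { $expected[$name] } else { '(not in question)' }
                Value   = $data
                Meaning = if ($meaning.ContainsKey($data)) { $meaning[$data] } else { 'unrecognized value' }
            }
        }
    }
}

$found = @(Get-AddOnListPolicy)
$found | Format-Table -AutoSize

# Warn about add-ons from the question that no policy entry covers.
foreach ($clsid in $expected.Keys) {
    if ($found.Clsid -notcontains $clsid) {
        Write-Warning "No Add-on List entry for $clsid ($($expected[$clsid]))"
    }
}
```

Running it after `gpupdate /force` in the session being tested shows whether the value in effect is the one entered in the policy editor before comparing against what Manage add-ons displays.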

1 Answer

  1. Open Group Policy Management
  2. Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer
  3. Enable the following policy: Automatically enable newly installed add-ons

Now, when you start IE 11, the “Several add-ons are ready for use” message will be disabled.

masegaloeh
My IT Guy