The issue I describe here is the same as that in Group Policy Internet Explorer, Add-on list not working, but I provide more detail and troubleshooting steps, so I thought it was worth re-asking.
I manage a number of computers running Windows 8.1. Several software packages that I install on these machines have associated add-ons for Internet Explorer. The default behavior of Internet Explorer is to prompt the user to enable add-ons the first time he/she runs Internet Explorer after the add-on has been installed. Since I am the one installing the add-ons, and since I manage the machines, I want these add-ons to be enabled by default, and I do not want the user to be prompted. I want the user to retain the ability to disable the add-ons for troubleshooting purposes if needed, though, and if the user has been granted privileges to install software, I want him/her to be prompted for any add-ons he/she installs that I don't know about.
According to Microsoft's documentation, this is possible through a Group Policy setting. (Note that the Automatically activate newly installed add-ons setting under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer would turn on any add-on that came along without prompting, and so it does not fit what I want as described above.)
The setting that seems like it should do what I want is Add-on List under Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. Quoted from MSDN:
Using the CLSID and Administrative Templates to manage group policy objects
Because every add-on has a Class ID (CLSID), you can use it to enable and disable specific add-ons, using Group Policy and Administrative Templates.
To manage add-ons
- Get the CLSID for the add-on you want to enable or disable:
  - Open Internet Explorer, click Tools, and then click Manage Add-ons.
  - Pick the add-on you want to change, and then right-click More Information.
  - Click Copy and then close Manage Add-ons and Internet Explorer.
- From the copied information, select and copy just the Class ID value.
- Open the Group Policy Management Editor and go to Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
  -or-
  Open the Local Group Policy Editor and go to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management.
- Open the Add-on List Group Policy Object, pick Enabled, and then click Show.
  Show Contents box appears.
- In Value Name, put your copied Class ID.
- In Value, put:
  - 0. The add-on is disabled and your employees can’t change it.
  - 1. The add-on is enabled and your employees can’t change it.
  - 2. The add-on is enabled and your employees can change it.
- Click OK and close the Group Policy editor.
The value of 2 is exactly what I want, but it does not work. I did some troubleshooting that I describe below. My environment is:
- Windows 8.1 Enterprise fresh installation with all updates as of 24-Feb-2015 installed
- Internet Explorer 11 (included in Windows 8.1)
- Used Local Group Policy object to avoid the complication of dealing with GPOs applied from the domain
- Used the following add-ons:
{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - Lync Browser Helper
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Java(tm) Plug-In SSV Helper
{DBC80044-A445-435B-BC74-9C25C1C588A9} - Java(tm) Plug-In 2 SSV Helper
Troubleshooting Steps
- Sign in as Administrator.
- Create a regular user account named "test".
- Open Local Group Policy Editor, navigate to Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management, and open the Add-on List policy.
- Mark it as enabled, and then click Show... and add the following values to the table:
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} 0
{DBC80044-A445-435B-BC74-9C25C1C588A9} 0
{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} 0
- Click OK twice to save the policy.
- Sign into the "test" account, and run Internet Explorer.
As expected, the prompt does not appear, and checking Tools > Manage add-ons shows the specified add-ons as disabled with the Enable and Disable buttons both disabled.
- Sign out, and sign back into the Administrator account.
- Delete the "test" user's profile.
- Change the Add-on List policy so that the value for each add-on is 1.
- Sign into the "test" account, and run Internet Explorer.
As expected, the prompt does not appear, and checking Tools > Manage add-ons shows the specified add-ons as enabled with the Enable and Disable buttons both disabled.
- Sign out, and sign back into the Administrator account.
- Delete the "test" user's profile.
- Change the Add-on List policy so that the value for each add-on is 2.
- Sign into the "test" account, and run Internet Explorer.
I expected the prompt to be eliminated, but it showed up. I ignored it (leaving it on the screen) and looked in Tools > Manage add-ons, which showed the following statuses:
Lync Browser Helper - New
Lync Click to Call - Enabled
Java(tm) Plug-In SSV Helper - New
Java(tm) Plug-In 2 SSV Helper - New
Then I exited the Manage add-ons window.
- Close the prompt without choosing either option (using the [x] button).
I looked in Tools > Manage add-ons again, and all of the relevant add-ons' statuses had switched to disabled. The Enable button was available, though.
The behavior when the value is set to 2 contradicts what the documentation says. My understanding is that when the value is set to 2, (1) the prompt should not appear, (2) the specified add-ons should be enabled, and (3) the user should be able to enable or disable the add-ons freely. Is there something I am missing here, like some other policy that also needs to be set? Is there another way to accomplish what I want?