mce-man-it

Internet Explorer 9 Add-ons

We use intranet IIS sites, launched through IE9 by Citrix XenApp 6.5 users. Currently, I have an intranet site that requires a new add-on. I'm looking for an easy way to bake in this add-on (ASW.CAB) to all 49 Windows 2008 Citrix session hosts using either AppSense policy (set reg values) or GPO. The add-on is also blocked by default when trying to add as an admin user.
redbmaster
Check the group policy settings for those servers under "User Config/Policies/Admin Templates/Windows Components/Internet Explorer/Security Features/Add-on Management"
James Rankin

If using AppSense, I would import the necessary GPO objects (noted above) at the Internet Explorer process start, so that you don't need to load these GPOs at logon time in case IE isn't used in that session. If you're using Personalization Server, the settings will then be captured for that process and loaded when the user requires them.
mce-man-it

ASKER

Agree on process start for IE using AppSense, but I'd rather use a set reg value to set the IE add-on. Seems to be HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext to set the add-on list?
I'd generally recommend using the GPO method thru AppSense, as they are vendor-supplied and if changes are made to the keys they set it's easier to import a new GPO than find the new Registry key. I'm not sure on the actual key you need to set but there is an Excel spreadsheet online somewhere that provides the Registry keys that correlate with GPO settings. This may be it http://download.microsoft.com/download/8/F/B/8FBD2E85-8852-45EC-8465-92756EBD9365/WindowsServer8BetaandWindows8ConsumerPreviewGroupPolicySettings.xlsx
Citrix strongly recommends using Group Policies, so I would stick with GPOs as well.
Ok thanks kz20fl. We are running EM 8.2.125 and the relevant ADMX policy for Internet Explorer/Security Features/Add-on Management can be set. It wants a value name (CLSID I think) and value (1 to allow), but I'm wondering how I find out the CLSID for the necessary add-in? (ASW.CAB)
Good question....maybe you can load the add-in on a different computer where you have full control and monitor the registry value (either manually or using Process Monitor) to see what gets set?
Try:

Open Internet Options > General > Browsing history > Settings > View Objects

This opens an explorer window displaying the contents of the following path:
C:\Windows\Downloaded Program Files\

You can find the CLSID of the installed ActiveX controls by right-clicking >
Properties.

If that isn't what you need look at the second post here: http://www.techtalkz.com/internet-explorer/181805-add-ons-clsid.html and the quote above is the 4th post.
So I think I've found the CLSID, and I've baked this into production Citrix servers using environment manager policy:

Process start for IE - create/set reg value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ex

Value Name: {BDB57FF2-79B9-4205-9447-F5FE85F37312}
Value: 1

When I log into Citrix and test by opening IE, the reg values above are set correctly. However this still doesn't work, and I get the UAC prompt - do you want to allow the following program to make changes to this computer?

Program name: Internet Explorer Add-on installer
File origin: hard disk on this computer
CLSID: {BDB57FF2-79B9-4205-9447-F5FE85F37312}

I'm stumped as I thought this would be the fix.
Ok, so a bit more info. I've found the OCX's needed:

Vsflex6d.ocx - c:\windows\downloaded program files
ASW.ocx - c:\windows\sysWOW64

I've copied these into the base build (Citrix session hosts are PVS disk streamed) and registered the OCX files (regsvr32 asw.ocx and regsvr32 Vsflex6d.ocx). Now when browsing to the intranet site, I'm still getting the UAC prompt (UAC is disabled).
Hi Guys

Any ideas? (I've attached a screen shot of the UAC message.) I know I've got the CLSID's right now, as when you click 'no' to the UAC prompt, the intranet application lets you perform a search correctly, which it wasn't doing before. Just need to get rid of this UAC message (UAC is disabled).
screen-dump.doc
Is UAC disabled via GPO? If it is, does the RSOP show the policy as applying correctly?
Another note - if these are x64 systems, you need to run the regsvr32 command from the %windir%\syswow64 folder as I remember, is this where it was run from? Don't know whether that will make a difference in this particular instance but it has caught me out previously with some problems.
Thanks for suggestions kz20fl, but registering the ocx's using regsvr32 from %windir%\syswow64 doesn't work. RSOP shows the correct GPO applied (UAC disabled). I've checked in the registry as well (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) - EnableLUA DWORD = 0.
Let me see if I can replicate this behaviour in my lab
Great thank-you. Do you want a copy of the OCX's and info on the CLSID's?
I was just wondering about the UAC stuff, but sure, put the details in and I will see if I can recreate it precisely
Hi kz20fl. I'm wondering if you got time to replicate? So in summary, baking in the CLSID's for the OCX active x components works, and the search area on the web app works correctly.

The annoying thing is that every time a user clicks the link to perform an SKN search, IE warns that it needs to download the active x components. I've tried disabling:

automatic prompting for active X controls
only allow approved domains to use active x without prompt - intranet site is approved.

These settings still leave IE displaying a warning prompt (bottom of screen) "Internet Explorer Blocked this website from installing ActiveX content". You also get an 'Install' button which a user can click. This then tries again to install the ASW.CAB (containing the OCX components baked into the registry through CLSID's) and the user receives the UAC prompt.

Is there any way I can disable this prompt?
Go to IE's "Internet Options" -> "Advanced" tab -> "Security" section -> check "Allow active content to run in files on My Computer".

Please note you'll need to restart IE to test the changes.
Good idea, but this didn't work.

I've installed the ASW.OCX onto my laptop, on which I'm a full admin. When I choose to manage my add-ons, I can see the asw.ocx has been added in correctly:

Name:                   ASW_Control.ASW
Publisher:              (Not verified)
Type:                   ActiveX Control
Version:                1.0.0.37
File date:              
Date last accessed:     20 September 2012, 14:36
Class ID:               {1020A036-C11C-4952-8FBE-CDF1E67496EE}
Use count:              4
Block count:            0
File:                   ASW.ocx
Folder:                 C:\Windows\Downloaded Program Files


So on my Citrix test server, I'm using AppSense policy to set:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ex\CLSID
Value Name: {1020A036-C11C-4952-8FBE-CDF1E67496EE}
Value Type: REG_SZ
Value: 2 (enabled so I can manage through IE add-ons)

When I manage add-ons through IE on my Citrix test server, I cannot manage ASW_Control.ASW. Are the registry settings correct?

I've tried HKCU\Microsoft\Windows\CurrentVersion\Policies\Ex\CLSID as well.
I'm not able to assist with setting this up in the registry, but if you'd like to try a GPO please let me know.
Ok, let's try this through a GPO using AppSense. So at IE start, I'm using the ADMX, and enabled:

Windows Components - Internet Explorer - Security Features - Add-on Management:

ASW.OCX = {1020A036-C11C-4952-8FBE-CDF1E67496EE} Value = 2 (enabled and user can manage)

Vsflex6d.ocx = {C5DE3F82-3376-11D2-BAA4-04F205C10000} Value = 2

Is this ok? Should I still put the OCX's in the gold build?
I'd set the values to 1 on both that way the user doesn't accidentally disable the add-on.

Yep, give that a shot and don't forget to do a gpupdate on all fronts.
Ok, done that, left at option 2 so in my test environment I can see the add-ons. GPO has applied. I can see in the RSOP. When I launch the application from IE, and click the link that requires the active x component, it still displays the UAC message. Managing the IE add-ons doesn't show me the active x components.
Has anyone else got any thoughts on this issue?
I'm afraid I was unable to replicate this, but I was using a personal vDisk in my test environment so I was wondering if this had any possible effect. I will see if I can do a bit of further testing when I get a moment.
Anyone else got any ideas on this one? If I set the IE add-ons through GPO (settings CLSID), should I still be able to view the add-on's through IE 9 add-on management?
ASKER CERTIFIED SOLUTION
mce-man-it
This solution is only available to members.
We didn't really find any better solutions.
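
An added example, not part of the original thread and not AppSense or Microsoft code: a PowerShell audit of the Add-on Management policy values discussed above, showing for each CLSID which hive set it, its value and type, and whether a control is actually registered under that CLSID in the 64-bit or 32-bit class view. It assumes the policy values live under the `Policies\Ext` key named in the thread, in its `CLSID` subkey, and that it is run from 64-bit PowerShell; the function name `Get-AddOnPolicyEntry` is hypothetical.

```powershell
# Added example, not from the thread. Assumes the Add-on List policy stores one
# string value per CLSID under ...\Policies\Ext\CLSID (0 = disabled, 1 = enabled,
# 2 = enabled and user-manageable). Run from 64-bit PowerShell so the two class
# views below are not redirected.
$policySubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
$classViews   = 'HKLM:\SOFTWARE\Classes\CLSID',               # 64-bit registrations
                'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'    # 32-bit registrations
$meaning = @{ '0' = 'disabled'; '1' = 'enabled'; '2' = 'enabled, user can manage' }

function Get-AddOnPolicyEntry {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = "$hive\$policySubKey"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($clsid in $key.GetValueNames()) {
            $value = [string]$key.GetValue($clsid)
            # Find the DLL/OCX registered for this CLSID in either class view.
            $servers = @(foreach ($view in $classViews) {
                $inproc = "$view\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    (Get-Item -LiteralPath $inproc).GetValue('')
                }
            })
            $state = 'unrecognised value'
            if ($meaning.ContainsKey($value)) { $state = $meaning[$value] }
            New-Object PSObject -Property @{
                Hive       = $hive
                CLSID      = $clsid
                Value      = $value
                Kind       = $key.GetValueKind($clsid)   # String, DWord, ...
                Meaning    = $state
                Registered = ($servers.Count -gt 0)
                Server     = ($servers -join '; ')
            }
        }
    }
}

Get-AddOnPolicyEntry |
    Select-Object Hive, CLSID, Value, Kind, Meaning, Registered, Server |
    Format-Table -AutoSize
```

A row with `Registered = False` means the CLSID in the policy does not match any control registered on that server, which is worth ruling out when more than one CLSID has been tried for the same OCX.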