IE11 Add-on management GPO settings not functioning as documented by Microsoft

    Question

  • I am testing a GPO to configure add-ons in IE11 on Windows 10 v1607 in a large enterprise environment. The behavior I want to configure is to enable 4 add-ons by default when a new domain user signs in for the first time, but to allow users to disable these same add-ons in the future if needed for troubleshooting etc.

    This article describes what I am trying to do:
    https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy

    Based on the article I should be able to use this policy setting:
    Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management - Add-on List

    and set a value of 2 with the CLSID of my addons in order to have "The add-on is enabled and your employees can change it."

    When I set this setting, RSOP shows the GPO setting is correctly applied to my workstation but the Add-ons I configured are not enabled. When I change the value to 1, then the add-ons are enabled but then users are unable to change them, which isn't what I want.

    Looking online I see other articles where others have tested and found this exact same behavior:

    http://serverfault.com/questions/671064/how-can-i-eliminate-the-several-add-ons-are-ready-for-use-prompt-in-internet-e

    Wondering if Microsoft is aware of this issue with this policy, that the value of 2 does not work as documented, and if anyone is aware of a workaround or other way to configure a GPO to produce the behavior of enabling certain add-ons via CLSID without locking them down (the "1" behavior).

    Monday, February 20, 2017 5:51 PM

All replies

  • Hi,
    With the test via group policy in my lab environment, the same behavior is produced: when the value is set to 2 in the group policy, the add-on list is not applied.
    However, I figured out a workaround which makes it work as requested:
    1. add the add-on list via group policy as you did now;
    2. modify the related registry value as below:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}
    (Default)=2

    After doing that, the add-on item is shown with the enabled/disabled option:


    So please have a try and see if it works for you.
    Best regards,
    Wendy

     

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, February 21, 2017 3:01 AM
    Moderator
  • Thanks, I will try this. To clarify, do you mean to keep the GPO setting configured with the 1 value or with the 2 value for each add-on?
    Tuesday, February 21, 2017 4:49 PM
  • I checked for that registry path, and I don't have the Ext key under CurrentVersion. I searched around a bit but could not find this same path. We are using Windows 10 Enterprise x64 v1607 with the latest updates, so I am not sure why my registry paths would be different.

    Tuesday, February 21, 2017 7:21 PM
  • Hi,

    I modified this registry after applying the group policy. Did you do the same? Please try again.

    Best regards,

    Wendy


    Friday, February 24, 2017 2:19 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Wednesday, March 1, 2017 6:22 AM
    Moderator
  • I just did some more testing of this. I wanted to clarify, however, how you set the GPO: did you set the GPO with each add-on CLSID with the 1 value so that it enabled the add-on but did allow users to modify it?

    And then you set this registry key you listed afterwards to the 2 value, and then that did allow users to change it?

    Or did you set the GPO with the CLSID with the 2 value, which wasn't working to actually enable the add-on?

    I just tried Add-on Management - Add-on List configured with the CLSID with the 1 value, and it enabled the add-ons, restricted disabling them, and created the registry keys. There was a (Default) value listed like in your screenshot with a (value not set), under the CLSID key for each add-on. I changed the data from (value not set) to 2 like in your screenshot, and then tested the add-ons, but they were still locked down unfortunately.

    Any other thoughts?

    Thursday, March 2, 2017 9:56 PM
  • Hi,
    What I did is to set the value 2 for add-on list in the GPO, not 1, and then modify the registry value.
    Best regards,
    Wendy

    Friday, March 3, 2017 2:25 AM
    Moderator
  • I did try this. I set the value to 2, then after opening IE I did see the Ext\Stats\{CLSID} keys created with the value and data of (Default)=(value not set).

    I then changed data to (Default)=2, but it did not enable the add-on unfortunately :( Any other thoughts? 

    Tuesday, March 14, 2017 3:56 PM
  • Hi,
    Strange. Did you test whether the problem happens only on specific clients or on multiple clients? And have you tried testing another CLSID to see whether other CLSIDs work or not?
    Best regards,
    Wendy

    Wednesday, March 15, 2017 1:31 AM
    Moderator
  • I tried with a few CLSIDs:

    Skype for Business Browser Helper and Click to Call
    Java™ Plug-In 1 and 2 SSV Helper

    I did try a few systems, they are all our new Windows 10 v1607 systems with the same configuration.

    Thursday, March 16, 2017 10:15 PM
  • Hi,
    Did you configure the GPO on the domain controller? If yes, please try my test in the local group policy editor on a Windows 10 v1607 system to see if there is any difference.
    Best regards,
    Wendy

    Friday, March 17, 2017 1:58 AM
    Moderator
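
To see side by side what the Add-on List policy wrote and what the per-user Ext\Stats key holds for each add-on, as discussed in this thread, the following PowerShell is an added example and is not from any poster or from Microsoft's article. The policy registry location and the placeholder CLSID are assumptions; the Ext\Stats path is the one quoted in the replies.

```powershell
# Added example: compare the Add-on List policy value with the per-user
# Ext\Stats (Default) value for each add-on CLSID.
# Constructed placeholder CLSID; replace with the CLSIDs from your GPO.
$Clsids = @('{00000000-0000-0000-0000-000000000000}')

# Assumption: registry location backing the Add-on List policy (not on the page).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
# Per-user key quoted in the thread.
$StatsRoot = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats'

# Policy value meanings; 1 and 2 are as described in the question.
$Meaning = @{
    '0' = 'disabled, user cannot change'
    '1' = 'enabled, user cannot change'
    '2' = 'enabled, user can change'
}

function Get-AddonPolicyState {
    param(
        [Parameter(Mandatory)][string[]]$Clsid,
        [string]$PolicyKey,
        [string]$StatsRoot
    )
    foreach ($id in $Clsid) {
        # Policy side: the value name is the CLSID, the data is 0, 1 or 2.
        $policy = $null
        if (Test-Path -LiteralPath $PolicyKey) {
            $policy = (Get-Item -LiteralPath $PolicyKey).GetValue($id)
        }
        # User side: the thread reports this key appearing after IE is opened.
        $statsKey = Join-Path -Path $StatsRoot -ChildPath $id
        $hasStats = Test-Path -LiteralPath $statsKey
        $default  = if ($hasStats) { (Get-Item -LiteralPath $statsKey).GetValue('') } else { $null }

        [pscustomobject]@{
            Clsid         = $id
            PolicyValue   = if ($null -eq $policy) { '(not set)' } else { "$policy" }
            PolicyMeaning = if ($null -eq $policy) { 'not in policy list' } else { $Meaning["$policy"] }
            StatsKeyFound = $hasStats
            StatsDefault  = if ($null -eq $default) { '(value not set)' } else { "$default" }
        }
    }
}

Get-AddonPolicyState -Clsid $Clsids -PolicyKey $PolicyKey -StatsRoot $StatsRoot |
    Format-Table -AutoSize
```

Run it as the affected user after `gpupdate /force` and after opening IE once, so the HKCU side reflects that user's profile.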