Setting Flashplayer to click-to-play on Internet Explorer 10 via Group Policy.

    Question

  • Hi, since recent 0-day exploits and far too frequent update fixes released by Adobe, I have to look for other ways to increase the safety.

    We just pushed 18.0.0.203 to fix that "hackingteam" 0-day exploit which allowed an attacker to execute remote .exe files on the target computer. However, as of today, there are already two new 0-days that .203 is vulnerable to and Adobe has yet to release a fix for them.

    There are multiple ways to disable the flashplayer plugin in IE10, but since it's an essential plugin for our users I'd like to make it click-to-play instead.

    This would be the ideal result:

    (Having flashplayer confirm via popup every time before loading)

    http://www.pcmech.com/article/how-to-sort-of-get-click-to-play-capability-in-internet-explorer-9/

    Would this be possible to achieve with Group Policy? Or are there any alternatives to make it click-to-play for IE10 for end users?

    Monday, July 13, 2015 12:21 PM

All replies

  • Alternatively, it would be nice if I'm able to make it so that it asks every time before it runs flash content at any website.

    Like changing the text field in the IE10 plugin settings by removing the '*' on all computers under our domain, as seen in the picture below:

    http://i.imgur.com/xgf17j3.png




    • Edited by kola15 Monday, July 13, 2015 12:45 PM
    Monday, July 13, 2015 12:40 PM
  • Bump!
    Tuesday, July 14, 2015 11:55 AM
  • Hi Kola,

    Similar to what you have shared. And disable seems to be the only option.

    http://www.howtogeek.com/188059/how-to-enable-click-to-play-plugins-in-every-web-browser/

    Enable and disable add-ons using administrative templates and group policy

    https://msdn.microsoft.com/en-us/library/dn454941.aspx?f=255&MSPPError=-2147217396

    How to Disable Internet Explorer (IE) Add-Ons through Group Policy

    http://social.technet.microsoft.com/wiki/contents/articles/11406.how-to-disable-internet-explorer-ie-add-ons-through-group-policy.aspx


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Tuesday, July 14, 2015 12:33 PM
  • Hi,

    Found one more place where it's residing. If this is the place, you can figure out some method to clean up this key.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\

    {D27CDB6E-AE6D-11cf-96B8-444553540000} - is for ShockWaveFlash

    Do an F3 search in the RegEditor, you will find some more keys.

    References:

    Where does Internet Explorer store its' add-ons?

    http://stackoverflow.com/questions/19036814/where-does-internet-explorer-store-its-add-ons


    Regards,

    Satyajit



    • Edited by Satyajit321 Tuesday, July 14, 2015 12:47 PM
    Tuesday, July 14, 2015 12:47 PM
  • Hi,

    Thank you for the answers, but instead of disabling the whole addon globally or manually going through dozens of computers locally to limit the sites where it's allowed to run, I would like to find a way to set it click-to-play globally.

    I have already researched the possibilities of registry editing and this F3 search, and been unable to find a way to change the "*" from the list.

    Unfortunately I have yet to find a solution for this.

    Regards,



    • Edited by kola15 Tuesday, July 14, 2015 1:02 PM
    Tuesday, July 14, 2015 1:00 PM
  • Hi Kola,

    "unable to find a way to change the "*" from the list." I didn't quite catch this.

    If the regedit works, you can use GPOs to configure it automatically for users.


    Regards,

    Satyajit


    Wednesday, July 15, 2015 11:55 AM
  • That is correct, but if, for example, I allow "youtube.com" and search for it in regedit, nothing shows up. Therefore I don't know where I'm able to edit the "allowed" text field list, which currently only has the value "*" as shown in the picture.

    If you know where the list is saved in, I would love to know as well  :)



    • Edited by kola15 Thursday, July 16, 2015 5:54 AM
    Thursday, July 16, 2015 5:53 AM
  • Hi Kola,

    I don't think you can allow or deny it based on selective websites. It will be Click to Play for all websites or none.

    Hence what I wanted you to search was the GUID name for the plugin\addon not the website.

    The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\ is one of the locations.

    F3, paste the PlugIn GUID {D27CDB6E-AE6D-11cf-96B8-444553540000}, should be the same for you as well.

    F3 again and again to search on and on.

    Deleting the entry should remove it from the list, hence enabling Click to Play.


    Regards,

    Satyajit



    • Edited by Satyajit321 Thursday, July 16, 2015 6:22 AM
    Thursday, July 16, 2015 6:21 AM
  • Hi, depending on computer tested on, the results vary a lot.

    Also, if you delete all corresponding values of {D27CDB6E-AE6D-11cf-96B8-444553540000}, the flash will completely screw up and will not load anywhere anymore without a full re-install of the flashplayer.

    Therefore this solution can't be used unless there is a specific single value under some path that does the magic trick for all computers in same way.

    Best regards,

    Thursday, July 16, 2015 11:06 AM
  • Hi Kola,

    You are right on, at least you have the clue. You can now test on a single machine to identify which keys to delete. I think it should be in a single place only out of all the ones you found. Simply remove it from the IE Toolbars list and look for the one missing. That would be the one you need to remove.


    Regards,

    Satyajit


    Thursday, July 16, 2015 12:44 PM
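
The single-machine test suggested in the last reply can be done without deleting anything: snapshot every key and value that references the Flash GUID, change the add-on setting in IE, snapshot again and compare. The script below is an added example, not code from the thread; it only reads the registry, the function name is hypothetical, and the HKCU root is an assumption (the thread names only the HKLM path).

```powershell
# Added example: read-only before/after snapshot of registry entries for the Flash GUID.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # GUID quoted in the thread

# HKLM root is the parent of the PreApproved key named in the thread;
# the HKCU counterpart is an assumption added for this example.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext'
)

function Get-ClsidSnapshot {
    param([string[]]$Path, [string]$Clsid)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Match the GUID key itself and every subkey below it.
        Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$Clsid*" } |
            ForEach-Object {
                $key = $_
                "$($key.Name) | (key)"                      # one line per key
                foreach ($n in $key.GetValueNames()) {       # one line per value
                    $v = $key.GetValue($n)
                    $text = if ($v -is [byte[]]) { [BitConverter]::ToString($v) }
                            else { @($v) -join ',' }
                    "{0} | {1} = {2}" -f $key.Name, $n, $text
                }
            }
    }
}

$before = @(Get-ClsidSnapshot -Path $Roots -Clsid $FlashClsid)
Read-Host 'Change the Flash add-on setting in IE on this test machine, then press Enter'
$after  = @(Get-ClsidSnapshot -Path $Roots -Clsid $FlashClsid)

# Lines present only before the change, then lines present only after it.
$removed = @($before | Where-Object { $after  -notcontains $_ })
$added   = @($after  | Where-Object { $before -notcontains $_ })

'--- removed or changed (old value) ---'; $removed
'--- added or changed (new value) ---';   $added
```

If both lists come back empty, the setting is stored outside the two roots searched, and the roots need widening before any GPO registry preference is built from the result.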