In this blog you will find instructions on how to locally enable, configure and troubleshoot the AXIS service. The ActiveX Installer Service (AXIS) was first introduced in Windows Vista and is currently available in Windows 7 and Windows 2008 R2. The service's purpose is to allow IT admins to deploy ActiveX® controls by using Group Policy on computers in an organization. By default, standard user accounts do not have permission to install ActiveX controls. You can use this blog post to guide you on how to enable, configure and troubleshoot ActiveX Installer Service GPO deployment.
TIP: If you want to use wildcards, please read the document referenced at the top of this blog post and search for “Configuring the ActiveX installation policy for the trusted sites zone”. Also pay close attention to the Security note in that paragraph; it contains important information and has caused confusion.
NOTE: The GPUPDATE /FORCE command is used to force the Group Policy update on the client; it may take 10-15 minutes for this to go into effect. Logging off and on again or restarting the machine after running the command may make it happen more quickly!
Before we start testing, let's first do some pre-work on the client machine to help gather some data!
Let’s assume you encounter some problems with the ActiveX installation and need to troubleshoot the scenario. Below are a few tips you can use to help collect some data.
The information from the TechNet article has created confusion about how to implement the 4 HTTPS certificate exception errors, and in most cases you will see customers using an incorrect parameter and values, like this one: 2,2,1,0x00000100||0x00001000||0x00000200||0x00002000
This is incorrect: the logical combination should be done in the calculator, and its result is then configured in the policy. For this example, 2,2,1,0x00003300 represents all 4 exceptions!
NOTE: A request to clarify the use of these parameters and values was submitted but in the meantime, we wanted to share it with you to help get things moving along when troubleshooting and deploying ActiveX controls using the ActiveX Service in your control environment. The basis is that the least secure configuration of the ActiveX Installer Service is when an administrator configures the service for a site with the following characteristics:
Lowest security settings
The correct value for all 4 exceptions will look like this: 2,2,1,0x00003300
The simple math is:
  0x00000100
  0x00001000
  0x00002000
+ 0x00000200
---------------------
= 0x00003300
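To audit existing policy entries for the mistake described above, the following added example (not part of the original post or of AXIS itself) checks the fourth field of a site policy value, decodes which of the four exception bits are set, and suggests the corrected single-value form. It needs PowerShell 3.0 or later; the function name and the bit labels are this example's own, with the labels borrowed from the wininet.h SECURITY_FLAG_IGNORE_* constants that share these values, and the first three fields are passed through unchecked.

```powershell
# Added example; names are this example's own. Labels follow the wininet.h
# SECURITY_FLAG_IGNORE_* constants that share these values (assumption: the
# post itself lists only the hex values).
$HttpsExceptionBits = [ordered]@{
    'UNKNOWN_CA'        = 0x00000100
    'WRONG_USAGE'       = 0x00000200
    'CERT_CN_INVALID'   = 0x00001000
    'CERT_DATE_INVALID' = 0x00002000
}

function Test-AxisSitePolicyValue {
    param([Parameter(Mandatory)][string]$Value)

    $hex    = '^(0[xX])?[0-9A-Fa-f]{1,8}$'
    $fields = @($Value.Split(',') | ForEach-Object { $_.Trim() })
    $result = [ordered]@{ Value = $Value; Valid = $false; Exceptions = @()
                          Suggested = $null; Note = $null }
    if ($fields.Count -ne 4) {
        $result.Note = 'Expected 4 comma-separated fields'
        return [pscustomobject]$result
    }
    # Split the 4th field on anything that is not part of a hex literal, so
    # "a||b||c" style entries can still be decoded and corrected.
    $tokens = @($fields[3] -split '[^0-9A-Fa-fxX]+' | Where-Object { $_ })
    if ($tokens.Count -eq 0 -or ($tokens | Where-Object { $_ -notmatch $hex })) {
        $result.Note = 'Fourth field is not hexadecimal'
        return [pscustomobject]$result
    }
    $mask = 0
    foreach ($t in $tokens) { $mask = $mask -bor [Convert]::ToInt32($t, 16) }

    $known = 0
    $result.Exceptions = @(foreach ($e in $HttpsExceptionBits.GetEnumerator()) {
        $known = $known -bor $e.Value
        if ($mask -band $e.Value) { $e.Key }
    })
    # Valid only when the 4th field is already one pre-combined hex value.
    $result.Valid     = $fields[3] -match $hex
    $result.Suggested = '{0},0x{1:X8}' -f ($fields[0..2] -join ','), $mask
    $result.Note = if (-not $result.Valid) { 'Combine the flags into one hex value' }
        elseif ($mask -band (-bnot $known)) { 'Bits outside the four exceptions are set' }
        elseif ($mask -eq $known) { 'All four HTTPS certificate exceptions are ignored' }
        else { 'OK' }
    return [pscustomobject]$result
}

# Constructed inputs: the incorrect and the correct form quoted in the post.
'2,2,1,0x00000100||0x00001000||0x00000200||0x00002000', '2,2,1,0x00003300' |
    ForEach-Object { Test-AxisSitePolicyValue $_ } | Format-List
```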
We recommend that you consolidate the ActiveX controls you use in your organization to a central server. The location where a Web site hosts an ActiveX control is called a CODEBASE. Normally, the CODEBASE is specified in the Web page, and the installation process retrieves the ActiveX control from that location. In managed enterprises, you can use Group Policy to override the CODEBASE that is specified within the Web page to redirect to an internal server. Using this setting allows you to easily manage which ActiveX controls users can install by consolidating the ActiveX controls onto a central server; if the server is an HTTPS server, you also satisfy the previous best practice, only use HTTPS host URLs. You can configure a common Group Policy setting to redirect all ActiveX control installations to a central server in your organization. You can do this by using the CodeBaseSearchPath registry key. For more information on the CodeBaseSearchPath see Implementing Internet Component Download (http://go.microsoft.com/fwlink/?LinkId=90677).
We will come back with another blog that expands the use of ActiveX Service and implementing the Codebase solution for use in an enterprise environment.