The ActiveX Installer Service

  • Artykuł

Hi, I’m Chris Corio, a Program Manager on the User Account Control team. As I’m sure you’ve guessed by now, we’re hard at work providing a great experience for standard users in Windows Vista.  I’m happy to announce a brand new feature that we’ve added to Windows Vista – the ActiveX Installer Service.

Our Technical Adoption Program (TAP) participants testing Windows Vista require that a variety of ActiveX controls are installed to conduct day-to-day business within their enterprise and with their partners.  These ActiveX controls were being updated regularly, and the corporations couldn’t package and deploy them to their users quickly enough.  As we looked at the problem more closely, we realized we needed to provide a way for enterprises to delegate the installation of ActiveX controls for standard users.  The ActiveX Installer Service was the resultant solution that the UAC team created for this problem. With this service, Microsoft will be providing a Group Policy driven mechanism that lets IT professionals define the Host URLs from which standard users can install ActiveX controls.

The ActiveX Installer Service consists of a Windows service, a Group Policy administrative template, and a few changes in Internet Explorer.  It will be an optional component on the Ultimate, Business, and Enterprise SKUs of Windows Vista and will only be enabled on clients where it’s installed.  If a user is running as a standard user and the feature is enabled, Internet Explorer will ask the service to install any ActiveX controls that need to be installed.  Before installing the ActiveX control, the Installer service will check to see if the Host URL of the CODEBASE is defined and listed in Group Policy and if it is allowed.  If the service policy permits the install of the ActiveX control, then the service will create an instance of the Internet Explorer ActiveX installer object to be used to install the control.  If Group Policy did not specify that the ActiveX control was allowed to install, then the default Windows Vista behavior is resumed: a Consent\Credential prompt is required to install an ActiveX control. 

For now, the service is designed to install Internet Component Download packaged controls - this means that an ActiveX control must be a .cab, .dll, or .ocx.  Following Windows Vista, this solution will probably be married with MSI, enabling MSIs installations based on similar policy.

If you’re at TechEd, look for demos of the ActiveX Installer Service all week. Ben Fathi’s Security Keynote speech also included a demo of the feature--Alex Heaton demonstrated ActiveX control installation for a standard user by using a simple business-to-business ActiveX control in an enterprise.  Steve Hiskey, our fearless Lead PM, will also be giving a demo of the service and a look at how to configure the policy--or you can just stop by the UAC booth in the Windows Vista area for a personal demo.

The ActiveX Installer Service is scheduled to be in the next public release of Windows Vista – RC1.  We will be providing more details on the service and how to define policy for it in the next couple weeks.  As you move to running as a standard user, this will definitely be something you’ll want to look into!! 

As always, we welcome your feedback about the service and we’ll try our best to answer your questions in a timely manner. 

Thanks,
Chris

Comments

  • Anonymous
    June 14, 2006
    Spotted this on the UAC blog:The ActiveX Installer Service

    As many IT Pro's know the ActiveX...
  • Anonymous
    June 14, 2006
    EEK!  Isn't this just a new excuse for the designers of said ActiveX controls to keep on releasing patches without thought of testing them before the fact?

    I have to deal with WebEx Communications multiple times a month because they keep updating one of their controls and conferences stop working when they deploy an update.

    I hope there's a way to disable these new installation capabilities for limited users.  The last thing I want to learn is that someone's falsified WebEx's certificate and is pushing malware under my nose.  Or that WebEx released an update with a bug that results in privilege escalation.

    I'd rather install tested and working code, and not have to worry about updating every single little control every single day because developers don't bother testing them before they release them.
  • Anonymous
    June 15, 2006
    PingBack from http://www.roks.xmgfree.com/blog/2006/06/15/activex-control-installer-service/
  • Anonymous
    June 15, 2006
    Control is disabled and manged via Group Policy so I would think you could manage the installer capability by on a user/OU/domain level.

    Code developed internally is subject to internal controls and QA procedures, therefore IT has input into the release freqency and can directly affect code integrity.  This service is a neccassary evil, in my opinion, because there are many vendors that release new controls on a frequent basis of which the IT admins have no control.  This service will potentially save IT depts. where it counts; their budgets.

    -Bill
  • Anonymous
    June 15, 2006
    "there are many vendors that release new controls on a frequent basis of which the IT admins have no control."

    No control?  I've had full control over this since 2003 when my first major client decided to upgrade to Win2K.  The only reason other IT admins don't have control is they don't bother to sieze it.

    The only really frequent updater I've really encountered after 11 years of IT experience is WebEx Communications.  Of the others, for example Macromedia, content and services are tolerant of varying versions of said controls.  Every new release represents untrusted, unknown, untested code to the eyes of the IT admin, who gets blamed when the new version of "x" doesn't work exactly the same as the old version.

    My solution to WebEx and other frequently updated controls is to stop using them.  Callinfo and Gotomeeting come to mind as replacements.  Nothing works like healthy competition to encourage better design.
  • Anonymous
    June 16, 2006
    ActiveX Installer サービス - Windows Installer
  • Anonymous
    June 16, 2006
    ActiveX Installer サービス - Windows Installer
  • Anonymous
    June 16, 2006
    Is the control only installed for the current user? It's a bad idea to allow standard users to install a control for the whole machine, even if it is supposedly from a "trusted" codebase. (Conversely, if the control is only being installed for the current user, I don't see the need for this feature.)

    # Before installing the ActiveX control, the
    # Installer service will check to see if the
    # Host URL of the CODEBASE is defined and
    # listed in Group Policy and if it is allowed.  

    Since when was the codebase URL a secure way to determine which controls are allowed (if it is not https)?
  • Anonymous
    June 20, 2006
    The comment has been removed
  • Anonymous
    June 21, 2006
    The comment has been removed
  • Anonymous
    June 21, 2006
    The comment has been removed
  • Anonymous
    August 24, 2006
    The comment has been removed
  • Anonymous
    August 30, 2006
    It seems like in the latest builds of Windows Vista it is possible to install the ActiveX Installer Service but configuring the administrative template in the Group Policy Object editor does nothing. Is Internet Explorer 7+ the problem? I mean does it need a newer build of IE to work?
  • Anonymous
    August 30, 2006
  1. You need to be a standard user (not admin) for it to work
    2) confirm that the activex installer service is running

  • Anonymous
    September 03, 2006
    I went to add pictures to my msn community and a pop up came up that said the following..

    "Internet Explorer has blocked this site from using an ActiveX control in an unsafe manner. As a result this page may not display correctly.


    How do I fix this problem so I can put my pictures in my album???

  • Anonymous
    September 05, 2006
    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account...

  • Anonymous
    September 07, 2006
    We’d like to thank all of the Windows Vista beta testers for using and giving us feedback on User Account...

  • Anonymous
    September 07, 2006
    The comment has been removed

  • Anonymous
    September 13, 2006
    This is Joel Yoker, Senior Consultant, and Rob Campbell, Technical Solutions Specialist, from the Microsoft...

  • Anonymous
    September 30, 2006
    Yesterday we had Cyra Richardson - Lead Program Manager on the Internet Explorer team - in...

  • Anonymous
    October 19, 2006
    We want to install our ActiveX without IE7 and UAC dialog on Vista basic.

  • Anonymous
    November 14, 2006
    The comment has been removed

  • Anonymous
    December 05, 2006
    I am trying to activate or install ActiveX. I need activex to install symantec for additional security on my computer.

  • Anonymous
    January 09, 2007
    WHAT DOES THE ACTIVE-X INSTALLER HAVE TO DO WITH SETTING UP A WEB CAM?

  • Anonymous
    January 19, 2007
    PingBack from http://www.elka-install-instructions.info/blog/39/livemath-plug-in-installation-authors-update-your/