This is primary notes for my self, because for some reason I always spend much time dealing with this during installation of Remote Desktop Servers.
First of all there is a part of Windows that is called ActiveX Installer Service that needs to be configured. This is default enabled in Windows 7. In Vista you have to add this as feature through add windows features. I always assume that if something is in Windows 7 it is also implemented in the Server 2008 R2 OS, since it is the same core (and on Vista and 2008). In this case this is not true at all. In order to get Server 2008 R2 to enable the ActiveX installer service there is a hotfix required. The same goes for 2008.
ActiveX installer service for 2008 R2 Hotfix: http://support.microsoft.com/kb/2508120
ActiveX installer service for 2008 Hotfix: http://support.microsoft.com/kb/2582841
Okay, so after installing this hotfix you can start configuring the ActiveX installer Service with Group policy. Yoho!
Edit your group policy that affects your Remote Desktop Server and browse to the following:
Here you will have a setting that you want to edit (Approve Installation Sites for ActiveX Controls):
But before you enable this you have to know where the ActiveX is coming from. In my scenario it was coming from http://webint.customer.local/ . Edit the setting and choose enable and click show:
You might want to understand the value field in this setting. You have 4 different switches.
The first one controls what to do when installing ActiveX controls that have trusted signatures.
0 = Prevents users from installing
1 = Prompts the user before installing
2 = Installs ActiveX
The second controls what to do when the signed ActiveX is not the trusted root.
0 = Prevents users from installing
1 = Prompts the user before installing
2 = Installs ActiveX
The third controls what to do when the ActiveX is unsigned.
0 = Prevents users from installing
1 = Installs the unsigned ActiveX
The fourth controls what to do when any errors are returned in a https session:
0 = Specifies that the connection must pass all verification checks. (default).
0x00000100 = Ignore errors caused by unknown certification authorities (CAs).
0x00001000 = Ignore errors caused by an invalid common name (CN).
0x00002000 = Ignore errors caused by a certificate’s date.
0x00000200 = Ignore errors caused by improper certificate use.
So in my scenario I want to install this no matter what so my values are 2,2,1,0 . Since the connection is not HTTPS I can safely set 0 in last control since there are no certificate involved in the connection to the web server.
To verify it is working you can have look in the event log:
If it fails the event ID is 4097.
More detailed information on this here :
http://technet.microsoft.com/en-us/library/dd631688(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc721964(WS.10).aspx
Now it is up to Internet Explorer to handle the ActiveX as an add-on. So if the ActiveX is denied then you need to adjust the settings regarding the ActiveX in the Zone it lives in. I choose to set this setting per user under the intranet zone, because this web service is in this zone.
I adjust the following settings for my ActiveX:
Hopes this helps someone else having the same problem.
Your a star!
Ditto! i figured this was the reason it wasnt working but couldnt find anything on it!
Great article!
I’m trying to accomplish the same thing you are describing here. Unfortunately, after performing this exact procedure, I can’t get any activex controls to install as a normal user. One thing that stands out is that the ActiveX Installer Service does not log any events in the event logs — it’s as if it isn’t even being asked to install the controls. Any idea what could be the problem?
Hi. Are you sure that you installed the hotfixes? It should say something in the event log….
I did install the hotfix, and it’s easily verified because you can see the service is installed. I have resolved the problem, though. Previously, group policy was configured to not allow ActiveX controls. I changed the settings as you described in your article, but I believe there is one additional setting. The policy I had to set was ‘Automatic Prompting for ActiveX controls’. I changed that to enabled, and everything started working.
It doesn’t seem like that policy should be required, but it started working as soon as I ‘gpupdate /force’ after making the change. I was able to see things in the event logs after that.
Thanks for the article!
hi,
i followed all the instructions, even joe’s and still the information bar or insall pop up does not appear. nothing in the logs
any suggestions?
Amazing!
[…] Install ActiveX for all users on 2008R2 Remote Desktop … – This is primary notes for my self, because for some reason I always spend much time dealing with this during installation of Remote Desktop Servers. First of all … […]