Policy
ActiveX Control Initialization
Microsoft Office 5532.1000
Policy overview
Key metadata and intent for this policy.
This policy setting specifies the Microsoft ActiveX® initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer--or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. If you enable this policy setting, you can set the ActiveX security level to a number between 1 and 6. These security levels are as follows: 1 - Regardless of how the control is marked, load it and use the persisted values (if any). This setting does not prompt the user. 2 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, load in unsafe mode with persisted values (if any), or use the default (first-time initialization) settings. This level is similar to the default configuration, but does not prompt the user. 3 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 4 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 5 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. 6 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. If you disable or do not configure this policy setting, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond. Important - Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though you configure this setting to instruct the control to use safe mode. This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
ActiveX Control Initialization: ID L_ActiveXControlInitializationcolon | enum | HKCU\software\policies\microsoft\office\common\security\uficontrols Type REG_DWORD | Options: $(string.L_1) (1), $(string.L_2) (2), $(string.L_3) (3), $(string.L_4) (4), $(string.L_5) (5), $(string.L_6) (6) |
Other policies in this category
Explore related policies at the same level.
- UserAllow Basic Authentication prompts from network proxiesWindows7
- UserAllow file extensions for OLE embeddingWindows7
- UserAllow root or intermediate certificates as VBA trusted publishersWindows 10
- UserAllow specified hosts to show Basic Authentication prompts to Office appsWindows7
- UserAllow VBA to load typelib references by path from untrusted intranet locationsWindows 10
- UserAutomation SecurityWindows7
- UserBlock additional file extensions for OLE embeddingWindows7
- UserBlock all internet macros (ignore trusted locations or publishers)Windows 10
- UserBlock Insecure ProtocolsWindows7
- UserBlock loading of COM/VSTO add-ins registered in HKCUWindows 10
- UserBlock OLE GraphWindows7
- UserBlock OrgChartWindows7