How do I Set My Activex Controls?

Office 2013 provides a setting that enables you to disable ActiveX controls. Disabling ActiveX controls prevents all ActiveX controls in a file from initializing (that is, loading) when a file is opened. It also prevents users from adding ActiveX controls to a document.

In some cases, a disabled ActiveX control might appear in a file as a red x or some other symbol. But, the control is disabled and no action occurs if a user selects the symbol. When you disable ActiveX controls, users aren’t notified that the controls are disabled.

Use the following guidelines to determine whether to disable ActiveX controls. Description: This setting controls whether ActiveX controls are disabled in Office 2013. This is a global setting and can’t be configured on a per-application basis.

Impact: If you enable this setting, ActiveX controls do not initialize and users aren’t notified that the ActiveX controls are disabled. Also, users can’t insert ActiveX controls into documents. ActiveX controls can provide additional functionality in documents.

Therefore, disabling them can reduce functionality for users. You should make sure that users are aware that this setting is enabled, because they aren’t notified by the application that ActiveX controls are disabled. It is also important to determine whether ActiveX controls are used to provide business-critical functionality before you enable this setting.

Guidelines: Organizations that have a highly restrictive security environment typically enable this setting. You can also use the Office COM kill bit, which was introduced in Office 2013, to prevent specific COM objects from running within Office 2013 applications. This includes ActiveX controls.

This capability was available in the 2007 Office system. But, it was dependent on the Internet Explorer ActiveX kill bit setting. Now, in Office 2013, you can use the registry to independently control which COM objects won’t be able to run when they use Office 2013.

If, for example, the kill bit is set for the same ActiveX control in both Office and Internet Explorer, and there is a conflict between the two settings, the Office COM kill bit has precedence. A common scenario where you would see the Office COM kill bit set is when you apply an update that is included in a Microsoft Security Bulletin to address a specific Office 2013 security issue. It is possible to add an AlternateCLSID (also known as a “Phoenix bit”) when you need to correlate the CLSID of a new ActiveX control.

This is necessary when an Office COM kill bit has been applied to the CLSID of an ActiveX control to mitigate a security threat. Office 2013 supports using the AlternateCLSID only together with ActiveX control COM objects. For more information about kill bit behavior, including AlternateCLSID, see How to stop an ActiveX control from running in Internet Explorer.

The location for setting the Office COM kill bit in the registry is HKLM/Software/Microsoft/Office/Common/COM Compatibility/{CLSID}, where CLSID is the class identifier of the COM object. To enable the Office COM kill bit, you must add the registry key, including the CLSID of the ActiveX control, and add the value of 0x00000400 to the Compatibility Flags REG_DWORD.