ActiveX uploader and IE Enhanced Protection Mode

While preparing the next Upload Suite update, we had some support requests regarding the problems with Internet Explorer when it runs in so-called EPM (Enhanced Protection Mode). So we had to figure out what is EPM and how our uploader should live with it.

Microsoft introduced EPM when they released Windows 8. This new mechanism causes ActiveX controls and other IE addons to run in a sandboxed environment called AppContainer which does not allow to carry out potentially unsafe activities, i.e. allows almost nothing. Now Microsoft wants ActiveX developers to create a kind of broker object and make all calls to WinAPI through it. For us it means that we have to rewrite the whole product from a scratch.

Fortunately, Microsoft made two favors to the software vendor community: (a) they turned off EPM by default and (b) even if EPM is on, when ActiveX is loaded the first time, it suggests the user to turn EPM off for a particular website. 

This webpage wants to run ActiveX. If you trust this site, you can disable Enhanced Protection Mode for this site to run the control. Windows 8 (IE10).

EPM warning - Windows 8 (IE10)

This webpage wants to run ActiveX which isn't compatible with Internet Explorer's enhanced security features. If you trust this site, you can diable Enhanced Protection Mode for this site and allow the control to run. Windows 8.1 (IE11).

EPM warning - Windows 8.1 (IE11)

The only problem is that if the user selects a wrong answer, IE won’t give the user another chance to change his mind. As you can see on these screenshots, it is especially easy to mistake on Windows 8. The button captions are looking very confusing.

More or less power users may google a bit and find how to edit the registry to have IE to ask the question again, but apparently it is not an option for a regular user.

Since the EPM is not a default option and IE is not so popular nowadays, this problem occurs quite seldom. However who knows what Microsoft will decide when they release, say, IE12. They already claimed that EPM will be enabled in IE11 by default and changed their mind in the last moment. I am pretty sure they will eventually turn it on for everybody.

That’s why I decided to spend few Saturday hours and create a simple utility which will allow end users to manage EPM status for each website where IE offered a choice. 

IE EPM (Enhanced Protection Mode) Manager for websites

The user should just “thumb up” the website where EPM does not allow ActiveX to appear and it should work fine. Alternatively, they can reset the EPM flags and IE will ask again whether they want to run ActiveX control when the appropriate page is opened.

The application can be downloaded from here:

http://www.aurigma.com/Download/EpmManager/EpmManager.exe

If for some reasons you need the source code for it, I have published it on GitHub: 

https://github.com/aurigma/EpmManager

So if the user has IE with EPM enabled and ActiveX does not seem to appear, feel free to give them this utility.

You may wonder if there is any method to determine whether EPM is enabled. Well, it looks like that EPM is always enabled when IE is running in 64-bit mode and vice versa, so you can just check CPU mode by running this JavaScript: 

console.log(navigator.cpuClass);

Or you can check if the navigator.userAgent contains Win64.

If you encounter any problems using the latest Upload Suite in IE with Enhanced Protection Mode and the EPM Manager does not help, don't hesitate to email us at info@aurigma.com