Monday, December 23, 2013

FIX: IE10 RSOP Warning Internet Explorer Branding. The specified procedure could not be found.

Whilst working on a new IE10 GPO, I have noticed that in RSOP a warning appears when the GPO tries to process the Internet Explorer Branding on Windows 7 clients with IE10 installed.


This is due to the fact that we cleaned out existing GPOs from Internet Explorer Maintenance settings by resetting them. As explained in this blog: http://deployhappiness.com/tracking-down-rouge-cses-ie-maintenance-addition/  this method of cleaning the IEM setting is necessary, if you consider the following scenarios:

"When you remove a setting in Group Policy, these settings are not instantly grabbed by clients. Because of this, GPOs will keep blank settings if you unconfigure certain CSEs. For example, you removed a setting for folder redirection. Three months goes by and a user returns from maternity leave. She logs into her computer and Group Policy sees the blank settings and makes adjustments. If the blank settings were not there, she would continue to apply the obsolete settings while everyone else has the current configs."

On the other hand having a warning on all your Windows 7 clients until Windows 7 End Of Life is just not right either.

The reason the warning keeps appearing is due to the fact that the Windows 7 GPO CSE is still trying to process Internet Explorer Branding extension whilst IE10 has replaced the IE GPO template on the client under:   "C:\Windows\PolicyDefinitions\inetres.admx"

This problem also shows on the client when enabling logging, as per this blog post.
In the GPSVC log you can read "Couldn't read extension Internet Explorer Branding's status"

So you now have two choices and depending whether you are using the same GPO to target IE8 and IE10 users you might opt for one option or the other. 

The first one is to  fully remove IEM references in the GPO. Options to do this are detailed in this MS article: http://support.microsoft.com/kb/2722241/en-us
If you have a GPO that is only applying to IE10 clients that would be the best option.

Now if you apply the same GPO to machines that could have either IE8 or IE10, I personally would rather keep the empty IEM reference in the GPOs to ensure all IE8 clients do get the instructions to remove IEM settings from their local cache and instead "patch" the windows 7 machines by removing from the registry the Internet Explorer Branding extension keys when installing IE10 on each client. 

To do this you need to take ownsership of the below registry keys and then delete them. The process is documented in this other MS article: http://support.microsoft.com/kb/2813272
You can then install IE10 and receive you IE10 GPOs without any warning under RSOP or in GPresult html reports.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}


I hope you find the info provided useful and do share your views and comments !! 

Until  next time, I wish you all a great time with friends and family to celebrate Christmas and new year and all the best for 2014 !



No comments:

Post a Comment