Thursday, February 13, 2014

Internet Explorer Branding failed

On all Windows 8 and Windows 8.1 client Resultant Set of Polices (rsop.msc) was returning an error for Internet Explorer Branding component like this:


And in Group Policy event log the following event is logged Event ID 7016:
  • CSEElaspedTimeInMilliSeconds 0
  • ErrorCode 127
  • CSEExtensionName Internet Explorer Branding
  • CSEExtensionId {A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B} 
The reason for this behavior is that Internet Explorer Maintenance or Internet Explorer Branding has been removed from Windows 8 and Windows Server 2012. One way to resolve this error is to remove Internet Explorer Branding Group Policy client side extension using the following Microsoft KB 2813272 .
Another way to prevent this error is to prevent all the GPOs with some Internet Explorer Maintenance configured setting from applying to Windows 8 computers. But, there is also another catch, if you reset the Internet Explorer Maintenance settings in GPO, the extensions are not removed from GPO ! There is also published article from Microsoft about this bug http://support.microsoft.com/kb/2722241/EN-US . So, there might be GPOs with no settings about internet explorer branding, but still having the client extension in place. To find all the GPOs with configured Internet Explorer Maintenance extension, dsquery can be used with following syntax:
dsquery * -filter "(&(gPCUserExtensionNames=*{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}*))"
DSquery will return GUIDs of all affected GPOs with Internet Explorer Branding Extension. In order to remove the extension information from the GPOs, Active Directory Users and Computers snap-in on Windows Server 2008 or later can be used to edit the attributes. Navigate to Domain Name -> System -> Policies and locate and select the GUID of the GPO that was returned as result from dsquery command, and go to the attribute editor tab from the properties of the GPO. Search for gPCUserExtensionNames entry and edit the field. Locate the [{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}], and delete that entry including "[" and "]" brackets. Save the properties, and that GPO will not be qualified for running the Internet Explorer Branding client extension.
After removing "orphaned" extensions from GPOs, the Event ID 7016 with error code 127 was not logged anymore and rsop.msc was not returning failed status for Internet Explorer Branding since this extension is not in use anymore.

Note: If you're using Internet Explorer Maintenance for pushing Internet Explorer settings to clients, you should consider migrating to Group Policy Preferences for Internet Explorer for setting those settings. Also, you can't use Internet Explorer Maintenance for setting Internet Explorer 10 or 11 http://technet.microsoft.com/en-us/library/jj890998.aspx .
 

2 comments: