none
Winning GPO N/A

    Question

  • Hey I have a problem with some devices.
    In gpresult /h they are still "applying" some Internet Explorer Maintenance settings.

    These maintenance settings do not exist in any policy currently linked.
    In winning GPO I receive information "Winning GPO" with value "N/A" for values "Not configured".
    Additionally there are some Internet Explorer Maintenance settings that seem to be configured in a linked GPO but the GPO itself does not report the setting as configured.

    This is the GPresult of device:

    This is the full group policy settings information of gpmc.msc (no further settings are available in that GPO):

    AD/SYSVOL match are both okay and on same version

    Monday, January 25, 2016 1:06 PM

Answers

  • > 3. I removed the folder from userprofile. Unfortunately now the gpresult
    > looks like the following:
     
    It might be required to delete and rebuild the WMI repository. I never
    dug too deep into the \root\rsop WMI namespace, so I don't know if IEM
    has its own "branch" there which is not reset?!?
     
    If you are familiar with WMI scripting: AFAIK it is
    \root\rsop\user\S-1-5-21-xxxx (User's SID), from there on I don't know
    the path to IEM. It "should" be possible to loop through that and remove
    IEM individually...
     
    Honestly - before things get worse: We dropped IEM long before IE11
    became our default browser, so most clients safely dropped their IEM
    settings, and I never had to deal with that challenge :)
     
    • Marked as answer by MK-Maddin Wednesday, January 27, 2016 1:46 PM
    Tuesday, January 26, 2016 2:35 PM
  • Hey,

    I am not fully sure if everything I did was how you should do...
    I tested now with 5 devices and it looks like they are fully good (at the moment).

    I think I will let users work and wait one more week to see if other problems appear.

    The script (not very nice and written in short) I used to resolve the problem can be found here:
    https://gallery.technet.microsoft.com/GPO-Internet-Explorer-7278a6b1

    • Marked as answer by MK-Maddin Wednesday, January 27, 2016 1:46 PM
    Wednesday, January 27, 2016 1:46 PM

All replies

  • > In winning GPO I receive information "Winning GPO" with value "N/A" for
    > values "Not configured".
     
    That's one of the quirks in IEM. Simply ignore it. Or delete the user
    profile... :)
     
    Monday, January 25, 2016 2:30 PM
  • Thanks for your reply.

    Ignoring is no option since some of these settings still take affect and causing errors.

    Hm... truly I do not want to delete the whole userprofile on about 300 devices.
    But if the error goes when deleting the whole userprofile it is related to a specific reg key or something similiar.
    Probably you could be more specific in what exactly to delete?

    Monday, January 25, 2016 2:38 PM
  • > Ignoring is no option since some of these settings still take affect and
    > causing errors.
     
    Then things are getting harder - IEM can be configured in Maintenance
    Mode, that means these settings will never vanish, not even if the
    related GPO is deleted...
     
    I'd suggest to go the following steps:
     
    1. Ensure all your IE settings are implemented through either
    Administrative Templates or GPP Internet settings.
     
    2. Get a computer where IE is version 9 or older. On this computer,
    install RSAT and remove IEM Settings from all GPOs.
     
    (If 2. is not possible, there are other ways to remove IEM from GPOs.
    Feel free to ask if you want/need to know)
     
    3. In all user profiles, delete all subfolders of the
    "%LocalAppData%\Microsoft\Internet Explorer\Custom Settings" folder
     
     
     
    Monday, January 25, 2016 4:17 PM
  • Hi MK,

    I have tested for the case follow Martin’s suggestion, and successfully.

    What is the state of your question?

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 26, 2016 8:52 AM
    Moderator
  • Thanks for your detailed description.

    Here are my nodes to the specified steps:

    1. In "Settings" panel of the specified GPO there are no IE Maintenance settings defined.
    Additionally I removed the link of the GPO (new settings are all in new GPO).

    2. On Windows 7 with IE9 there is no IE Maintenance defined in my GPO.

    3. I removed the folder from userprofile. Unfortunately now the gpresult looks like the following:

    The GPO is simply shown as their Unique ID
    • Edited by MK-Maddin Tuesday, January 26, 2016 1:04 PM
    Tuesday, January 26, 2016 1:03 PM
  • > 3. I removed the folder from userprofile. Unfortunately now the gpresult
    > looks like the following:
     
    It might be required to delete and rebuild the WMI repository. I never
    dug too deep into the \root\rsop WMI namespace, so I don't know if IEM
    has its own "branch" there which is not reset?!?
     
    If you are familiar with WMI scripting: AFAIK it is
    \root\rsop\user\S-1-5-21-xxxx (User's SID), from there on I don't know
    the path to IEM. It "should" be possible to loop through that and remove
    IEM individually...
     
    Honestly - before things get worse: We dropped IEM long before IE11
    became our default browser, so most clients safely dropped their IEM
    settings, and I never had to deal with that challenge :)
     
    • Marked as answer by MK-Maddin Wednesday, January 27, 2016 1:46 PM
    Tuesday, January 26, 2016 2:35 PM
  • Thanks for that hint.
    I will have a deeper search on WMI of my testclient tomorrow and post if I was able to find a solution or corresponding WMI namespace. :)
    Tuesday, January 26, 2016 7:28 PM
  • > I will have a deeper search on WMI of my testclient tomorrow and post if
    > I was able to find a solution or corresponding WMI namespace. :)
     
    Yeah thanks - awaiting your feedback :-)
     
    What I'm sure of: Each CSE is responsible on its own to create RSoP
    logging entries in WMI. And as of now, I can imagine the following: IEM
    isn't available anymore, so it cannot write new RSoP entries nor can it
    purge outdated ones... The GPO name resolution is not done via WMI (WMI
    only stores technical data), but is translated via GPMC. And ok, since
    the GPO is gone, it cannot be resolved.
     
    Wednesday, January 27, 2016 9:17 AM
  • Hey,

    I am not fully sure if everything I did was how you should do...
    I tested now with 5 devices and it looks like they are fully good (at the moment).

    I think I will let users work and wait one more week to see if other problems appear.

    The script (not very nice and written in short) I used to resolve the problem can be found here:
    https://gallery.technet.microsoft.com/GPO-Internet-Explorer-7278a6b1

    • Marked as answer by MK-Maddin Wednesday, January 27, 2016 1:46 PM
    Wednesday, January 27, 2016 1:46 PM
  • > The script (not very nice and written in short) I used to resolve the
    > problem can be found here:
     
    Looks good at a glance - one thing I would change:
     
    $RSOP_GPO = Get-WmiObject -ComputerName $($CompName + "." + $CompDomain)
    -Namespace $UserGPONameSpace -Query $("SELECT * FROM RSOP_GPO WHERE
    guidName='" + $GPOguid + "'")
     
    If you first grab a collection of all user namespaces, you could loop
    through them and clean up all user RSoPs at once - this of course would
    require the script to run in system context (via startup scripts or SCCM
    - you are a pro with that, aren't you? - or whatever means).
     
    Well done!
     
    Wednesday, January 27, 2016 4:34 PM