This blog will show you how to troubleshoot the Intune Chrome Device config policy when it gives the famous -2016281112 (remediation failed) error.
1.Troubleshooting 2016281112
Some time ago, I got this question below on the TechNet forum, so here we go.
Blocking chrome extensions but whitelist specific ones – Page 2 – Microsoft Tech Community
Of course, when you want to configure some Chrome Policies, you need to make sure you have also ingested the ADMX file!
When we need to troubleshoot Intune Device config Policies errors, we need to start opening the event log. To be specific the devicemanagement-enterprise-diagnotics-provider eventlog. This log is the first log you will need to start looking at.
Another possibility is to open the Intune management extension log file, but this time, I will stick with the event log.
When looking at the event log, you must search for Event 404. When taking a closer look at the error, you will notice the error: The system cannot find the file specified
I did a blog a little bit similar to this one some time ago. However, using this blog didn’t resolve this “file not found” error.
Of course, this error should not be mistaken with this FakePolicy error you could notice:
(./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
“The FakePolicy policy was created to detect if a certain patch is present on Windows, and will be removed automatically once we’re sure most machines are ready to consume the new ADMX versioning feature.”
So if you see this error, just skip it!
What to do next? Please open the registry and start looking for the Policy Manager registry key and the Chrome policy you are trying to configure to see if it’s there. Just like in the picture below, the blacklist extension part was missing.
Let’s go further with troubleshooting. As mentioned earlier, you will need to ingest the ADMX before you can configure Chrome Policies. When the ADMX file arrives at the device, it will be placed inside the MS DM server registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\somenumber
You will notice, there is an “expectedvalue” key inside it with the whole ADMX XML content in it. But when you want to take a better look at it… you will notice it isn’t returning the data you want! The ExpectedValue is empty, as it looks like
You have got 2 options now:
- Export the registry part to a .reg file and open it with notepad!
2. Fire up PowerShell and export it from there.
Get-ItemProperty -Path Registry::”HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\87″ | Select-Object “ExpectedValue” | Format-List * | Out-File c:\temp\chrome.txt
2. Solving it !
Now we are pretty sure the ADMX is on the device let’s open the text or reg file we exported and start by searching for the policy that isn’t working. In this example: ExtensionInstallBlacklist.
As shown below, the key was in the file.
Please note: When you are troubleshooting it and you don’t get any results back when searching for the policy, you will need to make sure you have ingested the latest Google Chrome ADMX file. Did you notice anything weird in the picture I showed you? It’s showing us, it’s DeprecatedPolicies?
Okay, that’s odd because when looking at another Chrome Admx file I still got from ingesting it the first time I am noticing the parent category is configured to: “Extensions”
Okay… let’s upload that ADMX to the Intune ADMX ingestion CSP. And let’s look at what will happen!
3. The Deprecated Part
But I am not done yet as someone made me aware of the fact I forgot to tell more information about the Deprecated part. I will show you that solving it, would be a better option than just using an older ADMX.
So here we go. Let’s take a look at the “OLD” policy first
Lijst met Chrome Enterprise-beleidsregels en beheer van Chrome Enterprise | Documentatie
And when something old is deprecated, it is or it should be replaced with something new. So just change 1 letter in it, so it looks like ExtensionInstallBlOcklist.
Lijst met Chrome Enterprise-beleidsregels en beheer van Chrome Enterprise | Documentatie
Open the ADMX and search for that one, instead of the OLD one.
Now change your policy to something like this!
OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlocklist
String:
<enabled/>
<data id="ExtensionInstallBlocklistDesc" value="1*"/>
To resume, when you get the error “The system cannot find the file specified”, could also mean you are using a policy that isn’t in use anymore. Just dig to the ADMX to get the new values!
4. Using Intune and the Build-in ADMX
Finally! Microsoft has listened to us and provided some new ADMX options to configure Chrome with a build-in Intune ADMX. Let’s take a look by creating a new Administrative Template first.
From today you will find the nice option to configure the same Google Chrome policies I showed you earlier!
Conclusion
When trying to answer as many questions as possible for the community on TechNet, Discord, Reddit, Facebook, Linkedin, Twitter, and even direct Teams messages, you can learn a thing or two by solving it. This was one of them! Luckily Microsoft now has a build-in option to configure those Chrome policies