Last Updated on March 16, 2023 by rudyooms
This time a very short blog about an Intune Settings Catalog profile and the Error Code 65000. After reading a question about an issue with disabling the News and Weather Feed on the Microsoft Technet forum I decided to dedicate a blog to it.
I will divide this blog into multiple parts:
- The Problem
- Troubleshooting it
- Another licensing Possibility
- Windows 10 or 11?
- ADMX Ingestion Flow bug?
- Windows Pro Vs Windows Business SKU
- Edge | Office ADMX
- Excluding Policies
1. The Problem
So If you don’t know the answer immediately, test it yourself! I made sure I configured the same News and Weather feed setting inside my test tenant. After I created the new policy I manually synced the 2 devices to determine if I would end up with the same error. After the sync was completed, I got 1 working device and 1 with the same Deployment Status Error.
Looking at the screenshot above, it is giving us the error code: 65000. So what does this mean? Using Google to search for Error code 65000 did not show anything useful? Let me get my shovel to start some troubleshooting!
When you need to start troubleshooting, normally we need to start to take a look at these 2 logs.
- Intune Management Extension log (IME)
- DeviceManagement-Enterprise-Diagnostics event log
So which one do we need If we need to troubleshoot Intune Device configuration profiles? Correctly answered, we need to take a look at the devicemanagement-enterprise-diagnostics event log! The Intune Management Extension log file is a perfect place to start when you need to troubleshoot other stuff like application deployment failures.
Let’s open MMC and add the DeviceManagement-Enterprise-Diagnostics Event log. Sync the device from the Intune portal and monitor the event log.
Within a few minutes, you will be getting some more information. Please note that sometimes Error 404 could give you some misleading information like I am showing below
Looking at the error “The system cannot find the file specified” it looks like it telling us it couldn’t find the ConfigOperations/ADMXInstall/Receiver/Properties/Policy/Fakepolicy/Version but in reality, (to quote an MS engineer) “The “FakePolicy” policy was created to detect if a certain patch is present on Windows, and will be removed automatically once we’re sure most machines are ready to consume the new ADMX versioning feature”
So a piece of quick advice, when you are noticing this FakePolicy error, just skip it! Let’s dig further as we have more 404 errors to look into
As shown above: The system cannot find the file specified. So what does this mean? It looks like it’s missing something… but what? The first place to start would be (in my opinion) the registry. So I did because I could compare 2 devices.
One was working, the other one was giving the 65000 error. Open the registry and open the hklm\software\microsoft\policymanager\default folder
Normally when you need to define some settings the corresponding folder in the policymanager\defaults needs to exist. So let’s check out the device which is giving us the 65000 error
As mentioned earlier I also got a working device. Let’s open the registry on the working device and compare them!
As shown above, the working device has the required registry keys configured. But why doesn’t it exist on that other device? Normally all working Windows build-in ADMX settings (not ingested ADMX files) should be available inside the c:\windows\policydefinitions folder
As you probably have noticed in the picture above, the Feeds.admx file doesn’t exist. I can tell you a very long story or just how it is…
So you need to make sure your devices are up to date (check part 3) so they have the latest ADMX files installed. Otherwise configuring settings in Intune will not be enabled on your devices because it’s just missing the information on how to do so!
And if you are still experiencing these kinds of errors, please make sure you install the KB5005101 update.
This update will enable over 1400 new mobile device management (MDM) policies. With them, you can configure policies that Group Policies also support. These new MDM policies include administrative templates (ADMX) policies, such as App Compat, Event Forwarding, Servicing, and Task Scheduler.
3. A Licensing Issue?
When talking on the TechNet Forum and looking at the Event log which was shared we determined that on his devices there was something else going wrong.
MDM PolicyManager: Policy is rejected by licensing, Policy: (FeedsEnabled), Area: (Feeds), Result:(0x82B00006) Unknown Win32 Error code: 0x82b00006.
So it really looks like this Settings Catalog Policy is only supported on Windows 10 Enterprise/Education devices? Even when the Microsoft Documentation of the CSP is telling us it is supported on Windows 10 Pro devices
But I guess it all depends on which Windows 10 build version you are using. A lot of settings aren’t supported on Windows 10 20H2 in combination with Business licenses. A lot of these settings catalog features will only be available in 21H2!
Please Note: Even when the applicability filter is removed, you could still run into some issues when your device has the Business SKU instead of the Pro SKU. I am describing it in this blog below
4. Windows 10 or Windows 11
This blog was written while Windows 11 was not yet globally used. Today I got a response to that same question from the TechNet community.
I was immediately intrigued by this response as I did not have noticed this issue with Windows 11. After looking at the question, I quickly realized that when you need to remove the News and Weather feed in Windows 11, you will need to disable the damn Widgets! You could do this manually by flipping the switch as shown below.
winget uninstall “windows web experience pack”
When you have Windows 10 and Windows 11 devices you want to make sure each Settings catalog profile will arrive at the proper device because we don’t want to end up with Device configuration policy errors in Intune.
Filters…Filters…Just use those wonderful filters!!!!! Let’s create a filter as I am showing below
After this Filter has been created, you could change your existing Windows10_DisableNewsAndWeather policy to make sure you are “excluding” Windows 11 devices with the Filter above!
Now we are sure, this policy will only target Windows 10 devices, let’s create an additional Device configuration policy to disable (not allow) those evil widgets!
Just like we did with the Windows 10 policy, we are going to use a filter but this time we are making sure the filter mode is set to “Include” instead of “Exclude”
After changing these Device configuration policies you will notice it just works!!! no more errors
5. ADMX Ingestion flow Bug?
In the troubleshooting part, I showed you why it’s important that the ADMX itself must be on the device if you want the setting to apply successfully. When ingesting an ADMX you could sometimes run into some weird behavior.
The device will normally perform the ADMX ingestion BEFORE applying the policies but sometimes it just doesn’t. As shown below the ADMX ingestion is done AFTER applying the Device configuration policy
Luckily when the device performs a sync again all is fine and the setting will be applied successfully. So when noticing this behavior, just perform another sync! I guess good old Mike has us covered again!
6. Windows Pro Vs Windows Business SKU
We also need to beware of some differences in the SKUs because sometimes even when it should be working on Pro it doesn’t mean it also works for Business even while the Microsoft Documentation is telling us otherwise!
The above ScriptedDiagnosticsExecutionPolicy is one of those that could be failing you. I am also mentioning it in the blog about dealing with the “Follina” bug
Summary of the blog: Microsoft is aware of this issue and they are working on a fix!. Hopefully, it will be fixed in the near future!
7. Edge/Office ADMX
I guess I am still not done, as you could also run into some weird rare issue in which the Intune build-in Edge ADMX could give you the same issue.
This registry key (microsoft_edgev99) and the ADMX should be automatically delivered by the ADMXInstall CSP so that later on the specific settings could be deployed
But sometimes, it just doesn’t work as you expected and you will end up with a device without that Policymanager\Admxinstalled registry key
Besides this missing registry key, the ADMX would also be missing from the Ingestion folder : c:\programdata\microsoft\policymanager\ADMXIngestion
If you have spent a fair amount of time waiting and you want it to fix it now get yourself a copy from the ADMX and the registry key I mentioned from a working device and place them on the not working device…
1) KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxInstalled\GUID\microsoft_edgev99 2) C:\ProgramData\Microsoft\PolicyManager\ADMXIngestion\GUID\microsoft_edgev99
8. Excluding Policies
If you have a question… just post it on Reddit. So did he!
He was experiencing the same error 65000 as mentioned in this blog. The funny thing was that the: “excluded paths” was not giving him issues only the “excluded Processes” setting.
After some messages send back and forth I asked him to remove the setting that was giving him the error from the existing Antivirus Endpoint Security Policy
After removing the “excluded Process” and dedicating a separate Antivirus Exclusion policy to it the error 65000 was gone!
Knowing how to troubleshoot is necessary so you can come up with a good answer in no time. But then again, a lot of settings inside the settings catalog are telling us you need to have the insider preview installed so why not give us a little hint about this one?
I guess error 65000 just means Windows doesn’t know what SYNCML was trying to accomplish which could be caused by a lot!