What if…. Chrome Policies are Failing

What if…. Chrome Policies are Failing

This blog will show you how to troubleshoot the Intune Chrome Device config policy when it’s giving you the famous -2016281112 (remediation failed) error.

I will divide this blog into multiple parts:

  1. Troubleshooting it!
  2. Solving it!
  3. Information about the Depracted part

1.Troubleshooting it!

Some time ago I got this question on the TechNet forum, so here we go.

Blocking chrome extensions but whitelist specific ones – Page 2 – Microsoft Tech Community

Of course, we need to make sure that when configuring Chrome policies we also did some ingesting with the ADMX file.

Spongebob Eat GIF - Spongebob Eat Swallow - Discover & Share GIFs

When we need to troubleshoot Intune Device config Policies errors, we need to start opening the event log. To be specific the devicemanagement-enterprise-diagnotics-provider eventlog. Another possibility would be to open the intune management extension log file, but this time I will stick with the event log.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

When looking at the event log, you will need to search for Event 404. When taking a closer look at the error, you will notice the error: The system cannot find the file specified

Some time ago I did a blog a little bit similar to this one. But using this blog didn’t resolve this “file not found” error.

Of course, this error should not be mistaken with this FakePolicy error you could notice:

(./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

“The FakePolicy policy was created to detect if a certain patch is present on Windows, and will be removed automatically once we’re sure most machines are ready to consume the new ADMX versioning feature.”

So if you see this error, just skip it!

What to do next? Please open the registry and start looking for the Policy manager key and the chrome policy you are trying to configure to see if it’s there. Just like in the picture below, the blacklist extension part was missing.

Let’s go further with troubleshooting. Like mentioned earlier, you will need to ingest the ADMX before you can configure Chrome Policies. When the ADMX file arrives at the device, it will be placed inside the MS DM server registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\somenumber

You will notice, there is an “expectedvalue” key inside it with the whole admx xml content in it. But when you want to take a better look at it… you will notice it isn’t returning the data you want!

You have got 2 options now:

  1. Export the registry part to a .reg file and open it with notepad!

2. Fire up PowerShell and export it from there.

Get-ItemProperty -Path Registry::”HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\87″ | Select-Object “ExpectedValue” | Format-List * | Out-File c:\temp\chrome.txt

2.Solving it !

Now open the text or reg file and start by searching for the policy that isn’t working. In this example: ExtensionInstallBlacklist.

As shown below, the key was in the file.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Please note: When you are troubleshooting it and you don’t get any results back when searching for the policy, you will need to make sure you have ingested the latest google chrome ADMX file.

Did you notice anything weird in the picture I showed you? It’s showing us, it’s deprecated?

Okay, that’s odd because when looking at another Chrome Admx file I still got I am noticing the parent category is configured to: “Extensions”

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Okay… let’s upload that ADMX to the Intune ADMX ingestion CSP. And let’s look what will happen!

Afbeelding met tekst  Automatisch gegenereerde beschrijving

3. Information about the Deprecated Part

But I am not done yet as someone made me aware of the fact I forgot to tell more information about the Deprecated part. I will show you that solving it, would be a better option than just using an older ADMX.

So here we go. Let’s take a look at the “OLD” policy first

Lijst met Chrome Enterprise-beleidsregels en beheer van Chrome Enterprise | Documentatie

And when something old is deprecated, it is or it should be replaced with something new. So just change 1 letter in it, so it looks like ExtensionInstallBlOcklist.

Lijst met Chrome Enterprise-beleidsregels en beheer van Chrome Enterprise | Documentatie

Open the ADMX and search for that one, instead of the OLD one.

Now change your policy to something like this!

OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlocklist

 

String: 

<enabled/> 
<data id="ExtensionInstallBlocklistDesc" value="1&#xF000;*"/>

To resume, when you get the error “The system cannot find the file specified”, could also mean you are using a policy that isn’t in use anymore. Just dig to the admx to get the new values!

Conclusion

When trying to answer as many questions as possible for the community on TechNet, Discord, Reddit, Facebook, Linkedin, Twitter and even direct Teams messages you can learn a thing or 2 by solving it. This was one of them!

Im Just Doing My Job GIFs - Get the best GIF on GIPHY

Leave a Reply

Your email address will not be published. Required fields are marked *

1  +  2  =