Call4Cloud

What if…. Chrome Policies are Failing

This blog will show you how to troubleshoot the Intune Chrome Device config policy when it’s giving you the famous -2016281112 (remediation failed) error.

I will divide this blog into multiple parts:

  1. Troubleshooting it!
  2. Solving it!
  3. The Deprecated part
  4. Using Intune with the Built-in ADMX

1. Troubleshooting it!

Some time ago I got this question below on the TechNet forum, so here we go.

Blocking chrome extensions but whitelist specific ones – Page 2 – Microsoft Tech Community

Of course, when you want to configure some Chrome Policies you need to make sure you have also ingested the ADMX file!


When we need to troubleshoot Intune device config policy errors, we need to start by opening the event log. To be specific, the DeviceManagement-Enterprise-Diagnostics-Provider event log. This is the first log you will need to look at.

Another possibility would be to open the intune management extension log file, but this time I will stick with the event log.


When looking at the event log, you will need to search for Event 404. When taking a closer look at the error, you will notice the error: The system cannot find the file specified

Some time ago I did a blog a little bit similar to this one. But using this blog didn’t resolve this “file not found” error.

Of course, this error should not be confused with the FakePolicy error you might also notice:

(./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

“The FakePolicy policy was created to detect if a certain patch is present on Windows, and will be removed automatically once we’re sure most machines are ready to consume the new ADMX versioning feature.”

So if you see this error, just skip it!

What to do next? Please open the registry and start looking for the Policy Manager registry key and the Chrome policy you are trying to configure to see if it’s there. Just like in the picture below, the blacklist extension part was missing.

Let’s go further with troubleshooting. As mentioned earlier, you will need to ingest the ADMX before you can configure Chrome Policies. When the ADMX file arrives at the device, it will be placed inside the MS DM server registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\somenumber

You will notice there is an “ExpectedValue” entry inside it holding the whole ADMX XML content. But when you want to take a better look at it, you will notice it isn’t returning the data you want: the ExpectedValue looks empty.

You have got 2 options now:

  1. Export the registry part to a .reg file and open it with Notepad!
  2. Fire up PowerShell and export it from there.

Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\87" | Select-Object "ExpectedValue" | Format-List * | Out-File c:\temp\chrome.txt

2. Solving it!

Now that we are pretty sure the ADMX is on the device, let’s open the text or .reg file we exported and start by searching for the policy that isn’t working. In this example: ExtensionInstallBlacklist.

As shown below, the key was in the file.


Please note: when you are troubleshooting and you don’t get any results back when searching for the policy, you will need to make sure you have ingested the latest Google Chrome ADMX file. Did you notice anything weird in the picture I showed you? It’s showing us that the policy sits under DeprecatedPolicies?

Okay, that’s odd, because when looking at another Chrome ADMX file that I still had from ingesting it the first time, I noticed the parent category is configured as “Extensions”.


Okay… let’s upload that ADMX to the Intune ADMX ingestion CSP. And let’s look at what will happen!


3. The Deprecated Part

But I am not done yet, as someone made me aware that I forgot to give more information about the Deprecated part. I will show you that solving it would be a better option than just using an older ADMX.

So here we go. Let’s take a look at the “OLD” policy first

Chrome Enterprise policy list and management | Documentation

And when something old is deprecated, it is or it should be replaced with something new. So just change 1 letter in it, so it looks like ExtensionInstallBlOcklist.

Chrome Enterprise policy list and management | Documentation

Open the ADMX and search for that one, instead of the OLD one.

Now change your policy to something like this!

OMA-URI:
./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlocklist

String:

<enabled/>
<data id="ExtensionInstallBlocklistDesc" value="1&#xF000;*"/>

To summarize: the error “The system cannot find the file specified” could also mean you are using a policy that isn’t in use anymore. Just dig into the ADMX to get the new values!
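
The lookup from sections 1 to 3, as an added PowerShell example that is not part of the original post: it scans the NodeCache nodes for an ingested ADMX, finds the policy, and rebuilds its OMA-URI from the parentCategory chain. The function names, the `Chrome` app name default and the sample ADMX are assumptions constructed for illustration.

```powershell
# Added example, not from the original post; the sample ADMX below is constructed.
$NodesRoot = 'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes'
function Resolve-AdmxPolicy {
    param([string]$AdmxText, [string]$Name, [string]$AppName = 'Chrome')  # AppName: assumed ingestion name
    $start = $AdmxText.IndexOf('<policyDefinitions')
    if ($start -lt 0) { return }                      # not an ADMX payload
    try { $doc = [xml]$AdmxText.Substring($start) } catch { return }
    # local-name() matches with or without a default XML namespace
    $policy = $doc.SelectSingleNode("//*[local-name()='policy' and @name='$Name']")
    if (-not $policy) { return }
    # Walk parentCategory refs upward until one is not defined in this file
    $path = @()
    $ref  = $policy.SelectSingleNode("*[local-name()='parentCategory']/@ref").Value
    while ($ref -and $path -notcontains $ref) {
        $cat = $doc.SelectSingleNode("//*[local-name()='category' and @name='$ref']")
        if (-not $cat) { break }
        $path = @($ref) + $path
        $ref  = $cat.SelectSingleNode("*[local-name()='parentCategory']/@ref").Value
    }
    [pscustomobject]@{
        Policy     = $Name
        Deprecated = $path -contains 'DeprecatedPolicies'
        OmaUri     = "./Device/Vendor/MSFT/Policy/Config/${AppName}~Policy~$($path -join '~')/$Name"
        ElementIds = @($policy.SelectNodes("*[local-name()='elements']/*/@id") | ForEach-Object Value)
    }
}

function Get-IngestedAdmxPolicy {   # scan every cached node for an ADMX that defines $Name
    param([string]$Name)
    foreach ($node in Get-ChildItem -Path $NodesRoot -ErrorAction SilentlyContinue) {
        $value = $node.GetValue('ExpectedValue')
        if ($value -is [string]) {
            Resolve-AdmxPolicy -AdmxText $value -Name $Name |
                Add-Member -NotePropertyName Node -NotePropertyValue $node.PSChildName -PassThru
        }
    }
}

$sample = @'
<policyDefinitions revision="1.0" schemaVersion="1.0"><categories>
  <category name="googlechrome"><parentCategory ref="Google:Cat_Google"/></category>
  <category name="Extensions"><parentCategory ref="googlechrome"/></category>
  <category name="DeprecatedPolicies"><parentCategory ref="googlechrome"/></category>
</categories><policies>
  <policy name="ExtensionInstallBlacklist"><parentCategory ref="DeprecatedPolicies"/></policy>
  <policy name="ExtensionInstallBlocklist"><parentCategory ref="Extensions"/>
    <elements><list id="ExtensionInstallBlocklistDesc"/></elements></policy>
</policies></policyDefinitions>
'@
'ExtensionInstallBlacklist', 'ExtensionInstallBlocklist' | ForEach-Object { Resolve-AdmxPolicy -AdmxText $sample -Name $_ }
```

On a managed device, run `Get-IngestedAdmxPolicy -Name ExtensionInstallBlocklist` from a session that can read the NodeCache key; no output means none of the ingested ADMX files defines that policy.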

4. Using Intune and the Built-in ADMX

Finally! Microsoft has listened to us and provided some new ADMX options to configure Chrome with a built-in Intune ADMX. Let’s take a look by creating a new Administrative Template first.

From today you will find the nice option to configure the same Google Chrome policies I showed you earlier!

Conclusion

When trying to answer as many questions as possible for the community on TechNet, Discord, Reddit, Facebook, LinkedIn, Twitter, and even direct Teams messages, you can learn a thing or two by solving them. This was one of them! Luckily, Microsoft now has a built-in option to configure those Chrome policies.
