Last Updated on June 7, 2022 by rudyooms
This time a simple blog, but still one about a Remediation Failed error (-201628112). This remediation error can occur when you have created a CSP to add an additional local admin on the device.
So I thought it was time to write a blog about it, so that hopefully the answer to this question can be found on Google a little more easily.
I will divide this blog into multiple parts
- Creating a Local Admin
- Remediation Error
- Digging into the error
- Reboot Required URI
- Another option to create a local admin?
Of course, you need to prevent your users from being or becoming local admins. When the user is a local admin, there is no security!
I did a lot of blogs about why this is so important. Please check my blogs about this topic first.
2. Creating a local admin
So once you have made sure that none of your users are members of the local Administrators group anymore, you could still want an additional dedicated local admin on the workstation, meant for administrative purposes only!
To do so, we could create a new CSP configuration. With this CSP we simply create a new user, TestUser, with a nice password and add the user to the local group we want.
When looking at the AccountType, you have probably noticed the integer value 2. Let me briefly explain what happens when you configure the value 1 or 2.
- Integer value 1 sets the account as a (standard) user
- Integer value 2 sets the account as an admin
So when you want to add the user to the local admin group, you need to define the integer value 2.
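The same configuration, created with Microsoft Graph instead of by clicking through Endpoint Manager. This is an added example and not code from the original post: it uses the Microsoft.Graph PowerShell SDK (Invoke-MgGraphRequest) to create a custom OMA-URI profile. The two Accounts CSP nodes are ./Device/Vendor/MSFT/Accounts/Users/<UserName>/Password (string, Add-only) and ./Device/Vendor/MSFT/Accounts/Users/<UserName>/LocalUserGroup (integer, 2 = Administrators); the latter is the node this post refers to as AccountType. The user name TestUser comes from the post; the password value is a placeholder you must replace, and the profile name is an arbitrary choice. Assigning the profile to a group is a separate Graph call and is not shown.

```powershell
# Added example, not part of the original post: create the custom OMA-URI profile
# for a dedicated local admin through Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$userName        = 'TestUser'                          # account name from the post
$initialPassword = 'REPLACE-WITH-A-STRONG-PASSWORD'    # placeholder; rotate it with a local password solution after creation

$customProfile = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Win - Dedicated local admin (Accounts CSP)'   # arbitrary name
    description   = 'Creates a dedicated local admin via the Accounts CSP'
    omaSettings   = @(
        @{
            # Password node: supported operation is Add only, it can never be read back
            '@odata.type' = '#microsoft.graph.omaSettingString'
            displayName   = 'Local admin password'
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$userName/Password"
            value         = $initialPassword
        },
        @{
            # LocalUserGroup node: 1 = standard user, 2 = member of Administrators
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Local admin group (2 = Administrators)'
            omaUri        = "./Device/Vendor/MSFT/Accounts/Users/$userName/LocalUserGroup"
            value         = 2
        }
    )
}

# Invoke-MgGraphRequest serializes the hashtable to JSON for us
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body $customProfile

"Created profile $($created.displayName) with id $($created.id)"
```

Keep in mind that the password in this profile is readable by anyone with rights on the Intune configuration profiles, which is one more reason to treat it as an initial password only.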
When this CSP is deployed to your device, a new local admin user will be created with the password you provided. Please note: when using this CSP, “User must change password at next logon” will be enabled.
If that is something you don’t want, take a look at this blog. I am using a PowerShell script and a scheduled task to make sure there are “never” more local admins on the device than we configured!
In this PowerShell script I also added this part: Get-LocalUser | Set-LocalUser -PasswordNeverExpires:$True. To make sure the change-password issue is resolved, please run this PowerShell script in 64-bit context!
After the local admin is created, please don’t forget to apply a local password solution like the one I am mentioning.
Cool! We made sure we have an additional local admin on the workstations. Shall we take a look at the results?
Huh? That’s odd. Even though the local user has been created successfully and it is added to the local admin group, why is it giving us the famous error Remediation failed -201628112?
When in doubt, always check the official Microsoft documentation first to see if there is anything useful in it!
So looking at Users/UserName/Password, it tells us that the supported operation is Add and that the GET operation is not supported. When you have configured this setting from Endpoint Manager, it will report as failed when deployed.
4. Digging into the error
But as always, I want to know why we can’t get the results. So let’s do some troubleshooting to find out why it gives us this error.
Did you know that all of the settings and their expected values are stored in the registry? Please take a look at these registry keys:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\<node>
In my case, the node I needed was 19759. Just search for the password in the main registry key to find it.
Looking at the picture above, we notice that the ExpectedValue is empty. Let’s compare it with a working one.
Okay… The working one gives us the value we configured in the CSP in Endpoint Manager. So what does the ExpectedValue mean? I guess it’s quite obvious… but let me explain some more.
This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node’s actual value.
I also mention the NodeCache key in this blog about how Chrome policies could fail and how to troubleshoot it.
Okay, so looking at the password value, it is going to compare the empty value against the node’s actual value? Of course, that will end up with the 2016281112 remediation failed error, I guess.
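Instead of searching the NodeCache by hand, the walk described above can be scripted. This is an added example, not from the original post: it enumerates every cached node under the MS DM Server path the post gives, shows the OMA-URI and the ExpectedValue, and flags the nodes where ExpectedValue is empty, which is exactly the situation the post found for the Password node (node 19759 on the author's device). It assumes the per-node value names are ExpectedValue (named in the post) and NodeUri (its companion value); run it elevated, since the Provisioning keys are not readable by standard users.

```powershell
# Added example, not part of the original post: list NodeCache nodes and their
# expected values so empty ones (the "nothing to compare against" case) stand out.
function Get-NodeCacheState {
    param(
        # Substring match on the OMA-URI, e.g. 'Accounts/Users' or 'Password'
        [string]$UriFilter = '*',
        # Intune's provider path from the post; other MDMs use a different provider name
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes'
    )

    Get-ChildItem -Path $Root | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Node          = $_.PSChildName        # e.g. 19759 in the post
            NodeUri       = $props.NodeUri        # assumed value name for the OMA-URI
            ExpectedValue = $props.ExpectedValue  # value the server expects on the device
            # An empty ExpectedValue means the client has nothing to compare the
            # actual value against, which is what the post observes for the Password node
            ExpectedEmpty = [string]::IsNullOrEmpty($props.ExpectedValue)
        }
    } | Where-Object { $_.NodeUri -like "*$UriFilter*" }
}

# Usage: first all Accounts CSP nodes, then every node with an empty expected value
Get-NodeCacheState -UriFilter 'Accounts/Users' | Format-Table -AutoSize
Get-NodeCacheState | Where-Object ExpectedEmpty | Format-Table Node, NodeUri -AutoSize
```

Comparing the second list against the settings that report "Remediation failed" in the Endpoint Manager portal quickly tells you whether the failure is a real drift on the device or, as here, a node that simply cannot be read back.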
Totally off-topic… but while looking at what happens on the client side, I stumbled upon this registry key mentioning the Reboot Required URIs.
When you want to know which OMA-URIs will require a reboot, you will need to check out this registry key!
6. Another option to create a local admin (do we want this)?
When we don’t want to end up with remediation errors… we could just create the additional local admin user with a PowerShell script… but then again… this will show up in your Intune logs… so you will need to remove them as I am showing here!
It’s important to know how stuff works and what to look out for when it breaks. And sometimes a remediation error is not so bad… as long as you know why it is happening.
So after reading this blog, you will know how to kill giants… uhhhh sorry, my bad… how to kill those remediation errors when adding a local admin.
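The PowerShell alternative mentioned here, combined with the two points made earlier in the post (run it in 64-bit context, and set PasswordNeverExpires so the "change password at next logon" prompt goes away). This is an added example and not the script from the original post or its linked blogs: it creates the dedicated admin if it is missing, keeps its password from expiring, makes sure it is in the local Administrators group, and reports (or, when you flip the switch, removes) every other member that is not on the allow-list. The account name TestUser is from the post; the report-only default, the rule that keeps Azure AD principals (SID prefix S-1-12-1-), and the random initial password are choices made for this example, and the password still has to be handed to a local password solution afterwards.

```powershell
# Added example, not the script from the original post or its linked blogs.
# Ensures the dedicated local admin exists and is the only extra Administrators member.

$AdminName   = 'TestUser'   # account name from the post
$KeepAzureAd = $true        # keep Azure AD principals (S-1-12-1-*) such as device admin roles
$ReportOnly  = $true        # set to $false to actually remove unexpected members

# --- 1. Intune runs scripts in the 32-bit host; relaunch in the native 64-bit one ---
# PROCESSOR_ARCHITEW6432 is only set for a 32-bit process on a 64-bit OS.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    $ps64 = Join-Path $env:WINDIR 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

# --- 2. Make sure the dedicated admin exists and its password does not expire ---
$user = Get-LocalUser -Name $AdminName -ErrorAction SilentlyContinue
if (-not $user) {
    # Random initial password; hand it to your local password solution and never log it.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    $user = New-LocalUser -Name $AdminName -Password $secure `
        -PasswordNeverExpires -AccountNeverExpires -Description 'Dedicated workstation admin'
}
# "Password never expires" also clears "User must change password at next logon"
Set-LocalUser -Name $AdminName -PasswordNeverExpires $true

# --- 3. Resolve the Administrators group by its well-known SID (language independent) ---
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members    = Get-LocalGroupMember -Group $adminGroup
if (-not ($members | Where-Object { $_.SID -eq $user.SID })) {
    Add-LocalGroupMember -Group $adminGroup -Member $user
}

# --- 4. Reconcile: anything not on the allow-list is unexpected ---
foreach ($m in $members) {
    $isBuiltinAdmin = $m.SID.Value -like 'S-1-5-21-*-500'        # built-in Administrator (RID 500)
    $isOurAdmin     = $m.SID -eq $user.SID
    $isAzureAd      = $KeepAzureAd -and ($m.SID.Value -like 'S-1-12-1-*')
    if ($isBuiltinAdmin -or $isOurAdmin -or $isAzureAd) { continue }

    if ($ReportOnly) {
        Write-Output "Unexpected Administrators member: $($m.Name) ($($m.SID.Value))"
    }
    else {
        Write-Output "Removing $($m.Name) from Administrators"
        Remove-LocalGroupMember -Group $adminGroup -Member $m
    }
}
```

Because the password is generated on the device rather than typed into the script, nothing secret ends up in the Intune script logs; the trade-off is that the script itself has no way to tell you the password, so a local password solution is mandatory rather than optional.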