I Kill Remediation Errors

This time a simple blog, but still one about a Remediation Failed error: -2016281112. This remediation error can occur when you have created a CSP to add an additional local admin on the device.

CSP policy works but Intune reporting it failed. : Intune (reddit.com)

And

Create local admin account and Uninstall local admin account – Microsoft Tech Community

So I thought it was time to create a blog about it, so hopefully the answer to this question can be found on Google a little more easily.

I will divide this blog into multiple parts:

  1. Adminless
  2. Creating a Local Admin
  3. Remediation Error
  4. Digging in the error
  5. Reboot Required URI
  6. Another option to create a local admin?

1. Adminless

Of course, you need to prevent your users from being or becoming local admins. When users are local admins, there is no security!

I did a lot of blogs about why this is so important. Please check my blogs about this topic first.

2. Creating a local admin

Once you have made sure that none of your users is a member of the local Administrators group anymore, you may still want an additional workstation local admin on the device, dedicated to administrative purposes only!

To do so, we can create a new CSP. With this CSP we create a new user, TestUser, with a nice password, and add the user to the “local group” we want.

./Device/Vendor/MSFT/Accounts/Users/TestUser/LocalUserGroup

./Device/Vendor/MSFT/Accounts/Users/TestUser/Password

When looking at the AccountType, you will probably have noticed the Integer value: 2. Let me simply explain what happens when you configure the value 1 or 2.

Integer value 1 sets the account as User

Integer value 2 sets the account as Admin

So when you want to add the user to the local admin group, you will need to define the integer value “2”.

When the device syncs, the new admin user will be created. Please don’t forget to apply a local password solution like the ones I mention in:

The LAPS: Reloaded / Revolutions – Call4Cloud and Intune Proactive Remediations

3. Remediation error

Cool! We made sure we have an additional local admin on the workstations. Should we take a look at the results?

Huh? That’s odd. Even though the local user has been created successfully and added to the local admin group, why is it giving us the famous error Remediation failed -2016281112?

When in doubt, always check the official Microsoft documentation first, to see if anything useful is in it!

Looking at Users/UserName/Password, the documentation tells us that the supported operation is Add and that the GET operation is not supported. When you have configured this setting from the Endpoint Manager, it will report as failed when deployed.

4. Digging into the error

But like always, I want to know why we can’t get the results. So let’s troubleshoot why it gives us this error.

Did you know that all of the settings and expected values are stored in the registry? Please take a look at these registry keys:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\”node”

In my case, the node I needed was 19759. Just search for the password in the main registry key to find it.

Looking at the picture above, we notice that the ExpectedValue is empty. Let’s compare it with a working one.

Okay… The working one gives us the value we configured in the CSP in the Endpoint Manager. So what does the ExpectedValue value mean? I guess it’s quite obvious… but let me explain some more.

/NodeID/ExpectedValue

This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node’s actual value.

I also mention the NodeCache key in my blog about how Chrome policies can fail and how to troubleshoot them.

Okay, so looking at the password value, it is going to compare the empty value against the node’s actual value? Of course, that will end up with the -2016281112 remediation failed error, I guess.
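To do the same comparison without clicking through regedit, the following PowerShell sketch (an added example, not part of the original post) lists the NodeCache entries under the key above and flags the nodes whose ExpectedValue is empty. The function name Get-NodeCacheEntry and the NodeUri value name are assumptions; run it in an elevated session on the enrolled device.

```powershell
# Added example: enumerate the MDM NodeCache and flag nodes with an empty ExpectedValue.
$nodesKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes'

function Get-NodeCacheEntry {
    param(
        [string]$Path = $nodesKey,
        [string]$UriFilter = '*',   # wildcard on the node URI, e.g. '*Accounts/Users*'
        [switch]$ShowValue          # values can be sensitive, so they are hidden by default
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "NodeCache key not found: $Path (is the device MDM-enrolled?)"
        return
    }

    Get-ChildItem -LiteralPath $Path | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath

        # 'NodeUri' is an assumed value name; 'ExpectedValue' is the one discussed in the post.
        $uri      = [string]$props.NodeUri
        $expected = [string]$props.ExpectedValue

        if ($uri -like $UriFilter) {
            $entry = [ordered]@{
                Node            = $_.PSChildName    # numeric sub-key, e.g. 19759 in the post
                NodeUri         = $uri
                EmptyExpected   = [string]::IsNullOrEmpty($expected)
            }
            if ($ShowValue) { $entry.ExpectedValue = $expected }
            [pscustomobject]$entry
        }
    }
}

# Nodes created by the Accounts CSP; the Password node is expected to show EmptyExpected = True.
Get-NodeCacheEntry -UriFilter '*Accounts/Users*' |
    Sort-Object NodeUri |
    Format-Table -AutoSize

# Every node the server cannot compare against, which are candidates for a "failed" report.
Get-NodeCacheEntry | Where-Object EmptyExpected | Sort-Object NodeUri | Format-Table -AutoSize
```

Leave -ShowValue off when sharing the output, since ExpectedValue holds whatever was configured in the policy.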

5. RebootRequiredURI’s

Totally off-topic… but while looking at what happens on the client side, I stumbled on this one:

SOFTWARE\Microsoft\Provisioning\SyncML\RebootRequiredURIs

If you want to know which OMA-URIs will require a reboot, you will need to check out this registry key!

6. Another option to create a local admin (do we want this)?

When we don’t want to end up with remediation errors… we could just create the additional local admin user with a PowerShell script… but then again… this will show up in your Intune logs… so you will need to remove them like I am showing here!

Conclusion

It’s important to know how stuff works and what to look out for when it’s breaking. And sometimes a remediation error is not so bad… as long as you know why it is happening.

So after reading this blog, you will know how to kill giants… uhhhh sorry my bad… how to kill those remediation errors when adding a local admin.
