Monday, January 24, 2022

I Kill Remediation Errors


Rudy Ooms
Rudy is a Modern Workplace architect, currently working for a company in the Netherlands called Deltacom Steenbergen. He has been working in IT since he was 16 years old and over the years has gained a lot of experience in different areas of expertise. Like most of you, I guess, he started out working with Active Directory environments. In June 2021 he received MVP status in the category Enterprise Mobility for the first time. The multi-tenant PowerShell-scripted Deltacom-Cloud environment is one of his creations.

This time a simple blog, but still one about a remediation issue that has been asked about a lot.

Two places where the question came up:

  - CSP policy works but Intune reporting it failed. : Intune
  - Create local admin account and Uninstall local admin account – Microsoft Tech Community

So I thought it was time to create a blog about it, so hopefully the answer to this question can be found on Google a little bit better.

I will divide this blog into multiple parts:

  1. Adminless
  2. Creating a Local Admin
  3. Remediation Error
  4. Digging in the error
  5. Reboot Required URI
  6. Another option to create a local admin?

Of course, you need to prevent your users from being, or becoming, local admins. When the user is a local admin, there is no security!

I have written a lot of blogs about why this is so important. Please check my blogs about this topic first.

So once you have made sure that none of your users are a member of the local Administrators group anymore, you could still want an additional dedicated local admin account on the workstation, meant for administrative purposes only!

To do so, we can create a new custom CSP profile. With this CSP we simply create a new user, TestUser, with a good password and add the user to the local group we want.




When looking at the AccountType, you will probably have noticed the integer value 2. Let me briefly explain what happens when you configure the value 1 or 2:

  - Integer value 1 sets the account as a standard user
  - Integer value 2 sets the account as an admin

So when you want to add the user to the local Administrators group, you will need to define the integer value “2”.

When syncing the device, the new admin user will be created. Please don’t forget to apply a local password solution like the one I mention in

The LAPS: Reloaded / Revolutions – Call4Cloud and Intune Proactive Remediations

Cool! We made sure we have an additional local admin on the workstations, so shall we take a look at the results?

Huh? That’s odd. Even though the local user has been created successfully and has been added to the local Administrators group, why is it giving us the famous error Remediation failed -2016281112?

When in doubt, always check the official Microsoft documentation first, to see if there is anything useful in it!

Looking at Users/UserName/Password, the documentation tells us that the supported operation is Add and that the Get operation is not supported. When you configure this setting from Endpoint Manager, it will report as failed when deployed.

But as always, I want to know why we can’t get the results. So let’s do some troubleshooting to find out why it gives us this error.

Did you know that all of the settings and their expected values are stored in the registry? Please take a look at this registry key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes\”node”

In my case, the node I needed was 19759. Just search for “Password” in the main registry key to find it.

Looking at the picture above, we notice that the ExpectedValue is empty. Let’s compare it with a working one.

Okay… The working one shows us the value we configured in the CSP in Endpoint Manager. So what does the ExpectedValue mean? I guess it’s quite obvious… but let me explain a bit more.


This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node’s actual value.

I also mention the NodeCache key in this blog about how Chrome policies could be failing and how to troubleshoot them.

Okay, so looking at the password value: it is going to compare an empty expected value against the node’s actual value? Of course that ends up with the -2016281112 remediation failed error, I guess.
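To make the comparison above visible without clicking through regedit, here is an added PowerShell example (not a script from the original post) that lists the cached nodes for the Accounts CSP and flags the ones whose ExpectedValue is empty. It assumes the NodeCache layout described above: one subkey per node under the MS DM Server\Nodes key, each holding a NodeUri and an ExpectedValue string (the value names are an assumption on my side). Run it in an elevated PowerShell session on the enrolled device.

```powershell
# Added example: inspect the MDM NodeCache for the Accounts CSP and show what the
# server expects the client to report. Not from the original post.
# Assumption: every node subkey carries a NodeUri and an ExpectedValue string value.
# Run elevated on the enrolled device.

$nodesPath = 'HKLM:\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP\Device\MS DM Server\Nodes'
$filter    = 'Accounts/Users'   # change this to the CSP you are troubleshooting

Get-ChildItem -Path $nodesPath -ErrorAction Stop | ForEach-Object {
    $node = Get-ItemProperty -Path $_.PSPath
    if ($node.NodeUri -notlike "*$filter*") { return }

    $expected = $node.ExpectedValue

    # An empty ExpectedValue on a write-only node (Users/<name>/Password supports Add
    # but not Get) is exactly the mismatch behind "Remediation failed -2016281112".
    if ([string]::IsNullOrEmpty($expected) -and $node.NodeUri -like '*/Password') {
        $diagnosis = 'Write-only node: ExpectedValue empty, compare fails by design'
    } elseif ([string]::IsNullOrEmpty($expected)) {
        $diagnosis = 'ExpectedValue empty: check whether this node supports Get'
    } else {
        $diagnosis = 'ExpectedValue present'
    }

    [pscustomobject]@{
        Node          = $_.PSChildName
        NodeUri       = $node.NodeUri
        ExpectedValue = $expected
        Diagnosis     = $diagnosis
    }
} | Format-Table -AutoSize
```

Changing $filter to another CSP path (for example the Chrome policy nodes mentioned above) lets you reuse the same check for other profiles that report as failed.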

Totally off-topic… but while looking at what happens on the client side, I stumbled on this one:



When you want to know which OMA-URIs require a reboot, you will need to check out this registry key.

When we don’t want to end up with remediation errors, we could just create the additional local admin user with a PowerShell script… but then again, this will show up in your Intune logs, so you will need to remove them like I am showing here!
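As an added example of that alternative (not the script from the original post), the following PowerShell creates a dedicated local admin account without touching the write-only Password node of the Accounts CSP. The account name is a placeholder, the password is generated at run time and held only in memory, and the script assumes a LAPS-style solution (like the one referenced earlier in this post) takes over password rotation afterwards. It is meant to run elevated, for example as an Intune PowerShell script in system context.

```powershell
# Added example: create a dedicated local admin with PowerShell instead of the
# Accounts CSP. Not the original post's script.
# Assumptions: the account name is a placeholder; the password is random and is
# expected to be rotated by a LAPS-style solution afterwards. Run elevated.

$userName = 'WorkstationAdmin'   # placeholder account name, pick your own

# Generate a random 24-character password in memory; it is never written to disk or logged.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain = ([Convert]::ToBase64String($bytes)).Substring(0, 24)
$securePassword = ConvertTo-SecureString -String $plain -AsPlainText -Force
$plain = $null

# Idempotent: only create the account if it does not exist yet.
$existing = Get-LocalUser -Name $userName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-LocalUser -Name $userName `
                  -Password $securePassword `
                  -Description 'Dedicated local admin (managed; password rotated by LAPS)' `
                  -AccountNeverExpires | Out-Null
    Write-Output "Created local user $userName"
} else {
    Write-Output "Local user $userName already exists, leaving it as is"
}

# Add the account to the local Administrators group by its well-known SID
# (S-1-5-32-544), so the script also works on non-English Windows builds.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$members = Get-LocalGroupMember -Group $adminGroup -ErrorAction SilentlyContinue
if (-not ($members | Where-Object { $_.Name -like "*\$userName" })) {
    Add-LocalGroupMember -Group $adminGroup -Member $userName
    Write-Output "Added $userName to $($adminGroup.Name)"
} else {
    Write-Output "$userName is already a member of $($adminGroup.Name)"
}

# Exit code 0 tells Intune the script succeeded, so no remediation error is reported.
exit 0
```

Because the script only reports success or failure through its exit code, Intune has no expected value to compare against, which is why this route does not produce the -2016281112 error; the trade-off is the script output in the Intune logs mentioned above.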

It’s important to know how stuff works and what to look out for when it breaks. And sometimes a remediation error is not so bad, as long as you know why it is happening.

So after reading this blog, you will know how to kill giants… uhhhh, sorry, my bad… how to kill those remediation errors when adding a local admin.
