What if…. Chrome Policies are Failing

This blog will show you how to troubleshoot the Intune Chrome Device config policy when it’s giving you the famous -2016281112 (remediation failed) error.

I will divide this blog into multiple parts:

  1. Troubleshooting it!
  2. Solving it!

Some time ago I got this question on the TechNet forum, so here we go.

Blocking chrome extensions but whitelist specific ones – Page 2 – Microsoft Tech Community

Of course, we need to make sure that when configuring Chrome policies we also did some ingesting with the ADMX file.

Spongebob Eat GIF - Spongebob Eat Swallow - Discover & Share GIFs

When we need to troubleshoot Intune Device config Policies errors, we need to start opening the event log. To be specific the devicemanagement-enterprise-diagnotics-provider eventlog. Another possibility would be to open the intune management extension log file, but this time I will stick with the event log.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

When looking at the event log, you will need to search for Event 404. When taking a closer look at the error, you will notice the error: The system cannot find the file specified

Some time ago I did a blog a little bit similar to this one. But using this blog didn’t resolve this “file not found” error.

Of course, this error should not be mistaken with this FakePolicy error you could notice:

(./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

“The FakePolicy policy was created to detect if a certain patch is present on Windows, and will be removed automatically once we’re sure most machines are ready to consume the new ADMX versioning feature.”

So if you see this error, just skip it!

What to do next? Please open the registry and start looking for the Policy manager key and the chrome policy you are trying to configure to see if it’s there. Just like in the picture below, the blacklist extension part was missing.

Let’s go further with troubleshooting. Like mentioned earlier, you will need to ingest the ADMX before you can configure Chrome Policies. When the ADMX file arrives at the device, it will be placed inside the MS DM server registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftProvisioningNodeCacheCSPDeviceMS DM ServerNodessomenumber

You will notice, there is an “expectedvalue” key inside it with the whole admx xml content in it. But when you want to take a better look at it… you will notice it isn’t returning the data you want!

You have got 2 options now:

  1. Export the registry part to a .reg file and open it with notepad!

2. Fire up PowerShell and export it from there.

Get-ItemProperty -Path Registry::”HKEY_LOCAL_MACHINESOFTWAREMicrosoftProvisioningNodeCacheCSPDeviceMS DM ServerNodes87″ | Select-Object “ExpectedValue” | Format-List * | Out-File c:tempchrome.txt

Now open the text or reg file and start by searching for the policy that isn’t working. In this example: ExtensionInstallBlacklist.

As shown below, the key was in the file.

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Please note: When you are troubleshooting it and you don’t get any results back when searching for the policy, you will need to make sure you have ingested the latest google chrome ADMX file.

Did you notice anything weird in the picture I showed you? It’s showing us, it’s deprecated?

Okay, that’s odd because when looking at another Chrome Admx file I still got I am noticing the parent category is configured to: “Extensions”

Afbeelding met tekst  Automatisch gegenereerde beschrijving

Okay… let’s upload that ADMX to the Intune ADMX ingestion CSP. And let’s look what will happen!

Afbeelding met tekst  Automatisch gegenereerde beschrijving

When trying to answer as many questions as possible for the community on TechNet, Discord, Reddit, Facebook, Linkedin, Twitter and even direct Teams messages you can learn a thing or 2 by solving it. This was one of them!

Im Just Doing My Job GIFs - Get the best GIF on GIPHY
Rudy Oomshttps://call4cloud.nl/
Rudy is a Modern workplace architect and currently working for a company in the Netherlands, called Deltacom Steenbergen. He has been working in IT since he was 16 years old. Within these years, he gained a lot of experience in different kinds of expertise. I guess like most of you, he started working with active directory environments. In June 2021 he received the MVP status in the category Enterprise Mobility for the first time. The multi-tenant PowerShell scripted Deltacom-Cloud environment is one of his creations.

Related Articles

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Stay Connected


Subscribe to our newsletter

To be updated with all the latest news, offers and special announcements.

Latest Articles