Intune CSP deployment constant errors

Question

Intune CSP deployment constant errors

Jason P 186

Hi All,

I have an issue with Custom CSP Profiles I am creating.

I created on with 4 different OAM-URI settings in a one policy. Two use Integer values and the other two need string (xml Format). These are needed to remediate security vulnerabilities flagged up by Defender for Endpoint. I got the xml ones to work.

The integer valued one that is failing is this : ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication Value = 1 But when configuring this one: ./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess Value = 1 It shows up as succeeded, but if I look in the registry it has not changed the value that is already there. Currently value is 2. One of them works (one of the ones that need an integer value) and the other fails with remediation errors (-2016281112 / 0x87d1fde8). All of OAM-URI's where taken from the MS site. If someone knows how to get these working that would be greatly appreciated. Thanks

Answer accepted by question author

1 additional answer

Your answer

Answer 1

Crystal-MSFT 54,201 Microsoft External Staff

@Jason P, Thanks for posting in Q&A。 For the custom policy with OMA_URI with error, you can go to event viewer Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin to see if any error with it.

For the setting which applied successfully but not working, I would like to confirm if there's any GPO set the same setting, Based as I know, if the same setting deployed via GPO, GPO will win over Intune policy.

Please check the above information and if there's any update, feel free to let us know.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Jason P 186 Reputation points

2024-02-07T17:11:55.0333333+00:00

It is very odd because on setting that shows up in the MS documentation, in the event log it is saying that "File not found", which I would assume actually means that the setting does not exist and as such cannot be applied. So If the documentation states a setting and it is not legitimate, then what are we supposed to do?
Jason P 186 Reputation points

2024-02-07T17:16:35.87+00:00

When looking in the event log it showed "File not Found" for the one setting, which I assume means that it does not exist, which is frustrating when it was taking directly from the MS site documentation. There are no other errors, and they show succeeded in the portal, but they have not been applied at all on the device
Crystal-MSFT 54,201 Reputation points Microsoft External Staff

2024-02-08T02:58:00.8333333+00:00

@Jason P, Thanks for the reply. For the ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowStorageOfPasswordsAndCredentialsForNetworkAuthentication, I know it get error not found. From the official article, I notice this is under development and only applicable for Windows Insider Preview builds. So it is failed on your device.

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#networkaccess_donotallowstorageofpasswordsandcredentialsfornetworkauthentication

For another one, it applies to Windows 11, version 22H2 [10.0.22621] and later. Please ensure the affected devices are with supported OS version.

https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess
Jason P 186 Reputation points

2024-02-08T17:27:01.1533333+00:00

Ah, makes sense. So assume then for those type of settings a script would be needed then to apply the settings in the registry if it is insider preview then. ProhibitInstallationAndConfigurationOfNetworkBridge - Shows only Windows 10 - so assume a script there also, even though it shows up as succeeded, and nothing has change in the registry NC_StdDomainUserSetLocation - Show Windows 10 and 11. this also shows up as succeeded but no values applied.
Crystal-MSFT 54,201 Reputation points Microsoft External Staff

2024-02-09T06:21:39.1233333+00:00

@Jason P, Thanks for the reply. If the registry key can work on the devices, then we can consider deploying PowerShell script to add the registry keys.

In general, not all CSP will change registry key. And for other two CSP, could you confirm if the setting takes effect. If not, then we needs to contact windows support to look into the issue.
Jason P 186 Reputation points

2024-02-09T09:14:12.5633333+00:00

The settings do not take affect. The Security guidelines in Defender for Endpoint keep showing up that they are not working. It shows the registry entry that it relates to, and as such they do not change, and therefore the "vulnerability" is shown as still there.
Jason P 186 Reputation points

2024-02-09T10:45:38.6366667+00:00

Gone back and checked and they have now applied. No idea why it took so long. Thanks for all your help
Crystal-MSFT 54,201 Reputation points Microsoft External Staff

2024-02-12T02:21:13.9+00:00

@Jason P, Thanks for the update. I am glad that they are applied now. Next time, you can sync on the device side and restart the device to see if it can faster the apply speed. Thanks!

Answer 2

Pavel yannara Mirochnitchenko 13,426 MVP

Have you cheched Settings Catalog or Admin Tamples if they contain same setting? OMA-URI is the last method you want to use.

Jason P 186 Reputation points

2024-02-07T17:14:11.7666667+00:00

I did check and there is no other option that I can find. Unless I push out a script that will change the registry settings, but that is just not great as I would prefer using the method of using config policies.

Share via

Intune CSP deployment constant errors

1 additional answer

Your answer