Troubleshooting Windows 10 Intune Policy Failures

Quick brain dump today. One of our customers recently reached out with an issue where a policy for Windows 10 wasn’t applying correctly, and we were returning a very unhelpful error message “-2016281112 Remediation failed”.

Unfortunately, the Remediation failed error message is all that is returned by the client when we issue the SET command on the OMA-URI’s required to configure the target setting. We’re partnering with Windows to improve this experience, so watch this space. But for now, we have to settle for what we have.

So what are the next steps in troubleshooting this error?

Luckily, Windows has a pretty good diagnostics channel in everyone’s favorite Event Viewer (eventvwr).

So first, open up eventvwr.msc from Run.


Next, browse to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider. You’ll see two logs, Admin and Operational mmc_2018-08-09_08-54-20

Firstly, take a look in the Admin log. You should see some high level error messages which might point to an obvious issue. For example, here on my corp device I’ve got an error message for an app deployment via MDM.


This error obviously indicates an app is not being discovered as expected. I recon if I gave this a couple more syncs, the app would reinstall and all would be well.If the error messages in the Admin log are still unhelpful, we have one other option and that’s to enable Debug logging on the DeviceManagement-Enterprise-Diagnostics-Provider.

To do this, from the View menu in eventvwr, enable the Show Analytic and Debug Logs option. This will likely make your eventvwr window flash like crazy for a minute or two, but it’s enabling a bunch of extra logs and the UI doesn’t like it much.


Once enabled, you’ll now see a Debug log option in the DeviceManagement-Enterprise-Diagnostics-Provider. Now enable the log by right-clicking on the log and selecting Enable Log. mmc_2018-08-09_09-02-57

Now run a repro of your issue by running a Sync (Control Panel > Access work or school > Connected to Azure AD > Info)


In the debug log, you should see a bunch of verbose debug information about the sync and settings being applied.


And here you can see the Wifi URI being applied successfully. If there was an issue with the Wifi configuration, I’d get a much more helpful reason as to why the URI failed. I’m not seeing the error from the MDM MSI anymore, so it must have fixed itself on subsequent check-ins.

Hope you find this helpful!

Matt Shadbolt
Senior Program Manager for Microsoft Intune