Custom Intune policies keep failing with "-2016281112 (Remediation failed)" - Device restriction policy

    Question

  • Hi folks

    I'm trying to add in a custom policy within Microsoft Intune as per the following:

    Profile Name: DeviceInstallation

    Platform: Windows 10 and later

    Profile Type: Custom

    Assigned: Yes

    OMA-URI Settings:

    Name:

    PreventInstallationOfMatchingDeviceSetupClasses

    Description:

    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

    Data Type:

    String

    Value

    <enabled/><data id="DeviceInstall_Classes_Deny_List" value="d48179be-ec20-11d1-b6b8-00c04fa372a7" &#xF000 "7ebefbc0-3200-11d2-b4c2-00a0C9697d07" &#xF000 "c06ff265-ae09-48f0-812c-16753d7cba83" &#xF000 "6bdd1fc1-810f-11d0-bec7-08002be2092f"/>

    I've also added other values to test variations as below (all have failed):

    <enabled/><data id="DeviceInstall_Classes_Deny_List" value="d48179be-ec20-11d1-b6b8-00c04fa372a7";"7ebefbc0-3200-11d2-b4c2-00a0C9697d07";"c06ff265-ae09-48f0-812c-16753d7cba83";"6bdd1fc1-810f-11d0-bec7-08002be2092f"/>

    <enabled/><data id="DeviceInstall_Classes_Deny_List" value="d48179be-ec20-11d1-b6b8-00c04fa372a7"&#xF000;&#xF000 ;"7ebefbc0-3200-11d2-b4c2-00a0C9697d07"&#xF000;&#xF000"c06ff265-ae09-48f0-812c-16753d7cba83"&#xF000;&#xF000"6bdd1fc1-810f-11d0-bec7-08002be2092f"/>

    My presumption is that the XML is incorrectly formatted (the values above are from using the Policy CSP) - could someone please point me in the right direction and provide the correct formatting for the OMA-URI value, as I suspect this is where it is failing with the "-2016281112 (Remediation failed)" error.  I've also used &#xF000 which is probably not required for Intune?

    I save the policy and sync on the test device and then on the Intune console within Azure, the status states "Pending" for around 5 minutes and then goes to the failure message of "Remediation failed".

    By the way, I'm using the Intune MDM within Azure and devices are AAD joined and managed by Intune.  Device is Windows 10 Enterprise 1803 build.


    • Edited by RDWUK Wednesday, August 8, 2018 4:17 PM
    Wednesday, August 8, 2018 4:16 PM

All replies

  • Hello,

    This is an ADMX-backed policy. You can refer to the ADMX file for the specific settings and values. The ADMX file is located at C:\Windows\PolicyDefinitions on the Windows 10 device. The name of the ADMX file is DeviceInstallation.admx.

    Based on the documentation introducing this policy, this policy can only be assigned to the device.

    In addition, for the "PreventInstallationOfMatchingDeviceSetupClasses" setting, you only need to set the value as <enabled/>

    Best regards,

    Andy Liu



    Thursday, August 9, 2018 6:17 AM
  • I wrote a post on basic troubleshooting which may help...if you don't mind the shameless self-promotion:

    https://carlbarrett.uk/admx-ingestion-and-troubleshooting

    The section starting "Part 2" might be more relevant to your situation


    Carl Barrett | Web: carlbarrett.uk | Twitter: @CarlBarrett


    • Edited by Carl_B_ Thursday, August 9, 2018 7:09 AM
    Thursday, August 9, 2018 7:06 AM
  • Hi Andy

    Thanks for the feedback.  I had actually been reviewing documentation already on the ADMX ingestion and CSPs and it can seem quite confusing on the first read.

    From what I have read, it appears I need to ingest the ADMX file and then apply the setting after?  This to me would indicate that I need two custom policies; one for ADMX ingestion and one for the actual setting required.

    As a quick and dirty test in response to your reply Andy, I added the <enabled/> value for ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses and it failed too (Remediation Failed).

    See my reply to Carl Barrett's reply for further information on my issues with the custom policies as I'd like to respond to both of your replies.

    Friday, August 10, 2018 7:56 AM
  • Hi Carl

    Thanks for the response which I looked at in depth (including your post on troubleshooting - great by the way and no shameless plug at all) yesterday.  I'm still experiencing issues with getting the policies applied though.  I went through your guide and still am getting remediation failed or 2016281109 (Data type conversion failed) errors.

    I essentially need to create a Device Installation custom policy which is ADMX-backed on the deviceinstallation.admx GPO for the following:

    DeviceInstall_IDS_Deny_List

    DeviceInstall_Classes_Deny

    DeviceINstall_Devices_Deny

    DeviceInstall_Classes_Deny_List

    I created an ADMX ingestion file (copied all the deviceinstallation.admx contents into the value as specified and called it the ingestion file).

    I then looked for the Parent categories as detailed in your post and added 4 other OMA-URI settings within the custom policy to cater for the above.

    Below are the settings in the custom policy I've created and directly below are the errors I'm getting for 1-5:

    DeviceInstall_IDs_Deny_List [root\ccm\cimodels:CustomConfiguration.Key='./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_IDs_Deny_List]
    Error
    -2016281109 (Data type conversion failed)

    DeviceInstall_Classes_Deny [root\ccm\cimodels:CustomConfiguration.Key='./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_Classes_Deny]
    Error
    -2016281109 (Data type conversion failed)

    DeviceInstallationADMX [root\ccm\cimodels:CustomConfiguration.Key='./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Win10Ent/Policy/DeviceInstallationADMX]
    Error
    -2016281112 (Remediation failed)

    DeviceInstall_IDs_Deny [root\ccm\cimodels:CustomConfiguration.Key='./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_IDs_Deny]
    Error
    -2016281109 (Data type conversion failed)

    DeviceInstall_Classes_Deny_List [root\ccm\cimodels:CustomConfiguration.Key='./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_Classes_Deny_List]
    Error
    -2016281109 (Data type conversion failed)

    1) PreventInstallationOfMatchingDeviceSetupClassesSetting

    ./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_Classes_Deny

    <enabled/> <dataid="DeviceInstall_Classes_Deny" value="DenyDeviceClasses"/>

    2) PreventInstallationOfMatchingDeviceIDsSetting

    ./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_IDs_Deny

    <enabled/> <dataid="DeviceInstall_IDs_Deny" value="DenyDeviceIDs"/>

    3) PreventInstallationOfMatchingDeviceIDsListSetting

    ./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_IDs_Deny_List

    <enabled/> <dataid="DeviceInstall_IDs_Deny_List" value="PCI\\CC_0C0A\"/>

    4) PreventInstallationOfMatchingDeviceClassesListSetting

    ./Device/Vendor/MSFT/Policy/Config/Win10Ent~Policy~windows:System/DeviceInstall_Restrictions_Category/DeviceInstall_Classes_Deny_List

    <enabled/> <dataid="DeviceInstall_Classes_Deny_List" value="d48179be-ec20-11d1-b6b8-00c04fa372a7;7ebefbc0-3200-11d2-b4c2-00a0C9697d07;c06ff265-ae09-48f0-812c-16753d7cba83;6bdd1fc1-810f-11d0-bec7-08002be2092f"/>

    5) PreventInstallationOfMatchingDeviceSetupClassesANDDeviceIDsIngestion

    ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Win10Ent/Policy/DeviceInstallationADMX

    <policyDefinitions xmlns:xsd="REMOVED THIS LINK AS I COULDN'T POST IN THIS MESSAGE" xmlns:xsi="REMOVED THIS LINK AS I COULDN'T POST IN THIS MESSAGE" revision="1.0" schemaVersion="1.0" xmlns="REMOVED THIS LINK AS I COULDN'T POST IN THIS MESSAGE">
      <categories>
        <category name="DeviceInstall_Category" displayName="$(string.DeviceInstall_Category)" explainText="$(string.DeviceInstall_Help)">
          <parentCategory ref="windows:System" />
        </category>
        <category name="DriverInstall_Category" displayName="$(string.DriverInstall_Category)" explainText="$(string.DriverInstall_Help)">
          <parentCategory ref="windows:System" />
        </category>
        <category name="DeviceInstall_Restrictions_Category" displayName="$(string.DeviceInstall_Restrictions_Category)" explainText="$(string.DeviceInstall_Restrictions_Help)">
          <parentCategory ref="DeviceInstall_Category" />
        </category>
      </categories>
      <policies>
        <policy name="DeviceInstall_AllSigningEqual" class="Machine" displayName="$(string.DeviceInstall_AllSigningEqual)" explainText="$(string.DeviceInstall_AllSigningEqual_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings" valueName="AllSigningEqual">
          <parentCategory ref="DeviceInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
        <policy name="DeviceInstall_InstallTimeout" class="Machine" displayName="$(string.DeviceInstall_InstallTimeout)" explainText="$(string.DeviceInstall_InstallTimeout_Help)" presentation="$(presentation.DeviceInstall_InstallTimeout)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings">
          <parentCategory ref="DeviceInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <elements>
            <decimal id="DeviceInstall_InstallTimeout_Time" valueName="InstallTimeout" minValue="300" maxValue="4294968" />
          </elements>
        </policy>
        <policy name="DeviceInstall_SystemRestore" class="Machine" displayName="$(string.DeviceInstall_SystemRestore)" explainText="$(string.DeviceInstall_SystemRestore_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings" valueName="DisableSystemRestore">
          <parentCategory ref="DeviceInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
        <policy name="DeviceManagement_RPCInterface_Allow" class="Machine" displayName="$(string.DeviceManagement_RPCInterface_Allow)" explainText="$(string.DeviceManagement_RPCInterface_Allow_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Settings" valueName="AllowRemoteRPC">
          <parentCategory ref="DeviceInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_Windows7ToVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
        <policy name="DeviceInstall_AllowAdminInstall" class="Machine" displayName="$(string.DeviceInstall_AllowAdminInstall)" explainText="$(string.DeviceInstall_AllowAdminInstall_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="AllowAdminInstall">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
        <policy name="DeviceInstall_Classes_Allow" class="Machine" displayName="$(string.DeviceInstall_Classes_Allow)" explainText="$(string.DeviceInstall_Classes_Allow_Help)" presentation="$(presentation.DeviceInstall_Classes_Allow)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="AllowDeviceClasses">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <list id="DeviceInstall_Classes_Allow_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceClasses" valuePrefix="" />
          </elements>
        </policy>
        <policy name="DeviceInstall_Classes_Deny" class="Machine" displayName="$(string.DeviceInstall_Classes_Deny)" explainText="$(string.DeviceInstall_Classes_Deny_Help)" presentation="$(presentation.DeviceInstall_Classes_Deny)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceClasses">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <list id="DeviceInstall_Classes_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses" valuePrefix="" />
            <boolean id="DeviceInstall_Classes_Deny_Retroactive" valueName="DenyDeviceClassesRetroactive" >
              <trueValue>
                <decimal value="1" />
              </trueValue>
              <falseValue>
                <decimal value="0" />
              </falseValue>
            </boolean>
          </elements>
        </policy>
        <policy name="DeviceInstall_IDs_Allow" class="Machine" displayName="$(string.DeviceInstall_IDs_Allow)" explainText="$(string.DeviceInstall_IDs_Allow_Help)" presentation="$(presentation.DeviceInstall_IDs_Allow)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="AllowDeviceIDs">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <list id="DeviceInstall_IDs_Allow_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs" valuePrefix="" />
          </elements>
        </policy>
        <policy name="DeviceInstall_IDs_Deny" class="Machine" displayName="$(string.DeviceInstall_IDs_Deny)" explainText="$(string.DeviceInstall_IDs_Deny_Help)" presentation="$(presentation.DeviceInstall_IDs_Deny)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyDeviceIDs">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <list id="DeviceInstall_IDs_Deny_List" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs" valuePrefix="" />
            <boolean id="DeviceInstall_IDs_Deny_Retroactive" valueName="DenyDeviceIDsRetroactive" >
              <trueValue>
                <decimal value="1" />
              </trueValue>
              <falseValue>
                <decimal value="0" />
              </falseValue>
            </boolean>
          </elements>
        </policy>
        <policy name="DeviceInstall_Removable_Deny" class="Machine" displayName="$(string.DeviceInstall_Removable_Deny)" explainText="$(string.DeviceInstall_Removable_Deny_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyRemovableDevices">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
        <policy name="DeviceInstall_Unspecified_Deny" class="Machine" displayName="$(string.DeviceInstall_Unspecified_Deny)" explainText="$(string.DeviceInstall_Unspecified_Deny_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="DenyUnspecified">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
        <policy name="DeviceInstall_Policy_RebootTime" class="Machine" displayName="$(string.DeviceInstall_Policy_RebootTime)" presentation="$(presentation.DeviceInstall_Policy_RebootTime)" explainText="$(string.DeviceInstall_Policy_RebootTime_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="ForceReboot">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <decimal id="DeviceInstall_Policy_RebootTime_Time" valueName="RebootTime" minValue="0" maxValue="4294968" />
          </elements>
        </policy>
        <policy name="DeviceInstall_DeniedPolicy_SimpleText" class="Machine" displayName="$(string.DeviceInstall_DeniedPolicy_SimpleText)" explainText="$(string.DeviceInstall_DeniedPolicy_SimpleText_Help)" presentation="$(presentation.DeviceInstall_DeniedPolicy_SimpleText)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <elements>
            <text id="DeviceInstall_DeniedPolicy_SimpleText_Text" valueName="SimpleText" required="true" maxLength="63" />
          </elements>
        </policy>
        <policy name="DeviceInstall_DeniedPolicy_DetailText" class="Machine" displayName="$(string.DeviceInstall_DeniedPolicy_DetailText)" explainText="$(string.DeviceInstall_DeniedPolicy_DetailText_Help)" presentation="$(presentation.DeviceInstall_DeniedPolicy_DetailText)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <elements>
            <text id="DeviceInstall_DeniedPolicy_DetailText_Text" valueName="DetailText" required="true" maxLength="128" />
          </elements>
        </policy>
        <policy name="DriverInstall_Classes_AllowUser" class="Machine" displayName="$(string.DriverInstall_Classes_AllowUser)" explainText="$(string.DriverInstall_Classes_AllowUser_Help)" presentation="$(presentation.DriverInstall_Classes_AllowUser)" key="Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" valueName="AllowUserDeviceClasses">
          <parentCategory ref="DriverInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <list id="DriverInstall_Classes_AllowUser_List" key="Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses" valuePrefix="" />
          </elements>
        </policy>
        <policy name="DriverSigning" class="User" displayName="$(string.DriverSigning)" explainText="$(string.DriverSigning_Help)" presentation="$(presentation.DriverSigning)" key="Software\Policies\Microsoft\Windows NT\Driver Signing">
          <parentCategory ref="DriverInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsPreVista" />
          <elements>
            <enum id="DriverSigningOp" valueName="BehaviorOnFailedVerify">
              <item displayName="$(string.DriverSign_None)">
                <value>
                  <decimal value="0" />
                </value>
              </item>
              <item displayName="$(string.DriverSign_Warn)">
                <value>
                  <decimal value="1" />
                </value>
              </item>
              <item displayName="$(string.DriverSign_Block)">
                <value>
                  <decimal value="2" />
                </value>
              </item>
            </enum>
          </elements>
        </policy>
      </policies>
    </policyDefinitions>

    Any help would be really appreciated Carl!

    Cheers

    Friday, August 10, 2018 8:30 AM
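
The string values posted in this thread can be checked offline before they are synced to a device. The following is an added example, not code from any of the posters or from Microsoft: it parses each value as an XML fragment and compares the URI leaf and `data id` against the policy and element names declared in the ADMX. The function names, the trimmed ADMX excerpt, and the use of U+F000 (`&#xF000;`) as the list separator are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt: two policies cut down from the ADMX quoted in the
# thread (default namespace and display attributes dropped for brevity).
ADMX_EXCERPT = """
<policyDefinitions>
  <policies>
    <policy name="DeviceInstall_Classes_Deny" class="Machine">
      <elements>
        <list id="DeviceInstall_Classes_Deny_List" />
        <boolean id="DeviceInstall_Classes_Deny_Retroactive" />
      </elements>
    </policy>
    <policy name="DeviceInstall_IDs_Deny" class="Machine">
      <elements>
        <list id="DeviceInstall_IDs_Deny_List" />
        <boolean id="DeviceInstall_IDs_Deny_Retroactive" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""

LIST_SEP = "\uf000"  # assumption: list entries are joined with &#xF000;
G1 = "d48179be-ec20-11d1-b6b8-00c04fa372a7"  # GUIDs quoted in the thread
G2 = "7ebefbc0-3200-11d2-b4c2-00a0C9697d07"
LIST_ID = "DeviceInstall_Classes_Deny_List"

# (URI leaf, payload) pairs; the first three are shortened from the thread.
SAMPLES = {
    "quoted_items": ("DeviceInstall_Classes_Deny",
                     f'<enabled/><data id="{LIST_ID}" value="{G1}";"{G2}"/>'),
    "bare_reference": ("DeviceInstall_Classes_Deny",
                       f'<enabled/><data id="{LIST_ID}" value="{G1}" &#xF000 "{G2}"/>'),
    "element_as_leaf": (LIST_ID,
                        f'<enabled/> <dataid="{LIST_ID}" value="{G1};{G2}"/>'),
    # Constructed: well-formed, policy name as leaf, element id as data id.
    "well_formed": ("DeviceInstall_Classes_Deny",
                    f'<enabled/><data id="{LIST_ID}" value="{G1}&#xF000;{G2}"/>'),
}


def admx_elements(admx_xml):
    """Map each policy name to {element id: element type}."""
    root = ET.fromstring(admx_xml.strip())
    return {
        p.get("name"): {e.get("id"): e.tag for e in p.findall("./elements/*")}
        for p in root.iter("policy")
    }


def lint_payload(uri_leaf, payload, policies):
    """Return a list of problems found in one OMA-URI string value."""
    problems = []
    if uri_leaf not in policies:
        owner = [n for n, els in policies.items() if uri_leaf in els]
        hint = f" (it is an element id of policy {owner[0]})" if owner else ""
        problems.append(f"URI leaf '{uri_leaf}' is not a policy name{hint}")
    try:
        # The payload is a fragment, so wrap it in a dummy root before parsing.
        frag = ET.fromstring(f"<payload>{payload}</payload>")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
        return problems
    children = list(frag)
    if not children or children[0].tag not in ("enabled", "disabled"):
        problems.append("payload must start with <enabled/> or <disabled/>")
    known = policies.get(uri_leaf, {})
    for node in children[1:]:
        if node.tag != "data":
            problems.append(f"unexpected element <{node.tag}>")
        elif uri_leaf in policies and node.get("id") not in known:
            problems.append(
                f"data id '{node.get('id')}' is not an element of {uri_leaf}")
    return problems


def split_on_separator(payload, element_id):
    """Split the value of one <data> element on U+F000 (payload must parse)."""
    frag = ET.fromstring(f"<payload>{payload}</payload>")
    for node in frag.iter("data"):
        if node.get("id") == element_id:
            return node.get("value", "").split(LIST_SEP)
    return []


if __name__ == "__main__":
    policies = admx_elements(ADMX_EXCERPT)
    for name, (leaf, payload) in SAMPLES.items():
        found = lint_payload(leaf, payload, policies)
        print(name, "->", found or "no problems found")
```

A clean result only means the value parses and names a declared policy and element; it does not show that the device will accept it.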
        </policy>
        <policy name="DeviceInstall_Policy_RebootTime" class="Machine" displayName="$(string.DeviceInstall_Policy_RebootTime)" presentation="$(presentation.DeviceInstall_Policy_RebootTime)" explainText="$(string.DeviceInstall_Policy_RebootTime_Help)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" valueName="ForceReboot">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_Windows7" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <decimal id="DeviceInstall_Policy_RebootTime_Time" valueName="RebootTime" minValue="0" maxValue="4294968" />
          </elements>
        </policy>
        <policy name="DeviceInstall_DeniedPolicy_SimpleText" class="Machine" displayName="$(string.DeviceInstall_DeniedPolicy_SimpleText)" explainText="$(string.DeviceInstall_DeniedPolicy_SimpleText_Help)" presentation="$(presentation.DeviceInstall_DeniedPolicy_SimpleText)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <elements>
            <text id="DeviceInstall_DeniedPolicy_SimpleText_Text" valueName="SimpleText" required="true" maxLength="63" />
          </elements>
        </policy>
        <policy name="DeviceInstall_DeniedPolicy_DetailText" class="Machine" displayName="$(string.DeviceInstall_DeniedPolicy_DetailText)" explainText="$(string.DeviceInstall_DeniedPolicy_DetailText_Help)" presentation="$(presentation.DeviceInstall_DeniedPolicy_DetailText)" key="Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy">
          <parentCategory ref="DeviceInstall_Restrictions_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <elements>
            <text id="DeviceInstall_DeniedPolicy_DetailText_Text" valueName="DetailText" required="true" maxLength="128" />
          </elements>
        </policy>
        <policy name="DriverInstall_Classes_AllowUser" class="Machine" displayName="$(string.DriverInstall_Classes_AllowUser)" explainText="$(string.DriverInstall_Classes_AllowUser_Help)" presentation="$(presentation.DriverInstall_Classes_AllowUser)" key="Software\Policies\Microsoft\Windows\DriverInstall\Restrictions" valueName="AllowUserDeviceClasses">
          <parentCategory ref="DriverInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsVista" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
          <elements>
            <list id="DriverInstall_Classes_AllowUser_List" key="Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses" valuePrefix="" />
          </elements>
        </policy>
        <policy name="DriverSigning" class="User" displayName="$(string.DriverSigning)" explainText="$(string.DriverSigning_Help)" presentation="$(presentation.DriverSigning)" key="Software\Policies\Microsoft\Windows NT\Driver Signing">
          <parentCategory ref="DriverInstall_Category" />
          <supportedOn ref="windows:SUPPORTED_WindowsPreVista" />
          <elements>
            <enum id="DriverSigningOp" valueName="BehaviorOnFailedVerify">
              <item displayName="$(string.DriverSign_None)">
                <value>
                  <decimal value="0" />
                </value>
              </item>
              <item displayName="$(string.DriverSign_Warn)">
                <value>
                  <decimal value="1" />
                </value>
              </item>
              <item displayName="$(string.DriverSign_Block)">
                <value>
                  <decimal value="2" />
                </value>
              </item>
            </enum>
          </elements>
        </policy>
      </policies>
    </policyDefinitions>

    Any help would be really appreciated Carl!

    Cheers

    Friday, August 10, 2018 8:31 AM
  • Matt Shadbolt posted this just yesterday, which may give you some additional troubleshooting help:

    https://blogs.technet.microsoft.com/configmgrdogs/2018/08/09/troubleshooting-windows-10-intune-policy-failures/?utm_source=dlvr.it&utm_medium=twitter

    Another thing to read in depth is Oliver's blog posts that I mention in my post - he covers some of the pre-reqs for ADMX backed templates (you may have already checked the pre-reqs and Andy has also had a look so it's likely that it's OK to deploy in this way)

    Finally - if I get a chance I will try to bung this into my lab and see what results I get too and post back ;)


    Carl Barrett | Web: carlbarrett.uk | Twitter: @CarlBarrett

    Friday, August 10, 2018 8:38 AM
  • Ayup Carl.

    I'll review that blog and take a good read.  I'll also re-review Oliver's blog post.

    If you do get chance to bung into your lab, great.  That would be appreciated.  Still trying to understand the custom policies - it will all click soon!

    All the best

    Saturday, August 11, 2018 7:47 AM
  • Still having difficulty finding the time to get this into my lab - I made a start but in the meantime I remembered this came out a few months back which might be of use:

    https://docs.microsoft.com/en-gb/windows/client-management/mdm/understanding-admx-backed-policies

    Shame he uses the old console but many of the principles are the same


    Carl Barrett | Web: carlbarrett.uk | Twitter: @CarlBarrett

    Thursday, August 16, 2018 2:06 PM
  • Got this into my lab and I get the same - read lots of blogs that describe how to deploy similar settings but nothing seems to help - I'm tempted to raise a ticket

    Carl Barrett | Web: carlbarrett.uk | Twitter: @CarlBarrett

    Wednesday, August 22, 2018 7:27 AM
  • Finally after much trial and error I got the correct configuration - please see below and adjust for your environment:

    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses

    Data Type: String

    <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="false"/><Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;123&#xF000;2&#xF000;456&#xF000;3&#xF000;789"/>

    As you can see the key value pairs are broken up numerically - it's easier to see this via local GPO - in my example I have created 3 device classes which look like 1 = 123, 2 = 456, 3 = 789 in the registry.  You will substitute your device classes in obviously ;)


    The thing that confused me the most is that you also need to specify the boolean value for the 'DeviceInstall_Classes_Deny_Retroactive' policy too - without this you get an error.

    Setting 'DeviceInstall_Classes_Deny_List' to <disabled/> creates the registry entry for 'DeviceInstall_Classes_Deny_Retroactive' for you but enabling it does not...hence you must explicitly declare it

    Hope this helps

    Carl 


    Carl Barrett | Web: carlbarrett.uk | Twitter: @CarlBarrett


    • Edited by Carl_B_ Wednesday, August 29, 2018 10:30 AM
    • Proposed as answer by Carl_B_ Wednesday, August 29, 2018 10:31 AM
    Wednesday, August 29, 2018 10:29 AM
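The value format described in the answer above, as an added example that is not part of the original thread or any Microsoft tooling: a small builder and pre-flight checker for the String value, so a malformed list or a missing DeviceInstall_Classes_Deny_Retroactive element is caught before the profile is assigned. The function names `build_value` and `check_value` are hypothetical, and the builder assumes `<data>` is written in lowercase for both elements.

```python
import html
import re

SEP = "\uf000"  # the character written as &#xF000; in the posted value
LIST_ID = "DeviceInstall_Classes_Deny_List"
RETRO_ID = "DeviceInstall_Classes_Deny_Retroactive"
DATA_RE = re.compile(r'<data\s+id="([^"]*)"\s+value="([^"]*)"\s*/>', re.IGNORECASE)

def build_value(classes, retroactive=False):
    """Build the String value: numbered name/value pairs joined by &#xF000;."""
    fields = []
    for index, cls in enumerate(classes, start=1):
        if not cls.strip() or SEP in cls:
            raise ValueError(f"unusable list entry: {cls!r}")
        fields += [str(index), html.escape(cls)]
    joined = "&#xF000;".join(fields)
    # Assumption: <data> is lowercase for both elements.
    return (f'<enabled/><data id="{RETRO_ID}" value="{str(retroactive).lower()}"/>'
            f'<data id="{LIST_ID}" value="{joined}"/>')

def check_value(payload):
    """Return (pairs, problems) for a candidate OMA-URI String value."""
    problems = []
    elements = dict(DATA_RE.findall(payload))
    leftover = DATA_RE.sub("", payload).replace("<enabled/>", "", 1).strip()
    if not payload.lstrip().startswith("<enabled/>"):
        problems.append("value does not start with <enabled/>")
    if leftover:
        problems.append(f"text outside <data .../> elements: {leftover[:40]}")
    if elements.get(RETRO_ID) not in ("true", "false"):
        problems.append(f"{RETRO_ID} not declared as true/false")
    fields = html.unescape(elements.get(LIST_ID, "")).split(SEP)
    if fields == [""]:
        problems.append(f"{LIST_ID} missing or empty")
        return [], problems
    if len(fields) % 2 or not all(fields):
        problems.append("list is not complete name/value pairs")
        return [], problems
    return list(zip(fields[0::2], fields[1::2])), problems

if __name__ == "__main__":
    # Placeholder class values 123/456/789, as used in the answer above.
    value = build_value(["123", "456", "789"])
    print(value)
    print(check_value(value))
```

A value that passes `check_value` is only structurally sound; the result on the device still has to be confirmed under the `DenyDeviceClasses` registry key named in the ADMX.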