Getting error -2016281112 ("Remediation failed") in Intune when deploying Settings Catalog policies? This is usually a false-positive error. The policy likely applied successfully, but Intune can't verify it because the CSP doesn't support read operations.

What Causes Error -2016281112

Error -2016281112 appears when:

1. Intune deploys a Settings Catalog policy

2. The device applies the policy successfully

3. Intune tries to read back the setting to verify

4. The CSP returns "GET operation not supported"

5. Intune reports "remediation failed"

Common triggers:

- Password policies (users/username/password CSP)

- Chrome policies requiring ADMX

- Local administrator account creation

The underlying configuration usually works. The error just means Intune can't validate it.

How to Tell If the Policy Actually Failed

Check if the policy applied despite the error.

For Password Policies

# Check if password requirements are enforced
Get-LocalUser | Select-Object Name, PasswordRequired, PasswordLastSet

# Try to set a weak password on a test account
# If the policy works, Windows will reject it

For Chrome Policies

# Check Chrome extensions
# Open Chrome: chrome://extensions

# Or check registry
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Google\Chrome"

For Local Admin Accounts

# Check if account exists
Get-LocalUser | Where-Object {$_.Name -eq "YourAdminAccountName"}

# Check group membership
Get-LocalGroupMember -Group "Administrators"

If the configuration is present, the policy worked despite the error.

The Fix

If the policy actually failed (configuration is missing):

Step 1: Check for Conflicting Policies

# In Intune portal: Devices > [Your Device] > Device configuration
# Look for multiple policies targeting the same CSP
# If you see 2+ policies configuring passwords or Chrome, consolidate them

Step 2: Use an Alternative Deployment Method

For password policies:

- Use Account Protection policy instead of Settings Catalog

- Or deploy via PowerShell script through Intune Remediations

For Chrome policies:

- Use Administrative Templates instead of Settings Catalog

- Or deploy via registry script

For local admin accounts:

- Use LAPS (Local Administrator Password Solution) instead of CSP

- Or deploy via PowerShell script

Step 3: Suppress the Error (If Policy Works)

If the policy works but Intune reports error -2016281112, you can't hide the error directly. Options:

Option A: Document it. Note in your runbook: "Error -2016281112 expected for [policy name] due to CSP read limitation—verify functionality manually."

Option B: Use Intune Remediation scripts instead of Settings Catalog policies to control success/failure reporting.

Which CSPs Trigger This Error

./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups - Local admin accounts (Can't read passwords)

./User/Vendor/MSFT/Policy/Config/Authentication/PasswordComplexity - Password policies (Security restriction)

./Device/Vendor/MSFT/Policy/Config/Chrome/* - Chrome settings (Chrome CSP doesn't support GET)

./Device/Vendor/MSFT/Policy/Config/ADMX_* - ADMX policies (Some are write-only)

Prevention

Test Settings Catalog policies in pilot groups and verify configuration manually on test devices. Use built-in policy types instead of generic Settings Catalog when available. Document expected errors in your runbook so your team doesn't waste time troubleshooting false positives.

Need hands-on help? Contact RainCity Techworks.