Recently on a client build, we noticed that the Windows Autopatch – Office Configuration configuration policy was reporting problems assigning… On the basis this is an automatically configured profile, you’d assume, as long as the requirements are met, that it would apply. Notice, this isn’t a conflict, but instead an error.
When probing, and reviewing the per-setting report, you can see that the “Update Channel” is the root cause of this error.
Digging deeper, the exact error, albeit rather useless -at least within the UI- is “65000”. What does the error 65000 relate to? This is best explained by Rudy Ooms over at his blog Intune Error Code 65000 | Licensing | ADMX missing (call4cloud.nl)… In short, whenever I have faced 65000 errors, it has ALWAYS been ADMX related.
So, as with any troubleshooting steps… we identified a known good device, and set about comparing the differences. After much poking, many hours, we identified that on the working device, a Reg Key named office16v2.Updates~Policy~L_MicrosoftOfficemachine~L_Updates, under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault\RandomID\ was present and then under that, another key called L_UpdateBranch. The RegKeyPathRedirect for this key points to software\policies\microsoft\office\16.0\common\officeupdate, which when you browse to that on a working device, you get, in words the Branch name used by Office for its updates. Which in our case, and as required for Autopatch, was MonthlyEnterprise. This is expected behaviour…
NOTE (!)
The key office16v2.Updates~Policy~L_MicrosoftOfficemachine~L_Updates should not be confused with office16v2~Policy~L_MicrosoftOfficemachine~L_Updates. There are slight differences, perhaps even by mistake on Microsoft’s part?
So why then, is this key missing from a whole load of devices? How did this key find its way on to a small amount of devices, but not others? I don’t have an answer for that, yet… but I was able to find a “fix”, or should that be cure?
The screenshot below, shows a device without the key, and sure enough, reports Error 65000 in Intune.
So what’s the “fix”?
More by luck than anything, I toggled the Microsoft 365 app updates setting within Intune > Devices > (Autopatch) Release Management > Release Settings, it was toggled OFF (Block?) and then back ON (Allow).
Shortly after toggling this option, it was observed that the number of assignment failures were dropping. A closer inspection on a device that was previously failing revealed that the Registry Key was now present… and then a short while later, the Configuration Profile reported back as a “Success”.
Annoying, yes. But always nice to get a win in the bag.
Leave a Reply