This blog covers a weird issue where Windows Update client policies deployed through Intune began to fail after devices were upgraded to Windows 11 24H2. As soon as the upgrade finished and the Windows Update Client policy was applied, you might see error code 65000, 2016281112, or 201628111 showing up in Intune.
Introduction
You might already be familiar with error code 65000 from another blog we wrote about ADMX ingestion being broken. If not, you can read more about that scenario here: Intune Settings Catalog Error Code 65000. That blog shows you what happens under the hood of the ADMX ingestion and is pretty important to know when troubleshooting Policy issues.
In this blog, I’ll focus on a different reason why 2016281112 (Recovery Failed) and 201628111 (Not Applicable) appear in Intune, specifically when deploying Windows Update client policies on devices that have recently been upgraded to Windows 11 24H2.
Even though the built-in WindowsUpdate.admx file was present, the update policy still failed with error 2016281112 or 201628111. Let’s take a closer look at why that happens and how to fix it.
Windows Update Client Policies: Error 2016281112
Let’s say, you’ve configured some Windows Update Client policies through Intune by configuring the Update Rings. Everything looked fine…until some devices, the ones recently upgraded to Windows 11 24H2, started failing.
Policy deployment status: failed. Error: 2016281112/201628111.
The Windows Update Client policy won’t apply, and Intune shows the 2016281111 / -2016281112 status error. Looking at the error details, you’ll see something like:
The system cannot find the file specified.
URI: ./Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesPeriodInDaysThe Windows Update Client policy itself is valid. It worked before, and it still works on freshly installed machines. However, it appears that on some devices, the Windows 11 feature update may silently fail. Let’s dig in on why that happened and why those Windows Update Client policies are failing.
Looking at the Device: Missing Default Update Policies
Once we were able to log in to such a problematic device, things became even more confusing. I was expecting the WindowsUpdate.admx to be missing in action… which would have made a lot of sense, when looking back at the “the system cannot find the file specified” error. However, the WindowsUpdate.admx file was present in C:\Windows\PolicyDefinitions.
However, when you check the registry under HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update, you will notice that most of the usual subkeys are missing.
As shown above, there’s no DeferQualityUpdatesPeriodIn Days. No ConfigureDeadlineForFeatureUpdates.
This is why Intune reports error -2016281112, and why the policy ends in failure code 65000, the CSP URI doesn’t exist because the backing registry structure wasn’t created.
Background: What Should Have Happened
When a Windows device is freshly installed, even without any internet connection, the OS automatically creates a base set of policy registry keys under: HKLM\SOFTWARE\Microsoft\PolicyManager\default
This includes default nodes like Update, WiFi, and SmartScreen. These keys are created as part of OS setup, long before Intune or any MDM enrollment ever occurs.
The DLL responsible for this is PolicyManager.dll, and it builds out the initial policy structure based on built-in ADMX templates like WindowsUpdate.admx. On a clean install, this always works (well, it should).
But it seems after a feature update from, such as updating from Windows 11 22H2 to 24H2, this initialization sometimes fails silently. The OS upgrade process skips or breaks the step where it needs to recreate the policy provider structure. Even though the Windows Update ADMX file is present, the CSP paths it defines cannot be used because there is no registry mapping in the policymanager\default.
When Intune pushes a policy tied to one of those missing CSPs, it fails with: Error code: -2016281112 (SyncML error 404) / Intune status: 65000
And because this failure occurs within the OS, no logs or Event Viewer entries ever mention the actual root cause.
Fixing the Windows Update Client Policy error: 2016281112
1. Validate the ADMX file
First, check that WindowsUpdate.admx is present in: C:\Windows\PolicyDefinitions
Open the ADMX file and check if it contains all the settings that are causing the error. Ensure the ADMX is up to date and valid.
If the WindowsUpdate.admx itself is missing, you have a different problem. If it’s there, the issue lies in the policy platform, not the ADMX file itself.
2. Check if the CSP-backed registry keys exist
Open regedit and open this registry key: HKLM\SOFTWARE\Microsoft\PolicyManager\default\Update
Look for values like DeferQualityUpdatesPeriodInDays. If these are missing, you’ve found your problem. The Update Policy root was never initialized, and Intune’s Update Ring or Settings Catalog policy fails with error code 65000 or -2016281112 because it can’t bind to that nonexistent path.
3. Option A: Copy from a working device
Export the full PolicyManager\default\Update registry node from a clean working 24H2 system. Import it into the broken device using: reg import UpdateFix.reg
This restores the missing structure, allowing the CSP to function as expected. Simple fix, right? Of course, you can also script this. To script this, you need to export the existing update registry node from a working device to base64. Once you have the base64 export, you can push a PowerShell script to import it on those breaking devices.
4. Option B: Rebuild using a PowerShell script
Use a script that programmatically creates the registry keys default\Update based on what should have been created during OS setup. This method avoids needing another machine and rebuilds the entire Update policy node by parsing WindowsUpdate.admx directly.
- Identifies the correct WMI class for the Update policy area
- Recompiles the
DMWmiBridgeProv.mofif the class is missing - Extracts metadata (like value ranges and group policy blocking paths) from the ADMX file
- Writes all required fields (
mergealgorithm,policytype,GPBlocking*,Behavior, and defaultvalue) into the registry
It closely mirrors what the OS should have done during feature setup and ensures the PolicyManager\default\Update structure matches the real policy contract defined in the system.
5. Option C: Full re-enrollment to fix 2016281112
As a last resort, unenroll the device, clean up the MDM enrollment keys, and re-enroll. This forces the CSPs and policy platform to rebuild fully ,but it’s the most disruptive and slowest option… and the option we always try to avoid!
What You’ll See in Logs or Intune when the Windows Update Client Policies are Failing
- Intune reports the policy as failed with an error code 2016281111 / 2016281112
- SyncML responses show:
404 The system cannot find the file specified. - Event Viewer gives no usable context
- On the device, registry values for expected CSPs like
DeferQualityUpdatesPeriodInDaysare simply missing - Nothing gets applied
Error Code: -2016281112 Wrap-up
This is a classic case of a feature update breaking something silently.
The policy works. The CSP exists. The ADMX file is present. However, after an upgrade, the system fails to rebuild part of its policy backbone, and Intune is left attempting to check and write to a registry path that doesn’t exist.
If you’re rolling out Windows 11 24H2 and start seeing Update Ring errors with code 65000 or -2016281112, don’t assume the policy is wrong. Check the registry. If the backing structure is gone, you now know how to restore it.