IntuneDeviceConfigurationCustomPolicyWindows10: Error decrypting OmaSetting with SecretReferenceValueId #4412
Comments
|
@skghq: Please show the output of the following: $Policies = Get-MgBetaDeviceManagementDeviceConfiguration `
-ErrorAction SilentlyContinue | Where-Object -FilterScript {
$_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration"
}
$it = 1
foreach ($Policy in $Policies)
{
foreach ($omaSetting in $Policy.AdditionalProperties.omaSettings.secretReferenceValueId)
{
$Message = "{0}: {1} / {2}" -f $it, $Policy.DisplayName, $omaSetting
Write-Output $Message
}
++$it
} |
|
Unredacted as it likely matters. Let me know when I can edit my comment: |
|
@ricmestre Forgot to tag you in last comment. Thanks -- I was hoping you would pick up this ticket. |
|
That doesn't make sense, the errors you posted originally "Error decrypting OmaSetting with SecretReferenceValueId secret_key" and "Error decrypting OmaSetting with SecretReferenceValueId secret_key:", did you actually edited what was in the "secret_key"? Was it a GUID? I'm asking because that string should appear in what I requested you to post now and I don't see the string "secret_key" anywhere. But in case that you edited that string and it was like a GUID then it means you, don't have permission to read those OMA settings and the code is actually correct. |
|
You can test the below, it's the policy number 4 called "FP: Production: Windows 10: Default apps", it will give you the same forbidden error message. $Uri = "/beta/deviceManagement/deviceConfigurations/a4bb78a1-3272-4f19-845e-f504b65afc64/getOmaSettingPlainTextValue(secretReferenceValueId='3ac13eed-7b30-4d90-8300-5ebe12130cc8_a4bb78a1-3272-4f19-845e-f504b65afc64_9f9e5b56-522e-4d47-8983-67a8d9cf099e')"
$Result = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop |
|
@ricmestre Yes it was redacted and incomplete. Thanks for the bit of test code -- that lead to the actual problem. I have it working now. Added consent for I'm not closing this ticket -- in case something should be updated with Update-M365DSCAllowedGraphScopes ? Kind of a grey area since you need ReadWrite when only reading? Let me know if I should close. Thanks. |
|
Did you have DeviceManagementConfiguration.Read.All already assigned to your account and it started working after you consent to ReadWrite? That's not supposed to be required according to https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-deviceconfiguration-getomasettingplaintextvalue?view=graph-rest-beta, they say Read should be enough so probably it's an API problem. |
|
@ricmestre : DeviceManagementConfiguration.Read.All has admin consent for the application. So not to my account -- but it should have worked if that was all that was required. What do we do with API problems? Close this issue and let MSFT sort it out? |
|
Yeah I meant the app, if that was the case then raise a ticket with MS support for your tenant. I didn't test it yet on my side with Read only but probably I'll also have the same issue. |
|
@ricmestre Outside the scope of MSFT365DSC -- How does this work with MSFT: We have multiple tenants. Would something like that be identified as a bug and rolled out globally, or, per tenant when requested? |
|
I'm not from MS but if it's a global problem ideally it should be solved for everyone and not upon request, in your case if you have multiple tenants then just test it on all of them and if it also happens there as well then let them know, if it's just an isolated case (because you didn't test your other tenants) then they will probably not pay much attention to your ticket as they would if you tell them all your tenants have the same issue. |
|
@ricmestre Thanks. Unfortunately I only have Intune with a single tenant. Do you want me to leave this opened until you can test or close it out? |
|
From one of those affected policies give me a screenshot of how it's setup, you can obfuscate the value just let me know if it's an integer or string and I can try to replicate on my side. |
|
That one is not affected :) Show me for example this one "FP: Production: Windows 10: Default apps", give me the full OMA-URI please. |
|
@ricmestre gah! That's embarrassing... apologies :) |
|
Got exactly the same issue as you, by any change is that string a base64 encoded value? Could you please check if the other affected policies also have base64 encoded values as their string? |
|
Nah, never mind, I had another policy that always worked with a single integer and I can't extract it anymore without ReadWrite. Definitely an API issue, but at the very least it's a documentation issue since it implies ReadWrite is not needed to call that function. You can mention this issue you raised here in your ticket so they can see the comments, but you should close it since it's not an M365DSC issue. |
|
Actually... @andikrueger what about the settings.json file? it would need to be updated to have ReadWrite in the read section. |
|
@ricmestre Since I had compiled the list before I saw your test with an integer... here it is anyways: FP: Production: Windows 10: Default apps - string/Appears to be base64 encoded string. I didn't try decoding. |
|
@ricmestre I have opened a support case. Let me know if anyone needs the number. |
|
@andikrueger only keeping this open until you weigh in on @ricmestre 's comment re: settings.json. It does seem that, despite documentation, ReadWrite is required. Feel free to close otherwise. |
|
@ricmestre: Could you raise an issue within the graph PowerShell SDK repo as well? I just compared the list of permissions given by .read. and .readwrite. There is a difference in these endpoints GET /deviceManagement/applePushNotificationCertificate/downloadApplePushNotificationCertificateSigningRequest We recently introduced a QA pipeline to monitor the read section for only read permissions. We can overcome this by adding this resource to the Allow list, but I would prefer this to be properly fixed. |
|
Since this is an API issue, which this is, their answer is always to raise a ticket with the support of the tenant. But maybe raise a ticket with the metadata team instead? |
|
@ricmestre @andikrueger I opened a support case in my tenant. I opened it with the API/Graph team but it was handed over to the Intune team. I spoke with the support tech and outlined the issue. I had also linked here so they had the complete history. I was told since the case was reassigned to the Intune department, and not the API department, they had to close the ticket because I was able to work around it by granting Read/Write access. They said they would share my feedback with the API team and they may send that over to engineering to resolve. All of that correspondence would be done outside of my case. They also said they would let me know if they hear back. All of that being said... it's probably best to just add Read/Write to the default permissions to prevent more people from having the same issue until it is resolved? Technically Read/Write is required by MSFT, due to what we deem as a bug, but it is required. |
|
@andikrueger What do you think we should do here? It's clearly an API issue since their docs say Read is enough but actually isn't, and it's not an SDK problem so we cannot report this to the Graph PS SDK team. Without changing this permission to ReadWrite the resource will fail to be processed correctly. |
|
Thanks for the reminder on this topic. I’ll check if there are any update |
Description of the issue
When exporting IntuneDeviceConfigurationCustomPolicyWindows10 the majority fail. A handful work.
Command:
Export-M365DSCConfiguration -Components @("IntuneDeviceConfigurationCustomPolicyWindows10") -Credential $Credential -Path $FilePath -FileName $FileName -Debug -VerboseProduces (notice the error logs):
Connecting to {MicrosoftGraph}...✅
[1/1] Extracting [IntuneDeviceConfigurationCustomPolicyWindows10] using {Credentials}...
|---[1/17] Allow Optional Content✅
|---[2/17] Credential Guard (test)✅
|---[3/17] XX Production Windows 11: Disable Comsumer Experience✅
|---[4/17] XX Production: Windows 10: Default apps Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[5/17] XX Production: Windows 11 -Skip Account Setup - ESP✅
|---[6/17] XX Production: Windows 11: Custom Start Layout Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[7/17] XX Production: Windows 11: Disable Cortana✅
|---[8/17] XX Production: Windows: Create Local Admin Account Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[9/17] XX Testing: Windows 11: Custom Start Layout 1 Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[10/17] XX Testing: Windows: Denver Local Time Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[11/17] xx-Disable-Copilot✅
|---[12/17] XXYY: Reference: Default apps (unassigned) Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[13/17] XXYY-Production-Custom device setups-(CSPs) Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[14/17] XX-Production-Windows 11-Default Apps Complete Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[15/17] OLD_XX Production: Windows 11: Default apps Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[16/17] W365: Default Application Settings Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
|---[17/17] W365: GDPR - AppLocker Policy Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log}
✅
⌛ Export took {16 seconds}
Transcript stopped, output file is C:\temp\scott\debug2\log\IntuneDeviceConfigurationCustomPolicyWindows10.txt
The error logs:
Microsoft 365 DSC Version
1.24.228.1
Which workloads are affected
other
The DSC configuration
Verbose logs showing the problem
Environment Information + PowerShell Version
The text was updated successfully, but these errors were encountered: