micke-k / intunemanagement

Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.

License: MIT License

PowerShell 99.69% Batchfile 0.04% C# 0.28%
intune msal powershell-script microsoft graph-apis endpoint-manager documentation ms-graph ms-graph-api powershell

intunemanagement's People

Contributors

cstaubli, ee61re, micke-k


intunemanagement's Issues

Custom OMA-URI values encrypted after export/import

Hi,

We have been seeing a weird issue after we have done an export and import to a tenant. All values from what we can tell get set as encrypted and all we see in the values is "***"

Chrome-failure

Chrome-EncrypedValues

We discovered this issue for the first time when we tried to import some policies for Google Chrome. But we have also seen this happening to our ADMX OMA-URI policy for Lenovo Commercial Vantage.
So far the only solution we have found is to manually recreate the values that get encrypted.

Edit: This has happened around 4 times the last 2 months.

PshScripts Export with wrong Encoding

Hi Micke,
When I export psh scripts they export as UTF16LEBOM encoding; then when I reimport them back in they can't run. I believe they need to be UTF8.

Cheers.

Kiosk Template Policy - Documentation

Hi Micke,

I noticed documentation of kiosk template doesn't document the kiosk profile settings within it. Instead it just shows the text "Policy;"
See attachment.

Cheers.

image

Unable to import software update settings

Hello,

Appears to be the same issue as previous when importing configuration items (date \ time). I've followed the fixes docx but the issue persists with the software update configuration items. I assume it's due to the following fields in the SU config json files:

"qualityUpdatesPauseExpiryDateTime": "/Date(-62135596800000)/",
"featureUpdatesPauseExpiryDateTime": "/Date(-62135596800000)/",
"qualityUpdatesRollbackStartDateTime": "/Date(-62135596800000)/",
"featureUpdatesRollbackStartDateTime": "/Date(-62135596800000)/",

I have resolved this by updating the ConfigurationItems.psm1 file and adding in the above items into line 217 so the line should read:

Invoke-GraphRequest -Url "/deviceManagement/deviceConfigurations" -Content (ConvertTo-Json ($obj | Select-Object -Property * -ExcludeProperty createdDateTime, lastModifiedDateTime, qualityUpdatesPauseExpiryDateTime, featureUpdatesPauseExpiryDateTime, qualityUpdatesRollbackStartDateTime, featureUpdatesRollbackStartDateTime) -Depth 5) -HttpMethod POST

Hope this helps

Load Settings from json

Looking further at documentation. On the jumpbox (without word) I can export the configuration to all the json files and then copy to a workstation (that does have word installed). If it were possible to 'Load' the configuration (without importing) and then document from the loaded configuration, that would be awesome.

Cheers

Feature request: Select columns

Hey,

as already mentioned, I started to love this tool.
Makes administrating a big environment much more comfortable.

What I am asking is if it is possible to give the possibility to select columns/info?

Thanks for a reply.

Greetz Dominik

Feature Request - GCC High support

Hey!

Wanted to say that you make a pretty awesome tool here and I really appreciate you putting this together. This might be a big ask - are there any plans to support GCC High (or any non commercial cloud environments) by any chance? I'd love to be able to use this tool in GCC High tenants, but I'm only able to hack together enough for a few functions to work.

Thanks for such an awesome tool!

Missing policies

If you create policies under these nodes, they don't seem to show up in the UI

image

Feature Request - Conditional Access - Terms of use

Hello!

Your tool is awesome and I really appreciate you putting this together.

Have you considered adding support for managing "Conditional Access - Terms of use" settings. Not the Microsoft Endpoint Manager Tenant admin | Terms and conditions, but the Terms of Use as part of Conditional Access?

Thank you for such an awesome tool!

Security Baseline - controls in export and UI do not match

This is a list of controls I found in the UI, that are not in the json export of the security baseline

| Control | Category | Description |
| --- | --- | --- |
| PreventSmartScreenPromptOverride | Browser | Block malicious site access |
| PreventSmartScreenPromptOverrideForFiles | Browser | Block unverified file download |
| BehaviorOfTheElevationPromptForAdministrators | Local Policies Security Options | Administrator elevation prompt behavior |
| OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations | Local Policies Security Options | Allow UI access applications for secure locations |
| PreventOverrideForFilesInShell | Smart Screen | Block execution of unverified files |

These are controls I found in the json export, that I was unable to associate with a control exposed by the azure intune UI.

| DefinitionId | Category | Description |
| --- | --- | --- |
| deviceConfiguration--windows10GeneralConfiguration_smartScreenBlockPromptOverride | Browser | ?? |
| deviceConfiguration--windows10GeneralConfiguration_smartScreenBlockPromptOverrideForFiles | Browser | ?? |

Your app is not ready yet. Check back again soon

When exporting and importing Windows apps the app is created but the app cannot be used. The message is: 'Your app is not ready yet. Check back again soon'. When I look at the export folder the MSI file is missing.

For example: I created a 7-Zip app. The export is a 7-Jip.json file. In the 7-Jip.json file there is a line: "fileName": "7z1900-x64.msi".
But the required msi file is missing.

Feature Request: Comparison View

Hi Micke-K

Is there a roadmap to have a comparison feature, i.e. create an Intune policy, export that golden image policy to a json file and then later do a comparison to check if there has been any changes?

Documentation related functions cause an exception when calling "Parse" on machines with date format dd/mm/yyyy.

Documentation related functions cause an exception when calling "Parse" on machines with date format dd/mm/yyyy.
or month and day are swapped if day value 12 or below

Error:

Get documentation info for Prod_Win_WindowsUpdates_Broad (Update Policies)
MethodInvocationException: Exception calling "Parse" with "1" argument(s): "String '02/15/2022 01:50:53' was not recognized as a valid DateTime."
InvalidOperation: You cannot call a method on a null-valued expression.
InvalidOperation: You cannot call a method on a null-valued expression.

Code: Documentation.psm1

Document button is grey when initially selecting all

Hopefully an easy one. If I select the tickbox at the top and hence select all items, the Document button stays greyed out. Work around is to select one of the individual items and then select the top tickbox. Document button then behaves as expected.

image

Error when starting application

Using MSAL file C:\IntuneManagement-master\Microsoft.Identity.Client.dll. Version: 4.29.0.0
Add-Type : Ingen tilgang til banen C:\IntuneManagement-master\CS\TokenCacheHelperEx.cs.
At C:\IntuneManagement-master\Extensions\MSALAuthentication.psm1:407 char:5
+     Add-Type -Path ($global:AppRootFolder + "\CS\TokenCacheHelperEx.c ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-Type], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.AddTypeCommand

Translation: Add-Type : Ingen tilgang til banen - No access to the filepath

All files are untouched, and I see the dll file in the dir

Intune Tools - ADMX Ingestion error in Import

Hi, loving the new features and thought would give it a go with an ADMX import policy. Anything to save time is brilliant!

I have loaded inetres.admx (no adml) file and tried enabling the top 7 settings within $(string.InternetCPL) to block Internet Options in Control Panel e.g. Advanced Tab down to Restrict Security Tab.

When clicking on import and checking the log files I get this error

Failed to invoke MS Graph with URL https://graph.microsoft.com/BETA/deviceManagement/deviceConfigurations (Request ID: 1ebf6dec-b3a4-4ed8-9185-dcedc6a4dd4b). Status code: BadRequest

Have Microsoft changed the api or are additional security permissions required etc? Many thanks for any help!

Justin

deviceEnrollmentConfigurations filter not accepted by microsoft graph api

Query:https://graph.microsoft.com/BETA/deviceManagement/deviceEnrollmentConfigurations?$filter=not endsWith(id,'Windows10EnrollmentCompletionPageConfiguration')
Status code: InternalServerError

Graph is not accepting filter containing endswith for deviceEnrollmentConfigurations, this is impacting 'Enrollment Restriction' and 'Enrollment Status Page', same result with graph explorer.

This seems to be a recent issue, I have not been able to locate an impacting change in https://developer.microsoft.com/en-us/graph/changelog/

Thanks for your work.

Documentation feature does not replace illegal character in Configuration name

I just tried to document several configuration profiles which contain a "/" in the configuration name. The documentation feature is unable to save the CSV files probably caused by the illegal character for a Windows filesystem.

image

Maybe you could add to row 3677 in Extensions/Documentation.psm1 something like this:

$itemsToExport | Out-File ($folder + "$($objName.Split([IO.Path]::GetInvalidFileNameChars()) -join '_').csv") -Encoding UTF8 -Force

Thanks for the great tool btw!!!

Copy application not working

the functionality to copy application doesn't download and upload the app content.

The application created is unusable :
Your app is not ready yet. If app content is uploading, wait for it to finish. If app content is not uploading, try creating the app again.

Error when exporting Compliance Policies

Hi,
Great project! This tool has soooo many features and nice additions the Microsoft Endpoint Manager interface doesn't.

I get this error when exporting Compliance Policies, and choose not to export Assignments - I do not see this error on e.g. Conditional Access or Windows Update policies.

Loading Compliance Policies objects
Export Compliance Policies
Export WS-C-Windows Compliance - Microsoft Defender BitLocker settings
Loading WS-C-Windows Compliance - Microsoft Defender BitLocker settings
Failed to export object Exception: Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
Export WS-C-Windows Compliance - Microsoft Defender Firewall settings
Loading WS-C-Windows Compliance - Microsoft Defender Firewall settings
Failed to export object Exception: Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Re-enabling Export Assignments, exports all Compliance Policies as expected.

Thank you for your great work, very much appreciated!

Generalise JSON files

Is it possible to strip out the ID, Created Date, Modified Date of the JSON files that are exported please?

Feature request: Assigning multiple policies

Hi,
I have used your tool quite a bit lately, and I seem to find new features all the time, and it is awesome!

I often end up importing policies and settings into a tenant, without assigning these in the process, as I feel I lose control of deployment. Due to this, I am assigning the policies afterwards, to existing groups, allowing us to better control the rollout, however it is rather time consuming :)

Have you considered adding an ASSIGN option to multiple policies/settings, like the option to export or compare functionality, allowing us to control assignments to multiple policies and settings?

Options:
Assign to: All Users, All Devices, named group(s).

Thank you for your great work, very much appreciated!

Feature Request - Import Overwrite

Hi,
Great project, I've used it to export and import between tenants. It would be nice if we could import and replace the existing policy; this way we could use a single tenant as a source for all changes, and deploy.

I don't think I've missed anything in the documentation.

Thanks

Non-interactive mode (e.g. for automation / scripting)

Would it be possible to add support to run without the UI to complete certain tasks. Would be especially handy for including in automations

Awesome work on the tool BTW, has saved me countless hours, and love the recently added documentation capabilities

App Protection doesn't process any WIP policies

The App Protection / Configuration section works fine for Android and iOS app policies, but doesn't do anything (can't view, export, copy, import) with Windows Information Protection Policies.

I have ascertained that this is because they are named differently in PS - rather than managedAppProtection they are windowsInformationProtection policies.

Can someone who knows Powershell better than me add in the ability to manipulate these policies?

Import is not working

I got the below error message, while importing the configuration profile using this tool.
I tried one by one and a bulk import option but it's not working. Export is working fine.
Even I tried to copy a configuration profile, it failed.

Can you please fix this.

Failed to invoke MSGraphRequest Exception: 400 Bad Request
{
"error": {
"code": "ModelValidationFailure",
"message": "Cannot convert the literal '/Date(1571240587193)/' to the expected type 'Edm.DateTimeOffset'.",
"innerError": {
"message": "Cannot convert the literal '/Date(1571240587193)/' to the expected type 'Edm.DateTimeOffset'.",
"request-id": "f173776b-a770-4a1e-a948-967b4a630684",
"date": "2020-04-08T15:02:26"
}
}
}
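
The `/Date(ms)/` literals in this error and in the "Unable to import software update settings" issue above are legacy JSON dates that the API rejects as `Edm.DateTimeOffset`. The following is an added example, not IntuneManagement code: `Convert-LegacyJsonDate` and its `-MinValueAsNull` switch are hypothetical names, the sample JSON is constructed from the property names quoted on this page, and whether a given property accepts `null` is an assumption left to the caller.

```powershell
# Added example (hypothetical helper, not part of IntuneManagement).
# Rewrites legacy "/Date(ms)/" literals in exported JSON to ISO 8601 UTC strings.
function Convert-LegacyJsonDate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Json,
        # Assumption: emit JSON null for the DateTime.MinValue sentinel instead of a date
        [switch]$MinValueAsNull
    )

    # Matches "/Date(ms)/" and the escaped form "\/Date(ms)\/" written by ConvertTo-Json
    $pattern = '"\\?/Date\((-?\d+)\)\\?/"'
    $minMs   = [int64]-62135596800000   # 0001-01-01T00:00:00Z, the "not set" value
    $culture = [Globalization.CultureInfo]::InvariantCulture

    $result = $Json
    foreach ($m in [regex]::Matches($Json, $pattern)) {
        $ms = [int64]$m.Groups[1].Value
        if ($MinValueAsNull -and $ms -eq $minMs) {
            $replacement = 'null'
        }
        else {
            # Format with the invariant culture so the output does not depend on the machine locale
            $utc = [DateTimeOffset]::FromUnixTimeMilliseconds($ms).UtcDateTime
            $replacement = '"' + $utc.ToString('yyyy-MM-ddTHH:mm:ss.fffZ', $culture) + '"'
        }
        # The same literal always maps to the same replacement, so a literal replace is safe
        $result = $result.Replace($m.Value, $replacement)
    }
    $result
}

# Constructed sample input using property names and values quoted in the issues
$sample = @'
{
  "displayName": "Constructed sample policy",
  "createdDateTime": "\/Date(1571240587193)\/",
  "qualityUpdatesPauseExpiryDateTime": "/Date(-62135596800000)/"
}
'@

Convert-LegacyJsonDate -Json $sample -MinValueAsNull
```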

Feature request: Save settings in json file, allowing to roam settings

Hi,

This might be a minor issue, however I most often (always'ish) run the IntuneManagement tool from within Windows Sandbox, as I do not want to have any "foreign" sign in information on my own computer, and I feel good about closing Windows Sandbox, and everything is cleared.

Have you considered, to add an option or a command line option to save settings to a file, e.g. a json file, allowing the setting to roam between devices and/or be saved when e.g. using Windows Sandbox environment or similar?

Thank you, this is, IMHO, the best Intune Management "extension" out there, keep up the good work!

PS: Sorry for throwing feature requests your way :)

Feature Request : Documentation - Extract powershell scripts

Hi,

I must echo @dotjesper thoughts on this! It's absolutely brilliant and has saved a lot of time with cloning configuration policies, especially as the official Microsoft Intune PowerShell module is not up to date and fails cloning configurations. Keep up the fantastic work!

Feature Request: Is it possible to extract the various PowerShell scripts and document those, e.g. install and uninstall scripts as well as any custom detection scripts etc.? I know files etc. are encrypted and then decrypted on the device so not sure if this is possible. It would certainly make the documentation process more complete.

Many thanks Justin

Feature request: Bulk Compare multiple folders

Hi,
I have used your tool quite a bit lately, and come to use the Bulk Compare every time I need to find differences from a tenant and "my baseline", however I might compare with "too much".

Have you considered adding an option to compare settings files placed in two folders, allowing us to compare various exports, or even being able to compare multiple folders, e.g. comparing five "backups" to see the progress and changes over time?

Thank you for your great work, very much appreciated!

Feature Request - Select tenant ID

Hi,
Great project! This tool has soooo many features and nice additions the Microsoft Endpoint Manager interface doesn't. I've used it to export and import between tenants - however, working for a Microsoft Partner, and often being invited into a customer tenant, being able to select the tenant ID as part of the login would greatly enhance the usability in these scenarios.

I don't think I've missed anything in the documentation.

Thank you for your great work, very much appreciated!

App Protection Object Issue

It looks like there may be an issue when trying to load App Protection objects; it gives the following error:

Cannot find an overload for "new" and the argument count: "1".

Conditional Access - Does not return all policies

When using conditional access, not all policies are returned or are exported. In my case only 13 policies returned which included the MS baseline policies. If you compare it to the GUI, it shows all policies up until the "load more" section.

Feature Request - Import Conditional Access: Enforce Disabled state

Hi,
Great project! This tool has soooo many features and nice additions the Microsoft Endpoint Manager interface doesn't.

Have you considered an option to import Conditional Access Policies with: Enforce Disabled state?

I don't think I've missed anything in the documentation.

Thank you for your great work, very much appreciated!

Failed to export object Exception: Cannot validate argument on parameter 'Name'.

Hi there,

Thanks for this awesome tool, I've been using it for a while now. I've recently run into this issue when bulk exporting configurations: 'Failed to export object Exception: Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.'

This has pretty much happened on every object, but it is rather inconsistent, only half of my configuration profiles have been exported.

Also, this has only just started recently, I downloaded a version 4 weeks ago that is working fine, seems to be with the latest version that this error persists.

Any ideas?

Doco - Some types unsupported

The following don't seem to generate doco:

- Custom Device Type Restrictions
- Custom Intune Roles

Errors similar to the below...

image

Limit of applications

Hi Micke,

First of all, a really big compliment for the developed tool. The development is really super well implemented. You have really closed the big gap that Microsoft has been leaving behind for several years.

Regarding my topic, when I tried the application category it imports not all our apps, seems it took the first ~1000 apps from the graph API. I assume that a limit is defined, and the graph call is not paging until the end. Would it be possible to have this variable? We have really a mass of win32apps in Intune (~4500).

A workaround would also be helpful. I looked for the used graph call, I have found only in the "DocumentationCustom.psm1" the function Get-CDAllTenantApps with the limit 999, but I'm not sure if this is the reason.

Thx
Andi
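
Both this report and "Conditional Access - Does not return all policies" above describe lists that stop at the first page of results; Microsoft Graph returns the rest through `@odata.nextLink`. The following is an added example, not IntuneManagement code: `Get-AllGraphPages` and its `-Fetch` parameter are hypothetical, and the page contents and `?page=` links are constructed so the loop runs offline.

```powershell
# Added example (hypothetical helper, not part of IntuneManagement).
# Follows @odata.nextLink until the collection is exhausted, with loop and size guards.
function Get-AllGraphPages {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Url,
        # Script block that takes a URL and returns one response page (value + optional nextLink)
        [Parameter(Mandatory)][scriptblock]$Fetch,
        [int]$MaxPages = 500
    )

    $items = [System.Collections.Generic.List[object]]::new()
    $seen  = [System.Collections.Generic.HashSet[string]]::new()
    $next  = $Url

    while ($next) {
        # A repeated link would loop forever; fail instead of silently truncating
        if (-not $seen.Add($next)) { throw "nextLink repeated: $next" }
        if ($seen.Count -gt $MaxPages) { throw "More than $MaxPages pages returned; aborting" }

        $page = & $Fetch $next
        foreach ($item in $page.value) { $items.Add($item) }

        # Absent on the last page, which ends the loop
        $next = $page.'@odata.nextLink'
    }
    $items.ToArray()
}

# Constructed pages standing in for Graph responses (base URL taken from the page)
$base  = 'https://graph.microsoft.com/BETA/deviceManagement/deviceConfigurations'
$pages = @{
    $base             = @{ value = @('cfg-1', 'cfg-2'); '@odata.nextLink' = "$base`?page=2" }
    "$base`?page=2"   = @{ value = @('cfg-3', 'cfg-4'); '@odata.nextLink' = "$base`?page=3" }
    "$base`?page=3"   = @{ value = @('cfg-5') }
}

$all = Get-AllGraphPages -Url $base -Fetch { param($u) $pages[$u] }
"Fetched $($all.Count) objects across $($pages.Count) pages"
```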

Markdown output

Output in word looks awesome but with Word not installed on the jumpbox I'm limited to csv. Have you considered markdown output?
