Micke-K / IntuneManagement

Copy, export, import, delete, document and compare policies and profiles in Intune and Azure with PowerShell script and WPF UI. Import ADMX files and registry settings with ADMX ingestion. View and edit PowerShell script.
MIT License

Custom OMA-URI values encrypted after export/import #29

Closed easyngit closed 2 years ago

easyngit commented 2 years ago

Hi,

We have been seeing a weird issue after we have done an export and import to a tenant. All values, from what we can tell, get set as encrypted and all we see in the values is "***".

We discovered this issue the first time when we tried to import some policies for Google Chrome. But we have also seen this happening to our ADMX OMA-URI policy for Lenovo Commercial Vantage. So far the only solution we have found is to manually recreate the values that get encrypted.

Edit: This has happened around 4 times in the last 2 months.

easyngit commented 2 years ago

A workaround to this issue has been to click view on a file and click "Load Full" before doing the export. Seems like there is an issue with the secret during standard export.

Micke-K commented 2 years ago

Hello!

Thank you for reporting this. The secret values were something Microsoft introduced a few months ago. Strings are now stored as encrypted in Intune but support for this was implemented in a previous version.

I cannot replicate the issue with the latest version. I exported a Custom OMA-URI for Chrome. If I look at values without loading the Full View, the value is ***** but in the exported file it is the actual string. I did NOT load the full value before export. I also did a Bulk Export of all Device Configuration profiles directly after I started the app and the actual string values were exported.

What versions of EndpointManager.psm1 and MSGraph.ps1 do you have? Versions are available in About. It should be 3.1.11 and 3.1.6.

Note that the json files must be re-exported to get the decrypted strings in the json. Exported files with ***** values cannot be decrypted after export.

Micke-K commented 2 years ago

This is taken care of by the Start-PostGetDeviceConfiguration function in the EndpointManager.psm1 file. This function is called every time the full Device Configuration object is loaded e.g. View Full Object, Export Object, Document Object etc.

Micke-K commented 2 years ago

@easyngit Any update on this? Did you try re-exporting the profiles with the new version?

easyngit commented 2 years ago

@Micke-K Sorry for the late reply, I'm away from work until Monday so will discuss this with my colleague then. If you want we can just close this issue now. Thanks for taking the time to respond! This is a great tool.

Micke-K commented 2 years ago

No problem and thank you! I'll close it when you have verified that it is working.

Cheers!

easyngit commented 2 years ago

Hi Micke!

Sorry for the delayed response, we have been discussing this error this week and been trying to find out why this is happening. We have seen the error multiple times in our OMA URI policies but we have so far been unsuccessful in finding the culprit of why they don't retain their secret when exporting directly from the view without pressing View --> Load Full first.

I have created a meeting for tomorrow with my colleague where we will try to troubleshoot further. Will come back to you tomorrow.

Micke-K commented 2 years ago

I'm not sure if I misunderstood your problem. The values for OMA-URI will always be ***** when you view details and then visible when you load the full object. The full object is loaded during export so clear text values will be included in the export.

This is because Microsoft encrypts the strings and the API returns ***** when objects are loaded. A second API is required to decrypt the string. This is only called when loading the full object.
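A pre-import check for the situation discussed in this thread, added here as an example (not code from IntuneManagement or from either commenter): it scans a folder of exported profile JSON files and reports every OMA-URI setting whose value is only the asterisk mask, since such files cannot be decrypted later and need a re-export. The function name `Find-MaskedOmaSetting`, the assumed JSON fields (`omaSettings`, `displayName`, `omaUri`, `value`) and the sample file are assumptions; the sample data is constructed.

```powershell
# Added example. Assumes each export file is one JSON object with an
# "omaSettings" array whose items carry "displayName", "omaUri" and "value".
function Find-MaskedOmaSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path   # root folder of the exported JSON files
    )

    foreach ($file in Get-ChildItem -Path $Path -Filter *.json -File -Recurse) {
        try {
            $policy = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop |
                ConvertFrom-Json
        }
        catch {
            Write-Warning "Skipping unreadable JSON: $($file.FullName)"
            continue
        }

        # Files without omaSettings yield a single $null here and are skipped.
        foreach ($setting in @($policy.omaSettings)) {
            if ($null -eq $setting) { continue }

            # A value made up only of asterisks is the mask, not the configured string.
            if ($setting.value -is [string] -and $setting.value -match '^\*+$') {
                [pscustomobject]@{
                    File    = $file.FullName
                    Profile = $policy.displayName
                    Setting = $setting.displayName
                    OmaUri  = $setting.omaUri
                }
            }
        }
    }
}

# Constructed sample export (not real tenant data) to show the check end to end.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'oma-export-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@{
    displayName = 'Sample custom OMA-URI profile'
    omaSettings = @(
        @{ displayName = 'Masked setting'; omaUri = './Device/Vendor/MSFT/Policy/Config/Sample~Policy/Masked'; value = '*****' },
        @{ displayName = 'Clear setting'; omaUri = './Device/Vendor/MSFT/Policy/Config/Sample~Policy/Clear'; value = '<enabled/>' }
    )
} | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath (Join-Path $demo 'sample.json')

Find-MaskedOmaSetting -Path $demo | Format-List
```

On the sample folder only the "Masked setting" entry is reported. Running the check against a real export folder before an import shows which profiles would carry the mask into the target tenant.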

easyngit commented 2 years ago

Issue hasn't recurred this or last week so we suspect Microsoft had an issue they resolved. Gonna close this one.