almenscorner / IntuneCD

Tool to backup, update and document configurations in Intune
MIT License

[BUG] Duplicates of Endpoint security policies #208

Closed EirikNess closed 1 month ago

EirikNess commented 2 months ago

Describe the bug
I recently noticed that Attack surface reduction policies (specifically Exploit Protection settings) are being duplicated when running intunecd update.

I see an update from microsoft that will move endpoint security policies to the settings catalog: https://techcommunity.microsoft.com/t5/intune-customer-success/endpoint-security-policies-migrating-to-the-unified-settings/ba-p/3890989

This may explain the issue. When I updated our master branch from our baseline tenant, I saw that it moved the Windows Exploit Protection policy from Management Intents to the Settings Catalog.

For now it is just happening to this one policy, but i would assume it would hit other policies later on.

On one of our tenants the policy got duplicated 6 times when I came back from summer vacation.

To Reproduce
Steps to reproduce the behavior:
1. Backup baseline tenant with intunecd
2. Run intunecd update on another tenant

Expected behavior
Nothing should happen to the policy since we did not make any changes to it.


almenscorner commented 2 months ago

I tried to reproduce the issue by creating an Attack Surface Reduction policy for Exploit Protection, then ran the backup and the update. If the policy exists it does not create it again in my case; if it does not exist it is created.

So far I have not been able to reproduce the duplication of the policy.

EirikNess commented 2 months ago

Thanks for testing it out. Did you see where intunecd placed the exploit protection policy: under the Settings Catalog or in the Management Intents folder? I have a theory that this may cause issues for policies created before the change Microsoft implemented this summer, where intunecd places the policy under Management Intents.

Here is the new policy that seems to have been migrated to the settings catalog:

While we get duplicates of the same setting with the old view:

almenscorner commented 2 months ago

It is placed under Settings Catalog, as I did not have a policy created prior to the change by Microsoft. If you are able to provide me a copy of the policy, I can try to manually create it under Management Intents and then run the update.

EirikNess commented 2 months ago

Had to consult with the security team to give me the thumbs up to share it :) Let me know if the format is wrong: xxx_Mandatory - Windows Exploit Protection.json

almenscorner commented 2 months ago

Tried having the settings catalog profile and this one under the Management Intents folder; in my case it just says that no updates are found and then does nothing else, i.e. it keeps both the Management Intent and the Settings Catalog policy up to date but does not create additional replicas.

Is your Management Intent removed from the folder in the backup and only the settings catalog is left?
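
The question above is the check a practitioner would want to run before `intunecd update`: does the backup contain the same policy under both the Management Intents and the Settings Catalog folders? The script below is an added example, not part of IntuneCD and not code from this thread. It assumes the top-level folder names "Management Intents" and "Settings Catalog" and that intent exports carry `displayName` while settings catalog exports carry `name` (as the corresponding Graph objects do); verify both assumptions against your own backup repository. The sample backup tree it builds is constructed for the demo.

```python
import json
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional

# Assumed top-level folder names of an IntuneCD backup; check them against your own repo.
INTENT_DIR = "Management Intents"
CATALOG_DIR = "Settings Catalog"


def policy_name(path: Path) -> Optional[str]:
    """Read the policy name from one exported JSON file.

    Assumption: intents expose 'displayName' and settings catalog policies
    expose 'name', matching the Graph objects IntuneCD exports.
    """
    try:
        with path.open(encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError):
        return None  # unreadable or not JSON: skip rather than abort the scan
    if not isinstance(data, dict):
        return None
    return data.get("displayName") or data.get("name")


def find_cross_folder_policies(backup_root) -> Dict[str, List[str]]:
    """Map each policy name found under more than one top-level backup folder
    to the sorted list of those folders. An empty dict means no overlap."""
    root = Path(backup_root)
    folders = defaultdict(set)
    for path in root.rglob("*.json"):
        top = path.relative_to(root).parts[0]  # e.g. "Management Intents"
        name = policy_name(path)
        if name:
            folders[name].add(top)
    return {n: sorted(f) for n, f in folders.items() if len(f) > 1}


def build_constructed_backup(root: Path) -> None:
    """Write a constructed backup tree (not a real export) for the demo:
    one policy present in both folders, one present only in the catalog."""
    overlap = "Baseline - Windows Exploit Protection"
    catalog_only = "Baseline - Defender AV"
    intent_dir = root / INTENT_DIR / "Exploit Protection"
    catalog_dir = root / CATALOG_DIR
    intent_dir.mkdir(parents=True)
    catalog_dir.mkdir(parents=True)
    (intent_dir / f"{overlap}.json").write_text(
        json.dumps({"displayName": overlap, "isAssigned": False}), encoding="utf-8")
    (catalog_dir / f"{overlap}.json").write_text(
        json.dumps({"name": overlap, "platforms": "windows10"}), encoding="utf-8")
    (catalog_dir / f"{catalog_only}.json").write_text(
        json.dumps({"name": catalog_only, "platforms": "windows10"}), encoding="utf-8")


def run_demo() -> Dict[str, List[str]]:
    """Build the constructed backup in a temp dir and return the overlaps found."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_backup(root)
        return find_cross_folder_policies(root)


if __name__ == "__main__":
    hits = run_demo()
    if not hits:
        print("no policy is exported under more than one folder")
    for name, where in hits.items():
        print(f"{name!r} is present in: {', '.join(where)}")
```

Point `find_cross_folder_policies` at the root of a real backup and treat any hit as a reason to delete the stale Management Intents copy from the repository (or at least to review it) before running the update against a tenant, so the migrated Settings Catalog version is the only one left to reconcile.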

almenscorner commented 1 month ago

Please verify whether v2.3.6 resolves this issue; there were some updates made regarding settings catalog policies.

EirikNess commented 1 month ago

Hi, tested out v2.3.6 and it resolved the issue. Thanks! :)

almenscorner commented 1 month ago

Thanks for verifying!

Resolved in #215