IntuneDeviceConfigurationCustomPolicyWindows10: Error decrypting OmaSetting with SecretReferenceValueId

[skghq]

Description of the issue

When exporting IntuneDeviceConfigurationCustomPolicyWindows10 the majority fail. A handful work.

Command: Export-M365DSCConfiguration -Components @("IntuneDeviceConfigurationCustomPolicyWindows10") -Credential $Credential -Path $FilePath -FileName $FileName -Debug -Verbose

Produces (notice the error logs):

Connecting to {MicrosoftGraph}...✅ [1/1] Extracting [IntuneDeviceConfigurationCustomPolicyWindows10] using {Credentials}... |---[1/17] Allow Optional Content✅ |---[2/17] Credential Guard (test)✅ |---[3/17] XX Production Windows 11: Disable Comsumer Experience✅ |---[4/17] XX Production: Windows 10: Default apps Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[5/17] XX Production: Windows 11 -Skip Account Setup - ESP✅ |---[6/17] XX Production: Windows 11: Custom Start Layout Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[7/17] XX Production: Windows 11: Disable Cortana✅ |---[8/17] XX Production: Windows: Create Local Admin Account Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[9/17] XX Testing: Windows 11: Custom Start Layout 1 Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[10/17] XX Testing: Windows: Denver Local Time Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[11/17] xx-Disable-Copilot✅ |---[12/17] XXYY: Reference: Default apps (unassigned) Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[13/17] XXYY-Production-Custom device setups-(CSPs) Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[14/17] XX-Production-Windows 11-Default Apps Complete Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[15/17] OLD_XX Production: Windows 11: Default apps Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[16/17] W365: Default Application Settings Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ |---[17/17] W365: GDPR - AppLocker Policy Error Log created at {file://C:/temp/scott/debug2/cwd/3516-M365DSC-ErrorLog.log} ✅ ⌛ Export took {16 seconds} Transcript stopped, output file is C:\temp\scott\debug2\log\IntuneDeviceConfigurationCustomPolicyWindows10.txt

The error logs:

[2024/03/06 05:15:00]
{InvalidOperation}
Microsoft.Graph.PowerShell.Authentication.Helpers.HttpResponseException: Response status code does not indicate success: Forbidden (Forbidden).
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
"Error decrypting OmaSetting with SecretReferenceValueId secret_key"
at Get-OmaSettingPlainTextValue, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCDRGUtil.psm1: line 1397
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 119
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 590
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCReverse.psm1: line 649
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCUtil.psm1: line 1357
at <ScriptBlock>, <No file>: line 61

[2024/03/06 05:15:01]
{InvalidOperation}
Microsoft.Graph.PowerShell.Authentication.Helpers.HttpResponseException: Response status code does not indicate success: Forbidden (Forbidden).
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
"Error decrypting OmaSetting with SecretReferenceValueId secret_key:"
at Get-OmaSettingPlainTextValue, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCDRGUtil.psm1: line 1397
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 119
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 590
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCReverse.psm1: line 649
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCUtil.psm1: line 1357
at <ScriptBlock>, <No file>: line 61

Microsoft 365 DSC Version

1.24.228.1

Which workloads are affected

other

The DSC configuration

Export-M365DSCConfiguration -Components @("IntuneDeviceConfigurationCustomPolicyWindows10") -Credential $Credential -Path $FilePath -FileName $FileName # -Debug -Verbose

Verbose logs showing the problem

[2024/03/06 05:15:00]
{InvalidOperation}
Microsoft.Graph.PowerShell.Authentication.Helpers.HttpResponseException: Response status code does not indicate success: Forbidden (Forbidden).
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
"Error decrypting OmaSetting with SecretReferenceValueId secret_key"
at Get-OmaSettingPlainTextValue, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCDRGUtil.psm1: line 1397
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 119
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 590
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCReverse.psm1: line 649
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCUtil.psm1: line 1357
at <ScriptBlock>, <No file>: line 61

[2024/03/06 05:15:01]
{InvalidOperation}
Microsoft.Graph.PowerShell.Authentication.Helpers.HttpResponseException: Response status code does not indicate success: Forbidden (Forbidden).
   at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
"Error decrypting OmaSetting with SecretReferenceValueId secret_key:"
at Get-OmaSettingPlainTextValue, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCDRGUtil.psm1: line 1397
at Get-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 119
at Export-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\DSCResources\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10\MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1: line 590
at Start-M365DSCConfigurationExtract, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCReverse.psm1: line 649
at Export-M365DSCConfiguration, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.24.228.1\Modules\M365DSCUtil.psm1: line 1357
at <ScriptBlock>, <No file>: line 61

Environment Information + PowerShell Version

OsName               : Microsoft Windows Server 2019 Standard
OsOperatingSystemSKU : StandardServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.17763.5458
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.17763.5458
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion

[ricmestre]

@skghq: Please show the output of the following:

$Policies = Get-MgBetaDeviceManagementDeviceConfiguration `
    -ErrorAction SilentlyContinue | Where-Object -FilterScript {
        $_.AdditionalProperties.'@odata.type' -eq "#microsoft.graph.windows10CustomConfiguration"
    }

$it = 1
foreach ($Policy in $Policies)
{
    foreach ($omaSetting in $Policy.AdditionalProperties.omaSettings.secretReferenceValueId)
    {
        $Message = "{0}: {1} / {2}" -f $it, $Policy.DisplayName, $omaSetting
        Write-Output $Message
    }
    ++$it
}

[skghq]

Unredacted as it likely matters. Let me know when I can edit my comment:

4: FP: Production: Windows 10: Default apps / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_a4bb78a1-3272-4f19-845e-f504b65afc64_9f9e5b56-522e-4d47-8983-67a8d9cf099e
6: FP: Production: Windows 11: Custom Start Layout / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_ede5e770-2942-468d-82cb-e2e0892726e9_131da2ac-4d95-4e78-be65-8bebd466906d
8: FP: Production: Windows: Create Local Admin Account / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_ad482425-2c84-4a82-ac70-ba7da284ecfa_5427da49-8fa7-43a2-9d5e-08e471255b71
9: FP: Testing: Windows 11: Custom Start Layout 1 / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_d5997d37-b720-4c7b-99e6-42b6bc9e55ab_f2efe6f5-c01e-4f34-abf2-21b3c53e48fc
10: FP: Testing: Windows: Denver Local Time / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_fb4dab1b-5239-468a-9634-a2f9dbdcd327_6fb8de39-54b1-4659-9db8-0380f189be23
12: FPMX: Reference: Default apps (unassigned) / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_935c2ed8-edb7-4bb1-96d3-36187cec61f8_c9e2c933-a694-4d8e-ae24-02839b3367db
13: FPMX-Production-Custom device setups-(CSPs) / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_219dbd4b-95bc-49b5-bcf9-9512f2bdab69_631f4b0e-54b0-4f36-8f17-444777a82cc1
13: FPMX-Production-Custom device setups-(CSPs) / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_219dbd4b-95bc-49b5-bcf9-9512f2bdab69_e01fbb30-24da-44fb-8c17-4df1fa10f105
14: FP-Production-Windows 11-Default Apps Complete / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_d0007f27-f4b4-45ce-9d7e-fc859e2b420f_78bb73e4-97a7-4f12-a42a-3e66b19d415a
15: OLD_FP: Production: Windows 11: Default apps / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_55b73732-ba83-42e6-a500-030b79fc4237_a0e79366-398a-4cf9-91ab-41e8a46cae8c
16: W365: Default Application Settings / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_9f64119f-3b08-4968-8b57-92a02da2f6b9_b480ab01-0b58-4132-accc-bca265d24c28
17: W365: GDPR - AppLocker Policy / 3ac13eed-7b30-4d90-8300-5ebe12130cc8_befefd08-6623-4417-b999-4b0a55ec322e_1021029b-2f0e-44ad-9f2c-d0164e927e29

[skghq]

@ricmestre Forgot to tag you in last comment. Thanks -- I was hoping you would pick up this ticket.

[ricmestre]

That doesn't make sense, the errors you posted originally "Error decrypting OmaSetting with SecretReferenceValueId secret_key" and "Error decrypting OmaSetting with SecretReferenceValueId secret_key:", did you actually edited what was in the "secret_key"? Was it a GUID? I'm asking because that string should appear in what I requested you to post now and I don't see the string "secret_key" anywhere.

But in case that you edited that string and it was like a GUID then it means you, don't have permission to read those OMA settings and the code is actually correct.

[ricmestre]

You can test the below, it's the policy number 4 called "FP: Production: Windows 10: Default apps", it will give you the same forbidden error message.

$Uri = "/beta/deviceManagement/deviceConfigurations/a4bb78a1-3272-4f19-845e-f504b65afc64/getOmaSettingPlainTextValue(secretReferenceValueId='3ac13eed-7b30-4d90-8300-5ebe12130cc8_a4bb78a1-3272-4f19-845e-f504b65afc64_9f9e5b56-522e-4d47-8983-67a8d9cf099e')"
$Result = Invoke-MgGraphRequest -Method GET -Uri $Uri -ErrorAction Stop

[skghq]

@ricmestre Yes it was redacted and incomplete. Thanks for the bit of test code -- that lead to the actual problem. I have it working now. Added consent for DeviceManagementConfiguration.ReadWrite.All

I'm not closing this ticket -- in case something should be updated with Update-M365DSCAllowedGraphScopes ? Kind of a grey area since you need ReadWrite when only reading?

{"error":{"code":"Forbidden","message":"{\r\n  \"_version\": 3,\r\n  \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementConfiguration.ReadWrite.All - Operation ID (for customer 
support): 00000000-0000-0000-0000-000000000000 - Activity ID:

Let me know if I should close.

Thanks.

[ricmestre]

Did you have DeviceManagementConfiguration.Read.All already assigned to your account and it started working after you consent to ReadWrite?

That's not supposed to be required according to https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-deviceconfiguration-getomasettingplaintextvalue?view=graph-rest-beta, they say Read should be enough so probably it's an API problem.

[skghq]

@ricmestre : DeviceManagementConfiguration.Read.All has admin consent for the application. So not to my account -- but it should have worked if that was all that was required.

What do we do with API problems? Close this issue and let MSFT sort it out?

[ricmestre]

Yeah I meant the app, if that was the case then raise a ticket with MS support for your tenant.

I didn't test it yet on my side with Read only but probably I'll also have the same issue.

[skghq]

@ricmestre Outside the scope of MSFT365DSC -- How does this work with MSFT: We have multiple tenants. Would something like that be identified as a bug and rolled out globally, or, per tenant when requested?

[ricmestre]

I'm not from MS but if it's a global problem ideally it should be solved for everyone and not upon request, in your case if you have multiple tenants then just test it on all of them and if it also happens there as well then let them know, if it's just an isolated case (because you didn't test your other tenants) then they will probably not pay much attention to your ticket as they would if you tell them all your tenants have the same issue.

[skghq]

@ricmestre Thanks. Unfortunately I only have Intune with a single tenant.

Do you want me to leave this opened until you can test or close it out?

[ricmestre]

From one of those affected policies give me a screenshot of how it's setup, you can obfuscate the value just let me know if it's an integer or string and I can try to replicate on my side.

[ricmestre]

That one is not affected :)

Show me for example this one "FP: Production: Windows 10: Default apps", give me the full OMA-URI please.

[skghq]

@ricmestre gah! That's embarrassing... apologies :)

    IntuneDeviceConfigurationCustomPolicyWindows10 "IntuneDeviceConfigurationCustomPolicyWindows10-FP: Production: Windows 10: Default apps"
    {
        Assignments          = @(
            MSFT_DeviceManagementConfigurationPolicyAssignments{
                deviceAndAppManagementAssignmentFilterType = 'none'
                dataType = '#microsoft.graph.groupAssignmentTarget'
                groupId = '4a9cc2f0-0793-4ca0-8303-bb1fac64c068'
            }
            MSFT_DeviceManagementConfigurationPolicyAssignments{
                deviceAndAppManagementAssignmentFilterType = 'none'
                dataType = '#microsoft.graph.groupAssignmentTarget'
                groupId = '5321edcc-bc04-4a83-9a23-c83f89a7726e'
            }
            MSFT_DeviceManagementConfigurationPolicyAssignments{
                deviceAndAppManagementAssignmentFilterType = 'none'
                dataType = '#microsoft.graph.groupAssignmentTarget'
                groupId = '880051b1-84bd-411c-aef4-13ddaec33190'
            }
            MSFT_DeviceManagementConfigurationPolicyAssignments{
                deviceAndAppManagementAssignmentFilterType = 'none'
                dataType = '#microsoft.graph.groupAssignmentTarget'
                groupId = 'ae69d095-9c90-4886-aabd-011358229839'
            }
        );
        Credential           = $Credscredential;
        Description          = "";
        DisplayName          = "FP: Production: Windows 10: Default apps";
        Ensure               = "Present";
        Id                   = "a4bb78a1-3272-4f19-845e-f504b65afc64";
        OmaSettings          = @(
            MSFT_MicrosoftGraphomaSetting{
                Description = 'Default applications and associations'
                OmaUri = './Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration'
                Value = '<<<string length = 18808>>>'
                odataType = '#microsoft.graph.omaSettingString'
                IsEncrypted = $False
                DisplayName = 'DefaultAssociationsConfiguration'
            }
        );
        SupportsScopeTags    = $True;
    }

[ricmestre]

Got exactly the same issue as you, by any change is that string a base64 encoded value? Could you please check if the other affected policies also have base64 encoded values as their string?

[ricmestre]

Nah, never mind, I had another policy that always worked with a single integer and I can't extract it anymore without ReadWrite.

Definitely an API issue, but at the very least it's a documentation issue since it implies ReadWrite is not needed to call that function. You can mention this issue you raised here in your ticket so they can see the comments, but you should close it since it's not an M365DSC issue.

[ricmestre]

Actually... @andikrueger what about the settings.json file? it would need to be updated to have ReadWrite in the read section.

[skghq]

@ricmestre Since I had compiled the list before I saw your test with an integer... here it is anyways:

FP: Production: Windows 10: Default apps - string/Appears to be base64 encoded string. I didn't try decoding. FP: Production: Windows 11: Custom Start - string/JSON FP: Production: Windows: Create Local Admin Account - string/single word, integer FP: Testing: Windows 11: Custom Start Layout 1 - string/json FP: Testing: Windows: Denver Local Time - string/"Mountain standard Time" FPMX: Reference: Default apps (unassigned) - string/base64 FPMX-Production-Custom device setups-(CSPs) - 2 strings, 1 integer FP-Production-Windows 11-Default Apps Complete - string/base64 OLD_FP: Production: Windows 11: Default apps - string/base64 W365: Default Application Settings - string/base64 W365: GDPR - AppLocker Policy - string/xml

[skghq]

@ricmestre I have opened a support case. Let me know if anyone needs the number.

[skghq]

@andikrueger only keeping this open until you weigh in on @ricmestre 's comment re: settings.json.

It does seem that, despite documentation, ReadWrite is required.

Feel free to close otherwise.

[andikrueger]

@ricmestre: Could you raise an issue within the graph PowerShell SDK repo as well?

I just compared the list of permissions given by .read. and .readwrite. There is a difference in these endpoints

GET /deviceManagement/applePushNotificationCertificate/downloadApplePushNotificationCertificateSigningRequest GET /deviceManagement/userExperienceAnalyticsRemoteConnection/summarizeDeviceRemoteConnection GET /deviceManagement/userExperienceAnalyticsResourcePerformance/summarizeDeviceResourcePerformance GET /deviceManagement/userExperienceAnalyticsSummarizeWorkFromAnywhereDevices GET /deviceManagement/verifyWindowsEnrollmentAutoDiscovery

We recently introduced a QA pipeline to monitor the read section for only read permissions. We can overcome this by adding this resource to the Allow list, but I would prefer this to be properly fixed.

[ricmestre]

Since this is an API issue, which this is, their answer is always to raise a ticket with the support of the tenant. But maybe raise a ticket with the metadata team instead?

[skghq]

@ricmestre @andikrueger I opened a support case in my tenant. I opened it with the API/Graph team but it was handed over to the Intune team.

I spoke with the support tech and outlined the issue. I had also linked here so they had the complete history.

I was told since the case was reassigned to the Intune department, and not the API department, they had to close the ticket because I was able to work around it by granting Read/Write access.

They said they would share my feedback with the API team and they may send that over to engineering to resolve. All of that correspondence would be done outside of my case. They also said they would let me know if they hear back.

All of that being said... it's probably best to just add Read/Write to the default permissions to prevent more people from having the same issue until it is resolved?

Technically Read/Write is required by MSFT, due to what we deem as a bug, but it is required.

[ricmestre]

@andikrueger What do you think we should do here? It's clearly an API issue since their docs say Read is enough but actually isn't, and it's not an SDK problem so we cannot report this to the Graph PS SDK team.

Without changing this permission to ReadWrite the resource will fail to be processed correctly.

[andikrueger]

Thanks for the reminder on this topic. I’ll check if there are any update