almenscorner/IntuneCD

[BUG] Duplicates of Endpoint security policies

Closed this issue · 8 comments

Describe the bug
I recently noticed that Attack surface reduction policies (specifically Exploit Protection settings) are being duplicated when running intunecd update.

I see an update from Microsoft that will move endpoint security policies to the settings catalog:
https://techcommunity.microsoft.com/t5/intune-customer-success/endpoint-security-policies-migrating-to-the-unified-settings/ba-p/3890989

This may explain the issue, and I see that when I updated our master branch from our baseline tenant, it would move the Windows Exploit Protection policy from management intents to the settings catalog.

For now it is just happening to this one policy, but I would assume it will hit other policies later on.

On one of our tenants the policy got duplicated 6 times when I came back from summer vacation.

To Reproduce
Steps to reproduce the behavior:
Backup baseline tenant with intunecd
Run intunecd update on another tenant

Expected behavior
Nothing should happen to the policy since we did not make any changes to it.


Run type (please complete the following information):

  • Mode: 1
  • Client: Pipeline
  • Version: 2.3.3b1

Additional context

I tried to repro the issue by creating an Attack Surface Reduction policy for Exploit Protection, then ran the backup and then the update. If the policy exists it does not create it again in my case; if it does not exist it is created.

So far I have not been able to repro the duplication of the policy.

Thanks for testing it out.
Did you see where intunecd placed the exploit protection policy? Was it placed under the settings catalog or in the Management Intents folder?
I have a theory that this may cause issues on policies created before the change Microsoft has implemented this summer, where intunecd places the policy under management intents.

Here is the new policy that seems to have been migrated to the settings catalog:

While we get duplicates of the same setting with the old view:

It is placed under Settings Catalog, as I did not have a policy created prior to the change by Microsoft. If you are able to provide me a copy of the policy, I can try to manually create it under management intents and then run the update.

Had to consult with the security team to give me the thumbs up to share it :)
Let me know if the format is wrong.
xxx_Mandatory - Windows Exploit Protection.json

Tried having the settings catalog profile and this one under the management intent folder. In my case it just says that no updates are found and then it is not doing anything else, i.e. it keeps both the Management Intent and Settings Catalog up to date but does not create additional replicas.

Is your Management Intent removed from the folder in the backup and only the settings catalog is left?

Please verify if v2.3.6 resolves this issue; there were some updates made regarding settings catalog policies.

Hi, tested out v2.3.6 and it resolved the issue. Thanks! :)

Thanks for verifying!

Resolved in #215