400 bad request restoring EDR settings
Opened this issue · 1 comments
I backed up entire Intune setup from one tenant, then individually restored specific groups of settings to another tenant I manage. Although a lot of settings restored fine, I had some errors I didn't understand. This is the second:
PS C:\Users\ichil> Invoke-IntuneRestoreDeviceManagementIntent -Path c:\stuff\intunebackup
VERBOSE: Default EDR policy for all devices - Failed to restore Device Management Intent (Endpoint detection and response)
Invoke-IntuneRestoreDeviceManagementIntent : 400 Bad Request
{"error":{"code":"BadRequest","message":"{\r\n "_version": 3,\r\n "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 -
Activity ID: 153136c9-699a-4dd7-ab1a-63c73ba00d47 - Url: https://fef.msud01.manage.microsoft.com/DeviceManagementIntent/DeviceManagementIntentService/83661860-ffff-2121-0449-060208542767/devic
eManagement/templates%28%27e44c2ca3-2f9a-400a-a113-6cc88efd773d%27%29/microsoft.management.services.api.createInstance?api-version=5020-08-21",\r\n "CustomApiErrorPhrase": "",\r\n
"RetryAfter": null,\r\n "ErrorSourceService": "",\r\n "HttpHeaders":
"{}"\r\n}","innerError":{"date":"2022-06-06T02:37:51","request-id":"153136c9-699a-4dd7-ab1a-63c73ba00d47","client-request-id":"153136c9-699a-4dd7-ab1a-63c73ba00d47"}}}
At line:1 char:2
- Invoke-IntuneRestoreDeviceManagementIntent -Path c:\stuff\intuneback ...
-
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-IntuneRestoreDeviceManagementIntent
EDR JSON
{
"roleScopeTagIds": [
"0"
],
"settingsDelta": [
{
"@odata.type": "#microsoft.graph.deviceManagementStringSettingInstance",
"id": "40445d40-9dca-495b-a33d-9e4cda659a62",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_advancedThreatProtectionBlobType",
"valueJson": ""notConfigured"",
"value": "notConfigured"
},
{
"@odata.type": "#microsoft.graph.deviceManagementBooleanSettingInstance",
"id": "71cd7124-0693-4b3e-8260-8d5461f92358",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_advancedThreatProtectionAutoPopulateOnboardingBlob",
"valueJson": "true",
"value": true
},
{
"@odata.type": "#microsoft.graph.deviceManagementStringSettingInstance",
"id": "d7521428-ef6a-4c32-8cc6-4d74d1f1e35c",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_advancedThreatProtectionOffboardingBlob",
"valueJson": "null",
"value": null
},
{
"@odata.type": "#microsoft.graph.deviceManagementStringSettingInstance",
"id": "a086ef45-ff58-4b87-8fd4-a3e4cdfece5b",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_advancedThreatProtectionOffboardingFilename",
"valueJson": "null",
"value": null
},
{
"@odata.type": "#microsoft.graph.deviceManagementStringSettingInstance",
"id": "b865e289-01a6-452a-bb5d-947558d53d59",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_advancedThreatProtectionOnboardingBlob",
"valueJson": ""Value has been set"",
"value": "Value has been set"
},
{
"@odata.type": "#microsoft.graph.deviceManagementStringSettingInstance",
"id": "a5f5539f-c6be-4f94-968d-c9fded7bf8f0",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_advancedThreatProtectionOnboardingFilename",
"valueJson": "null",
"value": null
},
{
"@odata.type": "#microsoft.graph.deviceManagementBooleanSettingInstance",
"id": "55b5588f-127c-43d0-b2df-5deb0395bc2e",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_allowSampleSharing",
"valueJson": "true",
"value": true
},
{
"@odata.type": "#microsoft.graph.deviceManagementBooleanSettingInstance",
"id": "e6a69961-0bc9-468f-97d1-87d9ba87dc32",
"definitionId": "deviceConfiguration--windowsDefenderAdvancedThreatProtectionConfiguration_enableExpeditedTelemetryReporting",
"valueJson": "true",
"value": true
}
],
"description": "Default EDR policy for targetting all tenants devices, created by MDE.",
"displayName": "Default EDR policy for all devices"
}
I'm wondering whether this may be a consequence of having my intune backup and PS1 directories in a deeply nested folder hierarchy with long folder names? For example:
"C:\Users\ichil\OneDrive\Documents\WindowsPowerShell\Modules\IntuneBackupAndRestore\3.2.0\Public\Invoke-IntuneRestoreDeviceConfigurationAssignment.ps1"
"C:\Stuff\IntuneBackup\Settings Catalog\Assignments\PBC Activate tamper protection.json"
I also ran into this and decided to do developer tools > network and create a new EDR policy to see what the POST payload should be and its completely different from the export. Below is my payload that works
{ "name":"test", "description":"", "platforms":"windows10", "technologies":"mdm,microsoftSense", "roleScopeTagIds":[ "0" ], "settings":[ { "@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance":{ "@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId":"device_vendor_msft_windowsadvancedthreatprotection_configurationtype", "choiceSettingValue":{ "@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value":"device_vendor_msft_windowsadvancedthreatprotection_configurationtype_autofromconnector", "children":[ { "@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance", "settingDefinitionId":"device_vendor_msft_windowsadvancedthreatprotection_onboarding_fromconnector", "simpleSettingValue":{ "@odata.type":"#microsoft.graph.deviceManagementConfigurationSecretSettingValue", "value":"Microsoft ATP connector enabled", "valueState":"NotEncrypted" } } ], "settingValueTemplateReference":{ "settingValueTemplateId":"e5c7c98c-c854-4140-836e-bd22db59d651" } }, "settingInstanceTemplateReference":{ "settingInstanceTemplateId":"23ab0ea3-1b12-429a-8ed0-7390cf699160" } } } ], "templateReference":{ "templateId":"0385b795-0f2f-44ac-8602-9f65bf6adede_1" } }