
Custom ADMX Profiles

Open durrante opened this issue 2 years ago • 22 comments

Hi Mick!

Just to let you know, the export \ import functionality for the ADMX files doesn't appear to be working, seems to go through within the tool but it doesn't appear on the portal (unless I need to wait for quite a bit of time).

Also, related, if I manually upload the administrative templates that are backed by those custom ADMX files, all of the configuration settings are blank, I suspect this is due to the dependent admx file ID being different from what was originally exported.

Happy to provide any logs or any more information for you :-).

durrante avatar Mar 17 '23 16:03 durrante

Hello!

I tested this a lot so not sure what's going on. The admx implementation is a complex solution to support. Every time you import an admx file it gets unique IDs for all settings. That's why a policy doesn't work even if you import the same admx file. The IDs of the imported policy will not match the IDs of the admx object.

I'll see if I can get some time to do some tests. Any log information would be great. Also, what admx are you using?

Cheers!

Micke-K avatar Mar 17 '23 23:03 Micke-K

Hello,

I just did some testing. Did you have the admx/adml file available in the Export folder or in the "App packages folder"? The tool cannot export these files since there's no API for it. It will not import the policies with these files, which is probably the reason you can't see them.

Cheers!

Micke-K avatar Mar 20 '23 12:03 Micke-K

Hello!

I'm closing this based on the assumption that the ADMX/ADML files were not available during import.

Let me know if you want to reopen it.

Cheers

Micke-K avatar Apr 13 '23 12:04 Micke-K

Hi Micke,

Sorry about the LONG delay in getting back to you.

It sounds like I am going about this the wrong way then, just so I understand, I need to do the following in this order to import custom ADMX backed profiles:

1 - Import the ADMX\ADML directly into Intune (Can they be a newer version?)
2 - Add the ADMX\ADML files to the App Packages folder within the app
3 - Import the ADMX-backed profile itself.

Is that correct? What about if I have an ADMX-backed profile .JSON not previously exported using your toolset, will this work following the above?

At the moment, I am seeing errors of:

"<![LOG[Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations (Request ID: 4b911195-d59b-40de-8dde-75c95b97e4c2). Status code: BadRequest. Response message: Empty Payload. JSON content expected. Exception: The remote server returned an error: (400) Bad Request.]LOG]!><time="13:37:57.000+000" date="06-01-2023" component="Start-IntuneManagement" context="" type="3" thread="13432" file="Start-IntuneManagement">"

Thanks and sorry for the late reply!

durrante avatar Jun 01 '23 12:06 durrante

Hello!

You can import ADMX/ADML with the tool but the files must be available during the import. Once they are imported, then you can import policies based on the ADMX file.

It should work as long as you have the json and the ADMX/ADML files and do it in the correct order.

Bulk import should take care of the order. If importing manually, then you have to make sure to import ADMX first. It might take some time before it is finished. Also, if it is a multi level ADMX (eg Mozilla/Firefox) then they have to be imported in the correct order as well.

It is just crazy complex in the background but I guess that was the only way of doing it. It's all about that each imported ADMX will end up with a unique ID and so will every policy as well. So importing them twice or in different environments, will generate completely "different" setting IDs in the background. So the script has to figure out the ID of the policy settings every single time which also makes it hard if you have imported two versions of the same ADMX file.

I hope that explains it a little bit more. Let me know if you still have problems importing them.

Cheers!

Micke-K avatar Jun 07 '23 10:06 Micke-K
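
The ID problem described in the comment above, as an added example (not part of the thread and not IntuneManagement's own code): settings exported from one tenant are re-mapped to the definition IDs of another by a descriptive key, and anything missing or matching more than one imported ADMX version is flagged. All data is constructed, and the export shape and the choice of `classType` + `categoryPath` + `displayName` as the key are assumptions of this sketch.

```powershell
# Constructed sample: settings as exported from the source tenant.
# 'sourceId' values are only valid in the tenant they were exported from.
$exported = @(
    [pscustomobject]@{ sourceId = 'src-0001'; classType = 'machine'; categoryPath = '\Mozilla\Firefox'; displayName = 'Sample setting A' }
    [pscustomobject]@{ sourceId = 'src-0002'; classType = 'machine'; categoryPath = '\Mozilla\Firefox'; displayName = 'Sample setting B' }
    [pscustomobject]@{ sourceId = 'src-0003'; classType = 'machine'; categoryPath = '\Mozilla\Firefox'; displayName = 'Sample setting C' }
)

# Constructed sample: definitions in the target tenant after its own ADMX import.
# Setting B appears twice because two versions of the same ADMX were imported.
$targetDefinitions = @(
    [pscustomobject]@{ id = 'tgt-1001'; classType = 'machine'; categoryPath = '\Mozilla\Firefox'; displayName = 'Sample setting A' }
    [pscustomobject]@{ id = 'tgt-1002'; classType = 'machine'; categoryPath = '\Mozilla\Firefox'; displayName = 'Sample setting B' }
    [pscustomobject]@{ id = 'tgt-2002'; classType = 'machine'; categoryPath = '\Mozilla\Firefox'; displayName = 'Sample setting B' }
)

function Resolve-DefinitionId {
    param([object[]]$ExportedValues, [object[]]$TargetDefinitions)

    # Index target definitions by a key that does not change between imports.
    $index = @{}
    foreach ($def in $TargetDefinitions) {
        $key = '{0}|{1}|{2}' -f $def.classType, $def.categoryPath, $def.displayName
        if (-not $index.ContainsKey($key)) {
            $index[$key] = [System.Collections.Generic.List[string]]::new()
        }
        $index[$key].Add($def.id)
    }

    foreach ($value in $ExportedValues) {
        $key = '{0}|{1}|{2}' -f $value.classType, $value.categoryPath, $value.displayName
        $ids = @()
        if ($index.ContainsKey($key)) { $ids = @($index[$key]) }

        # Exactly one match is the only safe outcome; never guess between versions.
        $status = switch ($ids.Count) { 0 { 'Missing' } 1 { 'Resolved' } default { 'Ambiguous' } }
        [pscustomobject]@{
            DisplayName = $value.displayName
            SourceId    = $value.sourceId
            TargetId    = if ($status -eq 'Resolved') { $ids[0] } else { $null }
            Status      = $status
        }
    }
}

Resolve-DefinitionId -ExportedValues $exported -TargetDefinitions $targetDefinitions | Format-Table -AutoSize
```

With this sample, setting A resolves to `tgt-1001`, B is `Ambiguous` and C is `Missing`. Treating any row that is not `Resolved` as a reason to stop keeps a baseline from being created with blank settings.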

Hi Micke,

Thanks for your reply, ah I see, that makes sense! So I did import the ADMX's in advance directly into the portal, then I tried the manual importing of the JSON files, but it just seemed to error out with the above error message. I can't help but think I am doing something wrong and maybe that the ADMX file that I have imported manually is NEWER than what the JSON file was based upon, would that break the import process?

Cheers!

durrante avatar Jun 07 '23 10:06 durrante

Hello!

Could be the case.

Can you zip the json and admx/adml and attach it here and I'll have a look.

Cheers!

Micke-K avatar Jun 07 '23 10:06 Micke-K

Hi again,

Sure thing, attached is the ADMX \ ADML and the JSON. The JSON's all come from STIG, there's others that didn't work either but my testing was all performed on the Firefox ones that I've uploaded. ADMX and JSON.zip

Thanks for taking the time looking into this! :)

durrante avatar Jun 07 '23 10:06 durrante

Hello

I had a look at this.

First, the json file you sent only has the settings so that will never import. How did you get that?

Second, something is broken. If I select details view of a custom ADMX policy, the policyConfigurationIngestionType is custom. If I load the full object, it changes to unknown. That behaviour must have changed because that breaks the logic in the script. So it is not working anymore because the script is expecting a value of custom for ADMX based policies. This is a requirement for it to allow export/import between environments. If it is custom, it will add additional properties to the export so it can identify the policies in the new environment.

I'll see if I can create a workaround for this somehow.

Cheers!

Micke-K avatar Jun 07 '23 13:06 Micke-K

Hi Micke,

Thanks for looking into this, much appreciated. So I got these JSON files from STIGs GPO, here's the download page: https://public.cyber.mil/stigs/gpo/, if you unzip it, there will be another .zip file called 'Intune STIG Setting Baseline.zip' which then contains ANOTHER zip file called 'DISA Intune STIG Baselines_Apr2023.zip' and this folder contains all of the JSON files.

DISA Intune STIG Baselines_Apr2023.zip

I have attached it as a reference!

durrante avatar Jun 07 '23 17:06 durrante

I had a look at this tonight but no quick fix yet.

It will be impossible to import the files from STIG. They don't have enough information for that. They have an ID for the policy but that is only valid in the environment it was exported. There is no way to figure out what policy setting it would be in other environments.

Cheers!

Micke-K avatar Jun 08 '23 12:06 Micke-K

Hi Micke,

Thank you for looking into this, much appreciated. I guess I will build them from scratch!

Thanks,

durrante avatar Jun 09 '23 09:06 durrante

Hi Micke,

Hope you're well,

So I manually built out the STIG baselines for Adobe Reader DC and Firefox using imported ADMX, I've exported them using your Intune Management tool, when I go to import into another environment the configuration settings are blank, I feel like I am not doing something right again, here's my steps:

1 - Export from existing environment
2 - Store source ADMX files into folder and make this folder known in the settings for 'App Packages Folder'
3 - Import the ADMX's via the Intune Management tool (This is a step I was unsure of, should I be importing manually via the Intune portal? I assumed not).
4 - Import the ADMX backed admin templates (Once ADMX import has completed).

Are any of these steps wrong? This is what I end up with:

image

durrante avatar Jun 23 '23 09:06 durrante

Hello,

No, you're not doing anything wrong. It's broken. Something has changed in the API. The required info is not returned anymore when getting the full info about the policy. I am looking into this. I just haven't had much time lately.

Cheers!

Micke-K avatar Jun 27 '23 12:06 Micke-K

Understood!

Let me know if you need a test guinea pig, happy to help!

durrante avatar Jun 27 '23 15:06 durrante

Hello,

Try this version. I've managed to export Custom ADMX policies and then re-import them again. Even after deleting/re-importing Custom ADMX files.

Let me know if you have any questions.

Cheers!

EndpointManager.zip

Micke-K avatar Jun 29 '23 14:06 Micke-K

Hi again,

Good news, all working for me too! I had to export again (previous export wouldn't work), but yeah all good now.

Thanks for this, really appreciated.

durrante avatar Jun 29 '23 14:06 durrante

Hi Mick,

I've tried the export/import for Mozilla / Firefox ADMX templates and settings, but my policies are still empty in the new environment. I used the 3.9.1 version of the IntuneManagement tool and followed the steps described by @durrante, but no luck for me. The steps I took are:

1 - Export from existing environment
2 - Store source ADMX files into folder and make this folder known in the settings for 'App Packages Folder'
3 - Import the ADMX's via the Intune Management tool.
4 - Import the ADMX backed admin templates

I've added all the files involved in a zip: ADMX_Import.zip

Error log showing:

  • Failed to invoke MS Graph with URL https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations/e2b955b8-d6c2-4765-b6d1-16bfaa72ade8/definitionValues (Request ID: fafadcfb-131e-4801-b3cc-dd1ed090821d). Status code: NotFound. Response message: . Response message: An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 3c5b818c-d3f0-485f-84af-01e4ad5fa31f - Url: https://fef.msub06.manage.microsoft.com/GroupPolicy/GroupPolicyAdminService/b15c97ad-ffff-2537-0807-092303264217/deviceManagement/groupPolicyConfigurations('e2b955b8-d6c2-4765-b6d1-16bfaa72ade8')/definitionValues?api-version=5018-11-06 Exception: The remote server returned an error: (404) Not Found.
  • No custom ADMX definitiona found for setting Enabled
  • Settings might not be available if imported in another environment

Best regards.

ewvbeek avatar Sep 24 '23 20:09 ewvbeek

Hi @ewvbeek \ @Micke-K ,

I also experienced very similar issues last week, I am on leave this week but will happily send over logs to confirm the above once I'm back, but I am confident that the same issues were present.

durrante avatar Sep 28 '23 10:09 durrante

Hello!

That is not good. That means MS probably changed something again. They did this in the most complicated way. At least for moving settings between environments.

I'll have another look.

Cheers!

Micke-K avatar Sep 28 '23 12:09 Micke-K

Hello!

Can you try this? I could import custom ADMX based policies again.

Cheers!

Attachment removed. Included in 3.9.2

Micke-K avatar Oct 05 '23 12:10 Micke-K

3.9.2 fixes some issues with ADMX import.

There was another issue with this though that I fixed in issue 169.

EndpointManager.zip

Micke-K avatar Oct 21 '23 23:10 Micke-K