[GH-ISSUE #5410] [Bug]: Encrypted OMA-URI values in Intune device configuration policies are not handled #2610

Open
opened 2026-03-02 13:53:43 +03:00 by kerem · 2 comments
Originally created by @alexrsagen on GitHub (Feb 20, 2026).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/5410

Required confirmations before submitting

  • I can reproduce this issue on the latest released versions of both CIPP and CIPP-API.
  • I have searched existing issues (both open and closed) to avoid duplicates.
  • I am not requesting general support; this is an actual bug report.

Issue Description

CIPP currently does not seem to handle encrypted OMA setting values.

These are used by Intune with the "Custom" policy template, which allows you to manually configure policies using OMA-URI.

Using the "Custom" policy template is necessary for new features, features that aren't yet included in a more specific policy template or settings catalog, or sometimes even for fully supported features such as Assigned Access or Local group membership, where the Intune UI is either simply wrong or doesn't allow you to provide all values supported by the setting.

When you access a policy containing an encrypted OMA setting value, you will get the value PGEvPg== (base64 encoded value of <a/>). This is just a placeholder value. We need to get the real value via the Graph API using the secretReferenceValueId property instead, which CIPP currently does not do.

  • Graph API endpoint to get encrypted OMA setting values: https://learn.microsoft.com/en-us/graph/api/intune-deviceconfig-deviceconfiguration-getomasettingplaintextvalue?view=graph-rest-1.0
  • PowerShell cmdlet to get encrypted OMA setting values: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.devicemanagement/get-mgdevicemanagementdeviceconfigurationomasettingplaintextvalue?view=graph-powershell-1.0

Steps to reproduce

  1. In Intune, create a new device configuration policy
    • Platform: Windows 10 and later
    • Profile type: Templates
    • Template name: Custom
    • Name: CIPP-LocalUsersAndGroups-TestPolicy
  2. Add a new OMA-URI setting to the configuration policy
    • Name: Local group membership
    • OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure
    • Data type: String (XML file)
    • Custom XML:
      <GroupConfiguration>
          <!-- BUILTIN\Users -->
          <accessgroup desc="S-1-5-32-545">
              <group action="U"/>
              <!-- BUILTIN\Authenticated Users -->
              <remove member="S-1-5-11"/>
              <!-- BUILTIN\Interactive -->
              <remove member="S-1-5-4"/>
              <!-- BUILTIN\Administrators -->
              <add member="S-1-5-32-544"/>
          </accessgroup>
      </GroupConfiguration>
      
  3. In CIPP, go to Intune -> Device Management -> Configuration Policies, find the policy and select Actions -> Create template based on policy
  4. In CIPP, go to Intune -> Device Management -> Policy Templates, find the policy template and select Actions -> Edit Template. Observe the OMA setting placeholder value.
  5. In CIPP, go to Tenant Administration -> Standards & Drift -> Standards Management -> Templates and select Add a new template
  6. Click Add Standard to Template, select Intune Template, select the template we created earlier based on the Intune policy
  7. Run the standard for a different tenant than the one the policy was exported from and check the logbook. Observe the error message listed under "Relevant Logs / Stack Trace".

Environment Type

Sponsored (paying) user

Front End Version

v10.0.9

Back End Version

v10.0.9

Relevant Logs / Stack Trace

Failed added policy CIPP-LocalUsersAndGroups-TestPolicy. Error:

{
"_version": 3,
"Message": "SecretReferenceValueId invalid for create. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: [guid] - Url: https://proxy.msub06.manage.microsoft.com/DeviceConfiguration_2602/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations?api-version=5026-01-10",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
}
@github-actions[bot] commented on GitHub (Feb 20, 2026):

Thank you for reporting a potential bug. If you would like to work on this bug, please comment:

I would like to work on this please!

Thank you for helping us maintain the project!

@alexrsagen commented on GitHub (Feb 20, 2026):

Here's an example of how to use the mentioned Graph API to extract the encrypted OMA setting values:

https://github.com/eneerge/Azure-Intune-Export-DeviceConfiguration-Decrypts/blob/798ca7d04f38459d38e7b4334ae23e9d9c6b2a1b/DeviceConfiguration_Export.ps1#L152-L213

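The resolution step the issue asks for, as an added example that is neither CIPP's code nor the linked export script: it detects the PGEvPg== placeholder, fetches the real value through the documented getOmaSettingPlainTextValue Graph function using the setting's secretReferenceValueId, and drops that tenant-specific reference id before the policy is created elsewhere (sending it is what yields "SecretReferenceValueId invalid for create"). It assumes Microsoft.Graph.Authentication is loaded and Connect-MgGraph has been run with DeviceManagementConfiguration.Read.All; the $Resolver parameter, the policy/secret ids and the second sample setting are hypothetical so the logic can run offline against constructed input. isEncrypted is left exactly as exported; only the reference id is removed.

```powershell
# Added example (not CIPP's or eneerge's code): resolve encrypted OMA-URI values of an
# Intune custom device configuration before re-creating it in another tenant.
# Assumes Microsoft.Graph.Authentication is loaded and Connect-MgGraph has been run
# with DeviceManagementConfiguration.Read.All; $Resolver is a hypothetical hook used
# here so the logic can run offline against constructed input.

function Test-OmaPlaceholderValue {
    # True when the exported value is only the PGEvPg== placeholder, i.e. base64("<a/>").
    param([AllowNull()][string] $Value)
    if ([string]::IsNullOrEmpty($Value)) { return $false }
    try {
        $decoded = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Value))
        return $decoded -eq '<a/>'
    } catch { return $false }   # not valid base64, so not the placeholder
}

function Get-OmaSettingPlainTextValue {
    # Default resolver: the documented Graph function for encrypted OMA settings.
    param([string] $PolicyId, [string] $SecretId)
    $uri = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$PolicyId" +
           "/getOmaSettingPlainTextValue(secretReferenceValueId='$SecretId')"
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value
}

function Resolve-EncryptedOmaSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DeviceConfigurationId,
        [Parameter(Mandatory)] [object[]] $OmaSettings,
        # Hypothetical hook: (policyId, secretReferenceValueId) -> plaintext string.
        [scriptblock] $Resolver = ${function:Get-OmaSettingPlainTextValue}
    )
    foreach ($setting in $OmaSettings) {
        # Work on a copy so the exported object is left untouched.
        $clone = [ordered]@{}
        foreach ($p in $setting.PSObject.Properties) { $clone[$p.Name] = $p.Value }

        if ($setting.secretReferenceValueId) {
            if (-not (Test-OmaPlaceholderValue $setting.value)) {
                Write-Warning "$($setting.omaUri): secret reference present but value is not the placeholder; resolving anyway."
            }
            # Fetch the real value; the exported one is only the placeholder.
            $clone['value'] = & $Resolver $DeviceConfigurationId $setting.secretReferenceValueId
            # The reference id only exists in the source tenant; sending it on create
            # is what produces "SecretReferenceValueId invalid for create".
            $clone.Remove('secretReferenceValueId')
        }
        elseif (Test-OmaPlaceholderValue $setting.value) {
            Write-Warning "$($setting.omaUri): placeholder value without a secretReferenceValueId; the template is incomplete."
        }
        [pscustomobject]$clone
    }
}

# Constructed sample input: roughly what a template export of the policy in this issue
# looks like (ids are placeholders, the second setting is hypothetical).
$exported = @(
    [pscustomobject]@{
        '@odata.type'          = '#microsoft.graph.omaSettingString'
        displayName            = 'Local group membership'
        omaUri                 = './Device/Vendor/MSFT/Policy/Config/LocalUsersAndGroups/Configure'
        value                  = 'PGEvPg=='
        isEncrypted            = $true
        secretReferenceValueId = '<secret-reference-id-placeholder>'
    },
    [pscustomobject]@{
        '@odata.type' = '#microsoft.graph.omaSettingInteger'
        displayName   = 'Hypothetical unencrypted setting'
        omaUri        = './Device/Vendor/MSFT/Policy/Config/Example/Setting'
        value         = 1
    }
)

# Offline resolver standing in for Graph; returns the XML from the reproduction steps.
$offlineResolver = {
    param($PolicyId, $SecretId)
    @'
<GroupConfiguration>
    <accessgroup desc="S-1-5-32-545">
        <group action="U"/>
        <remove member="S-1-5-11"/>
        <remove member="S-1-5-4"/>
        <add member="S-1-5-32-544"/>
    </accessgroup>
</GroupConfiguration>
'@
}

$ready = Resolve-EncryptedOmaSetting -DeviceConfigurationId '<policy-id-placeholder>' `
    -OmaSettings $exported -Resolver $offlineResolver
$ready | ConvertTo-Json -Depth 5
```

Run against a live tenant by omitting -Resolver; the default calls the Graph function the issue links to. The placeholder check is worth running on its own over existing CIPP templates: any omaSettings entry whose value decodes to `<a/>` was exported without its real content and will fail (or silently apply an empty policy) when deployed to another tenant.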