Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,226 questions
MSGraph deviceManagement/Intents not showing in Endpoint Security when created via POST
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 64%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Geeves
16
Reputation points
Hopefully not too much of a complex question this.
When using the API. Creating a new Device Management Intent using POST and the below JSON, the policy will create, and give me an Id via the Graph Explorer. To which it can be assigned to a group and will apply, however this is never visible within Endpoint Manager -> Endpoint Security.
POST https://graph.microsoft.com/beta/deviceManagement/intents/
{
"@odata.type": "#microsoft.graph.deviceManagementIntent",
"displayName": "Bitlocker drive encryption policy.",
"description": "Bitlocker Drive Encryption policy for company owned devices.",
"roleScopeTagIds": [
"0"
],
"settings": [
{
"@odata.type": "#microsoft.graph.deviceManagementBooleanSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerEncryptDevice",
"valueJson": "true",
"value": true
},
{
"@odata.type": "#microsoft.graph.deviceManagementComplexSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerFixedDrivePolicy",
"valueJson": "{\"recoveryOptions\":{\"recoveryKeyUsage\":\"allowed\",\"recoveryInformationToStore\":\"passwordAndKey\",\"enableRecoveryInformationSaveToStore\":true,\"recoveryPasswordUsage\":\"required\",\"hideRecoveryOptions\":false,\"enableBitLockerAfterRecoveryInformationToStore\":true,\"blockDataRecoveryAgent\":false},\"requireEncryptionForWriteAccess\":false,\"encryptionMethod\":null}"
},
{
"@odata.type": "#microsoft.graph.deviceManagementBooleanSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerAllowStandardUserEncryption",
"valueJson": "true",
"value": true
},
{
"@odata.type": "#microsoft.graph.deviceManagementComplexSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerSystemDrivePolicy",
"valueJson": "{\"startupAuthenticationRequired\":true,\"startupAuthenticationTpmUsage\":\"required\",\"startupAuthenticationTpmPinUsage\":null,\"startupAuthenticationTpmKeyUsage\":\"blocked\",\"startupAuthenticationTpmPinAndKeyUsage\":null,\"startupAuthenticationBlockWithoutTpmChip\":true,\"prebootRecoveryEnableMessageAndUrl\":false,\"prebootRecoveryMessage\":null,\"prebootRecoveryUrl\":null,\"recoveryOptions\":{\"recoveryKeyUsage\":\"notConfigured\",\"recoveryInformationToStore\":\"passwordAndKey\",\"enableRecoveryInformationSaveToStore\":true,\"recoveryPasswordUsage\":\"allowed\",\"hideRecoveryOptions\":true,\"enableBitLockerAfterRecoveryInformationToStore\":true,\"blockDataRecoveryAgent\":false},\"encryptionMethod\":null,\"minimumPinLength\":10}"
},
{
"@odata.type": "#microsoft.graph.deviceManagementBooleanSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerDisableWarningForOtherDiskEncryption",
"valueJson": "true",
"value": true
},
{
"@odata.type": "#microsoft.graph.deviceManagementComplexSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerRemovableDrivePolicy",
"valueJson": "{\"encryptionMethod\":null,\"requireEncryptionForWriteAccess\":false,\"blockCrossOrganizationWriteAccess\":false}"
},
{
"@odata.type": "#microsoft.graph.deviceManagementStringSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerRecoveryPasswordRotation",
"valueJson": "\"enabledForAzureAdAndHybrid\"",
"value": "enabledForAzureAdAndHybrid"
},
{
"@odata.type": "#microsoft.graph.deviceManagementBooleanSettingInstance",
"definitionId": "deviceConfiguration--windows10EndpointProtectionConfiguration_bitLockerEnableStorageCardEncryptionOnMobile",
"valueJson": "false",
"value": false
}
]
}
If you then run a GET on https://graph.microsoft.com/beta/deviceManagement/intents - It will pull the policy.
Has anyone experienced this?
{count} votes
-
Lu Dai-MSFT 28,366 Reputation points2022-12-21T02:45:26.367+00:00 @Geeves Thanks for posting in our Q&A.
For this issue, please try to refresh the intune portal and check the baseline policies one by one to find if this target policy is listed.
If this policy still doesn't exists, it is suggested to create an intune premier support ticket to get more help. Here is the support link:
https://video2.skills-academy.com/en-us/mem/get-support#premier-and-unified-support-optionsThanks for your understanding and hope everything goes well with you.
-
Geeves 16 Reputation points
2022-12-21T20:50:26.787+00:00 I had waited for hours, tried multiple browsers and 2 separate computers. But still no policy showing up.
I have no premier or unified support, so that was not an option (As I would have gone down that path). Which is why I logged the question here. Hoping someone had come across this issue.
Sign in to comment