TenantAtlas/specs/023-endpoint-security-restore/plan.md
ahmido 69d98e925c feat/018-driver-updates-wufb (#27)
Tenants: create/open tenant → set tenant_id, app_client_id, app_client_secret → Make current (important).
Inventory → Policies: click Sync from Intune at the top.
In the table, filter by Type = “Driver Updates (Windows)” (windowsDriverUpdateProfile) and open the policy.
On the policy: check the Settings tab (“Driver Update Profile” block), then click Capture snapshot and look at the version under Versions.
Restore test (test tenant only!): open the version → Restore to Intune first as Dry-run, then Execute; afterwards check the result under Backups & Restore → Restore Runs (it should show graph_path with deviceManagement/windowsDriverUpdateProfiles/...).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #27
2026-01-04 00:38:54 +00:00


# Plan: Endpoint Security Policy Restore (023)
**Branch**: `feat/023-endpoint-security-restore`
**Date**: 2026-01-03
**Input**: [spec.md](./spec.md)
**Status**: Implemented (ready to merge)
## Goal
Enable full restore execution for Endpoint Security Policies (`endpointSecurityPolicy`) instead of preview-only, with defensive validation around templates and settings payloads.
## Approach
1. Enable restore execution in `config/tenantpilot.php` by switching `endpointSecurityPolicy.restore` from `preview-only` to `enabled`.
2. Add template existence validation during restore preview:
   - Resolve the snapshot's `templateReference` (family/id/display name where available).
   - Confirm the referenced template is resolvable in the target tenant before execution.
   - Surface warnings in preview and fail execution with a clear error when the template is missing.
3. Add settings instance validation prior to execution:
   - Resolve template definitions for the target tenant.
   - Validate that settings instances are structurally compatible with the resolved template.
   - Treat validation failures as preview warnings, and block execution when the payload cannot be made safe.
4. Ensure restore uses the existing generic configuration policy create/update flow:
   - Create when no match exists; update when matched (per existing restore matching rules).
   - Apply assignments using existing mapping logic.
5. Add targeted tests covering:
   - Create + update restore execution for `endpointSecurityPolicy`.
   - Preview warnings and execution failure when the template is missing.
   - Settings validation failure paths.
   - Assignment application expectations.
## Decisions / Notes
- Assume template identifiers may differ across tenants; prefer mapping by `templateFamily`, with a display-name fallback when required.
- Safety-first: if template resolution is ambiguous, treat it as missing and block execution.
- Incident hardening: make restore failures actionable by surfacing the Graph path/method, and avoid unsafe fallback endpoints.
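Worked example of the template-resolution and execution-gating decisions above (Approach step 2 plus the safety-first rule), added here as an illustration; it is not TenantAtlas code. It assumes the snapshot reference carries Graph's `templateId`/`templateFamily`/`templateDisplayName` keys and that the target tenant's templates are a list of `id`/`templateFamily`/`displayName` arrays.

```php
<?php
// Added example, not TenantAtlas code. Resolves a snapshot's templateReference
// against the target tenant's templates as the plan's decisions describe:
// id match first, then templateFamily, then a display-name fallback; anything
// still ambiguous is treated as missing so execution is blocked. Key names
// follow Graph's templateReference (templateId/templateFamily/templateDisplayName)
// and target entries use id/templateFamily/displayName; both are assumed shapes.

function resolveTemplateReference(array $ref, array $targetTemplates): array
{
    foreach ($targetTemplates as $t) {
        if ($t['id'] === $ref['templateId']) {            // same id in both tenants
            return ['status' => 'resolved', 'templateId' => $t['id'], 'warnings' => []];
        }
    }
    $warnings = ["templateId {$ref['templateId']} not found in target; mapping by templateFamily"];
    $candidates = array_values(array_filter($targetTemplates,
        fn ($t) => $t['templateFamily'] === $ref['templateFamily']));
    if (count($candidates) > 1) {                           // family alone is not unique
        $warnings[] = 'several templates share the family; falling back to templateDisplayName';
        $candidates = array_values(array_filter($candidates,
            fn ($t) => $t['displayName'] === $ref['templateDisplayName']));
    }
    if (count($candidates) === 1) {
        return ['status' => 'resolved', 'templateId' => $candidates[0]['id'], 'warnings' => $warnings];
    }
    // Safety-first: zero or multiple candidates are both treated as missing.
    $warnings[] = $candidates ? 'template resolution ambiguous; treated as missing' : 'template missing in target tenant';
    return ['status' => 'missing', 'templateId' => null, 'warnings' => $warnings];
}

// Preview only surfaces the warnings; execute refuses to run an unresolved restore.
function gateRestore(string $mode, array $resolution): array
{
    if ($mode === 'execute' && $resolution['status'] !== 'resolved') {
        throw new RuntimeException('Restore blocked: ' . implode('; ', $resolution['warnings']));
    }
    return ['mode' => $mode, 'proceed' => $resolution['status'] === 'resolved', 'warnings' => $resolution['warnings']];
}

// Constructed sample data (not real tenant identifiers).
$target = [
    ['id' => 'tgt-av-1', 'templateFamily' => 'endpointSecurityAntivirus', 'displayName' => 'Microsoft Defender Antivirus'],
    ['id' => 'tgt-av-2', 'templateFamily' => 'endpointSecurityAntivirus', 'displayName' => 'Defender Antivirus exclusions'],
    ['id' => 'tgt-fw-1', 'templateFamily' => 'endpointSecurityFirewall', 'displayName' => 'Windows Firewall'],
];
$ref = ['templateId' => 'src-av-9', 'templateFamily' => 'endpointSecurityAntivirus', 'templateDisplayName' => 'Microsoft Defender Antivirus'];
print_r(gateRestore('preview', resolveTemplateReference($ref, $target)));   // resolved to tgt-av-1, with warnings
$ref['templateDisplayName'] = 'Renamed elsewhere';
print_r(gateRestore('preview', resolveTemplateReference($ref, $target)));   // missing: preview warns, execute would throw
```

Running the same `missing` resolution through `gateRestore('execute', ...)` throws, which is the blocking behaviour the plan calls for; the preview path keeps the warnings visible for the restore run record.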