TenantAtlas/specs/023-endpoint-security-restore/plan.md
Last commit: 69d98e925c by ahmido, feat/018-driver-updates-wufb (#27)
Tenants: create/open a tenant → set tenant_id, app_client_id, app_client_secret → Make current (important).
Inventory → Policies: Sync from Intune at the top.
In the table, filter by Type = "Driver Updates (Windows)" (windowsDriverUpdateProfile) and open the policy.
On the policy: check the Settings tab ("Driver Update Profile" block), then click Capture snapshot and view the version under Versions.
Restore test (test tenant only!): open the version → Restore to Intune, first as Dry-run, then Execute; afterwards check the result under Backups & Restore → Restore Runs (it should show a graph_path of deviceManagement/windowsDriverUpdateProfiles/...).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local>
Reviewed-on: #27
2026-01-04 00:38:54 +00:00


Plan: Endpoint Security Policy Restore (023)

Branch: feat/023-endpoint-security-restore
Date: 2026-01-03
Input: spec.md
Status: Implemented (ready to merge)

Goal

Enable full restore execution for Endpoint Security Policies (endpointSecurityPolicy) instead of preview-only, with defensive validation around templates and settings payloads.

Approach

  1. Enable restore execution in config/tenantpilot.php by switching endpointSecurityPolicy.restore from preview-only to enabled.
  2. Add template existence validation during restore preview:
    • Resolve the snapshot's templateReference (templateFamily, templateId and display name where available).
    • Confirm the referenced template is resolvable in the target tenant before execution.
    • Surface a warning in preview and fail execution with a clear error when the template is missing.
  3. Add settings instance validation prior to execution:
    • Resolve template definitions for the target tenant.
    • Validate that settings instances are structurally compatible with the resolved template.
    • Treat validation failures as preview warnings, and block execution when the payload cannot be made safe.
  4. Ensure restore uses the existing generic configuration policy create/update flow:
    • Create when no match exists; update when matched (per existing restore matching rules).
    • Apply assignments using existing mapping logic.
  5. Add targeted tests covering:
    • Create + update restore execution for endpointSecurityPolicy.
    • Preview warnings and execution failure when template is missing.
    • Settings validation failure paths.
    • Assignment application expectations.

Decisions / Notes

  • Assume template identifiers may differ across tenants; prefer mapping by templateFamily with display-name fallback when required.
  • Safety-first: if template resolution is ambiguous, treat as missing and block execution.
  • Incident hardening: make restore failures actionable by surfacing the Graph path and method that failed, and avoid unsafe fallback endpoints.
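The template resolution and settings validation described in Approach steps 2 and 3 and in the Decisions above, worked through as an added example. This is not TenantAtlas code: the function names (resolveTemplate, validateSettings, validateRestore), the split between blocking errors and preview-only warnings, and the graph_path value are assumptions made for illustration. Payload shapes follow Graph's deviceManagementConfigurationPolicy (templateReference with templateId/templateFamily/templateDisplayName; settings[].settingInstance with @odata.type and settingDefinitionId); the $catalogue array stands in for the target tenant's configurationPolicyTemplates and their settingTemplates, and all sample data is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not TenantAtlas code. Resolve the snapshot's templateReference in the
// target tenant (templateFamily first, display name as fallback, ambiguity treated as
// missing), then check each settings instance against the resolved template.
// $catalogue stands in for the target tenant's template list (assumption); sample data is constructed.

/** Resolve the template in the target tenant; null means missing or ambiguous. */
function resolveTemplate(array $ref, array $catalogue, array &$warnings): ?array
{
    $family = $ref['templateFamily'] ?? null;
    $snapId = $ref['templateId'] ?? '(none)';

    // Narrow to the snapshot's family when it has one; never match across families.
    $candidates = $family === null
        ? $catalogue
        : array_values(array_filter($catalogue, fn (array $t) => $t['templateFamily'] === $family));

    foreach ($candidates as $t) {            // exact id match needs no remapping
        if ($t['id'] === $snapId) {
            return $t;
        }
    }
    if (count($candidates) === 1) {          // same family, different id: remap and warn
        $warnings[] = "templateId {$snapId} remapped to {$candidates[0]['id']} via templateFamily";
        return $candidates[0];
    }
    $name = $ref['templateDisplayName'] ?? null;
    $byName = array_values(array_filter($candidates, fn (array $t) => $t['displayName'] === $name));
    if (count($byName) === 1) {              // display-name fallback, only when it is unique
        $warnings[] = "template {$byName[0]['id']} matched by display-name fallback";
        return $byName[0];
    }
    return null;                             // zero or several candidates: safety-first, treat as missing
}

/** Validate settings instances against the template; errors block execution, warnings do not. */
function validateSettings(array $settings, array $template, array &$errors, array &$warnings): void
{
    // settingDefinitionId => instance @odata.type the template expects. Template entries carry the
    // *InstanceTemplate type; the instance inside a policy drops the "Template" suffix.
    $expected = [];
    foreach ($template['settingTemplates'] as $st) {
        $inst = $st['settingInstanceTemplate'];
        $expected[$inst['settingDefinitionId']] = preg_replace('/Template$/', '', $inst['@odata.type']);
    }

    $seen = [];
    foreach ($settings as $i => $setting) {
        $inst = $setting['settingInstance'] ?? null;
        if (!is_array($inst) || !isset($inst['settingDefinitionId'], $inst['@odata.type'])) {
            $errors[] = "settings[{$i}]: settingInstance lacks settingDefinitionId or @odata.type";
            continue;
        }
        $defId = $inst['settingDefinitionId'];
        if (!array_key_exists($defId, $expected)) {
            $errors[] = "settings[{$i}]: {$defId} is not defined by template {$template['id']}";
        } elseif ($expected[$defId] !== $inst['@odata.type']) {
            $errors[] = "settings[{$i}]: {$defId} is {$inst['@odata.type']}, template expects {$expected[$defId]}";
        } elseif (isset($seen[$defId])) {
            $errors[] = "settings[{$i}]: duplicate instance for {$defId}";
        }
        $seen[$defId] = true;
    }
    foreach (array_diff_key($expected, $seen) as $defId => $type) {
        $warnings[] = "template setting {$defId} absent from snapshot; it will not be restored";
    }
}

/** Preview result: warnings are shown, errors block Execute; graph_path is surfaced for triage (assumed value). */
function validateRestore(array $snapshot, array $catalogue): array
{
    $warnings = [];
    $errors = [];
    $template = resolveTemplate($snapshot['templateReference'] ?? [], $catalogue, $warnings);
    if ($template === null) {
        $errors[] = 'templateReference not resolvable in target tenant (missing or ambiguous)';
    } else {
        validateSettings($snapshot['settings'] ?? [], $template, $errors, $warnings);
    }
    return [
        'template_id' => $template['id'] ?? null,
        'warnings'    => $warnings,
        'errors'      => $errors,
        'execute'     => $errors === [],
        'graph_path'  => 'deviceManagement/configurationPolicies',
    ];
}

// Constructed catalogue: one antivirus template, two firewall templates sharing a family and name.
$catalogue = [
    ['id' => 'av-template-v2', 'templateFamily' => 'endpointSecurityAntivirus',
     'displayName' => 'Microsoft Defender Antivirus', 'settingTemplates' => [
        ['settingInstanceTemplate' => ['@odata.type' => '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstanceTemplate',
                                       'settingDefinitionId' => 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring']],
        ['settingInstanceTemplate' => ['@odata.type' => '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstanceTemplate',
                                       'settingDefinitionId' => 'device_vendor_msft_policy_config_defender_daystoretaincleanedmalware']],
    ]],
    ['id' => 'fw-template-a', 'templateFamily' => 'endpointSecurityFirewall', 'displayName' => 'Windows Firewall', 'settingTemplates' => []],
    ['id' => 'fw-template-b', 'templateFamily' => 'endpointSecurityFirewall', 'displayName' => 'Windows Firewall', 'settingTemplates' => []],
];

// Constructed snapshot from a source tenant with a different template id and one foreign setting.
$snapshot = [
    'templateReference' => ['templateId' => 'av-template-v1', 'templateFamily' => 'endpointSecurityAntivirus',
                            'templateDisplayName' => 'Microsoft Defender Antivirus'],
    'settings' => [
        ['settingInstance' => ['@odata.type' => '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance',
                               'settingDefinitionId' => 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring']],
        ['settingInstance' => ['@odata.type' => '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance',
                               'settingDefinitionId' => 'device_vendor_msft_policy_config_firewall_enablefirewall']],
    ],
];
print_r(validateRestore($snapshot, $catalogue));   // remap warning, one blocking error, execute => false

// Ambiguous family (two firewall templates, same display name): treated as missing, execution blocked.
$snapshot['templateReference'] = ['templateId' => 'fw-template-x', 'templateFamily' => 'endpointSecurityFirewall',
                                  'templateDisplayName' => 'Windows Firewall'];
print_r(validateRestore($snapshot, $catalogue));
```

In the first run the antivirus template is remapped by family (a preview warning), the firewall setting is rejected because the resolved template does not define it (a blocking error), and the unset days-to-retain setting is reported as a warning; dropping settings[1] from the snapshot would make execute true. The second run shows the ambiguity rule from the Decisions: two candidates in the family with the same display name cannot be disambiguated, so the template is treated as missing and execution is blocked rather than guessed.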