Merge pull request #657 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Modules/CIPPCore/Public/Add-CIPPScheduledTask.ps1

@@ -46,6 +46,20 @@ function Add-CIPPScheduledTask {
                 return "Could not run task: $ErrorMessage"
             }
         } else {
+            # Generate RowKey early to use in duplicate check
+            if (!$Task.RowKey) {
+                $RowKey = (New-Guid).Guid
+            } else {
+                $RowKey = $Task.RowKey
+            }
+
+            # Check for duplicate RowKey (prevents race conditions)
+            $Filter = "PartitionKey eq 'ScheduledTask' and RowKey eq '$RowKey'"
+            $ExistingTaskByKey = (Get-CIPPAzDataTableEntity @Table -Filter $Filter)
+            if ($ExistingTaskByKey) {
+                return "Task with ID $RowKey already exists"
+            }
+
             if ($DisallowDuplicateName) {
                 $Filter = "PartitionKey eq 'ScheduledTask' and Name eq '$($Task.Name)'"
                 $ExistingTask = (Get-CIPPAzDataTableEntity @Table -Filter $Filter)
@@ -110,11 +124,8 @@ function Add-CIPPScheduledTask {
             }
             $AdditionalProperties = ([PSCustomObject]$AdditionalProperties | ConvertTo-Json -Compress)
             if ($Parameters -eq 'null') { $Parameters = '' }
-            if (!$Task.RowKey) {
-                $RowKey = (New-Guid).Guid
-            } else {
-                $RowKey = $Task.RowKey
-            }
+
+            # RowKey already generated during duplicate check above
 
             $Recurrence = if ([string]::IsNullOrEmpty($task.Recurrence.value)) {
                 $task.Recurrence

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecScheduledCommand.ps1

@@ -35,6 +35,48 @@ function Push-ExecScheduledCommand {
         Remove-Variable -Name ScheduledTaskId -Scope Script -ErrorAction SilentlyContinue
         return
     }
+    # Task should be 'Pending' (queued by orchestrator) or 'Running' (retry/recovery)
+    # We accept both to handle edge cases
+
+    # Check for rerun protection - prevent duplicate executions within the recurrence interval
+    if ($task.Recurrence -and $task.Recurrence -ne '0') {
+        # Calculate interval in seconds from recurrence string
+        $IntervalSeconds = switch -Regex ($task.Recurrence) {
+            '^(\d+)$' { [int64]$matches[1] * 86400 }  # Plain number = days
+            '(\d+)m$' { [int64]$matches[1] * 60 }
+            '(\d+)h$' { [int64]$matches[1] * 3600 }
+            '(\d+)d$' { [int64]$matches[1] * 86400 }
+            default { 0 }
+        }
+
+        if ($IntervalSeconds -gt 0) {
+            # Round down to nearest 15-minute interval (900 seconds) since that's when orchestrator runs
+            # This prevents rerun blocking issues due to slight timing variations
+            $FifteenMinutes = 900
+            $AdjustedInterval = [Math]::Floor($IntervalSeconds / $FifteenMinutes) * $FifteenMinutes
+
+            # Ensure we have at least one 15-minute interval
+            if ($AdjustedInterval -lt $FifteenMinutes) {
+                $AdjustedInterval = $FifteenMinutes
+            }
+            # Use task RowKey as API identifier for rerun cache
+            $RerunParams = @{
+                TenantFilter = $Tenant
+                Type         = 'ScheduledTask'
+                API          = $task.RowKey
+                Interval     = $AdjustedInterval
+                BaseTime     = [int64]$task.ScheduledTime
+                Headers      = $Headers
+            }
+
+            $IsRerun = Test-CIPPRerun @RerunParams
+            if ($IsRerun) {
+                Write-Information "Scheduled task $($task.Name) for tenant $Tenant was recently executed. Skipping to prevent duplicate execution."
+                Remove-Variable -Name ScheduledTaskId -Scope Script -ErrorAction SilentlyContinue
+                return
+            }
+        }
+    }
 
     if ($task.Trigger) {
         # Extract trigger data from the task and process

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecAppInsightsQuery.ps1

@@ -24,13 +24,12 @@ function Invoke-ExecAppInsightsQuery {
     try {
         $LogData = Get-ApplicationInsightsQuery -Query $Query
 
-        $Body = @{
+        $Body = ConvertTo-Json -Depth 10 -Compress -InputObject @{
             Results  = @($LogData)
             Metadata = @{
                 Query = $Query
             }
-        } | ConvertTo-Json -Depth 10 -Compress
-
+        }
         return [HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
             Body       = $Body

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Core/Invoke-ExecListBackup.ps1

@@ -31,11 +31,22 @@ function Invoke-ExecListBackup {
                     Items        = $properties.Name
                 }
             } else {
+                # Prefer stored indicator (BackupIsBlob) to avoid reading Backup field
+                $isBlob = $false
+                if ($null -ne $item.PSObject.Properties['BackupIsBlob']) {
+                    try { $isBlob = [bool]$item.BackupIsBlob } catch { $isBlob = $false }
+                } else {
+                    # Fallback heuristic for legacy rows if property missing
+                    if ($null -ne $item.PSObject.Properties['Backup']) {
+                        $b = $item.Backup
+                        if ($b -is [string] -and ($b -like 'https://*' -or $b -like 'http://*')) { $isBlob = $true }
+                    }
+                }
                 [PSCustomObject]@{
                     BackupName = $item.RowKey
                     Timestamp  = $item.Timestamp
+                    Source     = if ($isBlob) { 'blob' } else { 'table' }
                 }
-
             }
         }
         $Result = $Processed | Sort-Object Timestamp -Descending

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-AddScheduledItem.ps1

@@ -32,7 +32,7 @@ function Invoke-AddScheduledItem {
         $ScheduledTask = @{
             Task                  = $Request.Body
             Headers               = $Request.Headers
-            hidden                = $hidden
+            Hidden                = $hidden
             DisallowDuplicateName = $Request.Query.DisallowDuplicateName
             DesiredStartTime      = $Request.Body.DesiredStartTime
         }

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Scheduler/Invoke-ListScheduledItems.ps1

@@ -22,9 +22,9 @@ function Invoke-ListScheduledItems {
         $SearchTitle = $Request.query.SearchTitle ?? $Request.body.SearchTitle
 
         if ($ShowHidden -eq $true) {
-            $ScheduledItemFilter.Add('Hidden eq true')
+            $ScheduledItemFilter.Add("(Hidden eq true or Hidden eq 'True')")
         } else {
-            $ScheduledItemFilter.Add('Hidden eq false')
+            $ScheduledItemFilter.Add("(Hidden eq false or Hidden eq 'False')")
         }
 
         if ($Name) {
@@ -43,6 +43,7 @@ function Invoke-ListScheduledItems {
         $HiddenTasks = $true
     }
     $Tasks = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+    Write-Information "Retrieved $($Tasks.Count) scheduled tasks from storage."
     if ($Type) {
         $Tasks = $Tasks | Where-Object { $_.command -eq $Type }
     }
@@ -58,8 +59,12 @@ function Invoke-ListScheduledItems {
         $AllowedTenantDomains = $TenantList | Where-Object -Property customerId -In $AllowedTenants | Select-Object -ExpandProperty defaultDomainName
         $Tasks = $Tasks | Where-Object -Property Tenant -In $AllowedTenantDomains
     }
-    $ScheduledTasks = foreach ($Task in $tasks) {
+
+    Write-Information "Found $($Tasks.Count) scheduled tasks after filtering and access check."
+
+    $ScheduledTasks = foreach ($Task in $Tasks) {
         if (!$Task.Tenant -or !$Task.Command) {
+            Write-Information "Skipping invalid scheduled task entry: $($Task.RowKey)"
             continue
         }
 

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/CIPP/Settings/Invoke-ExecRestoreBackup.ps1

@@ -12,13 +12,26 @@ function Invoke-ExecRestoreBackup {
     try {
 
         if ($Request.Body.BackupName -like 'CippBackup_*') {
-            $Table = Get-CippTable -tablename 'CIPPBackup'
-            $Backup = Get-CippAzDataTableEntity @Table -Filter "RowKey eq '$($Request.Body.BackupName)' or OriginalEntityId eq '$($Request.Body.BackupName)'"
+            # Use Get-CIPPBackup which already handles fetching from blob storage
+            $Backup = Get-CIPPBackup -Type 'CIPP' -Name $Request.Body.BackupName
             if ($Backup) {
-                $BackupData = $Backup.Backup | ConvertFrom-Json -ErrorAction SilentlyContinue | Select-Object * -ExcludeProperty ETag, Timestamp
+                $raw = $Backup.Backup
+                $BackupData = $null
+
+                # Get-CIPPBackup already fetches blob content, so raw should be JSON string
+                try {
+                    if ($raw -is [string]) {
+                        $BackupData = $raw | ConvertFrom-Json -ErrorAction Stop
+                    } else {
+                        $BackupData = $raw | Select-Object * -ExcludeProperty ETag, Timestamp
+                    }
+                } catch {
+                    throw "Failed to parse backup JSON: $($_.Exception.Message)"
+                }
+
                 $BackupData | ForEach-Object {
                     $Table = Get-CippTable -tablename $_.table
-                    $ht2 = @{ }
+                    $ht2 = @{}
                     $_.psobject.properties | ForEach-Object { $ht2[$_.Name] = [string]$_.Value }
                     $Table.Entity = $ht2
                     Add-CIPPAzDataTableEntity @Table -Force

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-ListAppProtectionPolicies.ps1

@@ -25,7 +25,7 @@
             @{
                 id     = 'ManagedAppPolicies'
                 method = 'GET'
-                url    = '/deviceAppManagement/managedAppPolicies?$expand=assignments&$orderby=displayName'
+                url    = '/deviceAppManagement/managedAppPolicies?$orderby=displayName'
             }
             @{
                 id     = 'MobileAppConfigurations'
@@ -41,60 +41,58 @@
 
         $GraphRequest = [System.Collections.Generic.List[object]]::new()
 
-        # Process Managed App Policies - these need separate assignment lookups
+        # Process Managed App Policies - these need separate assignment lookups as the ManagedAppPolicies endpoint does not support $expand
         $ManagedAppPolicies = ($BulkResults | Where-Object { $_.id -eq 'ManagedAppPolicies' }).body.value
         if ($ManagedAppPolicies) {
-            # Build bulk requests for assignments of policies that support them
-            $AssignmentRequests = [System.Collections.Generic.List[object]]::new()
-            foreach ($Policy in $ManagedAppPolicies) {
-                # Only certain policy types support assignments endpoint
-                $odataType = $Policy.'@odata.type'
-                if ($odataType -match 'androidManagedAppProtection|iosManagedAppProtection|windowsManagedAppProtection|targetedManagedAppConfiguration') {
-                    $urlSegment = switch -Wildcard ($odataType) {
-                        '*androidManagedAppProtection*' { 'androidManagedAppProtections' }
-                        '*iosManagedAppProtection*' { 'iosManagedAppProtections' }
-                        '*windowsManagedAppProtection*' { 'windowsManagedAppProtections' }
-                        '*targetedManagedAppConfiguration*' { 'targetedManagedAppConfigurations' }
-                    }
-                    if ($urlSegment) {
-                        $AssignmentRequests.Add(@{
-                                id     = $Policy.id
-                                method = 'GET'
-                                url    = "/deviceAppManagement/$urlSegment('$($Policy.id)')/assignments"
-                            })
+            # Get all @odata.type and deduplicate them
+            $OdataTypes = ($ManagedAppPolicies | Select-Object -ExpandProperty '@odata.type' -Unique) -replace '#microsoft.graph.', ''
+            $ManagedAppPoliciesBulkRequests = foreach ($type in $OdataTypes) {
+                # Translate to URL segments
+                $urlSegment = switch ($type) {
+                    'androidManagedAppProtection' { 'androidManagedAppProtections' }
+                    'iosManagedAppProtection' { 'iosManagedAppProtections' }
+                    'mdmWindowsInformationProtectionPolicy' { 'mdmWindowsInformationProtectionPolicies' }
+                    'windowsManagedAppProtection' { 'windowsManagedAppProtections' }
+                    'targetedManagedAppConfiguration' { 'targetedManagedAppConfigurations' }
+                    default { $null }
+                }
+                Write-Information "Type: $type => URL Segment: $urlSegment"
+                if ($urlSegment) {
+                    @{
+                        id     = $type
+                        method = 'GET'
+                        url    = "/deviceAppManagement/${urlSegment}?`$expand=assignments&`$orderby=displayName"
                     }
                 }
             }
 
-            # Fetch assignments in bulk if we have any
-            $AssignmentResults = @{}
-            if ($AssignmentRequests.Count -gt 0) {
-                $AssignmentBulkResults = New-GraphBulkRequest -Requests $AssignmentRequests -tenantid $TenantFilter
-                foreach ($result in $AssignmentBulkResults) {
-                    if ($result.body.value) {
-                        $AssignmentResults[$result.id] = $result.body.value
-                    }
-                }
+            $ManagedAppPoliciesBulkResults = New-GraphBulkRequest -Requests $ManagedAppPoliciesBulkRequests -tenantid $TenantFilter
+            # Do this horriblenes as a workaround, as the results dont return with a odata.type property
+            $ManagedAppPolicies = $ManagedAppPoliciesBulkResults | ForEach-Object {
+                $URLName = $_.id
+                $_.body.value | Add-Member -NotePropertyName 'URLName' -NotePropertyValue $URLName -Force
+                $_.body.value
             }
 
+
+
             foreach ($Policy in $ManagedAppPolicies) {
-                $policyType = switch -Wildcard ($Policy.'@odata.type') {
-                    '*androidManagedAppProtection*' { 'Android App Protection' }
-                    '*iosManagedAppProtection*' { 'iOS App Protection' }
-                    '*windowsManagedAppProtection*' { 'Windows App Protection' }
-                    '*mdmWindowsInformationProtectionPolicy*' { 'Windows Information Protection (MDM)' }
-                    '*windowsInformationProtectionPolicy*' { 'Windows Information Protection' }
-                    '*targetedManagedAppConfiguration*' { 'App Configuration (MAM)' }
-                    '*defaultManagedAppProtection*' { 'Default App Protection' }
+                $policyType = switch ($Policy.'URLName') {
+                    'androidManagedAppProtection' { 'Android App Protection'; break }
+                    'iosManagedAppProtection' { 'iOS App Protection'; break }
+                    'windowsManagedAppProtection' { 'Windows App Protection'; break }
+                    'mdmWindowsInformationProtectionPolicy' { 'Windows Information Protection (MDM)'; break }
+                    'windowsInformationProtectionPolicy' { 'Windows Information Protection'; break }
+                    'targetedManagedAppConfiguration' { 'App Configuration (MAM)'; break }
+                    'defaultManagedAppProtection' { 'Default App Protection'; break }
                     default { 'App Protection Policy' }
                 }
 
                 # Process assignments
                 $PolicyAssignment = [System.Collections.Generic.List[string]]::new()
                 $PolicyExclude = [System.Collections.Generic.List[string]]::new()
-                $Assignments = $AssignmentResults[$Policy.id]
-                if ($Assignments) {
-                    foreach ($Assignment in $Assignments) {
+                if ($Policy.assignments) {
+                    foreach ($Assignment in $Policy.assignments) {
                         $target = $Assignment.target
                         switch ($target.'@odata.type') {
                             '#microsoft.graph.allDevicesAssignmentTarget' { $PolicyAssignment.Add('All Devices') }
@@ -112,7 +110,7 @@
                 }
 
                 $Policy | Add-Member -NotePropertyName 'PolicyTypeName' -NotePropertyValue $policyType -Force
-                $Policy | Add-Member -NotePropertyName 'URLName' -NotePropertyValue 'managedAppPolicies' -Force
+                # $Policy | Add-Member -NotePropertyName 'URLName' -NotePropertyValue 'managedAppPolicies' -Force
                 $Policy | Add-Member -NotePropertyName 'PolicySource' -NotePropertyValue 'AppProtection' -Force
                 $Policy | Add-Member -NotePropertyName 'PolicyAssignment' -NotePropertyValue ($PolicyAssignment -join ', ') -Force
                 $Policy | Add-Member -NotePropertyName 'PolicyExclude' -NotePropertyValue ($PolicyExclude -join ', ') -Force

Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-UserTasksOrchestrator.ps1

@@ -10,8 +10,11 @@ function Start-UserTasksOrchestrator {
     param()
 
     $Table = Get-CippTable -tablename 'ScheduledTasks'
-    $1HourAgo = (Get-Date).AddHours(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
-    $Filter = "PartitionKey eq 'ScheduledTask' and (TaskState eq 'Planned' or TaskState eq 'Failed - Planned' or (TaskState eq 'Running' and Timestamp lt datetime'$1HourAgo'))"
+    $30MinutesAgo = (Get-Date).AddMinutes(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+    $4HoursAgo = (Get-Date).AddHours(-4).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+    # Pending = orchestrator queued, Running = actively executing
+    # Pick up: Planned, Failed-Planned, stuck Pending (>30min), or stuck Running (>4hr for large AllTenants tasks)
+    $Filter = "PartitionKey eq 'ScheduledTask' and (TaskState eq 'Planned' or TaskState eq 'Failed - Planned' or (TaskState eq 'Pending' and Timestamp lt datetime'$30MinutesAgo') or (TaskState eq 'Running' and Timestamp lt datetime'$4HoursAgo'))"
     $tasks = Get-CIPPAzDataTableEntity @Table -Filter $Filter
 
     $RateLimitTable = Get-CIPPTable -tablename 'SchedulerRateLimits'
@@ -49,11 +52,14 @@ function Start-UserTasksOrchestrator {
         $currentUnixTime = [int64](([datetime]::UtcNow) - (Get-Date '1/1/1970')).TotalSeconds
         if ($currentUnixTime -ge $task.ScheduledTime) {
             try {
+                # Update task state to 'Pending' immediately to prevent concurrent orchestrator runs from picking it up
+                # 'Pending' = orchestrator has picked it up and is queuing commands
+                # 'Running' = actual execution is happening (set by Push-ExecScheduledCommand)
                 $null = Update-AzDataTableEntity -Force @Table -Entity @{
                     PartitionKey = $task.PartitionKey
                     RowKey       = $task.RowKey
                     ExecutedTime = "$currentUnixTime"
-                    TaskState    = 'Planned'
+                    TaskState    = 'Pending'
                 }
                 $task.Parameters = $task.Parameters | ConvertFrom-Json -AsHashtable
                 $task.AdditionalProperties = $task.AdditionalProperties | ConvertFrom-Json