From 2180c91e49c9b4e261d7451b9c6e58fffe53f570 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 11 Nov 2025 11:03:17 -0500 Subject: [PATCH 1/4] extract value from FileTypeAction fixes ticket 34382084239 --- ...Invoke-CIPPStandardMalwareFilterPolicy.ps1 | 39 ++++++++++--------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 index 2bae9f7d7439..97f7b4b32ed9 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardMalwareFilterPolicy.ps1 @@ -75,10 +75,9 @@ function Invoke-CIPPStandardMalwareFilterPolicy { try { $CurrentState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterPolicy' | - Where-Object -Property Name -EQ $PolicyName | - Select-Object Name, EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled, QuarantineTag, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress - } - catch { + Where-Object -Property Name -EQ $PolicyName | + Select-Object Name, EnableFileFilter, FileTypeAction, FileTypes, ZapEnabled, QuarantineTag, EnableInternalSenderAdminNotifications, InternalSenderAdminAddress, EnableExternalSenderAdminNotifications, ExternalSenderAdminAddress + } catch { $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the MalwareFilterPolicy state for $Tenant. Error: $ErrorMessage" -Sev Error return @@ -92,27 +91,29 @@ function Invoke-CIPPStandardMalwareFilterPolicy { $ExpectedFileTypes = $DefaultFileTypes + @($Settings.OptionalFileTypes.Split(',').Trim()) } + $FileTypeAction = $Settings.FileTypeAction.value ?? $Settings.FileTypeAction ?? 'Quarantine' + $StateIsCorrect = ($CurrentState.Name -eq $PolicyName) -and - ($CurrentState.EnableFileFilter -eq $true) -and - ($CurrentState.FileTypeAction -eq $Settings.FileTypeAction) -and - (!(Compare-Object -ReferenceObject $CurrentState.FileTypes -DifferenceObject $ExpectedFileTypes)) -and - ($CurrentState.ZapEnabled -eq $true) -and - ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and - ($CurrentState.EnableInternalSenderAdminNotifications -eq $Settings.EnableInternalSenderAdminNotifications) -and - (($null -eq $Settings.InternalSenderAdminAddress) -or ($CurrentState.InternalSenderAdminAddress -eq $Settings.InternalSenderAdminAddress)) -and - ($CurrentState.EnableExternalSenderAdminNotifications -eq $Settings.EnableExternalSenderAdminNotifications) -and - (($null -eq $Settings.ExternalSenderAdminAddress) -or ($CurrentState.ExternalSenderAdminAddress -eq $Settings.ExternalSenderAdminAddress)) + ($CurrentState.EnableFileFilter -eq $true) -and + ($CurrentState.FileTypeAction -eq $FileTypeAction) -and + (!(Compare-Object -ReferenceObject $CurrentState.FileTypes -DifferenceObject $ExpectedFileTypes)) -and + ($CurrentState.ZapEnabled -eq $true) -and + ($CurrentState.QuarantineTag -eq $Settings.QuarantineTag) -and + ($CurrentState.EnableInternalSenderAdminNotifications -eq $Settings.EnableInternalSenderAdminNotifications) -and + (($null -eq $Settings.InternalSenderAdminAddress) -or ($CurrentState.InternalSenderAdminAddress -eq $Settings.InternalSenderAdminAddress)) -and + ($CurrentState.EnableExternalSenderAdminNotifications -eq $Settings.EnableExternalSenderAdminNotifications) -and + (($null -eq $Settings.ExternalSenderAdminAddress) -or ($CurrentState.ExternalSenderAdminAddress -eq $Settings.ExternalSenderAdminAddress)) $AcceptedDomains = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-AcceptedDomain' $RuleState = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-MalwareFilterRule' | - Where-Object -Property Name -EQ $RuleName | - Select-Object Name, MalwareFilterPolicy, Priority, RecipientDomainIs + Where-Object -Property Name -EQ $RuleName | + Select-Object Name, MalwareFilterPolicy, Priority, RecipientDomainIs $RuleStateIsCorrect = ($RuleState.Name -eq $RuleName) -and - ($RuleState.MalwareFilterPolicy -eq $PolicyName) -and - ($RuleState.Priority -eq 0) -and - (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name)) + ($RuleState.MalwareFilterPolicy -eq $PolicyName) -and + ($RuleState.Priority -eq 0) -and + (!(Compare-Object -ReferenceObject $RuleState.RecipientDomainIs -DifferenceObject $AcceptedDomains.Name)) if ($Settings.remediate -eq $true) { @@ -122,7 +123,7 @@ function Invoke-CIPPStandardMalwareFilterPolicy { $cmdParams = @{ EnableFileFilter = $true FileTypes = $ExpectedFileTypes - FileTypeAction = $Settings.FileTypeAction + FileTypeAction = $FileTypeAction ZapEnabled = $true QuarantineTag = $Settings.QuarantineTag EnableInternalSenderAdminNotifications = $Settings.EnableInternalSenderAdminNotifications From 79b314a95d43f4f2048f71f15d32eab964e519e8 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 11 Nov 2025 11:12:24 -0500 Subject: [PATCH 2/4] fix: state comparison for spoofwarn fixes https://github.com/KelvinTegelaar/CIPP/issues/4836 --- .../Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 index f86655371873..11676a8f2146 100644 --- a/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 +++ b/Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardSpoofWarn.ps1 @@ -44,8 +44,7 @@ function Invoke-CIPPStandardSpoofWarn { try { $CurrentInfo = (New-ExoRequest -tenantid $Tenant -cmdlet 'Get-ExternalInOutlook') - } - catch { + } catch { $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the SpoofWarn state for $Tenant. Error: $ErrorMessage" -Sev Error return @@ -53,6 +52,8 @@ function Invoke-CIPPStandardSpoofWarn { # Get state value using null-coalescing operator $state = $Settings.state.value ?? $Settings.state + + $IsEnabled = $state -eq 'enabled' $AllowListAdd = $Settings.AllowListAdd.value ?? $Settings.AllowListAdd # Test if all entries in the AllowListAdd variable are in the AllowList @@ -131,7 +132,7 @@ function Invoke-CIPPStandardSpoofWarn { if ($Settings.report -eq $true) { Add-CIPPBPAField -FieldName 'SpoofingWarnings' -FieldValue $CurrentInfo.Enabled -StoreAs bool -Tenant $Tenant - if ($AllowListCorrect -eq $true -and $CurrentInfo.Enabled -eq $status) { + if ($AllowListCorrect -eq $true -and $CurrentInfo.Enabled -eq $IsEnabled) { $FieldValue = $true } else { $FieldValue = $CurrentInfo | Select-Object Enabled, AllowList From c0820ee396b5e3ff726784aea7fd08bb0848c2be Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 11 Nov 2025 11:23:11 -0500 Subject: [PATCH 3/4] resolve username to guid for scheduled tasks --- .../CIPPCore/Public/Remove-CIPPGroupMember.ps1 | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1 b/Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1 index c723ff2d77e7..d3f7f3d7f0cf 100644 --- a/Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1 +++ b/Modules/CIPPCore/Public/Remove-CIPPGroupMember.ps1 @@ -7,13 +7,22 @@ function Remove-CIPPGroupMember( [string]$APIName = 'Remove Group Member' ) { try { - if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) } - # $MemberIDs = 'https://graph.microsoft.com/v1.0/directoryObjects/' + (New-GraphGetRequest -uri "https://graph.microsoft.com/beta/users/$($Member)" -tenantid $TenantFilter).id - # $AddMemberBody = "{ `"members@odata.bind`": $(ConvertTo-Json @($MemberIDs)) }" if ($GroupType -eq 'Distribution list' -or $GroupType -eq 'Mail-Enabled Security') { $Params = @{ Identity = $GroupId; Member = $Member; BypassSecurityGroupManagerCheck = $true } $null = New-ExoRequest -tenantid $TenantFilter -cmdlet 'Remove-DistributionGroupMember' -cmdParams $Params -UseSystemMailbox $true } else { + if ($Member -match '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$') { + Write-Information "Member $Member is a GUID, proceeding with removal." + } else { + Write-Information "Member $Member is not a GUID, attempting to resolve to object ID." + if ($Member -like '*#EXT#*') { $Member = [System.Web.HttpUtility]::UrlEncode($Member) } + $UserObject = New-GraphGetRequest -uri "https://graph.microsoft.com/v1.0/users/$($Member)?`$select=id" -tenantid $TenantFilter + if ($null -eq $UserObject.id) { + throw "Could not resolve user $Member to an object ID." + } + $Member = $UserObject.id + Write-Information "Resolved member to object ID: $Member" + } $null = New-GraphPostRequest -uri "https://graph.microsoft.com/beta/groups/$($GroupId)/members/$($Member)/`$ref" -tenantid $TenantFilter -type DELETE -body '{}' -Verbose } $Results = "Successfully removed user $($Member) from $($GroupId)." From 04ade5954c55f49ce17b2633dcec47f185ac8b15 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Tue, 11 Nov 2025 11:45:43 -0500 Subject: [PATCH 4/4] function offloading tweaks --- Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 b/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 index c17c4dd61100..7632261e1a46 100644 --- a/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 +++ b/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 @@ -10,9 +10,11 @@ function Get-CIPPTimerFunctions { # Check running nodes $VersionTable = Get-CIPPTable -tablename 'Version' - $Nodes = Get-CIPPAzDataTableEntity @VersionTable -Filter "PartitionKey eq 'Version' and RowKey ne 'Version'" | Where-Object { $_.RowKey -match '-' } - $AvailableNodes = $Nodes.RowKey | ForEach-Object { ($_ -split '-')[1] } + $Nodes = Get-CIPPAzDataTableEntity @VersionTable -Filter "PartitionKey eq 'Version' and RowKey ne 'Version'" + $FunctionName = $env:WEBSITE_SITE_NAME + $MainFunctionVersion = ($Nodes | Where-Object { $_.RowKey -eq $FunctionName }).Version + $AvailableNodes = $Nodes.RowKey | Where-Object { $_.RowKey -match '-' -and $_.Version -eq $MainFunctionVersion } | ForEach-Object { ($_ -split '-')[1] } # Get node name if ($FunctionName -match '-') { @@ -22,7 +24,7 @@ function Get-CIPPTimerFunctions { } $RunOnProcessor = $true - if ($Config -and $Config.state -eq $true) { + if ($Config -and $Config.state -eq $true -and $AvailableNodes.Count -gt 0) { if ($env:CIPP_PROCESSOR -ne 'true') { $RunOnProcessor = $false }