Cannot convert the "MSFT_DeviceManagementConfigurationPolicyAssignments" value of type

[hvdbrink]

Details of the scenario you tried and the problem that is occurring

I'm trying to import DSC resources to intune after exporting them from another tenant.
Creating the MOF goes on without a issue, but once I start the configuration and it gets to the App Configuration Policies, those fail because the assignments can't be read.

Verbose logs showing the problem

Cannot process argument transformation on parameter 'Target'. Cannot convert the "MSFT_DeviceManagementConfigurationPolicyAssignments" value of type "Microsoft.Management.Infrastructure.CimInstance#MSFT_DeviceManagementConfigurationPolicyAssignments" to type "System.Collections.Hashtable".             + CategoryInfo          : InvalidData: (:) [], CimException 
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Compare-M365DSCComplexObject
+ PSComputerName        : localhost        

The PowerShell DSC resource '[IntuneApplicationControlPolicyWindows10]2730ed1b-0b6c-40d5-93f6-277cf97f3111' with SourceInfo 'Z:\onedrive\2023\M365\Intune-RWO-V.ps1::122::9::IntuneApplicationControlPolicyWindows10' threw one or more non-terminating errors while running the Test-TargetResource       functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo          : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName        : localhost   

Suggested solution to the issue

The DSC configuration that is used to reproduce the issue (as detailed as possible)

This is the full configuration for the app that fails, doesn't matter which one it is, Android, iOS
{
IntuneAppConfigurationPolicy c304e0a4-75b6-464d-84d6-ebcdbc4427b4
{
Assignments =
MSFT_DeviceManagementConfigurationPolicyAssignments{
deviceAndAppManagementAssignmentFilterType = 'none'
dataType = '#microsoft.graph.groupAssignmentTarget'
groupId = '9eef68d0-e0ec-4d1e-9cbb-568d42a86142'
};
Credential = $Credscredential;
CustomSettings = @(
MSFT_IntuneAppConfigurationPolicyCustomSetting {
name = ' WebProtection'
value = 'true'
}
MSFT_IntuneAppConfigurationPolicyCustomSetting {
name = 'DefenderEndUserTrustFlowEnable'
value = 'false'
}
MSFT_IntuneAppConfigurationPolicyCustomSetting {
name = 'DefenderNetworkProtectionAutoRemediation'
value = 'true'
}
MSFT_IntuneAppConfigurationPolicyCustomSetting {
name = 'DefenderNetworkProtectionPrivacy'
value = 'true'
}
MSFT_IntuneAppConfigurationPolicyCustomSetting {
name = 'DefenderExcludeURLInReport '
value = 'false'
}
MSFT_IntuneAppConfigurationPolicyCustomSetting {
name = 'DefenderSendFeedback '
value = 'false'
});
Description = "Configuration for MAM device concerning MS defender for iOS";
DisplayName = "$OrganizationName -iOS-MS defender ATP MAM";
Ensure = "Present";
}

The operating system the target node is running

OsName : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage : en-US
OsMuiLanguages : {en-US, en-GB}

Version of the DSC module that was used ('dev' if using current dev branch)

Release 1.23.111.1

[William-Francillette]

Hi @hvdbrink, could you confirm if the issue is with IntuneApplicationControlPolicyWindows10 or with the IntuneAppProtectionPolicyAndroid/iOS please
The error and the trace you submitted are from different resources

Thanks

[hvdbrink]

Added the error with some verbose information from the import, the first one is from iOS, i'm checking if this also happens for android and W10.

VERBOSE: [LAP70223281]:                            [[IntuneAppConfigurationPolicy]0ac93379-2e5c-40c1-bf79-9875f9f1f7ea] No App Configuration Policy with displayName {RWOV-iOS-MS defender ATP MAM} was found 
VERBOSE: [LAP70223281]:                            [[IntuneAppConfigurationPolicy]0ac93379-2e5c-40c1-bf79-9875f9f1f7ea] Current Values: Assignments=({dataType=#microsoft.graph.groupAssignmentTarget; 
deviceAndAppManagementAssignmentFilterType=none; deviceAndAppManagementAssignmentFilterId=; groupId=9eef68d0-e0ec-4d1e-9cbb-568d42a86142; collectionId=}); Credential=***;
CustomSettings=({name= WebProtection; value=true},{name=DefenderEndUserTrustFlowEnable; value=false},{name=DefenderNetworkProtectionAutoRemediation; value=true},{name=DefenderNetworkProtectionPrivacy;      
value=true},{name=DefenderExcludeURLInReport ; value=false},{name=DefenderSendFeedback ; value=false}); Description=Configuration for MAM device concerning MS defender for iOS; DisplayName=RWOV-iOS-MS      
defender ATP MAM; Ensure=Absent; Verbose=True
VERBOSE: [LAP70223281]:                            [[IntuneAppConfigurationPolicy]0ac93379-2e5c-40c1-bf79-9875f9f1f7ea] Target Values: Assignments=({dataType=#microsoft.graph.groupAssignmentTarget;         
deviceAndAppManagementAssignmentFilterType=none; deviceAndAppManagementAssignmentFilterId=; groupId=9eef68d0-e0ec-4d1e-9cbb-568d42a86142; collectionId=}); Credential=***;
CustomSettings=({name= WebProtection; value=true},{name=DefenderEndUserTrustFlowEnable; value=false},{name=DefenderNetworkProtectionAutoRemediation; value=true},{name=DefenderNetworkProtectionPrivacy;      
value=true},{name=DefenderExcludeURLInReport ; value=false},{name=DefenderSendFeedback ; value=false}); Description=Configuration for MAM device concerning MS defender for iOS; DisplayName=RWOV-iOS-MS      
defender ATP MAM; Ensure=Present; Verbose=True
Cannot process argument transformation on parameter 'Target'. Cannot convert the "MSFT_DeviceManagementConfigurationPolicyAssignments" value of type "Microsoft.Management.Infrastructure.CimInstance#MSFT_De
viceManagementConfigurationPolicyAssignments" to type "System.Collections.Hashtable".
    + CategoryInfo          : InvalidData: (:) [], CimException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Compare-M365DSCComplexObject
    + PSComputerName        : localhost
 
VERBOSE: [LAP70223281]:                            [[IntuneAppConfigurationPolicy]0ac93379-2e5c-40c1-bf79-9875f9f1f7ea] Test-TargetResource returned False
VERBOSE: [LAP70223281]: LCM:  [ End    Test     ]  [[IntuneAppConfigurationPolicy]0ac93379-2e5c-40c1-bf79-9875f9f1f7ea]  in 7.2830 seconds.
The PowerShell DSC resource '[IntuneAppConfigurationPolicy]0ac93379-2e5c-40c1-bf79-9875f9f1f7ea' with SourceInfo 'Z:\2023\M365\Intune-RWO-V.ps1::34::9::IntuneAppConfigurationPolicy' threw one or more non-t 
erminating errors while running the Test-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : localhost
 
VERBOSE: [LAP70223281]: LCM:  [ Start  Resource ]  [[IntuneAppConfigurationPolicy]2d79cc35-6b27-465a-858c-6f652bbb4120]
VERBOSE: [LAP70223281]: LCM:  [ Start  Test     ]  [[IntuneAppConfigurationPolicy]2d79cc35-6b27-465a-858c-6f652bbb4120]

[ykuijs]

Issue occurs when the policy does not exist yet. In that case, the code returns the nullReturn value, which is basically the inputted data with Ensure=Absent.

Microsoft365DSC/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1

Lines 69 to 81 in 74c7cf5

	$nullResult = $PSBoundParameters
	$nullResult.Ensure = 'Absent'
	try
	{
	$configPolicy = Get-MgDeviceAppManagementTargetedManagedAppConfiguration -Filter "displayName eq '$DisplayName'" `
	-ErrorAction Stop
	if ($null -eq $configPolicy)
	{
	Write-Verbose -Message "No App Configuration Policy with displayName {$DisplayName} was found"
	return $nullResult
	}

If the test method then processes the returned information from the Get method, the Assignment parameter contains the CIM instance, which it is unable to convert into a hashtable resulting in the error:

Microsoft365DSC/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppConfigurationPolicy/MSFT_IntuneAppConfigurationPolicy.psm1

Lines 357 to 377 in 74c7cf5

	if ($CurrentValues.Assignments)
	{
	if ($CurrentValues.Assignments.count -ne $ValuesToCheck.Assignments.count)
	{
	Write-Verbose -Message "Configuration drift: Number of assignment has changed - current {$($CurrentValues.Assignments.count)} target {$($ValuesToCheck.Assignments.count)}"
	return $false
	}
	foreach ($assignment in $CurrentValues.Assignments)
	{
	#GroupId Assignment
	if (-not [String]::IsNullOrEmpty($assignment.groupId))
	{
	$source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupId -eq $assignment.groupId }
	if (-not $source)
	{
	Write-Verbose -Message "Configuration drift: groupId {$($assignment.groupId)} not found"
	$testResult = $false
	break;
	}
	$sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
	$testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment

Now checking what has to be changed to fix the issue.

[ykuijs]

Changed the nullReturn value to only export the mandatory parameters instead of copying the PSBoundParameters variable. Code now works as expected.

Fix will be included in a next PR