IntuneAccountProtection*Policy: After extract cannot compile to MOF if existing policies have Assignments set #3913

Closed
ricmestre opened this issue Nov 16, 2023 · 1 comment · Fixed by #3914 or #3985

Comments

@ricmestre

Description of the issue

The existing 3 policies for IntuneAccountProtection*Policy can be extracted but cannot be compiled to MOF if Assignments is set. This is because the export still uses DeviceManagementConfigurationPolicyAssignments instead of IntuneAccountProtectionPolicyAssignments.

Microsoft 365 DSC Version

1.23.1115.1

Which workloads are affected

other

The DSC configuration

IntuneAccountProtectionPolicy "IntuneAccountProtectionPolicy-IntuneAccountProtectionPolicy_1"
        {
            Assignments                                        = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
            );
            Credential                                             = $Credscredential;
            deviceGuardLocalSystemAuthorityCredentialGuardSettings = "enableWithUEFILock";
            DisplayName                                            = "IntuneAccountProtectionPolicy_1";
            enhancedAntiSpoofingForFacialFeaturesEnabled           = $False;
            Ensure                                                 = "Present";
            Identity                                               = "15a53411-1ea4-4eeb-9f6f-44f75ffc7a87";
            pinLowercaseCharactersUsage                            = "notConfigured";
            pinRecoveryEnabled                                     = $False;
            pinSpecialCharactersUsage                              = "notConfigured";
            pinUppercaseCharactersUsage                            = "notConfigured";
            securityDeviceRequired                                 = $False;
            unlockWithBiometricsEnabled                            = $False;
            useCertificatesForOnPremisesAuthEnabled                = $False;
            useSecurityKeyForSignin                                = $False;
            windowsHelloForBusinessBlocked                         = "notConfigured";
        }

Verbose logs showing the problem

Write-NodeMOFFile : Invalid MOF definition for node 'localhost': Exception calling "ValidateInstanceText" with "1" argument(s): "Invalid embedded (reference) property value was found. The value object is of
class type 'MSFT_DeviceManagementConfigurationPolicyAssignments', which is not 'MSFT_IntuneAccountProtectionPolicyAssignments' or its derived classes."
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psm1:2369 char:21
+ ...             Write-NodeMOFFile $Name $mofNode $Script:NodeInstanceAlia ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Write-Error], InvalidOperationException
    + FullyQualifiedErrorId : InvalidMOFDefinition,Write-NodeMOFFile

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, pt-PT}

Name                           Value
----                           -----
PSVersion                      5.1.22621.1778
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.1778
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
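
A pre-compile check for the mismatch reported above, as an added example that is not part of the original issue or of Microsoft365DSC: it scans exported configuration text for `IntuneAccountProtectionPolicy` blocks whose embedded assignment class differs from the one named in the error message. The function name `Find-AssignmentClassMismatch` and the sample configuration are constructed for illustration, and only the resource/class pair visible in this issue is covered.

```powershell
# Added example, not Microsoft365DSC code. Find-AssignmentClassMismatch is a
# hypothetical name. The expected class comes from the error text in this issue.
$ExpectedAssignmentClass = @{
    'IntuneAccountProtectionPolicy' = 'MSFT_IntuneAccountProtectionPolicyAssignments'
}

function Find-AssignmentClassMismatch {
    param([Parameter(Mandatory)] [string] $ConfigurationText)

    $type = $null; $name = $null; $lineNo = 0
    foreach ($line in ($ConfigurationText -split '\r?\n')) {
        $lineNo++
        # Resource header, e.g.: IntuneAccountProtectionPolicy "instance name"
        if ($line -match '^\s*(?<type>\w+)\s+"(?<name>[^"]+)"\s*$') {
            $type = $Matches['type']; $name = $Matches['name']
            continue
        }
        # Embedded instance header, e.g.: MSFT_...Assignments{
        if ($type -and $ExpectedAssignmentClass.ContainsKey($type) -and
            $line -match '^\s*(?<class>MSFT_\w+Assignments)\s*\{') {
            $expected = $ExpectedAssignmentClass[$type]
            if ($Matches['class'] -ne $expected) {
                [pscustomobject]@{
                    Line     = $lineNo
                    Resource = "$type/$name"
                    Found    = $Matches['class']
                    Expected = $expected
                }
            }
        }
    }
}

# Constructed sample in the shape of the extract above (group id is a placeholder).
$sample = @'
IntuneAccountProtectionPolicy "IntuneAccountProtectionPolicy-Sample"
{
    Assignments = @(
        MSFT_DeviceManagementConfigurationPolicyAssignments{
            dataType = '#microsoft.graph.groupAssignmentTarget'
            groupId  = '00000000-0000-0000-0000-000000000000'
        }
    );
    DisplayName = "Sample";
    Ensure      = "Present";
}
'@

Find-AssignmentClassMismatch -ConfigurationText $sample | Format-Table -AutoSize
```

To check a real extract, pass the exported file's contents read with `Get-Content -Raw` instead of the sample.
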
@ricmestre

@andikrueger, @NikCharlebois By the way, I found out why we can't see the difference while patching some MOF files. This is because they are saved as UTF-16 LE instead of UTF-8, so it counts as binary patching and the patch is not displayed, not even locally in VSCode.

ricmestre changed the title from "IntuneAccountProtection*Policy: After extract cannot compiler to MOF if existing policies have Assignments set" to "IntuneAccountProtection*Policy: After extract cannot compile to MOF if existing policies have Assignments set" on Nov 23, 2023