IntuneSettingCatalogASRRulesPolicyWindows10: Cannot be deployed #3961

Closed
ricmestre opened this issue Nov 29, 2023 · 5 comments · Fixed by #3990
Labels: Bug (Something isn't working), Intune, V1.23.1122.1 (Version 1.23.1122.1)


ricmestre commented Nov 29, 2023

Description of the issue

IntuneSettingCatalogASRRulesPolicyWindows10 cannot be deployed. The module was changed to not have Identity as mandatory, but its corresponding schema wasn't changed, so it complains about it as soon as you try to deploy the policy.

Microsoft 365 DSC Version

1.23.1122.1

Which workloads are affected

other

The DSC configuration

# Generated with Microsoft365DSC version 1.23.1122.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
    [parameter()]
    [System.Management.Automation.PSCredential]
    $Credential
)

Configuration IntuneSettingCatalogASRRulesPolicyWindows10
{
    param (
        [parameter()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    if ($null -eq $Credential)
    {
        <# Credentials #>
        $Credscredential = Get-Credential -Message "Credentials"

    }
    else
    {
        $CredsCredential = $Credential
    }

    $OrganizationName = $CredsCredential.UserName.Split('@')[1]

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.1122.1'

    Node localhost
    {
        IntuneSettingCatalogASRRulesPolicyWindows10 "IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1"
        {
            Assignments                                                                = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
            );
            attacksurfacereductiononlyexclusions                                       = @("Test 1", "Test2", "Test3");
            blockabuseofexploitedvulnerablesigneddrivers                               = "block";
            blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion = "audit";
            Credential                                                                 = $CredsCredential;
            DisplayName                                                                = "IntuneSettingCatalogASRRulesPolicyWindows10_1";
            Ensure                                                                     = "Present";
            Identity                                                                   = "80d22119-b8cf-466d-bfc5-c2dca1d90f43";
        }
    }
}

IntuneSettingCatalogASRRulesPolicyWindows10 -ConfigurationData .\ConfigurationData.psd1 -Credential $Credential

Verbose logs showing the problem

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' =
root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer G02PTXN03538 with user sid S-1-5-21-4015586115-2868605778-3706768115-272540.
VERBOSE: [G02PTXN03538]: LCM:  [ Start  Set      ]
VERBOSE: [G02PTXN03538]: LCM:  [ End    Set      ]
The command Get-TargetResource of the PS resource MSFT_IntuneSettingCatalogASRRulesPolicyWindows10 does not implement the key property Identity mentioned in the corresponding MOF schema file C:\Program
Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1122.1\DscResources\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.schema.mof as a mandatory parameter.
All key parameters mentioned in the schema file must be implemented by the command Get-TargetResource as mandatory function parameters.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : KeyParameterNotImplemented
    + PSComputerName        : localhost

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, pt-PT}

Name                           Value
----                           -----
PSVersion                      5.1.22621.2428
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2428
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
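
The `KeyParameterNotImplemented` error above is raised when a property marked `[Key]` in the `.schema.mof` is not a mandatory parameter of `Get-TargetResource`. The check below is an added example, not code from the issue or from Microsoft365DSC; the MOF and module text are constructed, reduced stand-ins for the real files, and `Get-MofKeyProperty` and `Get-MandatoryParameter` are hypothetical helper names.

```powershell
# Constructed, reduced stand-ins for the resource's .schema.mof and .psm1 (not the real files).
$schemaMof = @'
class MSFT_IntuneSettingCatalogASRRulesPolicyWindows10 : OMI_BaseResource
{
    [Key, Description("Identity of the policy")] String Identity;
    [Required, Description("Display name of the policy")] String DisplayName;
};
'@
$moduleSource = @'
function Get-TargetResource
{
    param
    (
        [Parameter()] [System.String] $Identity,
        [Parameter(Mandatory = $true)] [System.String] $DisplayName
    )
}
'@

function Get-MofKeyProperty    # hypothetical helper
{
    param ([Parameter(Mandatory = $true)] [string] $Mof)
    # A key property is declared as: [Key, ...] <Type> <Name>;
    [regex]::Matches($Mof, '(?m)^\s*\[\s*Key\b[^\]]*\]\s*\w+\s+(\w+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Get-MandatoryParameter    # hypothetical helper
{
    param ([Parameter(Mandatory = $true)] [string] $Source, [string] $FunctionName = 'Get-TargetResource')
    # Parse without executing the module, then locate the function definition.
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Source, [ref]$null, [ref]$null)
    $fn = $ast.Find({ param($n) $n -is [System.Management.Automation.Language.FunctionDefinitionAst] -and
            $n.Name -eq $FunctionName }, $true)
    foreach ($p in $fn.Body.ParamBlock.Parameters)
    {
        # Keep parameters carrying [Parameter(Mandatory)] or [Parameter(Mandatory = $true)].
        $hit = $p.Attributes |
            Where-Object { $_ -is [System.Management.Automation.Language.AttributeAst] -and $_.TypeName.Name -eq 'Parameter' } |
            ForEach-Object { $_.NamedArguments } |
            Where-Object { $_.ArgumentName -eq 'Mandatory' -and ($_.ExpressionOmitted -or $_.Argument.Extent.Text -eq '$true') }
        if ($hit) { $p.Name.VariablePath.UserPath }
    }
}

# Report every schema key that Get-TargetResource does not declare as mandatory.
$mandatory = @(Get-MandatoryParameter -Source $moduleSource)
$missing = @(Get-MofKeyProperty -Mof $schemaMof | Where-Object { $_ -notin $mandatory })
if ($missing) { "Key properties not mandatory in Get-TargetResource: $($missing -join ', ')" } else { 'Schema keys and Get-TargetResource mandatory parameters agree.' }
```

To run the same comparison against an installed resource, read the two files with `Get-Content -Raw` in place of the inline strings.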

ricmestre commented Nov 29, 2023

Note that this is not the only issue with IntuneSettingCatalogASRRulesPolicyWindows10. After fixing the schema, trying to deploy it afterwards will result in always saying that the policy was not found, and it tries to create a new one which is never created. It always ends up with this:

VERBOSE: [REDACTED]:                            [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] Checking for the      Intune Endpoint Protection Attack Surface Protection rules Policy {IntuneSettingCatalogASRRulesPolicyWindows10_1}
VERBOSE: [REDACTED]:                            [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] No Endpoint           Protection Attack Surface Protection rules Policy {80d22119-b8cf-466d-bfc5-c2dca1d90f43} was found
VERBOSE: [REDACTED]:                            [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] No Endpoint           Protection Attack Surface Protection rules Policy {IntuneSettingCatalogASRRulesPolicyWindows10_1} was found
VERBOSE: [REDACTED]:                            [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] Creating new Endpoint  Protection Attack Surface Protection rules Policy {IntuneSettingCatalogASRRulesPolicyWindows10_1}
VERBOSE: [REDACTED]:                            [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] POST                  https://graph.microsoft.com/beta/deviceManagement/configurationPolicies with 9934-byte payload
VERBOSE: [REDACTED]:                            [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] received 920-byte     response of content type application/json
VERBOSE: [REDACTED]: LCM:  [ End    Set      ]  [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1]  in 1.4590 seconds.
VERBOSE: [REDACTED]: LCM:  [ End    Resource ]  [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1]
VERBOSE: [REDACTED]: LCM:  [ End    Set      ]
VERBOSE: [REDACTED]: LCM:  [ End    Set      ]    in  2.7000 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 2.748 seconds

and in Event Viewer

Error updating data:

{ Response status code does not indicate success: BadRequest (Bad Request). } \ at New-IntuneDeviceConfigurationPolicy, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1122.1\DscResources\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1: line 1185
 \ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1122.1\DscResources\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1: line 471

@andikrueger
Collaborator

To summarise the actions to fix this issue

  1. make Identity an optional parameter in Schema and module
  2. Fix the implementation of how an object is grabbed from graph (if identity is present, grab by id, if nothing is found grab it with the display name)

@ricmestre
Contributor Author

@andikrueger Correct, but for point 2 please see that it already tries to do that, it's just that for some reason it's not working because the policy never gets to be created so it never finds it either by Id or DisplayName. I didn't have time to look at the code to figure out what's the problem yet.

@MKlingner
Contributor

@ricmestre I will rework my pull request and try to fix it as @andikrueger suggested.

@Cyanic-Cloud

I am having the same issue so a fix to this problem would be great, thanks in advance
