almenscorner / IntuneCD

Tool to backup, update and document configurations in Intune
MIT License
277 stars 35 forks

[BUG] Compliance Policies not being added to Assignment report for new groups #201

Closed gmenziesint closed 3 months ago

gmenziesint commented 4 months ago

Describe the bug
As per the title, I can see that Compliance policies don't seem to be added to the assignment report for new groups.

To Reproduce
Steps to reproduce the behavior:

1. Create a new group
2. Add a compliance policy to it and run the pipeline

Expected behavior
Compliance policies to be shown in the assignment report for groups.

Screenshots
If applicable, add screenshots to help explain your problem.

Run type (please complete the following information):

Additional context
Add any other context about the problem here.

almenscorner commented 4 months ago

I am unable to replicate this. I created a group and it was added to the assignment report successfully:

     {
          "groupName": "201testgroup",
          "groupType": "StaticMembership",
          "membershipRule": null,
          "assignedTo": {
               "Compliance Policies": [
                    {
                         "name": "placeholder",
                         "type": "iosCompliancePolicy",
                         "intent": ""
                    }
               ]
          }
     },

Is the group included on the configuration in the backup?

gmenziesint commented 4 months ago

Hmm, let me send on some more information. I can't show the Android / iOS devices as we're targeting all users for them.

[screenshot] Above is a compliance policy, but when I look at the groups for this I can't see any of them showing as assigned; example below.

 {
          "groupName": "Intune: Windows AL Kiosk - All Devices",
          "groupType": "DynamicMembership",
          "membershipRule": "(device.devicePhysicalIds -any (_ -startswith \"[OrderID]:AL Kiosk\"))  and (device.deviceTrustType -eq \"AzureAD\")",
          "assignedTo": {
               "Settings Catalog": [
                    {
                         "name": "Windows AL Kiosk - Baseline Configs",
                         "type": "",
                         "intent": ""
                    },
                    {
                         "name": "Windows AL Kiosk - Kiosk Admins Allow Logon",
                         "type": "",
                         "intent": ""
                    },
                    {
                         "name": "IT Client - Baseline (Azure Joined)",
                         "type": "",
                         "intent": ""
                    },
                    {
                         "name": "Windows AL Kiosk - Baseline MS Edge configurations",
                         "type": "",
                         "intent": ""
                    }
               ],
               "Feature Updates": [
                    {
                         "name": "Windows AL Kiosk - Windows 11 23H2",
                         "type": "",
                         "intent": ""
                    }
               ],
               "Proactive Remediations": [
                    {
                         "name": "IT Client: Detect  Installed - All Devices",
                         "type": "",
                         "intent": ""
                    },
                    {
                         "name": "IT Client: Disable Fast Startup",
                         "type": "",
                         "intent": ""
                    },
                    {
                         "name": "IT Client: Enable System Guard Secure Launch",
                         "type": "",
                         "intent": ""
                    },
                    {
                         "name": "IT Client: Detect CrowdStrike Installed  - All Devices",
                         "type": "",
                         "intent": ""
                    }
               ],
               "Enrollment Profiles": [
                    {
                         "name": "Windows AL Kiosk",
                         "type": "azureADWindowsAutopilotDeploymentProfile",
                         "intent": ""
                    },
                    {
                         "name": "Windows AL Kiosk",
                         "type": "windows10EnrollmentCompletionPageConfiguration",
                         "intent": ""
                    }
               ],
               "Driver Updates": [
                    {
                         "name": "Windows AL Kiosk",
                         "type": "",
                         "intent": ""
                    }
               ],
               "Device Configurations": [
                    {
                         "name": "IT Client - Cert - Computer - SCEP (AADID)",
                         "type": "windows81SCEPCertificateProfile",
                         "intent": "apply"
                    },
                    {
                         "name": "IT Client - Network Profile",
                         "type": "windows81WifiImportConfiguration",
                         "intent": "apply"
                    },
                    {
                         "name": "Windows AL Kiosk - Update Ring",
                         "type": "windowsUpdateForBusinessConfiguration",
                         "intent": "apply"
                    },
                    {
                         "name": "IT Client - Cert )",
                         "type": "windows81TrustedRootCertificate",
                         "intent": "apply"
                    },
                    {
                         "name": "IT Client - Cert - ",
                         "type": "windows81TrustedRootCertificate",
                         "intent": "apply"
                    },
                    {
                         "name": "IT Client - Network Profile",
                         "type": "windows81WifiImportConfiguration",
                         "intent": "apply"
                    }
               ],
               "Applications": [
                    {
                         "name": "[Core] Azure Monitor Agent Client 1.23.0.0",
                         "type": "win32LobApp",
                         "intent": "required"
                    },

I've removed some identifiable information from here, but this is all I can see for the various groups: no compliance policies.

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
  none
schedules:
  - cron: '0 */6 * * *'
    displayName: "Every 6 hours"
    branches:
      include:
      - main
    always: true

pool:
  vmImage: ubuntu-latest

jobs:
  - job: backup_document
    displayName: Backup Intune configuration
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
    - checkout: self
      persistCredentials: true

#Remove existing prod-backup directory
    - task: Bash@3
      displayName: Remove existing prod-backup directory
      inputs:
        targetType: 'inline'
        script: |
          rm -rfv "$(Build.SourcesDirectory)/prod-backup"
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false

# Install IntuneCD
# https://github.com/almenscorner/IntuneCD
    - task: Bash@3
      displayName: Install IntuneCD Package V2.3.2
      inputs:
        targetType: 'inline'
        script: |
          pip3 install IntuneCD==2.3.2
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true

# Backup the latest configuration, using the current directory
    - task: Bash@3
      displayName: IntuneCD backup Start
      inputs:
        targetType: 'inline'
        script: |
          mkdir -p "$(Build.SourcesDirectory)/prod-backup"
          IntuneCD-startbackup \
          --mode=1 \
          --path "$(Build.SourcesDirectory)/prod-backup" \
          --exclude ConditionalAccess \
          --ignore-omasettings \
          --append-id \
          --autopilot \
          --audit
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true
      env:
        TENANT_NAME: $(TENANT_NAME)
        CLIENT_ID: $(CLIENT_ID)
        CLIENT_SECRET: $(CLIENT_SECRET)

# Set git settings
    - task: Bash@3
      displayName: Configure Git Global Settings
      inputs:
        targetType: 'inline'
        script: |
          git config user.name "$(USER_NAME)"
          git config user.email "$(USER_EMAIL)"
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true
# Commit changes and push to Azure DevOps repo
    - task: Bash@3
      displayName: Commit changes to Azure DevOps repo
      name: commitAndsetVariable
      inputs:
        targetType: 'inline'
        script: |
          DATEF=`date +%Y.%m.%d`
          git add --all
          # modified files in folder prod-backup
          var=$(git diff --name-only --staged -- prod-backup)
          echo "##vso[task.setVariable variable=CHANGE_DETECTED;isOutput=true;]$var"
          git commit -m "Intune config backup $DATEF"
          git push origin HEAD:main
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false

# Create markdown documentation
    - task: Bash@3
      displayName: Generate markdown document
      inputs:
        targetType: 'inline'
        script: |
          if [ ! -z "$(commitAndsetVariable.CHANGE_DETECTED)" ]
          then
            INTRO="Intune backup and documentation generated at $(Build.Repository.Uri) <img align=\"right\" width=\"96\" height=\"96\" src=\"./logo.png\">"
            IntuneCD-startdocumentation \
                --path="$(Build.SourcesDirectory)/prod-backup" \
                --outpath="$(Build.SourcesDirectory)/prod-as-built.md" \
                --tenantname="$TENANT_NAME" \
                --intro="$INTRO" \
                #--split=Y
          else
            echo "no configuration backup change detected in the last commit, documentation will not be created"
          fi
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true
      env:
        TENANT_NAME: $(TENANT_NAME)

# Commit changes and push to repo
    - task: Bash@3
      displayName: Commit changes
      inputs:
        targetType: 'inline'
        script: |
          DATEF=`date +%Y.%m.%d`
          git add --all
          git commit -m "Intune config as-built $DATEF"
          git push origin HEAD:main
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false

  - job: tag
    displayName: Tag repo
    dependsOn: backup_document
    condition: and(succeeded(), ne(dependencies.backup_document.outputs['commitAndsetVariable.CHANGE_DETECTED'], ''))
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
    - checkout: self
      persistCredentials: true

# Set git global settings
    - task: Bash@3
      displayName: Configure Git
      inputs:
        targetType: 'inline'
        script: |
          git config user.name "$(USER_NAME)"
          git config user.email "$(USER_EMAIL)"
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: true

    - task: Bash@3
      displayName: Pull origin
      inputs:
        targetType: 'inline'
        script: |
          git pull origin main
        workingDirectory: '$(Build.SourcesDirectory)'
        failOnStderr: false

    - task: PowerShell@2
      displayName: Git tag
      inputs:
        targetType: 'inline'
        script: |
          # change in configuration backup folder detected, create TAG
          $DATEF= Get-Date -format "yyyy-MM-dd_THH-mm"
          git tag -a "v$DATEF" -m "Microsoft Intune configuration snapshot $DATEF"
          git push origin "v$DATEF" *> $null # even status information goes to stderr :(
        failOnStderr: true
        pwsh: false
        workingDirectory: '$(Build.SourcesDirectory)'

  - job: publish
    displayName: Publish as-built artifacts
    dependsOn: tag
    condition: and(succeeded(), ne(dependencies.backup_document.outputs['commitAndsetVariable.CHANGE_DETECTED'], ''))
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
    - checkout: self
      persistCredentials: true

The pipeline above is the one I'm using.

gmenziesint commented 4 months ago

[screenshot]

almenscorner commented 4 months ago

I've been trying to replicate but no success so far.

Do you see the same issue if you run the backup locally and not in a pipeline?

gmenziesint commented 4 months ago

> I've been trying to replicate but no success so far.
>
> Do you see the same issue if you run the backup locally and not in a pipeline?

It seems to be every group we use for Windows compliance policies, if that is helpful? I'll need to take a look at running it locally; it's been a while since I've done it :)

almenscorner commented 4 months ago

I tried specifically with a Windows compliance policy as well, but it was also added to the report:

  {
       "name": "testwin",
       "type": "windows10CompliancePolicy",
       "intent": ""
  }

almenscorner commented 4 months ago

Can you provide the JSON for the policy not working so I can try with a replica?

gmenziesint commented 4 months ago

Is this suitable?

{
     "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
     "roleScopeTagIds": [
          "Default",
          "IT Client - Digital Signage",
          "IT Client"
     ],
     "description": "Policy Created on 7 Nov 2023",
     "displayName": "IT Client - Compliance - Bitlocker",
     "passwordRequired": false,
     "passwordBlockSimple": false,
     "passwordRequiredToUnlockFromIdle": false,
     "passwordMinutesOfInactivityBeforeLock": null,
     "passwordExpirationDays": null,
     "passwordMinimumLength": null,
     "passwordMinimumCharacterSetCount": null,
     "passwordRequiredType": "deviceDefault",
     "passwordPreviousPasswordBlockCount": null,
     "requireHealthyDeviceReport": false,
     "osMinimumVersion": null,
     "osMaximumVersion": null,
     "mobileOsMinimumVersion": null,
     "mobileOsMaximumVersion": null,
     "earlyLaunchAntiMalwareDriverEnabled": false,
     "bitLockerEnabled": false,
     "secureBootEnabled": false,
     "codeIntegrityEnabled": false,
     "memoryIntegrityEnabled": false,
     "kernelDmaProtectionEnabled": false,
     "virtualizationBasedSecurityEnabled": false,
     "firmwareProtectionEnabled": false,
     "storageRequireEncryption": true,
     "activeFirewallRequired": false,
     "defenderEnabled": false,
     "defenderVersion": null,
     "signatureOutOfDate": false,
     "rtpEnabled": false,
     "antivirusRequired": false,
     "antiSpywareRequired": false,
     "deviceThreatProtectionEnabled": false,
     "deviceThreatProtectionRequiredSecurityLevel": "unavailable",
     "configurationManagerComplianceRequired": false,
     "tpmRequired": false,
     "deviceCompliancePolicyScript": null,
     "validOperatingSystemBuildRanges": [],
     "scheduledActionsForRule": [
          {
               "ruleName": null,
               "scheduledActionConfigurations": [
                    {
                         "gracePeriodHours": 8640,
                         "actionType": "block",
                         "notificationTemplateId": "00000000-0000-0000-0000-000000000000",
                         "notificationMessageCCList": []
                    }
               ]
          }
     ],
     "assignments": [
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": null,
                    "deviceAndAppManagementAssignmentFilterType": "none",
                    "groupName": "Intune: IT Client - Azure Joined (SPC)",
                    "groupType": "DynamicMembership",
                    "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Shared PC\")) or (device.enrollmentProfileName -eq \"OfflineAutoPilotProfile-6da8ac84-7813-4be7-89f8-b09b024abbcf\")) and device.deviceTrustType -eq \"AzureAD\""
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": null,
                    "deviceAndAppManagementAssignmentFilterType": "none",
                    "groupName": "Intune: IT Client - TPM Not Present +",
                    "groupType": "StaticMembership"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": null,
                    "deviceAndAppManagementAssignmentFilterType": "none",
                    "groupName": "Intune: IT Client - Azure Joined (SOC)",
                    "groupType": "DynamicMembership",
                    "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Standard Office Client\")) or (device.enrollmentProfileName -eq \"IT Client: Standard Office Client\") or (device.enrollmentProfileName -eq \"OfflineAutoPilotProfile-344520ed-7dde-42b8-9f06-0a9aeeb1b2e8\")) and device.deviceTrustType -eq \"AzureAD\" and (device.devicePhysicalIds -all (_ -ne \"[OrderID]:IT Client - Digital Signage\"))"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": null,
                    "deviceAndAppManagementAssignmentFilterType": "none",
                    "groupName": "Intune: Windows AL Kiosk - All Devices",
                    "groupType": "DynamicMembership",
                    "membershipRule": "(device.devicePhysicalIds -any (_ -startswith \"[OrderID]:AL Kiosk\"))  and (device.deviceTrustType -eq \"AzureAD\")"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": null,
                    "deviceAndAppManagementAssignmentFilterType": "none",
                    "groupName": "Intune: IT Client - Shared PC - No Encryption +",
                    "groupType": "StaticMembership"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
                    "deviceAndAppManagementAssignmentFilterType": "exclude",
                    "groupName": "Intune: IT Client - GER Devices +",
                    "groupType": "StaticMembership"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
                    "deviceAndAppManagementAssignmentFilterType": "exclude",
                    "groupName": "Intune: IT Client - CCR Devices +",
                    "groupType": "StaticMembership"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
                    "deviceAndAppManagementAssignmentFilterType": "exclude",
                    "groupName": "Intune: IT Client - AMR Devices +",
                    "groupType": "StaticMembership"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": null,
                    "deviceAndAppManagementAssignmentFilterType": "none",
                    "groupName": "Intune: IT Client - Azure Joined (DS)",
                    "groupType": "DynamicMembership",
                    "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Digital Signage\")) or (device.enrollmentProfileName -eq \"OfflineAutoPilotProfile-aa58b551-fafe-4b7e-a064-049aa655f9e1\") or (device.enrollmentProfileName -eq \"IT Client: Digital Signage\")) and device.deviceTrustType -eq \"AzureAD\""
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": null,
                    "deviceAndAppManagementAssignmentFilterType": "none",
                    "groupName": "Intune: IT Client - Azure Joined (SOC - CCR Devices)",
                    "groupType": "DynamicMembership",
                    "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Standard Office Client (CCR)\")) or (device.enrollmentProfileName -eq \"IT Client: Standard Office Client | CCR\") and device.deviceTrustType -eq \"AzureAD\") and ((device.enrollmentProfileName -ne \"IT Client: Standard Office Client\") and (device.enrollmentProfileName -ne \"OfflineAutoPilotProfile-344520ed-7dde-42b8-9f06-0a9aeeb1b2e8\"))"
               }
          },
          {
               "source": "direct",
               "target": {
                    "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
                    "deviceAndAppManagementAssignmentFilterType": "exclude",
                    "groupName": "Intune: IT Client - GAR Devices +",
                    "groupType": "StaticMembership"
               }
          }
     ]
}

almenscorner commented 4 months ago

I was able to replicate it (kind of), where not all groups were included in the report. It looks like it is because the loop exited early and did not go through each assignment. I've changed this in 2.3.3-beta2; try this version and see if the report is now correct: pip3 install IntuneCD==2.3.3b2
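
To illustrate the class of bug described in the comment above (a loop over a policy's assignments that returns after the first target, so every other group appears to have no compliance policies), here is an added example. It is not IntuneCD's own code; the function names `build_group_report_buggy` and `build_group_report`, the report record layout and the `intent` values `include`/`exclude` are hypothetical. The input is a constructed, trimmed copy of the compliance policy backup posted in this thread, keeping the group targets and dropping the settings.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample input: a trimmed copy of the compliance policy backup
# posted in this thread (group names kept, settings dropped). Each policy
# in a backup carries its own "assignments" list.
COMPLIANCE_POLICIES = [
    {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": "IT Client - Compliance - Bitlocker",
        "assignments": [
            {"source": "direct", "target": {
                "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                "deviceAndAppManagementAssignmentFilterId": None,
                "deviceAndAppManagementAssignmentFilterType": "none",
                "groupName": "Intune: IT Client - Azure Joined (SPC)",
                "groupType": "DynamicMembership"}},
            {"source": "direct", "target": {
                "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                "deviceAndAppManagementAssignmentFilterId": None,
                "deviceAndAppManagementAssignmentFilterType": "none",
                "groupName": "Intune: IT Client - TPM Not Present +",
                "groupType": "StaticMembership"}},
            {"source": "direct", "target": {
                "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                "deviceAndAppManagementAssignmentFilterId": None,
                "deviceAndAppManagementAssignmentFilterType": "none",
                "groupName": "Intune: Windows AL Kiosk - All Devices",
                "groupType": "DynamicMembership"}},
            {"source": "direct", "target": {
                "@odata.type": "#microsoft.graph.groupAssignmentTarget",
                "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
                "deviceAndAppManagementAssignmentFilterType": "exclude",
                "groupName": "Intune: IT Client - GER Devices +",
                "groupType": "StaticMembership"}},
        ],
    }
]

GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"
EXCLUSION_TARGET = "#microsoft.graph.exclusionGroupAssignmentTarget"


def _entry(policy: dict, target: dict) -> dict:
    """One report row: what this group gets from this policy (hypothetical layout)."""
    return {
        "name": policy["displayName"],
        # "#microsoft.graph.windows10CompliancePolicy" -> "windows10CompliancePolicy"
        "type": policy["@odata.type"].rsplit(".", 1)[-1],
        "intent": "exclude" if target["@odata.type"] == EXCLUSION_TARGET else "include",
        "filter": target.get("deviceAndAppManagementAssignmentFilterId"),
        "filterType": target.get("deviceAndAppManagementAssignmentFilterType", "none"),
    }


def build_group_report_buggy(policies: List[dict]) -> Dict[str, List[dict]]:
    """Reproduces the failure mode: a `return` inside the assignments loop
    records only the first group target it meets, so every other group
    shows no compliance policies at all."""
    report: Dict[str, List[dict]] = defaultdict(list)
    for policy in policies:
        for assignment in policy.get("assignments", []):
            target = assignment["target"]
            if target["@odata.type"] in (GROUP_TARGET, EXCLUSION_TARGET):
                report[target["groupName"]].append(_entry(policy, target))
                return dict(report)  # early exit: the bug
    return dict(report)


def build_group_report(policies: List[dict]) -> Dict[str, List[dict]]:
    """Walks every assignment of every policy. Targets that are not
    group-scoped (e.g. all devices / all licensed users) are skipped with
    `continue`, which moves to the next assignment instead of leaving the loop."""
    report: Dict[str, List[dict]] = defaultdict(list)
    for policy in policies:
        for assignment in policy.get("assignments", []):
            target = assignment["target"]
            if target["@odata.type"] not in (GROUP_TARGET, EXCLUSION_TARGET):
                continue
            report[target["groupName"]].append(_entry(policy, target))
    return dict(report)


if __name__ == "__main__":
    import json
    print(json.dumps(build_group_report(COMPLIANCE_POLICIES), indent=2))
```

Running the buggy variant on the sample yields a single group; the corrected one yields all four, and keeps the exclusion target and the assignment filter visible so a reviewer can tell an excluded group from an included one when auditing who is actually held to the BitLocker requirement.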

gmenziesint commented 4 months ago

> I was able to replicate it (kind of) where not all groups were included in the report, it looks like it is because the loop exited early and did not go through each assignment. I've changed this in 2.3.3-beta2, try this version and see if the report is now correct: pip3 install IntuneCD==2.3.3b2

That's resolved it; I can see the compliance policies showing up in the assignment report now! Thank you! I'll leave this open until it's fully released, then I'll close the issue.

almenscorner commented 3 months ago

Fixed as of v2.3.3