Closed gmenziesint closed 3 months ago
I am unable to replicate this. I created a group and it was added to the assignment report successfully:
```json
{
  "groupName": "201testgroup",
  "groupType": "StaticMembership",
  "membershipRule": null,
  "assignedTo": {
    "Compliance Policies": [
      {
        "name": "placeholder",
        "type": "iosCompliancePolicy",
        "intent": ""
      }
    ]
  }
},
```
Is the group included on the configuration in the backup?
Hmm, let me send on some more information. I can't show the Android / iOS devices as we're targeting all users for them.
Above is a compliance policy, but when I look at the groups for this I can't see any of them showing as assigned; example below.
```json
{
  "groupName": "Intune: Windows AL Kiosk - All Devices",
  "groupType": "DynamicMembership",
  "membershipRule": "(device.devicePhysicalIds -any (_ -startswith \"[OrderID]:AL Kiosk\")) and (device.deviceTrustType -eq \"AzureAD\")",
  "assignedTo": {
    "Settings Catalog": [
      {
        "name": "Windows AL Kiosk - Baseline Configs",
        "type": "",
        "intent": ""
      },
      {
        "name": "Windows AL Kiosk - Kiosk Admins Allow Logon",
        "type": "",
        "intent": ""
      },
      {
        "name": "IT Client - Baseline (Azure Joined)",
        "type": "",
        "intent": ""
      },
      {
        "name": "Windows AL Kiosk - Baseline MS Edge configurations",
        "type": "",
        "intent": ""
      }
    ],
    "Feature Updates": [
      {
        "name": "Windows AL Kiosk - Windows 11 23H2",
        "type": "",
        "intent": ""
      }
    ],
    "Proactive Remediations": [
      {
        "name": "IT Client: Detect Installed - All Devices",
        "type": "",
        "intent": ""
      },
      {
        "name": "IT Client: Disable Fast Startup",
        "type": "",
        "intent": ""
      },
      {
        "name": "IT Client: Enable System Guard Secure Launch",
        "type": "",
        "intent": ""
      },
      {
        "name": "IT Client: Detect CrowdStrike Installed - All Devices",
        "type": "",
        "intent": ""
      }
    ],
    "Enrollment Profiles": [
      {
        "name": "Windows AL Kiosk",
        "type": "azureADWindowsAutopilotDeploymentProfile",
        "intent": ""
      },
      {
        "name": "Windows AL Kiosk",
        "type": "windows10EnrollmentCompletionPageConfiguration",
        "intent": ""
      }
    ],
    "Driver Updates": [
      {
        "name": "Windows AL Kiosk",
        "type": "",
        "intent": ""
      }
    ],
    "Device Configurations": [
      {
        "name": "IT Client - Cert - Computer - SCEP (AADID)",
        "type": "windows81SCEPCertificateProfile",
        "intent": "apply"
      },
      {
        "name": "IT Client - Network Profile",
        "type": "windows81WifiImportConfiguration",
        "intent": "apply"
      },
      {
        "name": "Windows AL Kiosk - Update Ring",
        "type": "windowsUpdateForBusinessConfiguration",
        "intent": "apply"
      },
      {
        "name": "IT Client - Cert )",
        "type": "windows81TrustedRootCertificate",
        "intent": "apply"
      },
      {
        "name": "IT Client - Cert - ",
        "type": "windows81TrustedRootCertificate",
        "intent": "apply"
      },
      {
        "name": "IT Client - Network Profile",
        "type": "windows81WifiImportConfiguration",
        "intent": "apply"
      }
    ],
    "Applications": [
      {
        "name": "[Core] Azure Monitor Agent Client 1.23.0.0",
        "type": "win32LobApp",
        "intent": "required"
      },
```
I've removed some identifiable information from here, but this is all I can see for the various groups: no compliance policies.
```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger: none

schedules:
  - cron: '0 */6 * * *'
    displayName: "Every 6 hours"
    branches:
      include:
        - main
    always: true

pool:
  vmImage: ubuntu-latest

jobs:
  - job: backup_document
    displayName: Backup Intune configuration
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
      - checkout: self
        persistCredentials: true

      # Remove existing prod-backup directory
      - task: Bash@3
        displayName: Remove existing prod-backup directory
        inputs:
          targetType: 'inline'
          script: |
            rm -rfv "$(Build.SourcesDirectory)/prod-backup"
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: false

      # Install IntuneCD
      # https://github.com/almenscorner/IntuneCD
      - task: Bash@3
        displayName: Install IntuneCD Package V2.3.2
        inputs:
          targetType: 'inline'
          script: |
            pip3 install IntuneCD==2.3.2
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: true

      # Backup the latest configuration, using the current directory
      - task: Bash@3
        displayName: IntuneCD backup Start
        inputs:
          targetType: 'inline'
          script: |
            mkdir -p "$(Build.SourcesDirectory)/prod-backup"
            IntuneCD-startbackup \
              --mode=1 \
              --path "$(Build.SourcesDirectory)/prod-backup" \
              --exclude ConditionalAccess \
              --ignore-omasettings \
              --append-id \
              --autopilot \
              --audit
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: true
        env:
          TENANT_NAME: $(TENANT_NAME)
          CLIENT_ID: $(CLIENT_ID)
          CLIENT_SECRET: $(CLIENT_SECRET)

      # Set git settings
      - task: Bash@3
        displayName: Configure Git Global Settings
        inputs:
          targetType: 'inline'
          script: |
            git config user.name $(USER_NAME)
            git config user.email $(USER_EMAIL)
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: true

      # Commit changes and push to Azure DevOps repo
      - task: Bash@3
        displayName: Commit changes to Azure DevOps repo
        name: commitAndsetVariable
        inputs:
          targetType: 'inline'
          script: |
            DATEF=`date +%Y.%m.%d`
            git add --all
            # modified files in folder prod-backup
            var=$(git diff --name-only --staged -- prod-backup)
            echo "##vso[task.setVariable variable=CHANGE_DETECTED;isOutput=true;]$var"
            git commit -m "Intune config backup $DATEF"
            git push origin HEAD:main
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: false

      # Create markdown documentation
      - task: Bash@3
        displayName: Generate markdown document
        inputs:
          targetType: 'inline'
          script: |
            if [ ! -z "$(commitAndsetVariable.CHANGE_DETECTED)" ]
            then
              INTRO="Intune backup and documentation generated at $(Build.Repository.Uri) <img align=\"right\" width=\"96\" height=\"96\" src=\"./logo.png\">"
              IntuneCD-startdocumentation \
                --path="$(Build.SourcesDirectory)/prod-backup" \
                --outpath="$(Build.SourcesDirectory)/prod-as-built.md" \
                --tenantname=$TENANT_NAME \
                --intro="$INTRO" \
                #--split=Y
            else
              echo "no configuration backup change detected in the last commit, documentation will not be created"
            fi
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: true
        env:
          TENANT_NAME: $(TENANT_NAME)

      # Commit changes and push to repo
      - task: Bash@3
        displayName: Commit changes
        inputs:
          targetType: 'inline'
          script: |
            DATEF=`date +%Y.%m.%d`
            git add --all
            git commit -m "Intune config as-built $DATEF"
            git push origin HEAD:main
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: false

  - job: tag
    displayName: Tag repo
    dependsOn: backup_document
    condition: and(succeeded(), ne(dependencies.backup_document.outputs['commitAndsetVariable.CHANGE_DETECTED'], ''))
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
      - checkout: self
        persistCredentials: true

      # Set git global settings
      - task: Bash@3
        displayName: Configure Git
        inputs:
          targetType: 'inline'
          script: |
            git config user.name $(USER_NAME)
            git config user.email $(USER_EMAIL)
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: true

      - task: Bash@3
        displayName: Pull origin
        inputs:
          targetType: 'inline'
          script: |
            git pull origin main
          workingDirectory: '$(Build.SourcesDirectory)'
          failOnStderr: false

      - task: PowerShell@2
        displayName: Git tag
        inputs:
          targetType: 'inline'
          script: |
            # change in configuration backup folder detected, create TAG
            $DATEF= Get-Date -format "yyyy-MM-dd_THH-mm"
            git tag -a "v$DATEF" -m "Microsoft Intune configuration snapshot $DATEF"
            git push origin "v$DATEF" *> $null # even status information goes to stderr :(
          failOnStderr: true
          pwsh: false
          workingDirectory: '$(Build.SourcesDirectory)'

  - job: publish
    displayName: Publish as-built artifacts
    dependsOn: tag
    condition: and(succeeded(), ne(dependencies.backup_document.outputs['commitAndsetVariable.CHANGE_DETECTED'], ''))
    pool:
      vmImage: ubuntu-latest
    continueOnError: false
    steps:
      - checkout: self
        persistCredentials: true
```
Pipeline above that I'm using
I've been trying to replicate but no success so far.
Do you see the same issue if you run the backup locally and not in a pipeline?
It seems to be every group we use for Windows compliance policies, if that is helpful? I'll need to take a look at running it locally; it's been a while since I've done it :)
I tried specifically with a Windows compliance policy as well, but it was also added to the report:
```json
{
  "name": "testwin",
  "type": "windows10CompliancePolicy",
  "intent": ""
}
```
Can you provide the JSON for the policy not working so I can try with a replica?
Is this suitable?
```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "roleScopeTagIds": [
    "Default",
    "IT Client - Digital Signage",
    "IT Client"
  ],
  "description": "Policy Created on 7 Nov 2023",
  "displayName": "IT Client - Compliance - Bitlocker",
  "passwordRequired": false,
  "passwordBlockSimple": false,
  "passwordRequiredToUnlockFromIdle": false,
  "passwordMinutesOfInactivityBeforeLock": null,
  "passwordExpirationDays": null,
  "passwordMinimumLength": null,
  "passwordMinimumCharacterSetCount": null,
  "passwordRequiredType": "deviceDefault",
  "passwordPreviousPasswordBlockCount": null,
  "requireHealthyDeviceReport": false,
  "osMinimumVersion": null,
  "osMaximumVersion": null,
  "mobileOsMinimumVersion": null,
  "mobileOsMaximumVersion": null,
  "earlyLaunchAntiMalwareDriverEnabled": false,
  "bitLockerEnabled": false,
  "secureBootEnabled": false,
  "codeIntegrityEnabled": false,
  "memoryIntegrityEnabled": false,
  "kernelDmaProtectionEnabled": false,
  "virtualizationBasedSecurityEnabled": false,
  "firmwareProtectionEnabled": false,
  "storageRequireEncryption": true,
  "activeFirewallRequired": false,
  "defenderEnabled": false,
  "defenderVersion": null,
  "signatureOutOfDate": false,
  "rtpEnabled": false,
  "antivirusRequired": false,
  "antiSpywareRequired": false,
  "deviceThreatProtectionEnabled": false,
  "deviceThreatProtectionRequiredSecurityLevel": "unavailable",
  "configurationManagerComplianceRequired": false,
  "tpmRequired": false,
  "deviceCompliancePolicyScript": null,
  "validOperatingSystemBuildRanges": [],
  "scheduledActionsForRule": [
    {
      "ruleName": null,
      "scheduledActionConfigurations": [
        {
          "gracePeriodHours": 8640,
          "actionType": "block",
          "notificationTemplateId": "00000000-0000-0000-0000-000000000000",
          "notificationMessageCCList": []
        }
      ]
    }
  ],
  "assignments": [
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupName": "Intune: IT Client - Azure Joined (SPC)",
        "groupType": "DynamicMembership",
        "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Shared PC\")) or (device.enrollmentProfileName -eq \"OfflineAutoPilotProfile-6da8ac84-7813-4be7-89f8-b09b024abbcf\")) and device.deviceTrustType -eq \"AzureAD\""
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupName": "Intune: IT Client - TPM Not Present +",
        "groupType": "StaticMembership"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupName": "Intune: IT Client - Azure Joined (SOC)",
        "groupType": "DynamicMembership",
        "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Standard Office Client\")) or (device.enrollmentProfileName -eq \"IT Client: Standard Office Client\") or (device.enrollmentProfileName -eq \"OfflineAutoPilotProfile-344520ed-7dde-42b8-9f06-0a9aeeb1b2e8\")) and device.deviceTrustType -eq \"AzureAD\" and (device.devicePhysicalIds -all (_ -ne \"[OrderID]:IT Client - Digital Signage\"))"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupName": "Intune: Windows AL Kiosk - All Devices",
        "groupType": "DynamicMembership",
        "membershipRule": "(device.devicePhysicalIds -any (_ -startswith \"[OrderID]:AL Kiosk\")) and (device.deviceTrustType -eq \"AzureAD\")"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupName": "Intune: IT Client - Shared PC - No Encryption +",
        "groupType": "StaticMembership"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
        "deviceAndAppManagementAssignmentFilterType": "exclude",
        "groupName": "Intune: IT Client - GER Devices +",
        "groupType": "StaticMembership"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
        "deviceAndAppManagementAssignmentFilterType": "exclude",
        "groupName": "Intune: IT Client - CCR Devices +",
        "groupType": "StaticMembership"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
        "deviceAndAppManagementAssignmentFilterType": "exclude",
        "groupName": "Intune: IT Client - AMR Devices +",
        "groupType": "StaticMembership"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupName": "Intune: IT Client - Azure Joined (DS)",
        "groupType": "DynamicMembership",
        "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Digital Signage\")) or (device.enrollmentProfileName -eq \"OfflineAutoPilotProfile-aa58b551-fafe-4b7e-a064-049aa655f9e1\") or (device.enrollmentProfileName -eq \"IT Client: Digital Signage\")) and device.deviceTrustType -eq \"AzureAD\""
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": null,
        "deviceAndAppManagementAssignmentFilterType": "none",
        "groupName": "Intune: IT Client - Azure Joined (SOC - CCR Devices)",
        "groupType": "DynamicMembership",
        "membershipRule": "((device.devicePhysicalIds -any (_ -eq \"[OrderID]:IT Client - Standard Office Client (CCR)\")) or (device.enrollmentProfileName -eq \"IT Client: Standard Office Client | CCR\") and device.deviceTrustType -eq \"AzureAD\") and ((device.enrollmentProfileName -ne \"IT Client: Standard Office Client\") and (device.enrollmentProfileName -ne \"OfflineAutoPilotProfile-344520ed-7dde-42b8-9f06-0a9aeeb1b2e8\"))"
      }
    },
    {
      "source": "direct",
      "target": {
        "@odata.type": "#microsoft.graph.groupAssignmentTarget",
        "deviceAndAppManagementAssignmentFilterId": "Windows Virtual Machines",
        "deviceAndAppManagementAssignmentFilterType": "exclude",
        "groupName": "Intune: IT Client - GAR Devices +",
        "groupType": "StaticMembership"
      }
    }
  ]
}
```
I was able to replicate it (kind of) where not all groups were included in the report, it looks like it is because the loop exited early and did not go through each assignment. I've changed this in 2.3.3-beta2, try this version and see if the report is now correct: pip3 install IntuneCD==2.3.3b2
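The early-exit failure mode the maintainer describes, as an added illustration that is not IntuneCD's own code: a report builder that returns from inside the assignment loop records only the first group of a policy, while the corrected loop visits every assignment target and skips the ones that carry no group. The policy and report shapes follow the JSON posted in this issue; `POLICY` is a constructed sample and the function names are my own.

```python
"""Per-group assignment report from backed-up Intune policies (added illustration,
not IntuneCD's own code). Input: the issue's policy JSON (assignments[].target with
groupName/groupType/membershipRule); output: its report (groupName -> assignedTo)."""

# Constructed sample: two group targets plus an all-devices target with no group.
POLICY = {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "displayName": "IT Client - Compliance - Bitlocker",
    "assignments": [
        {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                    "groupName": "Intune: IT Client - Azure Joined (SPC)",
                    "groupType": "DynamicMembership",
                    "membershipRule": 'device.deviceTrustType -eq "AzureAD"'}},
        {"target": {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                    "groupName": "Intune: IT Client - TPM Not Present +",
                    "groupType": "StaticMembership"}},
        {"target": {"@odata.type": "#microsoft.graph.allDevicesAssignmentTarget"}},
    ],
}

def _add(report, target, category, policy):
    # One row per group; nested by category, as in the issue's report JSON.
    row = report.setdefault(target["groupName"], {
        "groupName": target["groupName"], "groupType": target.get("groupType"),
        "membershipRule": target.get("membershipRule"), "assignedTo": {}})
    row["assignedTo"].setdefault(category, []).append({  # name / type / intent row
        "name": policy["displayName"], "type": policy["@odata.type"].rsplit(".", 1)[-1],
        "intent": policy.get("intent", "")})

def report_early_exit(policies, category="Compliance Policies"):
    """Failure mode from the issue: returning inside the loop drops every later group."""
    report = {}
    for policy in policies:
        for assignment in policy.get("assignments", []):
            if "groupName" in assignment["target"]:
                _add(report, assignment["target"], category, policy)
                return report  # bug: should keep iterating
    return report

def report_all_groups(policies, category="Compliance Policies"):
    """Corrected loop: visit every assignment and skip targets that are not groups."""
    report = {}
    for policy in policies:
        for assignment in policy.get("assignments", []):
            target = assignment.get("target", {})
            if "groupName" not in target:  # allDevices / allUsers targets
                continue
            _add(report, target, category, policy)
    return report
```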
That's resolved it, can see the compliance policies showing up in the assignment report now! Thank you! I'll leave this open until it's fully released then I'll close the issue
Fixed as of v2.3.3
Describe the bug: As per the title, I can see that Compliance policies don't seem to be being added to the assignment report for new groups.
To reproduce:
1. Create a new group
2. Add a compliance policy to it and run the pipeline
Expected behavior: Compliance policies to be shown in the assignment report for groups.