Closed AFE88 closed 2 months ago
This one and #206 are addressed in the latest beta, try out 2.3.4-beta1 and let me know how you get on: pip3 install IntuneCD==2.3.4b1. Note that you must set --exit-on-error for IntuneCD to exit if an error occurs.
We tried the 2.3.4-beta1. The assignments of the autopilot profiles are still being deleted. The bug has not yet been fixed.
IntuneCD-startupdate -m 1 --exit-on-error --exclude DeviceManagementSettings ConditionalAccess Roles
I am not able to replicate this when running with or without -u, the update run says:
Tue Jun 18 14:30:42 2024 [INFO] No changes found for Windows Enrollment Profile: Windows Deployment AAD2
And all assignments are intact
I think the issue is within the file WindowsEnrollmentProfile.py - there I found the comment that # Windows enrollment profile assginment is handled differently, so we need to set the following attributes
In line 84 the removal is triggered for every item in the intune_data variable without any conditions-check - hence the removal of the assignments from the WindowsEnrollmentProfiles is always executed when the main method in the WindowsEnrollmentProfileUpdateModule class is called.
That behaviour is what has changed in the latest beta though as of: https://github.com/almenscorner/IntuneCD/commit/70dfbbe0743fccb0daccc43acf571f58ef239aae
In this beta the -u flag is honored for Windows Enrollment Profiles as well, but it's also interesting that it, in no instance, is removing assignments from my configs no matter what I do.
Do you have an export of a config which is facing the issue I can try with in my env?
What is your pipeline looking like?
Okay - let’s trace things back from the very beginning..
According to the documentation the -u parameter should trigger the assignments to be updated.
Hence - since we don’t use -u it should not be triggered?
So if I trace things back correctly this is what happens:
run_update.py line 82/83 makes -u become update-assignments
Which is then handed to the run_update function (same file line 317)
This function passes it on to the update_intune function as assignment (same file line 244)
update_intune.py line 23 passes it on as handle_assignment as part of the params
The params are passed on to the class WindowsEnrollmentProfileUpdateModule, since it’s not excluded (same file line 120)
The class contains the main method - which (if the path string exists, which it does as it is set in the __init__ method in WindowsEnrollmentProfile.py line 25) starts to fill the intune_data variable using the method get_downstream_data (same file line 43)
So far as of the normal workflow - there is however the handle_iterable_assignment method that you defined to trigger once the handle_assignment variable is set AND the config_type is Windows Enrollment Profile (BaseUpdateModule.py line 668)
This is called only if the variable downstream_object is set (same file line 631)
All of this is part of the method process_update (same file line 598)
Which IS called during the main method in WindowsEnrollmentProfile.py line 66
So far as of the changes to the current beta-version - BUT -
Right AFTER the process_update has finished and some manipulations to the diff_summary variable have been made there’s this for-loop in WindowsEnrollmentProfile.py line 83 that looks suspicious to me, because this sets the endpoint variable to the assignment url and triggers a graph-api request using the delete method
None of this ever runs through any sort of IF-check or is related in any other way to the -u parameter
So if my assumptions are correct the change made to the beta will not correct the issue that the tool will remove the assignment of existing Autopilot-Profiles in our PROD environment, which confirms our observations during testing the current beta. So there’s no point in providing any information about extracts of the profiles or our pipelines and configurations.
If you want to test it for yourself, you’re good to go ahead, create an Autopilot Profile in DEV and PROD, assign it to whatever you like and let Intune-CD run and do its job and observe the assignment disappear.
Alright I was finally able to replicate. The removal of assignments happens when the profile from which the assignments are removed does not exist in the backup, the reason for this is because: https://github.com/almenscorner/IntuneCD/blob/a6935a81ffb8147770fcb7abb51d113420c616c4/src/IntuneCD/update/Intune/WindowsEnrollmentProfile.py#L85-L87 did not do a proper check if --remove is in fact set.
Latest beta should fix this behaviour: pip3 install IntuneCD==2.3.4b2
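The failure mode described in the comment above, reduced to a regression test with a recording client, so that a run without the remove flag can be shown to issue no DELETE requests. This is an added example, not IntuneCD code: the function names, the profile data and the endpoint are hypothetical.

```python
"""Added illustration; not IntuneCD source. All names here are hypothetical."""

BASE = "https://graph.example/profiles"  # constructed placeholder endpoint


class RecordingClient:
    """Stands in for the Graph API client and records calls instead of sending them."""

    def __init__(self):
        self.calls = []

    def request(self, method, url):
        self.calls.append((method, url))


def orphaned(tenant, backup):
    """Profiles that exist in the tenant but have no counterpart in the backup."""
    names = {p["displayName"] for p in backup}
    return [p for p in tenant if p["displayName"] not in names]


def cleanup_unguarded(tenant, backup, client, remove=False):
    """Shape of the bug: the remove flag is accepted but never consulted."""
    for profile in orphaned(tenant, backup):
        for a in profile["assignments"]:
            client.request("DELETE", f"{BASE}/{profile['id']}/assignments/{a}")


def cleanup_guarded(tenant, backup, client, remove=False):
    """Destructive calls run only when the operator opted in with remove=True."""
    if not remove:
        return
    for profile in orphaned(tenant, backup):
        for a in profile["assignments"]:
            client.request("DELETE", f"{BASE}/{profile['id']}/assignments/{a}")


def deletes_issued(cleanup, remove):
    """Run one cleanup variant against constructed data; return the DELETE count."""
    tenant = [
        {"id": "p1", "displayName": "Autopilot PROD", "assignments": ["a1", "a2"]},
        {"id": "p2", "displayName": "Autopilot Shared", "assignments": ["a3"]},
    ]
    backup = [{"displayName": "Autopilot Shared"}]  # "Autopilot PROD" was never exported
    client = RecordingClient()
    cleanup(tenant, backup, client, remove=remove)
    return sum(1 for method, _ in client.calls if method == "DELETE")
```

Asserting `deletes_issued(cleanup_guarded, remove=False) == 0` in CI catches any later change that reintroduces an unconditional delete path.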
Thanks for the update, we have been able to verify the expected functionality 🙂
Thanks for confirming, I will merge the patch within the next day!
Describe the bug
During the synchronization of Autopilot profiles in PROD tenants, existing assignments are deleted by IntuneCD (v2.3.3.3) even though the relevant parameters ("-u") are not set for the sync.
To Reproduce
Steps to reproduce the behavior:
IntuneCD-startupdate -m 1 --report --exclude DeviceManagementSettings ConditionalAccess Roles
Expected behavior
The existing assignments should not be deleted during synchronization if the update parameters are not set.
Screenshots
No screenshots available.
Run type (please complete the following information):
Additional context
Currently implemented workaround: Adding an additional exclusion for WindowsEnrollmentProfile.