[BUG] - Deletion of autopilot assignments

[AFE88]

Describe the bug During the synchronization of Autopilot profiles in PROD tenants, existing assignments are deleted by IntuneCD (v2.3.3.3) even though the relevant parameters ("-u") are not set for the sync.

To Reproduce Steps to reproduce the behavior:

1. Use IntuneCD v2.3.3.3 in a GitLab pipeline.
2. Execute the following command: IntuneCD-startupdate -m 1 --report --exclude DeviceManagementSettings ConditionalAccess Roles
3. Observe the synchronization of Autopilot profiles.
4. Notice that existing assignments are deleted.

Expected behavior The existing assignments should not be deleted during synchronization if the update parameters are not set.

Screenshots No screenshots available.

Run type (please complete the following information):

• Mode: 1
• Client: Pipeline
• Version: 2.3.3.3

Additional context Currently implemented workaround: Adding an additional exclusion for WindowsEnrollmentProfile.

[almenscorner]

This one and #206 is addressed in the latest beta, try out 2.3.4-beta1 and let me know how you get on: pip3 install IntuneCD==2.3.4b1. Note that you must set --exit-on-error for IntuneCD to exit if an error occurs.

[AFE88]

we tried the 2.3.4-beta1. The assignments of the autopilot profiles are still being deleted. The bug has not yet been fixed.

IntuneCD-startupdate -m 1 --exit-on-error --exclude DeviceManagementSettings ConditionalAccess Roles

[almenscorner]

I am not able to replicate this when running with or without -u, the update run says: Tue Jun 18 14:30:42 2024 [INFO] No changes found for Windows Enrollment Profile: Windows Deployment AAD2

And all assignments are intact

[AFE88]

I think the issue is within the file WindowsEnrollmentProfile.py - there I found the comment that # Windows enrollment profile assginment is handled differently, so we need to set the following attributes

in line 84 the removal is triggered for every item in the intune_data variable without any conditions-check - hence the removal of the assignments from the WindowsEnrollmentProfiles is always executed when the main method in the WindowsEnrollmentProfileUpdateModule class is called.

[almenscorner]

That behaviour is what has changed in the latest beta though as of: https://github.com/almenscorner/IntuneCD/commit/70dfbbe0743fccb0daccc43acf571f58ef239aae

In this beta the -u flag is honored for Windows Enrollment Profiles as well, but it's also interesting that it, in no instance, is removing assignments from my configs no matter what I do

[almenscorner]

Do you have an export of a config which is facing the issue I can try with in my env?

[almenscorner]

What is your pipeline looking like?

[AFE88]

Okay - let’s trace things back from the very beginning..

According to the documentation the -u parameter should trigger the assignments to be updated.

Hence - since we don’t use -u it should not be triggered?

So if I trace things back correctly this is what happens:

• run_update.py line 82/83 makes -u become update-assignments

• Which is then handed to the run_update function (same file line 317)

• This function passes it on to the update_intune function as assignment (same file line 244)

• update_intune.py line 23 passes it on as handle_assignment as part of the params

• The params are passed on to the class WindowsEnrollmentProfileUpdateModule, since it’s not excluded (same file line 120)

• The class contains the main method - which (if the path string exists, which it does as it is set in the _init_ method in WindowsEnrollmentProfile.py line 25) starts to fill the intune_data variable using the method get_downstream_data (same file line 43)

• So far as of the normal workflow -

• there is however the handle_iterable_assignment method that you defined to trigger once the handle_assignment variable is set AND the config_type is Windows Enrollment Profile (BaseUpdateModule.py line 668)

• This is called only if the variable downstream_object is set (same file line 631)

• All of this is part of the method process_update (same file line 598)

• Which IS called during the main method in WindowsEnrollmentProfile.py line 66

• So far as of the changes to the current beta-version - BUT -

• Right AFTER the process_update has finished and some manipulations to the diff_summary variable have been made there’s this for-loop in WindowsEnrollmentProfile.py line 83 that looks suspicious to me, because this is sets the endpoint variable to the assignment url and triggers a graph-api request using the delete method 

• none of this ever runs through any sort of IF-check or is related in any other way to the -u parameter

So if my assumptions are correct the change made to the beta will not correct the issue that the tool will remove the assignment of  existing Autopilot-Profiles in our PROD environment, which confirms our observations during testing the current beta. So there’s no point in providing any information about extracts of the profiles or our pipelines and configurations.

If you want to test it for yourself, you’re good to go ahead, create an Autopilot Profile in DEV and PROD, assign it to whatever you like and let Intune-CD run and do it’s job and observe the assignment disappear

[almenscorner]

Alright I was finally able to replicate. The removal of assignments happens when the profile from which the assignments is removed does not exist in the backup, the reason for this is because: https://github.com/almenscorner/IntuneCD/blob/a6935a81ffb8147770fcb7abb51d113420c616c4/src/IntuneCD/update/Intune/WindowsEnrollmentProfile.py#L85-L87 did not do a proper check if --remove is in fact set.

Latest beta should fix this behaviour: pip3 install IntuneCD==2.3.4b2

[AFE88]

thanks for the update, we have been able to verify the expected functionality 🙂

[almenscorner]

Thanks for confirming, I will merge the patch within the next day!