search

microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
1.55k stars 486 forks source link

IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10: Cannot deploy to another tenant #3438

Closed ricmestre closed 2 months ago

ricmestre commented 1 year ago

Details of the scenario you tried and the problem that is occurring

The exported blueprint, see below, can be redeployed to the same tenant since the Test succeeds, nevertheless trying to deploy it to another tenant fails with an error message when calling New-MgDeviceManagementWindowsFeatureUpdateProfile, also see below.

Verbose logs showing the problem

# [...]

[[IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10]IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10-REDACTED] Creating
 an Intune Windows Update For Business Feature Update Profile for Windows10 with DisplayName {REDACTED}
{
  "_version": 3,
  "Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 53adab70-a0bc-4808-b518-513fcfe6c74e - Url:
4-21",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}
    + CategoryInfo          : InvalidOperation: ({ body = Micros...UpdateProfile }:) [], CimException
    + FullyQualifiedErrorId : BadRequest,Microsoft.Graph.PowerShell.Cmdlets.NewMgDeviceManagementWindowFeatureUpdateProfile_Create
    + PSComputerName        : localhost

Suggested solution to the issue

N/A

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# Generated with Microsoft365DSC version 1.23.628.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
    [parameter()]
    [System.Management.Automation.PSCredential]
    $Credential
)

Configuration Feature
{
    param (
        [parameter()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    if ($null -eq $Credential)
    {
        <# Credentials #>
        $Credscredential = Get-Credential -Message "Credentials"

    }
    else
    {
        $CredsCredential = $Credential
    }

    $OrganizationName = $CredsCredential.UserName.Split('@')[1]

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.628.1'

    Node localhost
    {
        IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10 "IntuneWindowsUpdateForBusinessFeatureUpdateProfileWindows10-REDACTED"
        {
            Assignments          = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'REDACTED'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'REDACTED'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = 'REDACTED'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'REDACTED'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'REDACTED'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'REDACTED'
                }
            );
            Credential           = $Credscredential;
            Description          = "";
            DisplayName          = "REDACTED";
            Ensure               = "Present";
            FeatureUpdateVersion = "Windows 10, version 21H2";
            Id                   = "REDACTED";
            RolloutSettings      = MSFT_MicrosoftGraphwindowsUpdateRolloutSettings{
                OfferEndDateTimeInUTC = '2023-07-15T11:55:01.2680000+00:00'
                OfferStartDateTimeInUTC = '2023-07-22T11:55:01.2680000+00:00'
                OfferIntervalInDays = 7
            };
        }
    }
}

Feature -ConfigurationData .\ConfigurationData.psd1 -Credential $Credential

The operating system the target node is running

Win10

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.628.1

ricmestre commented 1 year ago

Please update label to V1.23.705.1 since it also fails with latest version, tested it locally (not DevOps) with cert-based auth.

richardjgreen commented 11 months ago

We get the same Bad Request error on 1.23.906.1 too.

ricmestre commented 11 months ago

This was not yet solved, so it actually happens on latest release 1.23.1018.1 as well.

William-Francillette commented 11 months ago

Hi @ricmestre and @richardjgreen

The way this policy is managed in the API is tricky - I had issue while creating and testing this resource due to the OfferStartDateTimeInUTC - try changing this date manually in your export to the time of your run and it should work

ricmestre commented 11 months ago

@William-Francillette I just tested it and that doesn't solve the issue, both OfferStartDateTimeInUTC and OfferEndDateTimeInUTC from my export are dates in past so I tried first to change OfferEndDateTimeInUTC for a future date and got the same error message, after that then I also tried to change OfferStartDateTimeInUTC and still had the same behavior.

William-Francillette commented 11 months ago

Do you get the same issue if you try with the Graph sdk for example ? When I tested it, it was very restrictive but can have another look in the evening

ricmestre commented 11 months ago

Yes, same issue using cmdlet New-MgBetaDeviceManagementWindowsFeatureUpdateProfile directly, but there's really something fishy happening with RolloutSettings property since if I remove the parameter I'm able to create the profile and of course also works with M365DSC if I remove that property from the export.

William-Francillette commented 11 months ago

I'm not surprised this policy is very restrictive but this is more on the API side of things not even the sdk

ricmestre commented 11 months ago

Yep it definitely looks like a problem on the API side or we just didn't learn how to tame it yet :)

@peombwa Hi, could you please share your thoughts about this issue?

ricmestre commented 10 months ago

Any updates on this issue?