microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

IntuneSettingCatalogASRRulesPolicyWindows10: Not working #4844

Closed ricmestre closed 2 days ago

ricmestre commented 1 week ago

Description of the issue

@FabienTschanz The changes you've been doing to the settings catalog messed up IntuneSettingCatalogASRRulesPolicyWindows10 and I'm not able to deploy it anymore in my integration tests. The test I have for IntuneSettingCatalogCustomPolicyWindows10 succeeds, but at this point I don't know if it's by chance or if it really works correctly.

Microsoft 365 DSC Version

1.24.626.1

Which workloads are affected

Intune

The DSC configuration

IntuneSettingCatalogASRRulesPolicyWindows10 "IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1"
        {
            Assignments                                                                = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupExclude'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupInclude'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            BlockAdobeReaderFromCreatingChildProcesses                                 = "block";
            BlockAllOfficeApplicationsFromCreatingChildProcesses                       = "audit";
            BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem          = "block";
            BlockExecutableContentFromEmailClientAndWebmail                            = "audit";
            BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion = "audit";
            BlockExecutionOfPotentiallyObfuscatedScripts                               = "audit";
            BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent          = "audit";
            BlockOfficeApplicationsFromCreatingExecutableContent                       = "audit";
            BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses                 = "audit";
            BlockOfficeCommunicationAppFromCreatingChildProcesses                      = "audit";
            BlockPersistenceThroughWMIEventSubscription                                = "audit";
            BlockProcessCreationsFromPSExecAndWMICommands                              = "audit";
            BlockUntrustedUnsignedProcessesThatRunFromUSB                              = "block";
            BlockWin32APICallsFromOfficeMacros                                         = "audit";
            Credential                                                                 = $Credscredential;
            Description                                                                = "Protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks.";
            DisplayName                                                                = "IntuneSettingCatalogASRRulesPolicyWindows10_1";
            Ensure                                                                     = "Present";
            Identity                                                                   = "333fb616-8725-4c89-adf1-815911741012";
            UseAdvancedProtectionAgainstRansomware                                     = "block";
        }

Verbose logs showing the problem

[[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] Creating new Endpoint  Protection Attack Surface Reduction Rules Policy {IntuneSettingCatalogASRRulesPolicyWindows10_1}                                                                                                                  [] : The request is invalid.
+ CategoryInfo          : InvalidOperation: ({ Headers = , b...urationPolicy }:) [], CimException
+ FullyQualifiedErrorId : Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaDeviceManagementConfigurationPolicy_Create
+ PSComputerName        : localhost
VERBOSE: [REDACTED]: LCM:  [ End    Set      ]  [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1]  in 4.0030 seconds.   The PowerShell DSC resource '[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1' with SourceInfo 'C:\temp\dsc\IntuneSettingCatalogASRRulesPolicyWindows10.ps1::34::9::IntuneSettingCatalogASRRulesPolicyWindows10' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName        : localhost
VERBOSE: [REDACTED]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName        : localhost

Environment Information + PowerShell Version

No response

FabienTschanz commented 6 days ago

@ricmestre Ok so that was strange. I took the latest module version and your configuration and tried to reproduce the issue. At first (for about 5 times when creating), I didn't succeed and the configuration was applied successfully without any issues. But after some time, I got the exact same error message.

The fix is more than simple: Just prevent PowerShell from mangling down a single-element array to the element itself... That's what my PR at #4845 does, simply forcing PowerShell to always return an array. No idea how that didn't cause a ruckus earlier, but well.
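
The single-element array behaviour mentioned in the comment above, shown as an added PowerShell example that is not part of the thread, of Microsoft365DSC, or of the referenced PR. It shows how a one-element array collapsing to its element changes the JSON shape of a request body; the function names, the simplified body, and the setting IDs are hypothetical.

```powershell
# Added illustration. Function names and the simplified body are hypothetical,
# not Microsoft365DSC code; the setting IDs are constructed sample values.
function Get-SettingsUnrolled {
    param([string[]]$Ids)
    $items = @()
    foreach ($id in $Ids) { $items += @{ settingDefinitionId = $id } }
    return $items      # output is enumerated: a lone item reaches the caller as a scalar
}

function Get-SettingsAsArray {
    param([string[]]$Ids)
    $items = @()
    foreach ($id in $Ids) { $items += @{ settingDefinitionId = $id } }
    return ,$items     # unary comma wraps the array so it survives enumeration
}

function ConvertTo-PolicyJson {
    param($Settings)
    # Serialize whatever the caller passed; no array coercion happens here
    $body = @{ name = 'constructed_policy'; settings = $Settings }
    return ($body | ConvertTo-Json -Depth 10 -Compress)
}

function Test-SettingsIsJsonArray {
    param([string]$Json)
    # Pre-flight check: the "settings" value must open with '[' in the JSON text
    return $Json -match '"settings":\s*\['
}

$single = @('constructed_rule_a')
$many   = @('constructed_rule_a', 'constructed_rule_b')

# Each case serializes the same body with a different way of obtaining settings.
# The last case forces an array at the call site with @(), whatever the callee returns.
$cases = [ordered]@{
    'unrolled, 2 ids'       = ConvertTo-PolicyJson (Get-SettingsUnrolled $many)
    'unrolled, 1 id'        = ConvertTo-PolicyJson (Get-SettingsUnrolled $single)
    'comma return, 1 id'    = ConvertTo-PolicyJson (Get-SettingsAsArray $single)
    'caller @() wrap, 1 id' = ConvertTo-PolicyJson @(Get-SettingsUnrolled $single)
}
foreach ($case in $cases.GetEnumerator()) {
    '{0,-22} settings is JSON array: {1}' -f $case.Key, (Test-SettingsIsJsonArray $case.Value)
}
```

Only the one-element call through `Get-SettingsUnrolled` serializes `settings` as a JSON object instead of an array, which is why a configuration can pass with several values and fail with one.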