microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

IntuneAntivirusPolicyWindows10SettingCatalog: Not working #4925

Closed ricmestre closed 1 month ago

ricmestre commented 1 month ago

Description of the issue

@FabienTschanz I did the tests on this one before they got merged, but for some reason I can't get it working now, so I created one policy through the portal, exported it and then removed it through M365DSC without issues. But if I try to re-deploy it and test it afterwards, it always says that it's not in the desired state. After checking the portal again, I don't see any AV exclusions in "Endpoint security | Antivirus" like it worked before, but it's actually creating new Settings catalog policies in "Devices | Configuration" over and over again because the test returns false.


Microsoft 365 DSC Version

1.24.724.1

Which workloads are affected

Intune

The DSC configuration

IntuneAntivirusPolicyWindows10SettingCatalog "IntuneAntivirusPolicyWindows10SettingCatalog-IntuneAntivirusPolicyWindows10SettingCatalog_1"
{
    Assignments          = @(
        MSFT_DeviceManagementConfigurationPolicyAssignments{
            deviceAndAppManagementAssignmentFilterType = 'none'
            groupDisplayName = 'DummyGroupExclude'
            dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
            groupId = '053dc89a-be83-411a-bad3-909904b7239e'
        }
        MSFT_DeviceManagementConfigurationPolicyAssignments{
            deviceAndAppManagementAssignmentFilterType = 'none'
            groupDisplayName = 'DummyGroupInclude'
            dataType = '#microsoft.graph.groupAssignmentTarget'
            groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
        }
    );
    Credential           = $Credscredential;
    Description          = "";
    DisplayName          = "IntuneAntivirusPolicyWindows10SettingCatalog_1";
    Ensure               = "Present";
    ExcludedExtensions   = @(".exe");
    ExcludedPaths        = @("C:\ExcludedFolder1\","C:\ExcludedFolder2\");
    ExcludedProcesses    = @("processes.exe","process2.exe");
    Identity             = "83898676-89a9-48cd-908c-51293e7d4ad7";
    templateId           = "45fea5e9-280d-4da1-9792-fb5736da0ca9_1";
}

Verbose logs showing the problem

N/A

Environment Information + PowerShell Version

Win11 / PS5.1

ricmestre commented 1 month ago

Creating the policy with DSC results in the TemplateReference tree being completely empty, and therefore the filter in Get-TargetResource cannot find the policy and the test fails, so that's why it keeps creating new "vanilla" settings catalog policies.


Whereas if I create the same policy through the portal, it's correctly populated.


FabienTschanz commented 1 month ago

@ricmestre Got it, there was one Id too many in the property name... Bit sad that Graph still accepts the request but creates a policy that's empty, without any message whatsoever. In my opinion that should throw in the backend, since the policy can't be mapped to a proper template, and not silently accept it.

Edit: Seems like that's an intended way... For example the Windows Firewall profile for ConfigManager also has an empty template reference, but it will be fetched by technologies and creationSource. Please no more of this weird complex stuff, I soon can't take it anymore.
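
A check for the symptom described in the two comments above, added here as an example and not code from M365DSC or from anyone in this thread: given policy objects that use Graph's configuration-policy property names, it reports whether a declared display name is bound to its template or exists only as copies with an empty template reference. The function names, report fields and sample objects are hypothetical and constructed; only the display name and templateId come from the configuration in the issue.

```powershell
# Constructed sample objects using the Graph configuration-policy property names
# (name, templateReference.templateId, technologies, creationSource). Ids are made up.
function New-SamplePolicy($Id, $Name, $TemplateId, $Technologies, $CreationSource) {
    [pscustomobject]@{
        id = $Id; name = $Name; technologies = $Technologies; creationSource = $CreationSource
        templateReference = [pscustomobject]@{ templateId = $TemplateId }
    }
}
$avName     = 'IntuneAntivirusPolicyWindows10SettingCatalog_1'
$avTemplate = '45fea5e9-280d-4da1-9792-fb5736da0ca9_1'   # templateId from the configuration in the issue
$policies = @(
    (New-SamplePolicy 'sample-1' $avName '' 'mdm' $null)   # created without a template
    (New-SamplePolicy 'sample-2' $avName '' 'mdm' $null)   # created again on the next run
    # Different name, empty template by design: must not be reported for $avName.
    (New-SamplePolicy 'sample-3' 'Constructed ConfigManager profile' '' 'configManager' 'constructed-source')
)

# Hypothetical helper: classify one declared policy against what the tenant holds.
function Get-TemplateBindingReport {
    param(
        [Parameter(Mandatory)] [object[]] $Policy,
        [Parameter(Mandatory)] [string]   $DisplayName,
        [Parameter(Mandatory)] [string]   $TemplateId
    )
    $sameName = @($Policy   | Where-Object { $_.name -eq $DisplayName })
    $bound    = @($sameName | Where-Object { $_.templateReference.templateId -eq $TemplateId })
    $unbound  = @($sameName | Where-Object { [string]::IsNullOrEmpty($_.templateReference.templateId) })

    $verdict = if ($unbound.Count -gt 0) { 'EmptyTemplateReference' }
    elseif ($bound.Count -eq 1)          { 'OK' }
    elseif ($bound.Count -gt 1)          { 'DuplicateBound' }
    else                                 { 'Missing' }

    [pscustomobject]@{
        DisplayName   = $DisplayName
        Verdict       = $verdict
        BoundIds      = @($bound.id)
        UnboundIds    = @($unbound.id)
        # An empty template reference can be legitimate, so expose the fields
        # the thread says such policies are matched on, for manual review.
        UnboundDetail = @($unbound | Select-Object id, technologies, creationSource)
    }
}

Get-TemplateBindingReport -Policy $policies -DisplayName $avName -TemplateId $avTemplate | Format-List
```

More than one id under UnboundIds for the same display name matches the behaviour reported here, where each failed test led to another policy being created.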

ricmestre commented 1 month ago

@fabientschanz I feel your pain, I've been having nightmares with these settings catalog policies for the past 2 years, every time I hear about them it gives me the heebie jeebies because after M365DSC deals with them I have to deal with another converter behind it I created to convert DSC to Markdown...

dbrinkmann123 commented 1 month ago

> @FabienTschanz I feel your pain, I've been having nightmares with these settings catalog policies for the past 2 years, every time I hear about them it gives me the heebie jeebies because after M365DSC deals with them I have to deal with another converter behind it I created to convert DSC to Markdown...

I'd like to hear more about this converter from DSC to Markdown.

ricmestre commented 1 month ago

I don't remember the exact incantation right now, but there's a cmdlet to export a config directly to Markdown. The issue is that it doesn't take care of nested CIM instances, whereas mine does.

Short story, it's for a company, so the code is proprietary and I can't share it.