Closed alexwjohnson closed 1 month ago
Does the error only occur with this resource type? What happens if you call Connect-MgGraph and authenticate with the provided credentials there? Does that work?
Hi Fabien,
What happens if you call Connect-MgGraph and authenticate with the provided credentials there?
No issue with the service principal, or direct Invoke-RestMethod calls, from a timeout perspective - using MgGraph or MSAL. E.g.:
$scopes = 'https://graph.microsoft.com/.default'
$authResult = Get-MsalToken -ClientId $client_Id -ClientSecret (ConvertTo-SecureString $clientSecret -AsPlainText -Force) -TenantId $tenant_Id -Scope $scopes
$accessToken = ConvertTo-SecureString "$($authResult.AccessToken)" -AsPlainText -Force
$myconnect = Connect-MgGraph -AccessToken $accessToken
$myconnect
Welcome to Microsoft Graph!
Connected via userprovidedaccesstoken access using 564a7e7f-fc5c-414c-9d0a-08fed5a3d06f
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs
NOTE: You can use the -NoWelcome parameter to suppress this message.
$myTest = Get-MgBetaDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $compliancePolicies[2].Id.ToString() -ExpandProperty "assignments,scheduledActionsForRule(`$expand=scheduledActionConfigurations)"
$myTest
Id CreatedDateTime Description DisplayName LastModifiedDateTime RoleScopeTagIds Version
0c64a126-8246-4b06-8230-6c829b2b31a9 16/12/2022 4:40:04 AM iOS MTD Compliance Policy iOS - MTD Compliance Policy 17/07/2024 10:11:51 AM {0} 4
Does the error only occur with this resource type?
I am unit testing with Intune only. All tested configs fail with the same error. E.g.:
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PWI231107153731 with user sid S-1-5-21-2390724182-775950025-1378355663-323905.
VERBOSE: [PWI231107153731]: LCM: [ Start Set ]
VERBOSE: [PWI231107153731]: LCM: [ Start Resource ] [[IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10]IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10-Intune data collection policy]
VERBOSE: [PWI231107153731]: LCM: [ Start Test ] [[IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10]IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10-Intune data collection policy]
VERBOSE: [PWI231107153731]: [[IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10]IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10-Intune data collection policy] Testing configuration of the Intune Device Configuration Health Monitoring Configuration Policy for Windows10 with Id {6832ccb2-a7ff-479b-8e28-e4b95afc8af8} and DisplayName {Intune data collection policy}
WARNING: [PWI231107153731]: [[IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10]IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10-Intune data collection policy] We recommend providing the tenant name in format
114238_20240930: unitTestRestoreConfig_Test2redo processing started - Environment: 'Redo'
VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = SendConfigurationApply,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer PWI231107153731 with user sid S-1-5-21-2390724182-775950025-1378355663-323905.
VERBOSE: [PWI231107153731]: LCM: [ Start Set ]
VERBOSE: [PWI231107153731]: LCM: [ Start Resource ] [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [PWI231107153731]: LCM: [ Start Test ] [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices]
VERBOSE: [PWI231107153731]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Testing configuration of the Intune Device Enrollment Platform Restriction with Id {44419229-22b5-4787-a8ae-c416578c764e_DefaultPlatformRestrictions} and DisplayName {All users and all devices}
VERBOSE: [PWI231107153731]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] Checking for the Intune Device Enrollment Restriction {All users and all devices}
WARNING: [PWI231107153731]: [[IntuneDeviceEnrollmentPlatformRestriction]IntuneDeviceEnrollmentPlatformRestriction-All users and all devices] We recommend providing the tenant name in format
@alexwjohnson Are you using a corporate proxy in your environment? It seems that in an interactive session the connection to the Graph endpoint works fine, but not in the LCM, which runs in the SYSTEM context. Maybe you need to configure a proxy using winhttp set proxy?
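A way to compare the interactive and SYSTEM contexts discussed above, as an added example that is not code from this thread or from M365DSC. The function name `Get-ProxyContextReport` is hypothetical, and the two default hosts are the assumed public-cloud sign-in and Graph endpoints.

```powershell
# Added diagnostic, not M365DSC code. Run it interactively and again as SYSTEM
# (the account the LCM runs under), then compare the two reports.
function Get-ProxyContextReport {
    [CmdletBinding()]
    param(
        # Assumed public-cloud hosts for client-secret sign-in and Graph calls.
        [string[]]$Uri = @('https://login.microsoftonline.com', 'https://graph.microsoft.com'),
        [int]$TimeoutSec = 15
    )

    # Machine-wide WinHTTP proxy, the setting "netsh winhttp set proxy" changes.
    $winHttp = (& netsh.exe winhttp show proxy | Out-String).Trim()

    # Per-user WinINET proxy; SYSTEM has its own hive, usually without one.
    $inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue

    $checks = foreach ($u in $Uri) {
        # Proxy .NET resolves for this URI in the current security context
        # (GetProxy returns the URI itself when the connection would be direct).
        $via = [System.Net.WebRequest]::GetSystemWebProxy().GetProxy([uri]$u).AbsoluteUri
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
            $outcome = "HTTP $([int]$r.StatusCode)"
        } catch {
            # An HTTP error status still proves the path works; a timeout or
            # TLS failure carries no response object.
            $resp = $_.Exception.Response
            $outcome = if ($resp) { "HTTP $([int]$resp.StatusCode)" } else { "FAILED: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ Uri = $u; Via = $via; Outcome = $outcome; Seconds = [math]::Round($timer.Elapsed.TotalSeconds, 1) }
    }

    [pscustomobject]@{
        Identity       = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        WinHttpProxy   = $winHttp
        WinInetEnabled = [bool]$inet.ProxyEnable
        WinInetServer  = $inet.ProxyServer
        WinInetPacUrl  = $inet.AutoConfigURL
        Checks         = $checks
    }
}

Get-ProxyContextReport | ConvertTo-Json -Depth 3
```

Running it as SYSTEM needs a SYSTEM-context launcher such as a scheduled task. A difference between the two reports in `WinHttpProxy`, the WinINET values or `Via` points at proxy configuration rather than at the service principal.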
Thx Fabien - verifying - and yes, most definitely a corporate proxy environment.
Have run several tests via the system proxy. I note that all export actions across the same proxy work successfully. The outbound calls made by the 'Invoke CimMethod' appear to connect OK and return rc200, but then time out after the approx. 15-minute timeout. The only other message that may be interesting is a bad cert message issued as part of the ACK message back to the proxy... See attached screenshots.
I am now testing to see what results occur from another device - this time my laptop.
Hmm, that's strange. Don't have an explanation for it. Very keen to hear back from you with the results from your laptop.
Hi @FabienTschanz ,
This issue can be closed.
This is not an M365DSC issue.
I have been able to configure the solution to an environment with no winHTTP proxy setting, and have proven M365DSC works as designed.
That is, export, compile and deploy of a given artefact worked successfully.
I appreciate your input and support.
Description of the issue
Resource: IntuneDeviceCompliancePolicyWindows10
Error executing 'Start-DSCConfiguration' back to source instance - unit test failure.
Error Detail: 'ClientSecretCredential authentication failed: Request to the endpoint timed out.'
Both export and .mof generation work with no issue.
Service principal API permissions applied as per M365DSC documentation for Intune configurations
Using the same service principal for both export and deploy
Also checked expected permissions from cmdlet - these have also been applied
Microsoft 365 DSC Version
1.24.904.1
Which workloads are affected
Intune
The DSC configuration
Verbose logs showing the problem
Environment Information + PowerShell Version