microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License
1.64k stars 505 forks

IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/IntuneSecurityBaselineMicrosoftEdge: Not deploying correctly #5378

Closed ricmestre closed 2 weeks ago

ricmestre commented 3 weeks ago

Description of the issue

I had tests that worked correctly, but on the latest version they no longer do. These 2 resources deploy without errors, but looking at the verbose logs, it looks like not all properties are being sent in the request, and Test-DscConfiguration then returns false. Check the 2 attached configurations for both these resources, and the properties that seem to be missing from the request. Most likely there are more missing, but I didn't bother to check.

IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy-IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy_1 -> PasswordAgeDays_AAD

IntuneSecurityBaselineMicrosoftEdge-IntuneSecurityBaselineMicrosoftEdge_1 -> authschemes, MicrosoftEdge_HTTPAuthentication_AuthSchemes

Additionally, I also have 5 IntuneDeviceConfigurationCustomPolicyWindows10 policies, and one of them somehow stopped working for some random reason. This is super frustrating.

Microsoft 365 DSC Version

1.24.1106.3

Which workloads are affected

Intune

The DSC configuration

        IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy "IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy-IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy_1"
        {
            AdministratorAccountName = "Administrator";
            ApplicationId            = $IntuneApplicationId;
            Assignments              = @(
                MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments{
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                    groupDisplayName = 'DummyGroupExclude'
                }
                MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments{
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'include'
                    deviceAndAppManagementAssignmentFilterId = 'd10a0779-7e0b-496f-81a2-f098aa09675f'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                    groupDisplayName = 'DummyGroupInclude'
                }
            );
            BackupDirectory          = 1;
            CertificateThumbprint    = $IntuneCertThumbprint;
            Description              = "My revised description";
            DisplayName              = "IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy_1";
            Ensure                   = "Present";
            Identity                 = "cf9b4992-e9cb-4ba0-b657-54977e65cf3a";
            PasswordAgeDays_AAD      = 20;
            TenantId                 = $OrganizationName;
        }
-------------------------------------------------------------------------------------------------------------------------
        IntuneSecurityBaselineMicrosoftEdge "IntuneSecurityBaselineMicrosoftEdge-IntuneSecurityBaselineMicrosoftEdge_1"
        {
            ApplicationId                                           = $IntuneApplicationId;
            Assignments                                             = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupExclude'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupInclude'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            authschemes                                             = "ntlm,negotiate";
            BasicAuthOverHttpEnabled                                = "0";
            BrowserLegacyExtensionPointsBlockingEnabled             = "1";
            CertificateThumbprint                                   = $IntuneCertThumbprint;
            Description                                             = "IntuneSecurityBaselineMicrosoftEdge_1";
            DisplayName                                             = "IntuneSecurityBaselineMicrosoftEdge_1";
            EdgeEnhanceImagesEnabled                                = "0";
            Ensure                                                  = "Present";
            ExtensionInstallBlocklist                               = "1";
            ExtensionInstallBlocklistDesc                           = @("*");
            Id                                                      = "4c45142a-87b4-4b36-8680-217c0e694780";
            InsecurePrivateNetworkRequestsAllowed                   = "0";
            InternetExplorerIntegrationReloadInIEModeAllowed        = "0";
            InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0";
            InternetExplorerModeToolbarButtonEnabled                = "0";
            MicrosoftEdge_HTTPAuthentication_AuthSchemes            = "1";
            NativeMessagingUserLevelHosts                           = "0";
            PreventSmartScreenPromptOverride                        = "1";
            PreventSmartScreenPromptOverrideForFiles                = "1";
            RoleScopeTagIds                                         = @("0");
            SharedArrayBufferUnrestrictedAccessAllowed              = "0";
            SitePerProcess                                          = "1";
            SmartScreenEnabled                                      = "1";
            SmartScreenPuaEnabled                                   = "1";
            SSLErrorOverrideAllowed                                 = "0";
            TenantId                                                = $OrganizationName;
            TyposquattingCheckerEnabled                             = "1";
            WebSQLAccess                                            = "0";
        }

Verbose logs showing the problem

N/A

Environment Information + PowerShell Version

Win11/PS5.1

ricmestre commented 3 weeks ago

@FabienTschanz Could you please check this?

FabienTschanz commented 3 weeks ago

@ricmestre On it. I'm confused because the first resource works with my test script but not with the DSC module...

FabienTschanz commented 3 weeks ago

Got the first problem (same as before, upper vs lower-case property naming...). Now tackling the second one, this one seems more complicated.