Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IntuneSettingCatalogASRRulesPolicyWindows10: Not working #4844

Closed
ricmestre opened this issue Jul 5, 2024 · 1 comment · Fixed by #4845 or #4855
Closed

IntuneSettingCatalogASRRulesPolicyWindows10: Not working #4844

ricmestre opened this issue Jul 5, 2024 · 1 comment · Fixed by #4845 or #4855
Labels
Bug Something isn't working Intune V1.24.626.1 Version 1.24.626.1

Comments

@ricmestre
Copy link
Contributor

Description of the issue

@FabienTschanz The changes you've been doing to the settings catalog messed up IntuneSettingCatalogASRRulesPolicyWindows10 and I'm not able to deploy it anymore in my integration tests, the test I have for IntuneSettingCatalogCustomPolicyWindows10 succeeds but at this point I don't know if it's by chance or if it really works correctly.

Microsoft 365 DSC Version

1.24.626.1

Which workloads are affected

Intune

The DSC configuration

IntuneSettingCatalogASRRulesPolicyWindows10 "IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1"
        {
            Assignments                                                                = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupExclude'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupInclude'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            BlockAdobeReaderFromCreatingChildProcesses                                 = "block";
            BlockAllOfficeApplicationsFromCreatingChildProcesses                       = "audit";
            BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem          = "block";
            BlockExecutableContentFromEmailClientAndWebmail                            = "audit";
            BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion = "audit";
            BlockExecutionOfPotentiallyObfuscatedScripts                               = "audit";
            BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent          = "audit";
            BlockOfficeApplicationsFromCreatingExecutableContent                       = "audit";
            BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses                 = "audit";
            BlockOfficeCommunicationAppFromCreatingChildProcesses                      = "audit";
            BlockPersistenceThroughWMIEventSubscription                                = "audit";
            BlockProcessCreationsFromPSExecAndWMICommands                              = "audit";
            BlockUntrustedUnsignedProcessesThatRunFromUSB                              = "block";
            BlockWin32APICallsFromOfficeMacros                                         = "audit";
            Credential                                                                 = $Credscredential;
            Description                                                                = "Protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks.";
            DisplayName                                                                = "IntuneSettingCatalogASRRulesPolicyWindows10_1";
            Ensure                                                                     = "Present";
            Identity                                                                   = "333fb616-8725-4c89-adf1-815911741012";
            UseAdvancedProtectionAgainstRansomware                                     = "block";
        }

Verbose logs showing the problem

[[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] Creating new Endpoint  Protection Attack Surface Reduction Rules Policy {IntuneSettingCatalogASRRulesPolicyWindows10_1}                                                                                                                  [] : The request is invalid.
+ CategoryInfo          : InvalidOperation: ({ Headers = , b...urationPolicy }:) [], CimException
+ FullyQualifiedErrorId : Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaDeviceManagementConfigurationPolicy_Create
+ PSComputerName        : localhost
VERBOSE: [REDACTED]: LCM:  [ End    Set      ]  [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1]  in 4.0030 seconds.   The PowerShell DSC resource '[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1' with SourceInfo 'C:\temp\dsc\IntuneSettingCatalogASRRulesPolicyWindows10.ps1::34::9::IntuneSettingCatalogASRRulesPolicyWindows10' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName        : localhost
VERBOSE: [REDACTED]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName        : localhost

Environment Information + PowerShell Version

No response
@FabienTschanz FabienTschanz mentioned this issue Jul 5, 2024
Merged
@FabienTschanz
Copy link
Contributor

@ricmestre Ok so that was strange. I took the latest module version and your configuration and tried to reproduce the issue. At first (for about 5 times when creating), I didn't succeed and the configuration was applied successfully without any issues. But after some time, I got the exact same error message.

The fix is more than simple: Just prevent PowerShell from mangling down a single-element array to the element itself... That's what my PR at #4845 does, simply forcing PowerShell to always return an array. No idea how that didn't cause a ruckus earlier, but well.

@andikrueger andikrueger added Bug Something isn't working Intune V1.24.626.1 Version 1.24.626.1 labels Jul 6, 2024
@NikCharlebois NikCharlebois mentioned this issue Jul 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Something isn't working Intune V1.24.626.1 Version 1.24.626.1
Projects
None yet
Milestone
No milestone
3 participants
@andikrueger @FabienTschanz @ricmestre