From ab827f2957b4899c63300ccd58af3055c8a91f01 Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Fri, 1 Dec 2023 07:40:34 +0100 Subject: [PATCH 1/7] IntuneSettingCatalogASRRulesPolicyWindows10: Fixed Schema Validation with parameter Identity made Mandatory --- CHANGELOG.md | 3 +++ .../MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 830057e90c..848b88e82b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,9 @@ # UNRELEASED +* IntuneSettingCatalogASRRulesPolicyWindows10 + * Fixed Schema Validation with parameter Identity made Mandatory + FIXES [#3961](https://github.com/microsoft/Microsoft365DSC/issues/3961) * IntuneAntivirusPolicyWindows10SettingCatalog * Skipped settingValueTemplateReference and settingInstanceTemplateReference for severethreats, highseveritythreats, moderateseveritythreats, lowseveritythreats as per API requirements observed in the Intune portal FIXES [#3818](https://github.com/microsoft/Microsoft365DSC/issues/3818) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 index a059ab3082..988978add4 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 @@ -4,7 +4,7 @@ function Get-TargetResource [OutputType([System.Collections.Hashtable])] param ( - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Identity, 
@@ -283,7 +283,7 @@ function Set-TargetResource [CmdletBinding()] param ( - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Identity, @@ -540,7 +540,7 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( - [Parameter()] + [Parameter(Mandatory = $true)] [System.String] $Identity, From fc6d98e8c71b1d1f297fee4127ff9cb0327e76ce Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Fri, 1 Dec 2023 07:51:06 +0100 Subject: [PATCH 2/7] update changelog --- CHANGELOG.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 256147b6c0..a484897505 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -34,26 +34,26 @@ IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined, IntuneWindowsAutopilotDeploymentProfileAzureADJoined * Removed Id and all authentication parameters from PSBoundParameters in Test-TargetResource - FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) + FIXES [#3888](https://github.com/microsoft/Microsoft365DSC/issues/3888) * IntuneWindowsAutopilotDeploymentProfileAzureADJoined * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment - FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) * IntuneDeviceEnrollmentStatusPageWindows10 * Fixed assignments using API call - FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) * IntuneWindowsAutopilotDeploymentProfileAzureADHybridJoined * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment - FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) * IntuneWindowsAutopilotDeploymentProfileAzureADJoined * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment - FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) + FIXES [#3892](https://github.com/microsoft/Microsoft365DSC/issues/3892) * IntuneWindowsUpdateForBusinessRingUpdateProfileWindows10 * Modified assigned to use sdk instead of API call and added logic to use groupDisplayName in assignment * IntuneDeviceConfigurationPolicyWindows10 - FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) * IntuneDeviceEnrollmentStatusPageWindows10 * Fixed assignments using API call - FIXES 
[#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) + FIXES [#3921](https://github.com/microsoft/Microsoft365DSC/issues/3921) * TeamsMessagingPolicy * Added support for properties AllowCommunicationComplianceEndUserReporting, AllowFluidCollaborate and AllowSecurityEndUserReporting. From 314a3239b9686d6f230a02f031315f8ecf7a99ec Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Fri, 1 Dec 2023 16:21:46 +0100 Subject: [PATCH 3/7] use M365DSCDRGUtil to fix ASRRulesPolicy --- ...SettingCatalogASRRulesPolicyWindows10.psm1 | 37 ++++++++++-------- ...gCatalogASRRulesPolicyWindows10.schema.mof | Bin 16772 -> 16776 bytes 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 index 988978add4..894c62713b 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 @@ -4,7 +4,7 @@ function Get-TargetResource [OutputType([System.Collections.Hashtable])] param ( - [Parameter(Mandatory = $true)] + [Parameter()] [System.String] $Identity, 
@@ -239,19 +239,8 @@ function Get-TargetResource } } - $returnAssignments = @() - $returnAssignments += Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id - $assignmentResult = @() - foreach ($assignmentEntry in $returnAssignments) - { - $assignmentValue = @{ - dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' - deviceAndAppManagementAssignmentFilterType = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.toString() - deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId - groupId = $assignmentEntry.Target.AdditionalProperties.groupId - } - $assignmentResult += $assignmentValue - } + $returnAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id + $assignmentResult = ConvertFrom-IntunePolicyAssignment -Assignments $returnAssignments $returnHashtable.Add('Assignments', $assignmentResult) Write-Verbose -Message "Found Endpoint Protection Attack Surface Protection rules Policy {$($policy.name)}" @@ -283,7 +272,7 @@ function Set-TargetResource [CmdletBinding()] param ( - [Parameter(Mandatory = $true)] + [Parameter()] [System.String] $Identity, @@ -490,8 +479,9 @@ function Set-TargetResource } if ($policy.id) { + $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $assignmentsHash Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $assignmentsHash + -Targets $intuneAssignments } #endregion } @@ -540,7 +530,7 @@ function Test-TargetResource [OutputType([System.Boolean])] param ( - [Parameter(Mandatory = $true)] + [Parameter()] [System.String] $Identity, 
@@ -752,6 +742,19 @@ function Test-TargetResource $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment } + #GroupDisplayName Assignment + if (-not [String]::IsNullOrEmpty($assignment.groupDisplayName)) + { + $source = [Array]$ValuesToCheck.Assignments | Where-Object -FilterScript { $_.groupDisplayName -eq $assignment.groupDisplayName } + if (-not $source) + { + Write-Verbose -Message "Configuration drift: groupDisplayName {$($assignment.groupDisplayName)} not found" + $testResult = $false + break + } + $sourceHash = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + $testResult = Compare-M365DSCComplexObject -Source $sourceHash -Target $assignment + } #AllDevices/AllUsers assignment else { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.schema.mof index 74aed24722b081a852f3482c8a4c1427b52617e6..84d1e0c2a4acdaa4c5ca8e4308157e886ffb908d 100644 GIT binary patch delta 22 ecmZo^X6$HY+)&3e`2xSjdlbKP&t`VOn&n+o<}ACU+D+I From c5cd2bf8baf8b671701f4c15dabbce0d2ad96996 Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Tue, 5 Dec 2023 09:28:34 +0100 Subject: [PATCH 4/7] fix error on getting policy by displayname & with empty assigments --- ...SettingCatalogASRRulesPolicyWindows10.psm1 | 22 +++++++++++++------ .../Modules/M365DSCDRGUtil.psm1 | 4 ++++ 2 files changed, 19 insertions(+), 7 deletions(-) 
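Review bot: In the `@@ -752,6 +742,19 @@` hunk of Test-TargetResource, the new `if (-not [String]::IsNullOrEmpty($assignment.groupDisplayName))` block sits between the preceding branch's closing brace and the `#AllDevices/AllUsers assignment` `else`, so that `else` now pairs with the groupDisplayName test instead of the branch above it. An assignment handled by the earlier branch (it starts outside the hunk, presumably the groupId comparison) that has no groupDisplayName would then also run the AllDevices/AllUsers branch, which can overwrite `$testResult`. An assignment carrying both values has the first comparison's result replaced by the second. For a resource that reports drift on attack surface reduction policy assignments, this can hide a real mismatch. Chaining the new block as `elseif (-not [String]::IsNullOrEmpty($assignment.groupDisplayName))` keeps the cases mutually exclusive; the enclosing loop and the `else` body continue outside the hunk.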
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 index 894c62713b..e04ad2c1dc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 @@ -188,7 +188,7 @@ function Get-TargetResource if ($null -eq $policy) { Write-Verbose -Message "No Endpoint Protection Attack Surface Protection rules Policy {$Identity} was found" - $policy = Get-MgBetaDeviceManagementConfigurationPolicy | Where-Object -FilterScript { $_.Name -eq "$DisplayName" -and $_.templateReference.TemplateId -eq "$templateReferenceId" } -ErrorAction silentlyContinue + $policy = Get-MgBetaDeviceManagementConfigurationPolicy | Where-Object -FilterScript { $_.Name -eq "$DisplayName" -and $_.templateReference.TemplateId -eq "$templateReferenceId" } | Select-Object -First 1 } if ($null -eq $policy) @@ -240,7 +240,14 @@ function Get-TargetResource } $returnAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $policy.Id - $assignmentResult = ConvertFrom-IntunePolicyAssignment -Assignments $returnAssignments + if ($returnAssignments.Count -gt 0) + { + $assignmentResult = ConvertFrom-IntunePolicyAssignment -Assignments $returnAssignments + } + else + { + $assignmentResult = @() + } $returnHashtable.Add('Assignments', $assignmentResult) Write-Verbose -Message "Found Endpoint Protection Attack Surface Protection rules Policy {$($policy.name)}" 
@@ -479,9 +486,9 @@ function Set-TargetResource } if ($policy.id) { - $intuneAssignments = ConvertTo-IntunePolicyAssignment -Assignments $assignmentsHash + $intuneAssignments = [Hashtable[]] (ConvertTo-IntunePolicyAssignment -Assignments $assignmentsHash) Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id ` - -Targets $intuneAssignments + -Targets ([Array]($intuneAssignments.target)) } #endregion } @@ -499,7 +506,7 @@ function Set-TargetResource #write-verbose -message ($settings|convertto-json -Depth 20) Update-IntuneDeviceConfigurationPolicy ` - -DeviceConfigurationPolicyId $Identity ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` -Name $DisplayName ` -Description $Description ` -TemplateReferenceId $templateReferenceId ` @@ -513,8 +520,9 @@ function Set-TargetResource { $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment } - Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $Identity ` - -Targets $assignmentsHash + $intuneAssignments = [Hashtable[]] (ConvertTo-IntunePolicyAssignment -Assignments $assignmentsHash) + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Targets ([Array]($intuneAssignments.target)) #endregion } elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present') diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 307b4280a5..83667bea15 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -1253,6 +1253,10 @@ function Update-DeviceConfigurationPolicyAssignment foreach ($target in $targets) { $formattedTarget = @{"@odata.type" = $target.dataType} + if(-not $formattedTarget."@odata.type" -and $target."@odata.type") + { + $formattedTarget."@odata.type" = $target."@odata.type" + } if ($target.groupId) { $formattedTarget.Add('groupId',$target.groupId) 
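Review bot: The update path in the `@@ -499,7 +506,7 @@` and `@@ -513,8 +520,9 @@` hunks now targets `$currentPolicy.Identity`, but the `elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present')` branch that follows lies outside the hunk and may still pass `$Identity`. If it does, a policy that was matched by DisplayName (presumably through Get-TargetResource) would be updated under the resolved ID but removed under the configured one, so the removal call should use `$currentPolicy.Identity` too. A comment above the update such as `# Use the ID resolved from the tenant; $Identity may be unknown when the policy is matched by DisplayName` would record why the parameter is no longer used here.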
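Review bot: In the `Update-DeviceConfigurationPolicyAssignment` hunk, a target that carries neither `dataType` nor `@odata.type` still leaves `$formattedTarget` with a null `@odata.type`, because the added fallback only covers the second key. Since the callers in this series now pass `([Array]($intuneAssignments.target))`, an assignment without a `target` entry would arrive here as an empty element and take exactly that path. Failing early makes the problem visible instead of building a request with an untyped target, for example `if (-not $formattedTarget.'@odata.type') { throw 'Assignment target is missing dataType/@odata.type' }` placed after the fallback. The rest of the loop and the request it builds are outside the hunk, so confirm how a null type is handled downstream.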
From fe8caef4e556033da446b5da667dbbde4caa1533 Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Tue, 5 Dec 2023 09:33:56 +0100 Subject: [PATCH 5/7] update changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d57a0a2119..611f5e5d98 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,8 @@ # UNRELEASED * IntuneSettingCatalogASRRulesPolicyWindows10 - * Fixed Schema Validation with parameter Identity made Mandatory + * Fixed Schema Validation + * Fixed Import with unknown ID of Policy and Assignments by using DisplayName FIXES [#3961](https://github.com/microsoft/Microsoft365DSC/issues/3961) * DEPENDENCIES * Updated MSCloudLoginAssistant to version 1.1.1. From 553a617ee51475ea06d329c794938ec0600e5feb Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Mon, 11 Dec 2023 15:14:09 +0100 Subject: [PATCH 6/7] update schema --- ...gCatalogASRRulesPolicyWindows10.schema.mof | Bin 16776 -> 16766 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.schema.mof index 84d1e0c2a4acdaa4c5ca8e4308157e886ffb908d..bef985e88651981f825054989f14b4238bc5025e 100644 GIT binary patch delta 24 gcmeBZX8hO0xM2b>t2aX`L*-;fG5O8=cuyGv0BcJKO#lD@ delta 34 ocmey@#MsfyxM2b>e-J||Lm@*cLncEJkd-p|pqBjRExf0U0mKvwIRF3v From 9c0575938a58f5a5f0e201a33e79453ab3c3fa9d Mon Sep 17 00:00:00 2001 From: "ITACS\\mk" Date: Fri, 15 Dec 2023 09:10:14 +0100 Subject: [PATCH 7/7] throw Error instead of using the first found one --- .../MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 index e04ad2c1dc..8ab4c12b0e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10/MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.psm1 @@ -188,7 +188,12 @@ function Get-TargetResource if ($null -eq $policy) { Write-Verbose -Message "No Endpoint Protection Attack Surface Protection rules Policy {$Identity} was found" - $policy = Get-MgBetaDeviceManagementConfigurationPolicy | Where-Object -FilterScript { $_.Name -eq "$DisplayName" -and $_.templateReference.TemplateId -eq "$templateReferenceId" } | Select-Object -First 1 + $policy = Get-MgBetaDeviceManagementConfigurationPolicy | Where-Object -FilterScript { $_.Name -eq "$DisplayName" -and $_.templateReference.TemplateId -eq "$templateReferenceId" } + + if ($policy.Count -gt 1) + { + throw "Multiple Endpoint Protection Attack Surface Protection rules Policies with DisplayName '{$DisplayName}' were found!" + } } if ($null -eq $policy)
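Review bot: The new `throw` in Get-TargetResource's DisplayName fallback may never reach the caller. If this lookup sits inside a try/catch in the function (not visible in the hunk) whose handler returns an absent result, the duplicate-name case would be reported as `Ensure = 'Absent'`, and Set-TargetResource could then create another policy with the same name. Confirm how the error propagates, so that ambiguous names stop the run rather than being treated as "not found". The message would also be easier to act on if it listed the matches, for example by appending `IDs: $($policy.Id -join ', ')`. The braces in `'{$DisplayName}'` are printed literally inside the quotes, so one of the two delimiters can be dropped.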