IntuneDeviceEnrollmentStatusPageWindows10: Cannot deploy to another tenant with cert-based auth #3442

Closed
ricmestre opened this issue Jul 7, 2023 · 3 comments · Fixed by #3878 or #3895
Labels
Bug Something isn't working Intune V1.23.628.1 Version 1.23.628.1 V1.23.705.1 Version 1.23.705.1

Comments

@ricmestre
Contributor

Details of the scenario you tried and the problem that is occurring

After exporting two IntuneDeviceEnrollmentStatusPageWindows10 policies from one tenant (the default one assigned to all users/devices and another custom one) with cert-based auth, trying to apply the custom one to another tenant, also using a certificate, doesn't work; it complains that it might be running in interactive mode.

Usually this problem is due to incorrect permissions; nevertheless, please note that in both tenants I've given the app, and granted admin consent for, the required permissions DeviceManagementServiceConfig.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All.

Trying to deploy it with credentials, there's yet another problem: it detects that the resource is absent in the target tenant (Test-TargetResource returns false), but it doesn't create the resource at all. However, I'd like to have the issue with the Service Principal with certificate solved; this one is not a priority for me right now, it's just for your information.

Verbose logs showing the problem

VERBOSE: [REDACTED]:[[IntuneDeviceEnrollmentStatusPageWindows10]IntuneDeviceEnrollmentStatusPageWindows10-REDACTED] Creating an Intune Device Enrollment Configuration for Windows10 with DisplayName {REDACTED}

VERBOSE: [REDACTED]:[[IntuneDeviceEnrollmentStatusPageWindows10]IntuneDeviceEnrollmentStatusPageWindows10-REDACTED] POST https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations/REDACTED_Windows10EnrollmentCompletionPageConfiguration/assign with 815-byte payload

VERBOSE: [REDACTED]:[[IntuneDeviceEnrollmentStatusPageWindows10]IntuneDeviceEnrollmentStatusPageWindows10-REDACTED] received 841-byte response of content type application/json

PowerShell Desired State Configuration does not support execution of commands in an interactive mode. Please ensure that the underlying command is not prompting for user   input, such as missing mandatory parameter, confirmation prompt etc.
+ CategoryInfo          : OperationStopped: (:) [], CimException
+ FullyQualifiedErrorId : System.NotSupportedException
+ PSComputerName        : localhost

Suggested solution to the issue

N/A

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration ESP
{
    $OrganizationName = "REDACTED"

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.628.1'

    Node localhost
    {
        IntuneDeviceEnrollmentStatusPageWindows10 "IntuneDeviceEnrollmentStatusPageWindows10-REDACTED"
        {
            AllowDeviceResetOnInstallFailure        = $True;
            AllowDeviceUseOnInstallFailure          = $False;
            AllowLogCollectionOnInstallFailure      = $True;
            AllowNonBlockingAppInstallation         = $False;
            ApplicationId                           = "REDACTED";
            CertificateThumbprint                   = "REDACTED";
            Assignments                             = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    deviceAndAppManagementAssignmentFilterId = '00000000-0000-0000-0000-000000000000'
                    groupId = 'REDACTED'
                }
            );
            BlockDeviceSetupRetryByUser             = $False;
            CustomErrorMessage                      = "Installation exceeded 2 hours time limit. Try again or contact your IT Service Desk for help.";
            DisableUserStatusTrackingAfterFirstUser = $True;
            DisplayName                             = "REDACTED";
            Ensure                                  = "Present";
            Id                                      = "REDACTED_Windows10EnrollmentCompletionPageConfiguration";
            InstallProgressTimeoutInMinutes         = 120;
            InstallQualityUpdates                   = $False;
            Priority                                = 1;
            ShowInstallationProgress                = $True;
            TenantId                                = $OrganizationName;
            TrackInstallProgressForAutopilotOnly    = $True;
        }
    }
}

ESP -ConfigurationData .\ConfigurationData.psd1

The operating system the target node is running

Win10

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.628.1

@ricmestre
Contributor Author

Please update the label to V1.23.705.1 since it also fails with the latest version; I tested it locally (not DevOps) with cert-based auth.

@William-Francillette
Contributor

@ricmestre and @richardjgreen I'll have a look tonight after work; it's probably something silly.
Thanks for reporting the issue.

@William-Francillette
Contributor

Hi gents, I knew it was something silly:
in the function definition of Update-DeviceEnrollmentConfigurationPriority, the catch statement was missing a ` to link New-M365DSCLogEntry to the parameter on the next line.

Pushing PR now.
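
The failure mode described in the comment above, as an added example (not code from Microsoft365DSC or from the PR): without the trailing backtick a call parses as two statements, so the first one can be left without a mandatory parameter, which is one of the prompt causes the DSC error text names. `Write-DemoLog`, `Find-OrphanedParameterLine` and the sample script text are hypothetical; the check uses the PowerShell parser to flag statements that begin with a parameter-style token.

```powershell
# Constructed sample (never executed, only parsed): a catch block whose
# logging call lost its line-continuation backtick. Write-DemoLog is a
# hypothetical stand-in for a logging helper with mandatory parameters.
$sample = @'
function Write-DemoLog {
    param(
        [Parameter(Mandatory)] [string] $Message,
        [Parameter(Mandatory)] [string] $Source
    )
    "$Source : $Message"
}
try { throw 'assign failed' }
catch {
    Write-DemoLog -Message 'Error updating priority'
        -Source 'Update-Priority'
}
'@

function Find-OrphanedParameterLine {
    # Hypothetical lint helper: returns every statement that starts with "-Name ...".
    param([Parameter(Mandatory)] [string] $ScriptText)

    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref] $tokens, [ref] $errors)

    # With the backtick missing, the continuation line becomes its own command
    # whose first element is the parameter name (here "-Source").
    $orphans = $ast.FindAll({
            param($node)
            $node -is [System.Management.Automation.Language.CommandAst] -and
            $node.CommandElements[0].Extent.Text -like '-*'
        }, $true)

    foreach ($cmd in $orphans) {
        [pscustomobject]@{
            Line = $cmd.Extent.StartLineNumber
            Text = $cmd.Extent.Text
        }
    }
}

# Report the orphaned line in the constructed sample.
Find-OrphanedParameterLine -ScriptText $sample | Format-Table -AutoSize
```

Because the broken call sits in a catch block, it only executes when the guarded operation fails, so a static check over the module source finds it before a deployment does.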
