
IntuneDeviceConfigurationEndpointProtectionPolicyWindows10: Cannot deploy to another tenant with cert-based auth #3444

Closed
ricmestre opened this issue Jul 7, 2023 · 4 comments
Labels
Bug Something isn't working Intune Pending Information V1.23.628.1 Version 1.23.628.1 V1.23.705.1 Version 1.23.705.1

Comments

@ricmestre
Contributor

Details of the scenario you tried and the problem that is occurring

This resource suffers from the same issue as #3442: trying to apply the config to another tenant with cert-based auth fails with "PowerShell Desired State Configuration does not support execution of commands in an interactive mode", and both the source and target tenants have the app configured, with admin consent granted for the permission DeviceManagementConfiguration.ReadWrite.All as per settings.json.

Verbose logs showing the problem

[[IntuneDeviceConfigurationEndpointProtectionPolicyWindows10]IntuneDeviceConfigurationEndpointProtectionPolicyWindows10-REDACTED] Creating an Intune Device Configuration Endpoint Protection Policy for Windows10 with DisplayName {REDACTED}
VERBOSE: [REDACTED]: [[IntuneDeviceConfigurationEndpointProtectionPolicyWindows10]IntuneDeviceConfigurationEndpointProtectionPolicyWindows10-REDACTED] POST https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/REDACTED/assign with 872-byte payload
VERBOSE: [REDACTED]: [[IntuneDeviceConfigurationEndpointProtectionPolicyWindows10]IntuneDeviceConfigurationEndpointProtectionPolicyWindows10-REDACTED] received 799-byte response of content type application/json

PowerShell Desired State Configuration does not support execution of commands in an interactive mode. Please ensure that the underlying command is not prompting for user input, such as missing mandatory parameter, confirmation prompt etc.
    + CategoryInfo          : OperationStopped: (:) [], CimException
    + FullyQualifiedErrorId : System.NotSupportedException
    + PSComputerName        : localhost

Suggested solution to the issue

N/A

The DSC configuration that is used to reproduce the issue (as detailed as possible)

Configuration EndpointProtection
{
    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.628.1'

    Node localhost
    {
        IntuneDeviceConfigurationEndpointProtectionPolicyWindows10 "IntuneDeviceConfigurationEndpointProtectionPolicyWindows10-REDACTED"
        {
            ApplicationGuardAllowFileSaveOnHost                                          = $False;
            ApplicationGuardAllowPersistence                                             = $False;
            ApplicationGuardAllowPrintToLocalPrinters                                    = $False;
            ApplicationGuardAllowPrintToNetworkPrinters                                  = $False;
            ApplicationGuardAllowPrintToPDF                                              = $False;
            ApplicationGuardAllowPrintToXPS                                              = $False;
            ApplicationGuardAllowVirtualGPU                                              = $False;
            ApplicationGuardBlockClipboardSharing                                        = "notConfigured";
            ApplicationGuardBlockFileTransfer                                            = "notConfigured";
            ApplicationGuardBlockNonEnterpriseContent                                    = $False;
            ApplicationGuardCertificateThumbprints                                       = @();
            ApplicationGuardEnabled                                                      = $False;
            ApplicationGuardEnabledOptions                                               = "notConfigured";
            ApplicationGuardForceAuditing                                                = $False;
            AppLockerApplicationControl                                                  = "notConfigured";
            ApplicationId                                                                = "REDACTED"
            Assignments                                                                  = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'REDACTED'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = 'REDACTED'
                }
            );
            BitLockerAllowStandardUserEncryption                                         = $False;
            BitLockerDisableWarningForOtherDiskEncryption                                = $False;
            BitLockerEnableStorageCardEncryptionOnMobile                                 = $False;
            BitLockerEncryptDevice                                                       = $False;
            BitLockerFixedDrivePolicy                                                    = MSFT_MicrosoftGraphbitLockerFixedDrivePolicy{
                RequireEncryptionForWriteAccess = $False
            };
            BitLockerRecoveryPasswordRotation                                            = "notConfigured";
            BitLockerRemovableDrivePolicy                                                = MSFT_MicrosoftGraphbitLockerRemovableDrivePolicy{
                BlockCrossOrganizationWriteAccess = $False
                RequireEncryptionForWriteAccess = $False
            };
            BitLockerSystemDrivePolicy                                                   = MSFT_MicrosoftGraphbitLockerSystemDrivePolicy{
                PrebootRecoveryEnableMessageAndUrl = $False
                StartupAuthenticationTpmPinUsage = 'blocked'
                StartupAuthenticationTpmPinAndKeyUsage = 'blocked'
                StartupAuthenticationRequired = $False
                StartupAuthenticationTpmUsage = 'blocked'
                StartupAuthenticationTpmKeyUsage = 'blocked'
                StartupAuthenticationBlockWithoutTpmChip = $False
            };
            CertificateThumbprint                                                        = "REDACTED";
            DefenderAdditionalGuardedFolders                                             = @();
            DefenderAdobeReaderLaunchChildProcess                                        = "notConfigured";
            DefenderAdvancedRansomewareProtectionType                                    = "notConfigured";
            DefenderAttackSurfaceReductionExcludedPaths                                  = @();
            DefenderBlockPersistenceThroughWmiType                                       = "userDefined";
            DefenderEmailContentExecution                                                = "userDefined";
            DefenderEmailContentExecutionType                                            = "userDefined";
            DefenderFileExtensionsToExclude                                              = @();
            DefenderFilesAndFoldersToExclude                                             = @();
            DefenderGuardedFoldersAllowedAppPaths                                        = @();
            DefenderGuardMyFoldersType                                                   = "userDefined";
            DefenderNetworkProtectionType                                                = "notConfigured";
            DefenderOfficeAppsExecutableContentCreationOrLaunch                          = "userDefined";
            DefenderOfficeAppsExecutableContentCreationOrLaunchType                      = "userDefined";
            DefenderOfficeAppsLaunchChildProcess                                         = "userDefined";
            DefenderOfficeAppsLaunchChildProcessType                                     = "userDefined";
            DefenderOfficeAppsOtherProcessInjection                                      = "userDefined";
            DefenderOfficeAppsOtherProcessInjectionType                                  = "userDefined";
            DefenderOfficeCommunicationAppsLaunchChildProcess                            = "notConfigured";
            DefenderOfficeMacroCodeAllowWin32Imports                                     = "userDefined";
            DefenderOfficeMacroCodeAllowWin32ImportsType                                 = "userDefined";
            DefenderPreventCredentialStealingType                                        = "notConfigured";
            DefenderProcessCreation                                                      = "userDefined";
            DefenderProcessCreationType                                                  = "userDefined";
            DefenderProcessesToExclude                                                   = @();
            DefenderScriptDownloadedPayloadExecution                                     = "userDefined";
            DefenderScriptDownloadedPayloadExecutionType                                 = "userDefined";
            DefenderScriptObfuscatedMacroCode                                            = "userDefined";
            DefenderScriptObfuscatedMacroCodeType                                        = "userDefined";
            DefenderSecurityCenterBlockExploitProtectionOverride                         = $False;
            DefenderSecurityCenterITContactDisplay                                       = "notConfigured";
            DefenderSecurityCenterNotificationsFromApp                                   = "notConfigured";
            DefenderUntrustedExecutable                                                  = "userDefined";
            DefenderUntrustedExecutableType                                              = "userDefined";
            DefenderUntrustedUSBProcess                                                  = "userDefined";
            DefenderUntrustedUSBProcessType                                              = "userDefined";
            DeviceGuardEnableSecureBootWithDMA                                           = $False;
            DeviceGuardEnableVirtualizationBasedSecurity                                 = $False;
            DeviceGuardLaunchSystemGuard                                                 = "notConfigured";
            DeviceGuardLocalSystemAuthorityCredentialGuardSettings                       = "notConfigured";
            DeviceGuardSecureBootWithDMA                                                 = "notConfigured";
            DisplayName                                                                  = "REDACTED";
            DmaGuardDeviceEnumerationPolicy                                              = "deviceDefault";
            Ensure                                                                       = "Present";
            FirewallCertificateRevocationListCheckMethod                                 = "deviceDefault";
            FirewallIPSecExemptionsAllowDHCP                                             = $False;
            FirewallIPSecExemptionsAllowICMP                                             = $False;
            FirewallIPSecExemptionsAllowNeighborDiscovery                                = $False;
            FirewallIPSecExemptionsAllowRouterDiscovery                                  = $False;
            FirewallIPSecExemptionsNone                                                  = $False;
            FirewallPacketQueueingMethod                                                 = "deviceDefault";
            FirewallPreSharedKeyEncodingMethod                                           = "deviceDefault";
            FirewallProfileDomain                                                        = MSFT_MicrosoftGraphwindowsFirewallNetworkProfile{
                PolicyRulesFromGroupPolicyNotMerged = $True
                InboundNotificationsBlocked = $False
                OutboundConnectionsRequired = $False
                GlobalPortRulesFromGroupPolicyNotMerged = $True
                ConnectionSecurityRulesFromGroupPolicyNotMerged = $True
                UnicastResponsesToMulticastBroadcastsRequired = $False
                PolicyRulesFromGroupPolicyMerged = $False
                UnicastResponsesToMulticastBroadcastsBlocked = $False
                IncomingTrafficRequired = $False
                IncomingTrafficBlocked = $False
                ConnectionSecurityRulesFromGroupPolicyMerged = $False
                StealthModeRequired = $False
                InboundNotificationsRequired = $False
                AuthorizedApplicationRulesFromGroupPolicyMerged = $False
                InboundConnectionsBlocked = $False
                OutboundConnectionsBlocked = $False
                StealthModeBlocked = $False
                GlobalPortRulesFromGroupPolicyMerged = $False
                SecuredPacketExemptionBlocked = $False
                SecuredPacketExemptionAllowed = $False
                InboundConnectionsRequired = $False
                FirewallEnabled = 'allowed'
                AuthorizedApplicationRulesFromGroupPolicyNotMerged = $True
            };
            FirewallProfilePrivate                                                       = MSFT_MicrosoftGraphwindowsFirewallNetworkProfile{
                PolicyRulesFromGroupPolicyNotMerged = $True
                InboundNotificationsBlocked = $False
                OutboundConnectionsRequired = $False
                GlobalPortRulesFromGroupPolicyNotMerged = $True
                ConnectionSecurityRulesFromGroupPolicyNotMerged = $True
                UnicastResponsesToMulticastBroadcastsRequired = $False
                PolicyRulesFromGroupPolicyMerged = $False
                UnicastResponsesToMulticastBroadcastsBlocked = $False
                IncomingTrafficRequired = $False
                IncomingTrafficBlocked = $False
                ConnectionSecurityRulesFromGroupPolicyMerged = $False
                StealthModeRequired = $False
                InboundNotificationsRequired = $False
                AuthorizedApplicationRulesFromGroupPolicyMerged = $False
                InboundConnectionsBlocked = $False
                OutboundConnectionsBlocked = $False
                StealthModeBlocked = $False
                GlobalPortRulesFromGroupPolicyMerged = $False
                SecuredPacketExemptionBlocked = $False
                SecuredPacketExemptionAllowed = $False
                InboundConnectionsRequired = $False
                FirewallEnabled = 'allowed'
                AuthorizedApplicationRulesFromGroupPolicyNotMerged = $True
            };
            FirewallProfilePublic                                                        = MSFT_MicrosoftGraphwindowsFirewallNetworkProfile{
                PolicyRulesFromGroupPolicyNotMerged = $True
                InboundNotificationsBlocked = $False
                OutboundConnectionsRequired = $False
                GlobalPortRulesFromGroupPolicyNotMerged = $True
                ConnectionSecurityRulesFromGroupPolicyNotMerged = $True
                UnicastResponsesToMulticastBroadcastsRequired = $False
                PolicyRulesFromGroupPolicyMerged = $False
                UnicastResponsesToMulticastBroadcastsBlocked = $False
                IncomingTrafficRequired = $False
                IncomingTrafficBlocked = $False
                ConnectionSecurityRulesFromGroupPolicyMerged = $False
                StealthModeRequired = $False
                InboundNotificationsRequired = $False
                AuthorizedApplicationRulesFromGroupPolicyMerged = $False
                InboundConnectionsBlocked = $False
                OutboundConnectionsBlocked = $False
                StealthModeBlocked = $False
                GlobalPortRulesFromGroupPolicyMerged = $False
                SecuredPacketExemptionBlocked = $False
                SecuredPacketExemptionAllowed = $False
                InboundConnectionsRequired = $False
                FirewallEnabled = 'allowed'
                AuthorizedApplicationRulesFromGroupPolicyNotMerged = $True
            };
            Id                                                                           = "REDACTED";
            LanManagerAuthenticationLevel                                                = "lmAndNltm";
            LanManagerWorkstationDisableInsecureGuestLogons                              = $False;
            LocalSecurityOptionsAdministratorElevationPromptBehavior                     = "notConfigured";
            LocalSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares          = $False;
            LocalSecurityOptionsAllowPKU2UAuthenticationRequests                         = $False;
            LocalSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool      = $False;
            LocalSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn              = $False;
            LocalSecurityOptionsAllowUIAccessApplicationElevation                        = $False;
            LocalSecurityOptionsAllowUIAccessApplicationsForSecureLocations              = $False;
            LocalSecurityOptionsAllowUndockWithoutHavingToLogon                          = $False;
            LocalSecurityOptionsBlockMicrosoftAccounts                                   = $False;
            LocalSecurityOptionsBlockRemoteLogonWithBlankPassword                        = $False;
            LocalSecurityOptionsBlockRemoteOpticalDriveAccess                            = $False;
            LocalSecurityOptionsBlockUsersInstallingPrinterDrivers                       = $False;
            LocalSecurityOptionsClearVirtualMemoryPageFile                               = $False;
            LocalSecurityOptionsClientDigitallySignCommunicationsAlways                  = $False;
            LocalSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers      = $False;
            LocalSecurityOptionsDetectApplicationInstallationsAndPromptForElevation      = $False;
            LocalSecurityOptionsDisableAdministratorAccount                              = $False;
            LocalSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees   = $False;
            LocalSecurityOptionsDisableGuestAccount                                      = $False;
            LocalSecurityOptionsDisableServerDigitallySignCommunicationsAlways           = $False;
            LocalSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees   = $False;
            LocalSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts              = $False;
            LocalSecurityOptionsDoNotRequireCtrlAltDel                                   = $False;
            LocalSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange        = $False;
            LocalSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser                = "notConfigured";
            LocalSecurityOptionsHideLastSignedInUser                                     = $False;
            LocalSecurityOptionsHideUsernameAtSignIn                                     = $False;
            LocalSecurityOptionsInformationDisplayedOnLockScreen                         = "notConfigured";
            LocalSecurityOptionsInformationShownOnLockScreen                             = "notConfigured";
            LocalSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients             = "none";
            LocalSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers             = "none";
            LocalSecurityOptionsOnlyElevateSignedExecutables                             = $False;
            LocalSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares             = $False;
            LocalSecurityOptionsSmartCardRemovalBehavior                                 = "noAction";
            LocalSecurityOptionsStandardUserElevationPromptBehavior                      = "notConfigured";
            LocalSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation           = $False;
            LocalSecurityOptionsUseAdminApprovalMode                                     = $False;
            LocalSecurityOptionsUseAdminApprovalModeForAdministrators                    = $False;
            LocalSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations = $False;
            SmartScreenBlockOverrideForFiles                                             = $False;
            SmartScreenEnableInShell                                                     = $False;
            SupportsScopeTags                                                            = $True;
            WindowsDefenderTamperProtection                                              = "notConfigured";
            TenantId                                                                     = "REDACTED";
            XboxServicesAccessoryManagementServiceStartupMode                            = "manual";
            XboxServicesEnableXboxGameSaveTask                                           = $False;
            XboxServicesLiveAuthManagerServiceStartupMode                                = "manual";
            XboxServicesLiveGameSaveServiceStartupMode                                   = "manual";
            XboxServicesLiveNetworkingServiceStartupMode                                 = "manual";
        }
    }
}

EndpointProtection -ConfigurationData .\ConfigurationData.psd1

The operating system the target node is running

Win10

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.628.1

@andikrueger andikrueger added Bug Something isn't working Intune V1.23.628.1 Version 1.23.628.1 labels Jul 7, 2023
@ricmestre
Contributor Author

Please update the label to V1.23.705.1 since it also fails with the latest version; I tested it locally (not in DevOps) with cert-based auth.

@andikrueger andikrueger added the V1.23.705.1 Version 1.23.705.1 label Jul 11, 2023
@ricmestre
Contributor Author

This resource now works for deploying to another tenant, but when re-deploying with the same values the test fails, so it tries to update the policies even though they are all correct as in the blueprint configuration.

@andikrueger
Collaborator

Please try to remove the ID from your blueprint in the clone scenario.

@ricmestre
Contributor Author

@andikrueger That wasn't the issue. The policy can be deployed now but suffers the same issue as explained on #3888; in this case the problem wasn't the Id, it was that I was using a certificate thumbprint and that property wasn't being removed. It's weird that sometimes it would say the resource was in the desired state and other times it didn't, but after making the same changes I did on #3893 it now always succeeds, so I pushed those changes to my PR and this can be closed.
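The drift described in the thread, as an added illustration that is not Microsoft365DSC code: a Test-TargetResource-style comparison that leaves authentication and identity properties (ApplicationId, TenantId, CertificateThumbprint, Id) in the desired-state hashtable reports the resource as out of the desired state on every run, because those values are never part of the policy returned from the tenant. Stripping them before the comparison is the fix pattern the last comment describes. All function names, the exclusion list and the sample hashtables below are hypothetical and constructed for this example.

```powershell
# Added example, not the module's own Test-TargetResource. Function names,
# the exclusion list and the sample data are hypothetical.

function Remove-AuthenticationParameters {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [hashtable] $Parameters
    )
    # Properties that carry authentication context or a tenant-specific identity.
    # They are not part of the Graph policy payload, so they must never take part
    # in the desired-vs-current comparison. (Hypothetical list, modelled on the
    # properties visible in the blueprint above.)
    $excluded = @('ApplicationId', 'TenantId', 'CertificateThumbprint',
                  'Credential', 'ApplicationSecret', 'ManagedIdentity', 'Id')
    $clone = $Parameters.Clone()
    foreach ($name in $excluded) {
        $clone.Remove($name)   # Hashtable.Remove is a no-op when the key is absent
    }
    return $clone
}

function Test-PolicyInDesiredState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Desired,
        [Parameter(Mandatory = $true)] [hashtable] $Current,
        [switch] $StripAuthenticationParameters
    )
    $d = if ($StripAuthenticationParameters) { Remove-AuthenticationParameters -Parameters $Desired }
         else { $Desired.Clone() }

    foreach ($key in $d.Keys) {
        if (-not $Current.ContainsKey($key)) {
            Write-Verbose "Property '$key' is not present in the current state"
            return $false
        }
        $dv = $d[$key]
        $cv = $Current[$key]
        if ($dv -is [array]) {
            # Order-insensitive array comparison; handle empty arrays explicitly.
            $same = (@($dv).Count -eq @($cv).Count) -and
                    (@($dv).Count -eq 0 -or -not (Compare-Object @($dv) @($cv)))
        }
        else {
            $same = ($dv -eq $cv)
        }
        if (-not $same) {
            Write-Verbose "Drift detected on '$key': desired '$dv', current '$cv'"
            return $false
        }
    }
    return $true
}

# Constructed sample: the blueprint values, including the auth parameters that
# DSC passes into the resource. Placeholder identifiers, not real tenant values.
$desired = @{
    DisplayName                = 'Endpoint Protection baseline'
    Ensure                     = 'Present'
    SmartScreenEnableInShell   = $false
    DefenderProcessesToExclude = @()
    ApplicationId              = '00000000-0000-0000-0000-000000000000'  # placeholder
    TenantId                   = 'placeholder.onmicrosoft.com'           # placeholder
    CertificateThumbprint      = 'PLACEHOLDER_THUMBPRINT'                 # placeholder
}
# Constructed sample: what a Get-TargetResource-style read of the target tenant
# returns. Only the policy body comes back; auth context does not.
$current = @{
    DisplayName                = 'Endpoint Protection baseline'
    Ensure                     = 'Present'
    SmartScreenEnableInShell   = $false
    DefenderProcessesToExclude = @()
}

# Without stripping: CertificateThumbprint (and the other auth keys) count as
# drift, so Set would be invoked on every run even though the policy matches.
Test-PolicyInDesiredState -Desired $desired -Current $current -Verbose            # False
# With stripping: only policy properties are compared, and the resource passes.
Test-PolicyInDesiredState -Desired $desired -Current $current -StripAuthenticationParameters  # True
```

The two calls at the end reproduce the symptom from the thread: the same blueprint is reported as out of state when the thumbprint is left in the comparison, and as in state once it is removed along with the other authentication parameters.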
