How to handle the Identity field in Intune resources #3596

Open
Influencer101 opened this issue Aug 22, 2023 · 5 comments
Labels: Bug (Something isn't working), Intune

Comments

@Influencer101

Influencer101 commented Aug 22, 2023

Details of the scenario you tried and the problem that is occurring

We're currently evaluating Microsoft365DSC to see if we can use it to keep the configuration of our development tenant in sync with our production tenant. We did a little test by deploying a test ASR policy to our development tenant. The issue is that although the policy was created successfully, the resource (Intune ASR policy) never gets to a desired state because it checks for the original Identity, which of course isn't the same, as Intune created a new Identity upon creation of the policy.

Verbose logs showing the problem

The screen shot below shows the entry in the event log after subsequent deployments.

image

Suggested solution to the issue

Please let us know how we can ensure the resource gets reported as in the desired state upon subsequent deployments. P.S. I tried to remove the Identity field from the config, but that didn't work as the Identity field is reported as mandatory; see the screen shot below.

image

In addition, the event log also shows the following error events. It could be because it's trying to update the Identity value.

image

image

Thanks in advance for looking into this!

The DSC configuration that is used to reproduce the issue (as detailed as possible)

param (
)

Configuration M365TenantConfig
{
    param (
    )

    $OrganizationName = $ConfigurationData.NonNodeData.OrganizationName

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.809.1'

    Node localhost
    {
        IntuneSettingCatalogASRRulesPolicyWindows10 "IntuneSettingCatalogASRRulesPolicyWindows10-Test ASR Policy"
        {
            ApplicationId                              = $ConfigurationData.NonNodeData.ApplicationId;
            ApplicationSecret                          = New-Object System.Management.Automation.PSCredential ('ApplicationSecret', (ConvertTo-SecureString $ConfigurationData.NonNodeData.ApplicationSecret -AsPlainText -Force));
            Assignments                                = @();
            blockadobereaderfromcreatingchildprocesses = "block";
            Description                                = "This is the description"
            DisplayName                                = "Test ASR Policy"
            Ensure                                     = "Present";
            Identity                                   = "f73e7ecc-ccb5-4b8f-9e33-6324df9d5194";
            TenantId                                   = $OrganizationName;
        }
    }
}

M365TenantConfig -ConfigurationData .\ConfigurationData.psd1

The operating system the target node is running

OsName : Microsoft Windows 10 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture : 64-bit
WindowsVersion : 2009
WindowsBuildLabEx : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage : en-US
OsMuiLanguages : {en-US}

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.809.1

@andikrueger (Collaborator)

This is a known limitation of M365DSC right now and we are discussing alternatives in #3344. This was a change we made in April to better align with the ID problem in a tenant.

In the current implementation, you need to change the ID after the initial run to the "real" ID within the portal.
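As a worked illustration of the workaround described above (look up the ID Intune assigned after the first run and put that into the configuration), here is an added PowerShell script. It is not Microsoft365DSC project code and not the commenter's; it assumes the Microsoft.Graph PowerShell SDK is installed, that the app registration holds DeviceManagementConfiguration.Read.All, and that a hypothetical `.\M365TenantConfig.ps1` defines the Configuration from the issue with its hard-coded Identity line replaced by `Identity = $ConfigurationData.NonNodeData.AsrPolicyIdentity;`. Resolving the ID per tenant this way lets the same configuration be compiled for several tenants, which is the multi-tenant case raised in the thread.

```powershell
<#
  Added example, not Microsoft365DSC project code.
  Resolves the Identity that Intune assigned to a settings-catalog policy
  (looked up by its display name) and feeds it into ConfigurationData so the
  same DSC configuration can be compiled once per tenant.

  Assumptions (hypothetical names, not taken from the issue):
    - The Microsoft.Graph PowerShell SDK is installed and the app registration
      holds DeviceManagementConfiguration.Read.All.
    - .\M365TenantConfig.ps1 defines the Configuration from the issue, with the
      Identity line changed to:
          Identity = $ConfigurationData.NonNodeData.AsrPolicyIdentity;
#>
param (
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ApplicationId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint,
    [string] $PolicyName = 'Test ASR Policy',
    [string] $ConfigurationDataPath = '.\ConfigurationData.psd1',
    [string] $OutputPath = ".\MOF\$TenantId"
)

function Resolve-IntunePolicyIdentity {
    param ([Parameter(Mandatory)] [string] $Name)

    # Settings-catalog policies live under /deviceManagement/configurationPolicies
    # and expose their display name as 'name'. Single quotes are doubled so a
    # name containing an apostrophe cannot break the OData filter.
    $escaped = $Name -replace "'", "''"
    $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?`$filter=name eq '$escaped'"
    $response = Invoke-MgGraphRequest -Method GET -Uri $uri
    $found = @($response.value)

    switch ($found.Count) {
        0 {
            # First deployment: the policy does not exist yet. A fresh GUID lets
            # the resource create it; re-run this script afterwards so the next
            # compile carries the real id and the resource reaches desired state.
            Write-Warning "No policy named '$Name' in tenant $TenantId; using a placeholder Identity for the initial run."
            return [guid]::NewGuid().ToString()
        }
        1 { return $found[0].id }
        default {
            # Policy names are not unique in Intune; refuse to guess which one to manage.
            throw "Found $($found.Count) policies named '$Name' in tenant $TenantId; make the name unique first."
        }
    }
}

# Certificate-based app-only sign-in; no secret is stored in the configuration.
Connect-MgGraph -TenantId $TenantId -ClientId $ApplicationId -CertificateThumbprint $CertificateThumbprint -NoWelcome
try {
    $identity = Resolve-IntunePolicyIdentity -Name $PolicyName
}
finally {
    Disconnect-MgGraph | Out-Null
}

# Load the per-tenant data file and add the resolved id in memory, without
# editing the file on disk, so one psd1 can serve all tenants.
$configData = Import-PowerShellDataFile -Path $ConfigurationDataPath
$configData.NonNodeData.AsrPolicyIdentity = $identity

. .\M365TenantConfig.ps1
M365TenantConfig -ConfigurationData $configData -OutputPath $OutputPath
Write-Host "Compiled MOF for tenant $TenantId with Identity $identity into $OutputPath"
```

Run it once per tenant (for example `.\Compile-TenantConfig.ps1 -TenantId <tenant> -ApplicationId <app> -CertificateThumbprint <thumbprint>`); the first run against an empty tenant compiles with a placeholder GUID so the resource creates the policy, and the second run picks up the id Intune generated. The duplicate-name check matters because a wrong match would silently put a different policy under DSC control.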

@Influencer101 (Author)

Updating the ID may be a challenge if we want to deploy a single config to multiple tenants. Ideally we don't want to have to deal with the ID for certain policies/configs. Thanks for the feedback and hope you find a good solution.

@jadamones

jadamones commented Nov 1, 2023

I'm having trouble creating the ASR rules period. As mentioned in #2985 it should create the rule when using a dummy ID; however, when I deploy the configuration, I get the following:

The command Get-TargetResource of the PS resource MSFT_IntuneSettingCatalogASRRulesPolicyWindows10 does not implement the key property Identity mentioned in the corresponding MOF schema file C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1025.1\DscResources\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10\MSFT_IntuneSettingCatalogASRRulesPolicyWindows10.schema.mof as a mandatory parameter. All key parameters mentioned in the schema file must be implemented by the command Get-TargetResource as mandatory function parameters.
    + CategoryInfo          : InvalidOperation: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : KeyParameterNotImplemented
    + PSComputerName        : localhost

This is my DSC configuration:

IntuneSettingCatalogASRRulesPolicyWindows10 "IntuneSettingCatalogASRRulesPolicyWindows10-ASR Baseline Policy"
{
    ApplicationId                                                              = $ConfigurationData.NonNodeData.ApplicationId;
    Assignments                                                                = @(
        MSFT_DeviceManagementConfigurationPolicyAssignments{
            deviceAndAppManagementAssignmentFilterType = 'none'
            dataType = '#microsoft.graph.allDevicesAssignmentTarget'
        }
    );
    attacksurfacereductiononlyexclusions                                       = @();
    blockabuseofexploitedvulnerablesigneddrivers                               = "block";
    blockadobereaderfromcreatingchildprocesses                                 = "block";
    blockallofficeapplicationsfromcreatingchildprocesses                       = "block";
    blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem          = "audit";
    blockexecutablecontentfromemailclientandwebmail                            = "block";
    blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion = "audit";
    blockexecutionofpotentiallyobfuscatedscripts                               = "block";
    blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent          = "block";
    blockofficeapplicationsfromcreatingexecutablecontent                       = "block";
    blockofficeapplicationsfrominjectingcodeintootherprocesses                 = "block";
    blockofficecommunicationappfromcreatingchildprocesses                      = "block";
    blockpersistencethroughwmieventsubscription                                = "block";
    blockprocesscreationsfrompsexecandwmicommands                              = "block";
    blockuntrustedunsignedprocessesthatrunfromusb                              = "block";
    blockwin32apicallsfromofficemacros                                         = "block";
    CertificateThumbprint                                                      = $ConfigurationData.NonNodeData.CertificateThumbprint;
    Description                                                                = "";
    DisplayName                                                                = "ASR Baseline Policy";
    Ensure                                                                     = "Present";
    Identity                                                                   = "703dff81-a023-4bbd-a0a3-2b68ed603eb9";
    TenantId                                                                   = $OrganizationName;
    useadvancedprotectionagainstransomware                                     = "block";
}

If I exclude the Identity property it fails to compile the mof. Any ideas what I might be overlooking?

@andikrueger (Collaborator)

Thanks for bringing this to our attention. This is a bug within the schema.mof for this resource.

andikrueger added the labels Bug (Something isn't working) and Intune and removed the label Pending Information on Nov 2, 2023

@ricmestre (Contributor)

@andikrueger Same issue as reported in #3715 for another resource
