
IntuneDeviceConfigurationScepCertificatePolicyWindows10: Cannot be deployed to another tenant #3965

Closed
ricmestre opened this issue Nov 29, 2023 · 0 comments · Fixed by #4400 or #4447
Labels
Bug Something isn't working Intune V1.23.1122.1 Version 1.23.1122.1

Comments

@ricmestre
Contributor

Description of the issue

IntuneDeviceConfigurationScepCertificatePolicyWindows10 works without issues within the boundaries of the same tenant: it can be exported, deleted, redeployed and updated. Nevertheless, it won't work when applied to another tenant, and that's because it expects a property called RootCertificateId, which is assigned the Id of a policy of type IntuneDeviceConfigurationTrustedCertificatePolicyWindows10, and of course the target tenant will have different Ids for these policies.

In order to fix this, the policy should also have a RootCertificateDisplayName property to fall back on in case RootCertificateId is not found, and therefore try to find the policy by its name instead of its Id.

Microsoft 365 DSC Version

1.23.1122.1

Which workloads are affected

other

The DSC configuration

# Generated with Microsoft365DSC version 1.23.1122.1
# For additional information on how to use Microsoft365DSC, please visit https://aka.ms/M365DSC
param (
    [parameter()]
    [System.Management.Automation.PSCredential]
    $Credential
)

Configuration IntuneDeviceConfigurationScepCertificatePolicyWindows10
{
    param (
        [parameter()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    if ($null -eq $Credential)
    {
        <# Credentials #>
        $Credscredential = Get-Credential -Message "Credentials"

    }
    else
    {
        $CredsCredential = $Credential
    }

    $OrganizationName = $CredsCredential.UserName.Split('@')[1]

    Import-DscResource -ModuleName 'Microsoft365DSC' -ModuleVersion '1.23.1122.1'

    Node localhost
    {
        IntuneDeviceConfigurationScepCertificatePolicyWindows10 "IntuneDeviceConfigurationScepCertificatePolicyWindows10-IntuneDeviceConfigurationScepCertificatePolicyWindows10_1"
        {
            Assignments                    = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            CertificateStore               = "user";
            CertificateValidityPeriodScale = "years";
            CertificateValidityPeriodValue = 5;
            Credential                     = $Credscredential;
            DisplayName                    = "IntuneDeviceConfigurationScepCertificatePolicyWindows10_1";
            Ensure                         = "Present";
            ExtendedKeyUsages              = @(
                MSFT_MicrosoftGraphextendedKeyUsage{
                    ObjectIdentifier = '1.3.6.1.5.5.7.3.2'
                    Name = 'Client Authentication'
                }
            );
            HashAlgorithm                  = "sha2";
            Id                             = "9f6d5d49-06f1-4a9e-89a6-565b2632c99e";
            KeySize                        = "size2048";
            KeyStorageProvider             = "useTpmKspOtherwiseUseSoftwareKsp";
            KeyUsage                       = "digitalSignature";
            RenewalThresholdPercentage     = 20;
            # Id of an IntuneDeviceConfigurationTrustedCertificatePolicyWindows10 policy in the source tenant;
            # a different tenant assigns its own Ids, so this reference cannot be resolved there.
            RootCertificateId              = "73f15a93-c1a0-4999-8e85-f47b183bdd3a";
            ScepServerUrls                 = @("https://mydomain.com/certsrv/mscep/mscep.dll");
            SubjectAlternativeNameType     = "none";
            SubjectNameFormat              = "custom";
            SubjectNameFormatString        = "CN={{UserName}},E={{EmailAddress}}";
        }
    }
}

IntuneDeviceConfigurationScepCertificatePolicyWindows10 -ConfigurationData .\ConfigurationData.psd1 -Credential $Credential

Verbose logs showing the problem

N/A

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US, pt-PT}

Name                           Value
----                           -----
PSVersion                      5.1.22621.2428
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22621.2428
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
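The fallback the issue proposes, as an added example that is not Microsoft365DSC project code: try the exported RootCertificateId first, and if it does not exist in the target tenant, resolve the trusted root certificate policy by RootCertificateDisplayName instead. The function name, its parameters and the sample policy objects are assumptions made for this illustration; the $Policies input stands in for what Get-MgBetaDeviceManagementDeviceConfiguration -All would return from the target tenant, and the OData type used to recognise a trusted root certificate policy ('#microsoft.graph.windows81TrustedRootCertificate') is an assumption about the Graph schema.

```powershell
# Added example (not Microsoft365DSC code): resolve the trusted root certificate
# policy a SCEP policy refers to, in a tenant whose policy Ids differ from the
# source tenant. Assumption: trusted root certificate policies carry the OData
# type '#microsoft.graph.windows81TrustedRootCertificate'.
function Resolve-RootCertificatePolicyId {
    [CmdletBinding()]
    param (
        # Device configurations of the target tenant, e.g. the output of
        # Get-MgBetaDeviceManagementDeviceConfiguration -All
        [Parameter(Mandatory)]
        [object[]] $Policies,

        # Id exported from the source tenant (may not exist in the target tenant)
        [string] $RootCertificateId,

        # Name to fall back on when the Id is not found
        [string] $RootCertificateDisplayName,

        [string] $TrustedRootType = '#microsoft.graph.windows81TrustedRootCertificate'
    )

    # Only consider trusted root certificate policies, so the SCEP policy can never
    # be bound to an unrelated configuration that happens to share a display name.
    $candidates = @($Policies | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq $TrustedRootType
    })

    # 1) Exact Id match: this is the case that already works within one tenant.
    if (-not [string]::IsNullOrEmpty($RootCertificateId)) {
        $byId = @($candidates | Where-Object { $_.Id -eq $RootCertificateId })
        if ($byId.Count -eq 1) {
            return $byId[0].Id
        }
        Write-Verbose "RootCertificateId '$RootCertificateId' not found in target tenant; falling back to display name."
    }

    # 2) Fall back to the display name, which survives the move between tenants.
    if ([string]::IsNullOrEmpty($RootCertificateDisplayName)) {
        throw "RootCertificateId not found and no RootCertificateDisplayName to fall back on."
    }

    $byName = @($candidates | Where-Object { $_.DisplayName -eq $RootCertificateDisplayName })
    if ($byName.Count -eq 0) {
        throw "No trusted root certificate policy named '$RootCertificateDisplayName' found in target tenant."
    }
    if ($byName.Count -gt 1) {
        # Display names are not unique in Intune; refuse to guess which policy to bind to.
        throw "Display name '$RootCertificateDisplayName' is ambiguous ($($byName.Count) matches); cannot resolve safely."
    }
    return $byName[0].Id
}

# Constructed sample of what the target tenant might return (not real tenant data).
# The second object shares the display name but is not a trusted root policy.
$targetTenantPolicies = @(
    [pscustomobject]@{
        Id                   = '2f1c0a77-5f39-4b26-9d5e-1c2a9b4f8e01'
        DisplayName          = 'Corp Root CA'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.windows81TrustedRootCertificate' }
    },
    [pscustomobject]@{
        Id                   = 'a7e4d2c9-8b10-4f6a-b3d1-0f9e8c7d6b02'
        DisplayName          = 'Corp Root CA'
        AdditionalProperties = @{ '@odata.type' = '#microsoft.graph.windows10GeneralConfiguration' }
    }
)

# The Id below is the one from the exported configuration in this issue; it does
# not exist in the constructed target tenant, so the name lookup takes over.
Resolve-RootCertificatePolicyId -Policies $targetTenantPolicies `
    -RootCertificateId '73f15a93-c1a0-4999-8e85-f47b183bdd3a' `
    -RootCertificateDisplayName 'Corp Root CA' -Verbose
```

With the constructed sample, the exported Id is absent, the lookup falls through to the display name, and the type filter discards the second object so only the trusted root policy's Id is returned. The ambiguity check matters in practice: Intune does not enforce unique display names, and silently binding a SCEP profile to the wrong root certificate would make issued certificates chain to the wrong CA.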