Groups not assigned correctly to policies #4467

Closed
rbovenkampclearict opened this issue Mar 19, 2024 · 2 comments · Fixed by #4468 or #4512
Labels: Bug (Something isn't working), Intune, V1.24.313.1 (Version 1.24.313.1)

Description of the issue

The groups and policies were exported from a source tenant and need to be imported into a clean new tenant. The groups are correctly imported into the new tenant, but the policies are not correctly linked to the groups. Also see the attached screenshots.

Screenshot 2024-03-19 210253

Screenshot 2024-03-19 210128

Microsoft 365 DSC Version

1.24.313.1

Which workloads are affected

Azure Active Directory, other

The DSC configuration

AADGroup "AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs"
        {
            Credential                    = $Credscredential;
            DisplayName                   = "Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs";
            Ensure                        = "Present";
            GroupTypes                    = @("DynamicMembership");
            Id                            = "7fa65f23-92fa-4e87-91d3-b7220fae82f1";
            MailEnabled                   = $False;
            MailNickname                  = "9b71a3fb-9";
            MemberOf                      = @();
            MembershipRule                = "(device.managementType -eq `"MDM`") and (device.deviceModel -notContains `"Cloud PC`")";
            MembershipRuleProcessingState = "On";
            Owners                        = @();
            SecurityEnabled               = $True;
        }

        IntuneAntivirusPolicyWindows10SettingCatalog "IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus"
        {
            allowarchivescanning                = "1";
            allowbehaviormonitoring             = "1";
            allowcloudprotection                = "1";
            allowemailscanning                  = "1";
            allowfullscanonmappednetworkdrives  = "1";
            allowfullscanremovabledrivescanning = "1";
            allowioavprotection                 = "1";
            allowonaccessprotection             = "1";
            allowrealtimemonitoring             = "1";
            allowscanningnetworkfiles           = "1";
            allowscriptscanning                 = "1";
            allowuseruiaccess                   = "1";
            Assignments                         = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = '7fa65f23-92fa-4e87-91d3-b7220fae82f1'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'Janssen B.V. - All Windows 365 Cloud PCs'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'f45c44be-050a-420e-ac4c-30cd981feb85'
                }
            );
            checkforsignaturesbeforerunningscan = "1";
            cloudblocklevel                     = "2";
            Credential                          = $Credscredential;
            Description                         = "Janssen B.V. - Endpoint Security Antivirus - 25-12-2023 - Versie 1.0";
            DisplayName                         = "Janssen B.V. - Endpoint Security Antivirus";
            enablenetworkprotection             = "1";
            engineupdateschannel                = "0";
            Ensure                              = "Present";
            highseveritythreats                 = "quarantine";
            Identity                            = "ea0c3592-38cb-42ce-9abe-1dfbcd33f732";
            lowseveritythreats                  = "quarantine";
#            meteredconnectionupdates            = "1";
            moderateseveritythreats             = "quarantine";
            platformupdateschannel              = "0";
            puaprotection                       = "1";
            realtimescandirection               = "0";
            scanparameter                       = "1";
            schedulequickscantime               = 120;
            schedulescanday                     = "6";
            schedulescantime                    = 120;
            securityintelligenceupdateschannel  = "0";
            severethreats                       = "quarantine";
            signatureupdateinterval             = 8;
            submitsamplesconsent                = "3";
            templateId                          = "804339ad-1553-4478-a742-138fb5807418_1";
        }

Verbose logs showing the problem

VERBOSE: [CLE-CLI-995]: LCM:  [ Start  Resource ]  [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs]
VERBOSE: [CLE-CLI-995]: LCM:  [ Start  Test     ]  [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs]
VERBOSE: [CLE-CLI-995]:                            [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs] Testing configuration of AzureAD Groups
VERBOSE: [CLE-CLI-995]:                            [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs] Getting configuration of AzureAD Group
VERBOSE: [CLE-CLI-995]:                            [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs] GroupID was specified
VERBOSE: [CLE-CLI-995]:                            [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs] Couldn't get group by ID, trying by name
VERBOSE: [CLE-CLI-995]:                            [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs] Current Values: AssignedToRole=()
Credential=***
DisplayName=Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs
Ensure=Absent
GroupTypes=(DynamicMembership)
Id=7fa65f23-92fa-4e87-91d3-b7220fae82f1
MailEnabled=False
MailNickname=9b71a3fb-9
MemberOf=()
Members=()
MembershipRule=(device.managementType -eq "MDM") and (device.deviceModel -notContains "Cloud PC")
MembershipRuleProcessingState=On
Owners=()
SecurityEnabled=True
Verbose=True
VERBOSE: [CLE-CLI-995]:                            [[AADGroup]AADGroup-Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs] Target Values: Credential=***
DisplayName=Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs
Ensure=Present
GroupTypes=(DynamicMembership)
Id=7fa65f23-92fa-4e87-91d3-b7220fae82f1
MailEnabled=False
MailNickname=9b71a3fb-9
MembershipRule=(device.managementType -eq "MDM") and (device.deviceModel -notContains "Cloud PC")
MembershipRuleProcessingState=On
SecurityEnabled=True
Verbose=True




Verbose=True
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] Target Values: Assignments=({dataType=#microsoft.graph.groupAssignmentTarget;
deviceAndAppManagementAssignmentFilterType=none; deviceAndAppManagementAssignmentFilterId=; groupId=7fa65f23-92fa-4e87-91d3-b7220fae82f1; groupDisplayName=Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs;
collectionId=},{dataType=#microsoft.graph.groupAssignmentTarget; deviceAndAppManagementAssignmentFilterType=none; deviceAndAppManagementAssignmentFilterId=; groupId=f45c44be-050a-420e-ac4c-30cd981feb85; groupDisplayName=Janssen B.V. - All Windows 365 Cloud PCs;
collectionId=})
Credential=***
Description=Janssen B.V. - Defender Update Controls - 25-12-2023 - Versie 1.0
DisplayName=Janssen B.V. - Defender Update Controls
engineupdateschannel=0
Ensure=Present
Identity=e912a675-c32b-48bf-b2ce-bdbc9059dcaf
platformupdateschannel=0
securityintelligenceupdateschannel=0
templateId=e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1
Verbose=True
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] Test-TargetResource returned False
VERBOSE: [CLE-CLI-995]: LCM:  [ End    Test     ]  [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls]  in 2.1700 seconds.
VERBOSE: [CLE-CLI-995]: LCM:  [ Start  Set      ]  [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls]
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] Checking for the Intune Endpoint Protection Policy {Janssen B.V. - Defender Update
 Controls}
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] No policy with Id {e912a675-c32b-48bf-b2ce-bdbc9059dcaf} was found. Trying to
retrieve by name {Janssen B.V. - Defender Update Controls}.
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] No policy with name {Janssen B.V. - Defender Update Controls} was found.
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] Creating new Endpoint Protection Policy {Janssen B.V. - Defender Update Controls}
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies with
6208-byte payload
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls] received 746-byte response of content type application/json
VERBOSE: [CLE-CLI-995]: LCM:  [ End    Set      ]  [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls]  in 2.9330 seconds.
VERBOSE: [CLE-CLI-995]: LCM:  [ End    Resource ]  [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Defender Update Controls]
VERBOSE: [CLE-CLI-995]: LCM:  [ Start  Resource ]  [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus]
VERBOSE: [CLE-CLI-995]: LCM:  [ Start  Test     ]  [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus]
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus] Testing configuration of Endpoint Protection Policy {Janssen B.V. - Endpoint
Security Antivirus}
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus] Checking for the Intune Endpoint Protection Policy {Janssen B.V. - Endpoint
Security Antivirus}
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus] No policy with Id {ea0c3592-38cb-42ce-9abe-1dfbcd33f732} was found. Trying to
retrieve by name {Janssen B.V. - Endpoint Security Antivirus}.
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus] No policy with name {Janssen B.V. - Endpoint Security Antivirus} was found.
VERBOSE: [CLE-CLI-995]:                            [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Janssen B.V. - Endpoint Security Antivirus] Current Values: allowarchivescanning=1
allowbehaviormonitoring=1
allowcloudprotection=1
allowemailscanning=1

Environment Information + PowerShell Version

OsName               : Microsoft Windows 10 Business
OsOperatingSystemSKU : 48
OsArchitecture       : 64 bits
WindowsVersion       : 2009
WindowsBuildLabEx    : 19041.1.amd64fre.vb_release.191206-1406
OsLanguage           : nl-NL
OsMuiLanguages       : {nl-NL, de-DE}


Name                           Value
----                           -----
PSVersion                      5.1.19041.4170
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.4170
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

rbovenkampclearict commented Mar 20, 2024

It seems that the added groups got a different group ID than the ID in the script? Any idea how to solve this?

Screenshot 2024-03-20 072701

@ricmestre
Contributor

If you are creating groups that you extracted from tenant A and re-importing them into tenant B, it is normal that they have different Ids; the same will happen with any resource you create that way.

Anyway, I've tried to replicate your issue and there's a problem with the group assignments on several Intune resources. I'll raise a PR to fix this in a bit.
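
A pre-import check for the situation discussed in this thread, where assignment blocks carry the source tenant's `groupId`. This is an added example, not Microsoft365DSC code or part of the original issue; the function name `Get-StaleGroupAssignment`, the lookup table and the placeholder target Id are assumptions made for illustration.

```powershell
function Get-StaleGroupAssignment {
    param(
        [Parameter(Mandatory)] [string]    $ConfigText,   # exported M365DSC configuration text
        [Parameter(Mandatory)] [hashtable] $TargetGroups  # displayName -> group Id in the target tenant
    )
    # Assignment blocks are flat (no nested braces), so [^}]* captures a whole block.
    $pattern = 'MSFT_DeviceManagementConfigurationPolicyAssignments\s*\{(?<body>[^}]*)\}'
    foreach ($m in [regex]::Matches($ConfigText, $pattern)) {
        $body = $m.Groups['body'].Value
        $name = if ($body -match "groupDisplayName\s*=\s*'([^']*)'") { $Matches[1] } else { $null }
        $id   = if ($body -match "groupId\s*=\s*'([^']*)'") { $Matches[1] } else { $null }
        if (-not $id) { continue }  # target types without a groupId need no remapping
        $targetId = if ($name) { $TargetGroups[$name] } else { $null }
        $status = if (-not $targetId) { 'MissingInTarget' } elseif ($targetId -eq $id) { 'Match' } else { 'Remap' }
        [pscustomobject]@{
            GroupDisplayName = $name
            ExportedGroupId  = $id
            TargetGroupId    = $targetId
            Status           = $status
        }
    }
}

# Constructed sample: the two assignment blocks from the issue's configuration.
$sampleConfig = @'
Assignments = @(
    MSFT_DeviceManagementConfigurationPolicyAssignments{
        deviceAndAppManagementAssignmentFilterType = 'none'
        groupDisplayName = 'Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs'
        dataType = '#microsoft.graph.groupAssignmentTarget'
        groupId = '7fa65f23-92fa-4e87-91d3-b7220fae82f1'
    }
    MSFT_DeviceManagementConfigurationPolicyAssignments{
        deviceAndAppManagementAssignmentFilterType = 'none'
        groupDisplayName = 'Janssen B.V. - All Windows 365 Cloud PCs'
        dataType = '#microsoft.graph.groupAssignmentTarget'
        groupId = 'f45c44be-050a-420e-ac4c-30cd981feb85'
    }
);
'@

# Constructed lookup; in a real run, fill it from the target tenant (for example from Get-MgGroup output).
# Display names are not guaranteed unique, so check for duplicates before trusting this mapping.
$targetGroups = @{
    'Janssen B.V. - All Devices Managed by MDM Except Windows 365 Cloud PCs' = '00000000-0000-0000-0000-0000000000aa'  # placeholder Id
}

Get-StaleGroupAssignment -ConfigText $sampleConfig -TargetGroups $targetGroups | Format-List
```

Rows with status `Remap` or `MissingInTarget` identify assignments that still point at a source-tenant group Id, which for a policy such as the antivirus configuration above means it would not reach the intended devices.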
