IntuneAntivirusPolicyWindows10SettingCatalog: Not working #4925

Closed
ricmestre opened this issue Jul 24, 2024 · 5 comments · Fixed by #4929 or #4944

Comments

@ricmestre
Contributor

Description of the issue

@FabienTschanz I did the tests on this one before they got merged but for some reason I can't get it working now, so I created one policy through the portal, exported it and then removed it through M365DSC without issues, but if I try to re-deploy it and test it afterwards it always says that it's not in desired state. After checking the portal again I don't see any AV exclusions in "Endpoint security | Antivirus" like it worked before but it's actually creating new Settings catalog policies in "Devices | Configuration" over and over again because the test returns false.


Microsoft 365 DSC Version

1.24.724.1

Which workloads are affected

Intune

The DSC configuration

IntuneAntivirusPolicyWindows10SettingCatalog "IntuneAntivirusPolicyWindows10SettingCatalog-IntuneAntivirusPolicyWindows10SettingCatalog_1"
{
    Assignments          = @(
        MSFT_DeviceManagementConfigurationPolicyAssignments{
            deviceAndAppManagementAssignmentFilterType = 'none'
            groupDisplayName = 'DummyGroupExclude'
            dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
            groupId = '053dc89a-be83-411a-bad3-909904b7239e'
        }
        MSFT_DeviceManagementConfigurationPolicyAssignments{
            deviceAndAppManagementAssignmentFilterType = 'none'
            groupDisplayName = 'DummyGroupInclude'
            dataType = '#microsoft.graph.groupAssignmentTarget'
            groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
        }
    );
    Credential           = $Credscredential;
    Description          = "";
    DisplayName          = "IntuneAntivirusPolicyWindows10SettingCatalog_1";
    Ensure               = "Present";
    ExcludedExtensions   = @(".exe");
    ExcludedPaths        = @("C:\ExcludedFolder1\","C:\ExcludedFolder2\");
    ExcludedProcesses    = @("processes.exe","process2.exe");
    Identity             = "83898676-89a9-48cd-908c-51293e7d4ad7";
    templateId           = "45fea5e9-280d-4da1-9792-fb5736da0ca9_1";
}

Verbose logs showing the problem

N/A

Environment Information + PowerShell Version

Win11 / PS5.1
@ricmestre
Contributor Author

Creating the policy with DSC results in the TemplateReference tree being completely empty, and therefore the filter in Get-TargetResource cannot find the policy and the test fails, so that's why it keeps creating new "vanilla" settings catalog policies.


Whereas if I create the same policy through the portal it's correctly populated


@FabienTschanz
Contributor

FabienTschanz commented Jul 25, 2024

@ricmestre Got it, there was one Id too many in the property name... Bit sad that Graph still accepts the request but creates a policy that's empty, without any message whatsoever. In my opinion that should throw in the backend, since the policy can't be mapped to a proper template, and not silently accept it.

Edit: Seems like that's an intended way... For example the Windows Firewall profile for ConfigManager also has an empty template reference, but it will be fetched by technologies and creationSource. Please no more of this weird complex stuff, I soon can't take it anymore.
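
Added example (not part of the thread and not Microsoft365DSC code): a check for the symptom described in the two comments above, namely several same-named settings catalog policies whose `templateReference.templateId` is empty. The helper name, policy names and policy ids are constructed for illustration; a single policy with an empty template reference is not flagged, because that can be legitimate.

```powershell
# Constructed sample shaped like the Graph beta configurationPolicies list.
# Policy ids and names are made up; the templateId is the one quoted in the issue.
# Live input could come from (assumption, pagination not handled here):
#   (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#     -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies').value
$sampleJson = @'
[
 {"id":"11111111-0000-0000-0000-000000000001","name":"AV-Exclusions-Demo",
  "templateReference":{"templateId":""}},
 {"id":"11111111-0000-0000-0000-000000000002","name":"AV-Exclusions-Demo",
  "templateReference":{"templateId":""}},
 {"id":"11111111-0000-0000-0000-000000000003","name":"AV-Exclusions-Portal",
  "templateReference":{"templateId":"45fea5e9-280d-4da1-9792-fb5736da0ca9_1"}},
 {"id":"11111111-0000-0000-0000-000000000004","name":"Firewall-Demo",
  "templateReference":{"templateId":""}}
]
'@

function Find-UntemplatedDuplicatePolicy {   # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Policy)

    foreach ($group in ($Policy | Group-Object -Property name)) {
        # Policies in this name group whose template reference was never populated.
        $untemplated = @($group.Group | Where-Object {
            [string]::IsNullOrEmpty($_.templateReference.templateId)
        })

        # One untemplated policy can be intended; two or more with the same
        # name is the signature of a create / test-fails / create-again loop.
        if ($untemplated.Count -lt 2) { continue }

        [pscustomobject]@{
            Name             = $group.Name
            UntemplatedCount = $untemplated.Count
            PolicyIds        = $untemplated.id
        }
    }
}

$policies = $sampleJson | ConvertFrom-Json
Find-UntemplatedDuplicatePolicy -Policy $policies | Format-List
```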

@ricmestre
Contributor Author

@FabienTschanz I feel your pain, I've been having nightmares with these settings catalog policies for the past 2 years, every time I hear about them it gives me the heebie jeebies because after M365DSC deals with them I have to deal with another converter behind it I created to convert DSC to Markdown...

@dbrinkmann123

> @FabienTschanz I feel your pain, I've been having nightmares with these settings catalog policies for the past 2 years, every time I hear about them it gives me the heebie jeebies because after M365DSC deals with them I have to deal with another converter behind it I created to convert DSC to Markdown...

I'd like to hear more about this converter from DSC to Markdown

@ricmestre
Contributor Author

I don't remember the exact incantation right now, but there's a cmdlet to export a config directly to Markdown; the issue is that it doesn't take care of nested CIM instances whereas mine does.

Short story, it's for a company, so the code is proprietary and I can't share it.
