IntuneEndpointDetectionAndResponsePolicyWindows10: Throws exception if blob is empty #5246

Closed
ricmestre opened this issue Oct 22, 2024 · 3 comments · Fixed by #5254 or #5346

Comments

@ricmestre
Contributor

Description of the issue

@FabienTschanz Your commit b48abe0 is now causing an exception if the blob is empty. We have a policy in our tenant where the configuration type is not set and therefore the blob is empty as well, so if I try to export and then apply that to another tenant it causes the exception [0] to be thrown.

It's arguable whether you should be allowed to have a policy without a configuration type. The thing is that it is still possible through the Intune admin portal, but even if you don't agree that should be possible, see [1] where this is not mentioned anywhere so I kind of agree, BUT you must not throw an exception if you set the type to auto from connector, which never has a blob assigned, so the condition must be changed to factor this in.

Additionally, you need to change $($DSCParams.ConfigurationType) in the exception line since $DSCParams is empty.

[0] https://github.com/microsoft/Microsoft365DSC/blame/76cbfa8d2be39fbe6cef5cd5e69f75d84b077a17/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1#L296
[1] https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-edr-policy

Microsoft 365 DSC Version

1.24.1016.1

Which workloads are affected

Intune

The DSC configuration

    IntuneEndpointDetectionAndResponsePolicyWindows10 "IntuneEndpointDetectionAndResponsePolicyWindows10-IntuneEndpointDetectionAndResponsePolicyWindows10_1"
    {
        Assignments          = @();
        ConfigurationType    = "autofromconnector";
        Credential           = $Credscredential;
        Description          = "";
        DisplayName          = "IntuneEndpointDetectionAndResponsePolicyWindows10_1";
        Ensure               = "Present";
        Identity             = "83e155d5-f1f3-4ef9-9027-16cc24b22ae8";
        RoleScopeTagIds      = @("0");
        SampleSharing        = "1";
    }

Verbose logs showing the problem

PowerShell DSC resource MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10 failed to execute Set-TargetResource functionality with error message: ConfigurationBlob is required for configurationType ''

  • CategoryInfo : InvalidOperation: (:) [], CimException
  • FullyQualifiedErrorId : ProviderOperationExecutionFailure
  • PSComputerName : localhost

Environment Information + PowerShell Version

Win11/PS5.1

@ricmestre
Contributor Author

ricmestre commented Oct 22, 2024

@FabienTschanz See below, I've created a new policy with type set to auto from connector, there's no blob so this must not throw an exception.

    PS C:\temp\dsc\IntuneEndpointDetectionAndResponsePolicyWindows10> $policySettings

    Name                           Value
    SampleSharing                  1
    ClientConfigurationPackageType autofromconnector
    onboarding_fromconnector       15e4a02b-78c1-4af4-9b36-91ef0d71b834

@ricmestre
Contributor Author

ricmestre commented Oct 22, 2024

Additionally, changing the condition for the exception is not enough; this would never have worked. I've added a debug message to show me the contents of $BoundParameters, see below, which then gets me the Graph error message:

"device_vendor_msft_windowsadvancedthreatprotection_configurationtype: Selected Option device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboarding_fromconnector does not match with the list of expected options: device_vendor_msft_windowsadvancedthreatprotection_configurationtype_autofromconnector,device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboard,device_vendor_msft_windowsadvancedthreatprotection_configurationtype_offboard."

    Assignments=()
    ClientConfigurationPackageType=onboarding_fromconnector
    Description=
    DisplayName=IntuneEndpointDetectionAndResponsePolicyWindows10_1
    Identity=83e155d5-f1f3-4ef9-9027-16cc24b22ae8
    onboarding_fromconnector=
    RoleScopeTagIds=(0)
    SampleSharing=1
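
The two checks raised in the comments above, sketched as an added example that is not Microsoft365DSC code: require a blob only for types that carry one, and build the Graph option ID from the configuration type itself. The function name and the returned object are hypothetical; it assumes that `onboard` and `offboard` need a blob and that an unset type is passed through unchanged.

```powershell
# Added example, not the module's own code. Resolve-EdrConfigurationType is a hypothetical name.
function Resolve-EdrConfigurationType
{
    [CmdletBinding()]
    param
    (
        [Parameter()] [AllowEmptyString()] [System.String] $ConfigurationType,
        [Parameter()] [AllowEmptyString()] [System.String] $ConfigurationBlob
    )

    # Option suffixes and prefix as listed in the Graph error message quoted in the thread.
    $validTypes = @('autofromconnector', 'onboard', 'offboard')
    $prefix = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype'

    if ([System.String]::IsNullOrEmpty($ConfigurationType))
    {
        # Assumption: a policy with no configuration type (possible in the portal,
        # per the report) yields no option and needs no blob.
        return [PSCustomObject]@{ SettingValue = $null; BlobRequired = $false }
    }

    $type = $ConfigurationType.ToLowerInvariant()
    if ($type -notin $validTypes)
    {
        throw "Unknown ConfigurationType '$ConfigurationType'. Expected one of: $($validTypes -join ', ')"
    }

    # 'autofromconnector' never has a blob assigned, so it is exempt from the check.
    $blobRequired = $type -ne 'autofromconnector'
    if ($blobRequired -and [System.String]::IsNullOrEmpty($ConfigurationBlob))
    {
        # Report the parameter that was actually passed in, so the message is never blank.
        throw "ConfigurationBlob is required for configurationType '$ConfigurationType'"
    }

    # Option ID is derived from the type, e.g. ..._configurationtype_autofromconnector.
    return [PSCustomObject]@{ SettingValue = "${prefix}_$type"; BlobRequired = $blobRequired }
}

# Constructed inputs: the first resolves without a blob, the second is rejected.
Resolve-EdrConfigurationType -ConfigurationType 'autofromconnector'
try { Resolve-EdrConfigurationType -ConfigurationType 'onboard' }
catch { Write-Warning $_.Exception.Message }
```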

@FabienTschanz
Contributor

@ricmestre I created #5254 which aims to address the issue. I currently don't have the infrastructure and capacity to test, but I think that's what should be changed here. Do you have the possibility to verify?
