IntuneEndpointDetectionAndResponsePolicyWindows10: Throws exception if blob is empty #5246
Comments
@FabienTschanz See below, I've created a new policy with type set to auto from connector, there's no blob so this must not throw an exception.
PS C:\temp\dsc\IntuneEndpointDetectionAndResponsePolicyWindows10> $policySettings
Name           Value
SampleSharing  1
Additionally changing the condition for the exception is not enough, this would never have worked. I've added a debug message to show me the contents of $BoundParameters, see below, which then gets me the Graph error message: "device_vendor_msft_windowsadvancedthreatprotection_configurationtype: Selected Option device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboarding_fromconnector does not match with the list of expected options: device_vendor_msft_windowsadvancedthreatprotection_configurationtype_autofromconnector,device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboard,device_vendor_msft_windowsadvancedthreatprotection_configurationtype_offboard."
Assignments=()
@ricmestre I created #5254 which aims to address the issue. I currently don't have the infrastructure and capacity to test, but I think that's what should be changed here. Do you have the possibility to verify?
Description of the issue
@FabienTschanz Your commit b48abe0 is now causing an exception if the blob is empty. We have a policy in our tenant where the configuration type is not set and therefore the blob is empty as well, so if I try to export it and then apply it to another tenant, it causes the exception [0] to be thrown.
It's arguable whether you should be allowed to have a policy without a configuration type; the thing is that it is still possible through the Intune admin portal. But even if you don't agree that it should be possible (see [1], where this is not mentioned anywhere, so I kind of agree), you must not throw an exception if you set the type to auto from connector, which never has a blob assigned, so the condition must be changed to factor this in.
Additionally, you need to change $($DSCParams.ConfigurationType) in the exception line, since $DSCParams is empty.
[0] https://github.com/microsoft/Microsoft365DSC/blame/76cbfa8d2be39fbe6cef5cd5e69f75d84b077a17/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1#L296
[1] https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-edr-policy
Microsoft 365 DSC Version
1.24.1016.1
Which workloads are affected
Intune
The DSC configuration
Verbose logs showing the problem
PowerShell DSC resource MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10 failed to execute Set-TargetResource functionality with error message: ConfigurationBlob is required for configurationType ''
Environment Information + PowerShell Version
Win11/PS5.1
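The blob check the report asks for, sketched as an added example (not code from Microsoft365DSC or from either participant). Assert-EdrConfigurationBlob is a hypothetical helper, the type names are assumed to be the option suffixes shown in the Graph error message above, and the sample inputs are constructed.

```powershell
# Hypothetical helper for illustration; not part of the Microsoft365DSC module.
function Assert-EdrConfigurationBlob
{
    [CmdletBinding()]
    param
    (
        [Parameter()]
        [System.String]
        $ConfigurationType,

        [Parameter()]
        [System.String]
        $ConfigurationBlob
    )

    # Assumption: only these types carry a blob. 'autofromconnector' and an
    # unset type (the tenant policy from the report) are valid without one.
    $typesRequiringBlob = @('onboard', 'offboard')
    if ($typesRequiringBlob -notcontains $ConfigurationType)
    {
        return
    }

    if ([System.String]::IsNullOrWhiteSpace($ConfigurationBlob))
    {
        # Use the caller's own parameter in the message so it is never ''.
        throw "ConfigurationBlob is required for configurationType '$ConfigurationType'"
    }
}

# Constructed sample inputs, splatted the way bound parameters would be.
$cases = @(
    @{ ConfigurationType = 'autofromconnector' },
    @{ ConfigurationType = 'onboard'; ConfigurationBlob = '<blob placeholder>' },
    @{ ConfigurationType = 'onboard' },
    @{ }
)
foreach ($case in $cases)
{
    try
    {
        Assert-EdrConfigurationBlob @case
        "accepted: type='$($case.ConfigurationType)'"
    }
    catch
    {
        "rejected: $($_.Exception.Message)"
    }
}
```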