IntuneDeviceConfigurationScepCertificatePolicyWindows10/IntuneDeviceConfigurationWiredNetworkPolicyWindows10: Cannot update #5650

Open
ricmestre opened this issue Jan 20, 2025 · 3 comments


ricmestre commented Jan 20, 2025

Description of the issue

This was working before, so I'm not sure when it started happening. I'm currently able to create an IntuneDeviceConfigurationScepCertificatePolicyWindows10 policy but I can't update it afterwards; nevertheless, I can delete it without issues.

Is this a Graph issue (looks like it, assuming the error message is valid), or did they update something in the backend and now the body is not being sent correctly when updating the resource?

Microsoft 365 DSC Version

1.25.115.1

Which workloads are affected

Intune

The DSC configuration

        IntuneDeviceConfigurationTrustedCertificatePolicyWindows10 "IntuneDeviceConfigurationTrustedCertificatePolicyWindows10-Test____Trusted_certificate_Policy_____Test__"
        {
            ApplicationId          = $IntuneApplicationId;
            Assignments            = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupExclude'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupInclude'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            CertFileName           = "RootCA.cer";
            CertificateThumbprint  = $IntuneCertThumbprint;
            DestinationStore       = "computerCertStoreRoot";
            DisplayName            = "Test: | Trusted certificate Policy | [(Test)]";
            Ensure                 = "Present";
            Id                     = "169bf4fc-5914-40f4-ad33-48c225396183";
            TenantId               = $OrganizationName;
            TrustedRootCertificate = "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";
        }
        IntuneDeviceConfigurationScepCertificatePolicyWindows10 "IntuneDeviceConfigurationScepCertificatePolicyWindows10-IntuneDeviceConfigurationScepCertificatePolicyWindows10_1"
        {
            ApplicationId                  = $IntuneApplicationId;
            Assignments                    = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupExclude'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupInclude'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            CertificateStore               = "user";
            CertificateThumbprint          = $IntuneCertThumbprint;
            CertificateValidityPeriodScale = "years";
            CertificateValidityPeriodValue = 2;
            CustomSubjectAlternativeNames  = @(
                MSFT_MicrosoftGraphcustomSubjectAlternativeName{
                    Name = 'dns'
                    SanType = 'domainNameService'
                }
            );
            DisplayName                    = "IntuneDeviceConfigurationScepCertificatePolicyWindows10_1";
            Ensure                         = "Present";
            ExtendedKeyUsages              = @(
                MSFT_MicrosoftGraphextendedKeyUsage{
                    ObjectIdentifier = '1.3.6.1.5.5.7.3.2'
                    Name = 'Client Authentication'
                }
            );
            HashAlgorithm                  = "sha2";
            Id                             = "0b9aef2f-1671-4260-8eb9-3ab3138e176a";
            KeySize                        = "size2048";
            KeyStorageProvider             = "useTpmKspOtherwiseUseSoftwareKsp";
            KeyUsage                       = @("digitalSignature");
            RenewalThresholdPercentage     = 25;
            ScepServerUrls                 = @("https://mydomain.com/certsrv/mscep/mscep.dll");
            SubjectAlternativeNameType     = "none";
            SubjectNameFormat              = "custom";
            SubjectNameFormatString        = "CN={{UserName}},E={{EmailAddress}}";
            RootCertificateId              = "169bf4fc-5914-40f4-ad33-48c225396183";
            RootCertificateDisplayName     = "Test: | Trusted certificate Policy | [(Test)]";
            TenantId                       = $OrganizationName;
        }
        IntuneDeviceConfigurationWiredNetworkPolicyWindows10 "IntuneDeviceConfigurationWiredNetworkPolicyWindows10-IntuneDeviceConfigurationWiredNetworkPolicyWindows10_1"
        {
            ApplicationId                                         = $IntuneApplicationId;
            Assignments                                           = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupExclude'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = '053dc89a-be83-411a-bad3-909904b7239e'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'DummyGroupInclude'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
                }
            );
            AuthenticationMethod                                  = "certificate";
            AuthenticationType                                    = "user";
            CacheCredentials                                      = $True;
            CertificateThumbprint                                 = $IntuneCertThumbprint;
            DisplayName                                           = "IntuneDeviceConfigurationWiredNetworkPolicyWindows10_1";
            EapType                                               = "eapTls";
            Enforce8021X                                          = $True;
            Ensure                                                = "Present";
            Id                                                    = "bd163d14-2b91-47ed-884f-333be99ddbaf";
            IdentityCertificateForClientAuthenticationDisplayName = "IntuneDeviceConfigurationScepCertificatePolicyWindows10_1";
            IdentityCertificateForClientAuthenticationId          = "bb7f59d0-bdd0-4727-af45-19fd3a0cdcc5";
            RootCertificatesForServerValidationDisplayNames       = @("Test: | Trusted certificate Policy | [(Test)]");
            RootCertificatesForServerValidationIds                = @("4fe0aa9d-139b-4855-b60c-756e73d54a65");
            TenantId                                              = $OrganizationName;
            TrustedServerCertificateNames                         = @("contoso.com");
        }

Verbose logs showing the problem

VERBOSE: [REDACTED]: [[IntuneDeviceConfigurationScepCertificatePolicyWindows10]IntuneDeviceConfigurationScepCertificatePolicyWindows10-IntuneDeviceConfigurationScepCertificatePolicyWindows10_1] Found trusted root certificate with Id {aa203093-5d2c-471b-9861-5e0843bc90c1} and DisplayName {Test: | Trusted certificate Policy | [(Test)]}
VERBOSE: [REDACTED]: [[IntuneDeviceConfigurationScepCertificatePolicyWindows10]IntuneDeviceConfigurationScepCertificatePolicyWindows10-IntuneDeviceConfigurationScepCertificatePolicyWindows10_1] PUT https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations('667b2a64-fd2f-406b-a852-95d30c2412ca')/microsoft.graph.windows81SCEPCertificateProfile/rootCertificate/$ref with 146-byte payload
VERBOSE: [REDACTED]: [[IntuneDeviceConfigurationScepCertificatePolicyWindows10]IntuneDeviceConfigurationScepCertificatePolicyWindows10-IntuneDeviceConfigurationScepCertificatePolicyWindows10_1] received 851-byte response of content type application/json
Response status code does not indicate success: InternalServerError (Internal Server Error).
+ CategoryInfo          : InvalidOperation: (Method: PUT,Re...ication/json}:) [], CimException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
+ PSComputerName        : localhost

Environment Information + PowerShell Version

Win11/PS5.1

@ricmestre

After leaving my test harness running for a few hours it looks like IntuneDeviceConfigurationWiredNetworkPolicyWindows10 also suffers from the same issue.

@ricmestre changed the title from "IntuneDeviceConfigurationScepCertificatePolicyWindows10: Cannot update" to "IntuneDeviceConfigurationScepCertificatePolicyWindows10/IntuneDeviceConfigurationWiredNetworkPolicyWindows10: Cannot update" on Jan 20, 2025

@FabienTschanz

@ricmestre Same happens if you try to do it from the portal - Also Internal Server Error:

{
  "_version": 3,
  "Message": "An internal server error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 03a80439-9b8a-4aaa-8130-8330dce1415b - Url: https://fef.msub06.manage.microsoft.com/DeviceConfiguration_2412/StatelessDeviceConfigurationFEService/deviceManagement/deviceConfigurations('8bf4dbbd-414f-444d-8766-9b7882b5837c')/microsoft.management.services.api.windowsWiredNetworkConfiguration/rootCertificatesForServerValidation/$ref?api-version=5024-10-08",
  "CustomApiErrorPhrase": "",
  "RetryAfter": null,
  "ErrorSourceService": "",
  "HttpHeaders": "{}"
}

This is highly likely a backend issue. Still, the requested changes (e.g. adding a certificate) will take place, although the operation indicates a failure.

@ricmestre

@FabienTschanz $Sarcasm = "Graph acting up? Never saw it happening before!"
