IntuneSettingCatalogASRRulesPolicyWindows10: Not working
ricmestre opened this issue · 1 comments
Description of the issue
@FabienTschanz The changes you've been doing to the settings catalog messed up IntuneSettingCatalogASRRulesPolicyWindows10
and I'm not able to deploy it anymore in my integration tests, the test I have for IntuneSettingCatalogCustomPolicyWindows10
succeeds but at this point I don't know if it's by chance or if it really works correctly.
Microsoft 365 DSC Version
1.24.626.1
Which workloads are affected
Intune
The DSC configuration
IntuneSettingCatalogASRRulesPolicyWindows10 "IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1"
{
Assignments = @(
MSFT_DeviceManagementConfigurationPolicyAssignments{
dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
deviceAndAppManagementAssignmentFilterType = 'none'
groupDisplayName = 'DummyGroupExclude'
groupId = '053dc89a-be83-411a-bad3-909904b7239e'
}
MSFT_DeviceManagementConfigurationPolicyAssignments{
dataType = '#microsoft.graph.groupAssignmentTarget'
deviceAndAppManagementAssignmentFilterType = 'none'
groupDisplayName = 'DummyGroupInclude'
groupId = 'b0b8fd3f-af2a-453b-be57-80182d599f02'
}
);
BlockAdobeReaderFromCreatingChildProcesses = "block";
BlockAllOfficeApplicationsFromCreatingChildProcesses = "audit";
BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem = "block";
BlockExecutableContentFromEmailClientAndWebmail = "audit";
BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion = "audit";
BlockExecutionOfPotentiallyObfuscatedScripts = "audit";
BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent = "audit";
BlockOfficeApplicationsFromCreatingExecutableContent = "audit";
BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses = "audit";
BlockOfficeCommunicationAppFromCreatingChildProcesses = "audit";
BlockPersistenceThroughWMIEventSubscription = "audit";
BlockProcessCreationsFromPSExecAndWMICommands = "audit";
BlockUntrustedUnsignedProcessesThatRunFromUSB = "block";
BlockWin32APICallsFromOfficeMacros = "audit";
Credential = $Credscredential;
Description = "Protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks.";
DisplayName = "IntuneSettingCatalogASRRulesPolicyWindows10_1";
Ensure = "Present";
Identity = "333fb616-8725-4c89-adf1-815911741012";
UseAdvancedProtectionAgainstRansomware = "block";
}
Verbose logs showing the problem
[[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] Creating new Endpoint Protection Attack Surface Reduction Rules Policy {IntuneSettingCatalogASRRulesPolicyWindows10_1} [] : The request is invalid.
+ CategoryInfo : InvalidOperation: ({ Headers = , b...urationPolicy }:) [], CimException
+ FullyQualifiedErrorId : Microsoft.Graph.Beta.PowerShell.Cmdlets.NewMgBetaDeviceManagementConfigurationPolicy_Create
+ PSComputerName : localhost
VERBOSE: [REDACTED]: LCM: [ End Set ] [[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1] in 4.0030 seconds. The PowerShell DSC resource '[IntuneSettingCatalogASRRulesPolicyWindows10]IntuneSettingCatalogASRRulesPolicyWindows10-IntuneSettingCatalogASRRulesPolicyWindows10_1' with SourceInfo 'C:\temp\dsc\IntuneSettingCatalogASRRulesPolicyWindows10.ps1::34::9::IntuneSettingCatalogASRRulesPolicyWindows10' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
VERBOSE: [REDACTED]: LCM: [ End Set ]
The SendConfigurationApply function did not succeed.
+ CategoryInfo : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
+ FullyQualifiedErrorId : MI RESULT 1
+ PSComputerName : localhost
Environment Information + PowerShell Version
No response
@ricmestre Ok so that was strange. I took the latest module version and your configuration and tried to reproduce the issue. At first (for about 5 times when creating), I didn't succeed and the configuration was applied successfully without any issues. But after some time, I got the exact same error message.
The fix is more than simple: Just prevent PowerShell from mangling down a single-element array to the element itself... That's what my PR at #4845 does, simply forcing PowerShell to always return an array. No idea how that didn't cause a ruckus earlier, but well.