Unable to deploy IntuneAntivirusPolicyWindows10SettingCatalog polices #3818
Comments
|
@jeffreycloudlife feel free to add anything I may have missed haha |
andikrueger
added
Bug
Did you try to do the POST request yourself, to rule out if the problem lies in the module rather than the API endpoint? I have a feeling myself it's related to the Graph API, as (if I remember correctly) the POST request is exactly the same with the PUT request (with the exception that with the PUT request, it points to a DeviceConfigurationPolicyID). Otherwise, it could be a logic problem in the module, where the POST request does not return the DeviceConfigurationPolicyID. In the mean time, I am not sure how big your deployments are, but you could try out the workarounds I mentioned in the previous issue. |
|
Yea I was able to POST to the API without issue, |
|
Is this somehow related to an issue with provisioning the updated Defender Antivirus Policy template via the Graph API? Template ID "804339ad-1553-4478-a742-138fb5807418_1" does not exist in the list of templates and cannot be created via the API. Existing policies with this template also cannot be updated.
|
|
Hey guys, @andikrueger @William-Francillette |
|
Just to understand it a bit better. The policy can not modified nor created by using graph? If so, we should reach out to the graph team to bring this to their attention. |
|
I'll have a look next, working on another issue atm related to assignment as well, there was some modification in the api that broke some of the resource, will revert asap @andikrueger feel free to assign me the issue 👍🏽 |
|
Thanks for picking up @William-Francillette, please let me know if I can help with the troubleshooting 😅 |
|
@Cyanic-Cloud , thanks for reported the issue - |
|
@William-Francillette Need to test this tomorrow, but please take a look at #3540, if Identity is not correct/found in the tenant it keeps creating new policies. |
|
@ricmestre, tested retrieving policy via displayname and worked fine |
|
Thanks @William-Francillette much appreciated, please can you confirm what version of DSC I should use? |
|
Next release hopefully |
|
@William-Francillette You're correct, that issue seems to be solved now, unfortunately there's another problem with making a change on one of the settings and then run Test-DscConfiguration will report that the resource is not in the desired state. Changing Ensure to Absent also won't delete the resource, I get an API error. VERBOSE: [G02PTXN03538]: [[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-MDE - Microsoft Defender AUDIT ONLY] Removing Endpoint Protection
Policy {System.Collections.Hashtable.DisplayName} # <----------- This is suspicious
[ResourceNotFound] : {
"_version": 3,
"Message": "An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 87b6389d-6f3e-4629-9425-1e1b67487a9f - Url: https://fef.msub07.manage.microsoft.com
/DeviceConfigV2/DCV2GraphService/de147310-ffff-2433-1134-112301355103/deviceManagement/configurationPolicies('23988ef4-3c36-4b55-a697-3d8ce9e6405c')?api-version=5023-08-14",
"CustomApiErrorPhrase": "",
"RetryAfter": null,
"ErrorSourceService": "",
"HttpHeaders": "{}"
}
+ CategoryInfo : InvalidOperation: ({ DeviceManagem...c, IfMatch = }:) [], CimException
+ FullyQualifiedErrorId : ResourceNotFound,Microsoft.Graph.Beta.PowerShell.Cmdlets.RemoveMgBetaDeviceManagementConfigurationPolicy_Delete
+ PSComputerName : localhostI'll raise a new issue for this once your PR is merged. |
|
@ricmestre, thanks - sorted |
|
Thanks @William-Francillette |
Description of the issue
I am trying to deploy new IntuneAntivirusPolicyWindows10SettingCatalog policies, previously in my issue 3722 the Get commands were not pulling back all settings from the template but now with -all added it is returning all values.
I was hoping the fix applied in the following would resolve my issue but it seems it has caused another: #3722.
When trying to deploy two previously exported policies one is deploying fine the other is failing. Please see pipeline error:
Microsoft 365 DSC Version
1.23.1018.1
Which workloads are affected
Security & Compliance Center
The DSC configuration
The following DSC configuration applied without issue: IntuneAntivirusPolicyWindows10SettingCatalog "IntuneAntivirusPolicyWindows10SettingCatalog-MDE - Microsoft Defender Antivirus Policy - SERVER (windows)" { allowarchivescanning = "1"; allowbehaviormonitoring = "1"; allowcloudprotection = "1"; allowfullscanonmappednetworkdrives = "1"; allowfullscanremovabledrivescanning = "1"; allowintrusionpreventionsystem = "1"; allowioavprotection = "1"; allowrealtimemonitoring = "1"; allowscanningnetworkfiles = "1"; allowscriptscanning = "1"; allowuseruiaccess = "0"; ApplicationId = $ConfigurationData.NonNodeData.ApplicationId; Assignments = @(); avgcpuloadfactor = 30; CertificateThumbprint = $ConfigurationData.NonNodeData.CertificateThumbprint; checkforsignaturesbeforerunningscan = "1"; cloudblocklevel = "0"; Description = "Cloned policy from Default Microsoft Defender Antivirus Policy - Windows"; disablecatchupfullscan = "1"; disablecatchupquickscan = "1"; DisplayName = "MDE - Microsoft Defender Antivirus Policy - SERVER (windows)"; enablelowcpupriority = "1"; enablenetworkprotection = "2"; Ensure = "Present"; excludedextensions = @("EVT","EVTX","LOG","OST","PST"); excludedprocesses = @("Pagefile.sys"); Identity = "042088dd-a84e-48a1-bce5-5b275bc6a69a"; puaprotection = "1"; realtimescandirection = "1"; scanparameter = "2"; schedulequickscantime = 120; schedulescanday = "6"; templateId = "804339ad-1553-4478-a742-138fb5807418_1"; TenantId = $OrganizationName; } The policy below fails to deploy, I may add I have tested creating the below policy via the Intune GUI and all is ok: IntuneAntivirusPolicyWindows10SettingCatalog "IntuneAntivirusPolicyWindows10SettingCatalog-MDE - Microsoft Defender AUDIT ONLY" { allowarchivescanning = "1"; allowbehaviormonitoring = "1"; allowcloudprotection = "1"; allowemailscanning = "1"; allowfullscanonmappednetworkdrives = "1"; allowfullscanremovabledrivescanning = "1"; allowintrusionpreventionsystem = "1"; allowioavprotection = "1"; allowonaccessprotection = "1"; allowrealtimemonitoring = "1"; allowscanningnetworkfiles = "1"; allowscriptscanning = "1"; allowuseruiaccess = "0"; ApplicationId = $ConfigurationData.NonNodeData.ApplicationId; Assignments = @(); avgcpuloadfactor = 30; CertificateThumbprint = $ConfigurationData.NonNodeData.CertificateThumbprint; checkforsignaturesbeforerunningscan = "1"; cloudblocklevel = "0"; Description = "No blocks being applied. Useful for new deployments or migrations."; disablecatchupfullscan = "1"; disablecatchupquickscan = "1"; DisplayName = "MDE - Microsoft Defender AUDIT ONLY"; enablelowcpupriority = "1"; enablenetworkprotection = "2"; Ensure = "Present"; highseveritythreats = "allow"; Identity = "23988ef4-3c36-4b55-a697-3d8ce9e6405c"; lowseveritythreats = "allow"; moderateseveritythreats = "allow"; puaprotection = "2"; realtimescandirection = "0"; scanparameter = "2"; severethreats = "allow"; submitsamplesconsent = "1"; templateId = "804339ad-1553-4478-a742-138fb5807418_1"; TenantId = $OrganizationName; } When I create the policy using the Intune GUI and inspect the POST request the below is found: "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction", "groupSettingCollectionValue": [ { "children": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_severethreats", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_severethreats_allow", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_moderateseveritythreats", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_moderateseveritythreats_allow", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_lowseveritythreats", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_lowseveritythreats_allow", "children": [] } }, { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_highseveritythreats", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_highseveritythreats_allow", "children": [] } } ] } ], "settingInstanceTemplateReference": { "settingInstanceTemplateId": "f6394bc5-6486-4728-b510-555f5c161f2b" } } When I inspect the ADO logs I see that the following JSON object is sent: "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction", "settingInstanceTemplateReference": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSettingInstanceTemplateReference", "settingInstanceTemplateId": "f6394bc5-6486-4728-b510-555f5c161f2b" }, "groupSettingCollectionValue": [ { "children": [ { "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_moderateseveritythreats", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "ce46a55d-b894-4aff-b930-4ff87e9d7018" }, "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "children": [], "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_moderateseveritythreats_allow" } }, { "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_lowseveritythreats", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "84efce9d-c287-48b2-bcd0-57f7c344c055" }, "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "children": [], "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_lowseveritythreats_allow" } }, { "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_severethreats", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "dfa69081-2b32-4c6c-9370-fa380679a0be" }, "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "children": [], "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_severethreats_allow" } }, { "settingDefinitionId": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_highseveritythreats", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "f55b8c9c-d831-460e-a041-e47e29f2aa17" }, "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "children": [], "value": "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_highseveritythreats_allow" } } ], "settingValueTemplateReference": { "settingValueTemplateId": "04decd11-83d5-4a56-9cc1-7cd60b1f1329" }, "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingValue" } ] }Verbose logs showing the problem
Environment Information + PowerShell Version
No response
The text was updated successfully, but these errors were encountered: