
IntuneSettingCatalogASRRulesPolicyWindows10: New Graph SDK version breaks deployment of Intune resources

Open ajkenah opened this issue 7 months ago • 3 comments

Description of the issue

With the move to the new Graph 2.27.0 module, my IntuneSettingCatalogASRRulesPolicyWindows10 & IntuneAntivirusPolicyWindows10SettingCatalog templates are no longer deploying. I've also tried to re-export them again using the new 1.25.423.1 version, remove the IDs and change the name to deploy a cloned template, but I'm getting the same error. I'm getting a generic "notSupported" error. This is happening using both credential and certificate based authentication. Rolling back to version 1.25.416.1 resolves the issue.

Microsoft 365 DSC Version

1.25.423.1

Which workloads are affected

Intune

The DSC configuration

Configuration Device_Configuration-ES_Attack_Surface_Reduction_D_ASR_Rules
{
  Import-DscResource -ModuleName 'Microsoft365DSC'
  
  Node localhost
  {
    AADGroup 'WIN_OIB_3.4_Security_Baseline'
    {
      ApplicationId         = $ApplicationId;
      CertificateThumbprint = $ApplicationCertThumbprint;
      TenantId              = $ConfigurationData.OrganizationName;
      Description           = "Group for devices which will be applied the Open Intune Baseline (3.4) policies.";
      DisplayName           = 'WIN_OIB_3.4_Security_Baseline';
      Ensure                = "Present";
      GroupTypes            = @();
      MailEnabled           = $False;
      MailNickname          = "False";
      MemberOf              = @();
      Members               = @();
      Owners                = @();
      SecurityEnabled       = $True;
    }

    IntuneSettingCatalogASRRulesPolicyWindows10 "WIN_OIB_3.4 - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode)"
    {
      ApplicationId                     = $ApplicationId;
      CertificateThumbprint             = $ApplicationCertThumbprint;
      TenantId                          = $ConfigurationData.OrganizationName;
      Assignments                       = @(
        MSFT_DeviceManagementConfigurationPolicyAssignments {
          deviceAndAppManagementAssignmentFilterType = "none"
          groupDisplayName = "WIN_OIB_3.4_Security_Baseline"
          dataType = "#microsoft.graph.groupAssignmentTarget"
        }
      );
      BlockAbuseOfExploitedVulnerableSignedDrivers                               = "audit";
      BlockAdobeReaderFromCreatingChildProcesses                                 = "audit";
      BlockAllOfficeApplicationsFromCreatingChildProcesses                       = "audit";
      BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem          = "audit";
      BlockExecutableContentFromEmailClientAndWebmail                            = "audit";
      BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion = "audit";
      BlockExecutionOfPotentiallyObfuscatedScripts                               = "audit";
      BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent          = "audit";
      BlockOfficeApplicationsFromCreatingExecutableContent                       = "audit";
      BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses                 = "audit";
      BlockOfficeCommunicationAppFromCreatingChildProcesses                      = "audit";
      BlockPersistenceThroughWMIEventSubscription                                = "audit";
      BlockProcessCreationsFromPSExecAndWMICommands                              = "audit";
      BlockRebootingMachineInSafeMode                                            = "audit";
      BlockUntrustedUnsignedProcessesThatRunFromUSB                              = "audit";
      BlockUseOfCopiedOrImpersonatedSystemTools                                  = "audit";
      BlockWin32APICallsFromOfficeMacros                                         = "audit";
      DisplayName                                                                = "WIN_OIB_3.4 - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode)";
      EnableControlledFolderAccess                                               = "2";
      Ensure                                                                     = "Present";
      UseAdvancedProtectionAgainstRansomware                                     = "audit";    
      DependsOn                         = "[AADGroup]WIN_OIB_3.4_Security_Baseline";
    }
  }
}

Verbose logs showing the problem


Environment Information + PowerShell Version


ajkenah, Apr 29 '25 13:04

Just wanted to corroborate that this is also impacting the organization I work at, and we cannot push any of our "IntuneSettingCatalogCustomPolicyWindows10" policies due to this "NotSupported" bug on 1.25.423.1/2.27.0.

S-Bryce, Apr 30 '25 16:04

Looks like there's a bug in version "2.27.0" of the "Microsoft.Graph.Beta.DeviceManagement" module. This is for a template using the "IntuneSettingCatalogCustomPolicyWindows10" resource, but it's giving the same "Not Supported Error". When debugging, it looks like it's stripping the "platforms" & "technologies" properties from the JSON body before posting it.

It's a shame, because there is another bug in the previous version where it's converting the text value "1" into an integer before posting which gets fixed in the newer version. Sigh

ajkenah, May 01 '25 00:05
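
One way to check a request body for the two changes described in the comment above (properties dropped, a text value turned into an integer), as an added example that is not part of the original thread or of Microsoft365DSC. The function name `Compare-GraphRequestBody` is hypothetical, and both JSON samples are constructed and simplified; the captured sample merges both symptoms into one body for illustration.

```powershell
# Added example: report properties that are missing or have changed type
# between the body you intended to send and the body captured while debugging.
function Compare-GraphRequestBody {
    param(
        [Parameter(Mandatory)] $Intended,   # object from ConvertFrom-Json
        [Parameter(Mandatory)] $Captured,   # object from ConvertFrom-Json
        [string] $Path = '$'
    )
    $objType = [System.Management.Automation.PSCustomObject]
    foreach ($prop in $Intended.PSObject.Properties) {
        $childPath = "$Path.$($prop.Name)"
        $match = $Captured.PSObject.Properties[$prop.Name]
        if ($null -eq $match) {
            # Property was present in the intended body but never sent
            [pscustomobject]@{ Path = $childPath; Issue = 'Missing' }
            continue
        }
        $want = $prop.Value
        $got  = $match.Value
        if ($want -is $objType -and $got -is $objType) {
            Compare-GraphRequestBody -Intended $want -Captured $got -Path $childPath
        }
        elseif ($want -is [array] -and $got -is [array]) {
            # Compare array elements pairwise by index
            for ($i = 0; $i -lt [Math]::Min($want.Count, $got.Count); $i++) {
                if ($want[$i] -is $objType -and $got[$i] -is $objType) {
                    Compare-GraphRequestBody -Intended $want[$i] -Captured $got[$i] -Path "${childPath}[$i]"
                }
            }
        }
        elseif ($null -ne $want -and $null -ne $got -and $want.GetType() -ne $got.GetType()) {
            $issue = "TypeChanged: $($want.GetType().Name) -> $($got.GetType().Name)"
            [pscustomobject]@{ Path = $childPath; Issue = $issue }
        }
    }
}

# Constructed sample: what the resource meant to post (simplified, not the full Graph schema)
$intendedJson = @'
{ "name": "ASR Rules (Audit Mode)", "platforms": "windows10",
  "technologies": "mdm,microsoftSense",
  "settings": [ { "id": "0", "value": "1" } ] }
'@
# Constructed sample: the same body as it might look after the module altered it
$capturedJson = @'
{ "name": "ASR Rules (Audit Mode)",
  "settings": [ { "id": "0", "value": 1 } ] }
'@
Compare-GraphRequestBody -Intended ($intendedJson | ConvertFrom-Json) `
    -Captured ($capturedJson | ConvertFrom-Json) | Format-Table -AutoSize
```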

@ajkenah Did you already try with the latest release? We switched over to 2.28.0 to address some issues, but there are others still pending. Maybe your issue is now fixed (I hope so).

FabienTschanz, Jun 04 '25 20:06

This should be fixed now. Closing the issue.

FabienTschanz, Jun 30 '25 14:06