diff --git a/CHANGELOG.md b/CHANGELOG.md index 8c0efa9044..f8f002ad55 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,9 +13,13 @@ * IntuneAppAndBrowserIsolationPolicyWindows10 * Initial release. FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028) +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Migrate to new Settings Catalog cmdlets. * M365DSCDRGUtil * Fixes an issue for the handling of skipped one-property elements in the Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) + * Add Set support for secret Settings Catalog values + * Removed unused functions # 1.24.1002.1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index 047fb4e9e6..a7a6ad3a6e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 @@ -12,6 +12,10 @@ function Get-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
@@ -96,106 +100,74 @@ function Get-TargetResource if ($null -eq $policy) { - Write-Verbose -Message "No Endpoint Detection And Response Policy with Id {$Identity} was found" - $policyTemplateID = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' - $filter = "name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'" - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter $filter -ErrorAction SilentlyContinue - if ($null -eq $policy) + Write-Verbose -Message "Could not find an Intune Endpoint Detection And Response Policy for Windows10 with Id {$Identity}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) { - Write-Verbose -Message "No Endpoint Detection And Response Policy with displayName {$DisplayName} was found" - return $nullResult + $policy = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue } } - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty 'settings' -ErrorAction SilentlyContinue - + if ($null -eq $policy) + { + Write-Verbose -Message "Could not find an Intune Endpoint Detection And Response Policy for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } $Identity = $policy.Id + Write-Verbose -Message "An Intune Endpoint Detection And Response Policy for Windows10 with Id {$Identity} and Name {$DisplayName} was found" - Write-Verbose -Message "Found Endpoint Detection And Response Policy with Id {$($policy.id)} and displayName {$($policy.Name)}" - - #Retrieve policy specific settings - $settings = @() - $settings += $policy.settings + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Identity ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop - $returnHashtable = @{} - $returnHashtable.Add('Identity', $Identity) - $returnHashtable.Add('DisplayName', $policy.name) - $returnHashtable.Add('Description', $policy.description) - - foreach ($setting in $settings.settingInstance) + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + if ($policySettings.ClientConfigurationPackageType -eq 'onboarding_fromconnector') { - $addToParameters = $true - $settingName = $setting.settingDefinitionId.Split('_') | Select-Object -Last 1 - - switch ($setting.AdditionalProperties.'@odata.type') - { - - '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - { - $settingValue = $setting.AdditionalProperties.simpleSettingValue.value - } - '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - { - $settingValue = $setting.AdditionalProperties.choiceSettingValue.value.split('_') | Select-Object -Last 1 - } - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.groupSettingCollectionValue.children) - { - $settingName = $value.settingDefinitionId.split('_') | Select-Object -Last 1 - $settingValue = $value.choiceSettingValue.value.split('_') | Select-Object -Last 1 - 
$returnHashtable.Add($settingName, $settingValue) - $addToParameters = $false - } - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.simpleSettingCollectionValue.value) - { - $values += $value - } - $settingValue = $values - } - Default - { - $settingValue = $setting.value - } - } - - if ($addToParameters) - { - $returnHashtable.Add($settingName, $settingValue) - } - + $policySettings.Add('ConfigurationType', 'AutoFromConnector') } - - #Removing telemetryreportingfrequency as deprecated and doen't need to be evaluated adn enforced - $returnHashtable.Remove('telemetryreportingfrequency') - - $returnAssignments = @() - $currentAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity -All - - if ($null -ne $currentAssignments -and $currentAssignments.count -gt 0 ) + else { - $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments ($currentAssignments) + $policySettings.Add('ConfigurationType', $policySettings.ClientConfigurationPackageType) } + $policySettings.Remove('ClientConfigurationPackageType') + $policySettings.Remove('onboarding') + $policySettings.Remove('offboarding') + $policySettings.Remove('onboarding_fromconnector') + + # Removing TelemetryReportingFrequency because it's deprecated and doesn't need to be evaluated and enforced + $policySettings.Remove('telemetryreportingfrequency') + + $results = @{ + #region resource generator code + Description = $policy.Description + DisplayName = $policy.Name + RoleScopeTagIds = $policy.RoleScopeTagIds + Identity = $policy.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings - 
$returnHashtable.Add('Assignments', $returnAssignments) - - Write-Verbose -Message "Found Endpoint Protection Policy {$($policy.name)}" - - $returnHashtable.Add('Ensure', 'Present') - $returnHashtable.Add('Credential', $Credential) - $returnHashtable.Add('ApplicationId', $ApplicationId) - $returnHashtable.Add('TenantId', $TenantId) - $returnHashtable.Add('ApplicationSecret', $ApplicationSecret) - $returnHashtable.Add('CertificateThumbprint', $CertificateThumbprint) - $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) - $returnHashtable.Add("AccessTokens", $AccessTokens) + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) - return $returnHashtable + return $results } catch { @@ -222,6 +194,10 @@ function Set-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
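Review bot: The DisplayName fallback in Get-TargetResource now filters on `Name eq '$DisplayName'` alone, while the removed line also pinned `templateReference/TemplateId` to the EDR template. Without that clause any configuration policy sharing the name can come back (or several, which makes `$policy.Id` an array), and Set-TargetResource later updates or removes whatever `Identity` this function returns. The name is also interpolated unescaped, so a display name containing a single quote breaks the filter. Keep the `$policyTemplateID` assignment and use `-Filter "Name eq '$($DisplayName.Replace("'", "''"))' and templateReference/TemplateId eq '$policyTemplateID'"`. The function body starts and ends outside this hunk.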
@@ -291,14 +267,35 @@ function Set-TargetResource #endregion $currentPolicy = Get-TargetResource @PSBoundParameters - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('AccessTokens') | Out-Null + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + switch ($ConfigurationType) + { + 'AutoFromConnector' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'onboarding_fromconnector') + $BoundParameters.Add('onboarding_fromconnector', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + 'Onboard' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'onboard') + $BoundParameters.Add('onboarding', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + 'Offboard' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'offboard') + $BoundParameters.Add('offboarding', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + } + + if ([System.String]::IsNullOrEmpty($ConfigurationBlob)) + { + throw "ConfigurationBlob is required for configurationType '$($DSCParams.ConfigurationType)'" + } + $BoundParameters.Remove('ConfigurationType') | Out-Null $templateReferenceId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' $platforms = 'windows10' 
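Review bot: The `ConfigurationBlob` check sits ahead of the Ensure branches, so a resource declared with `Ensure = 'Absent'` and no blob throws before it reaches the removal path; the deleted helper only enforced the blob while building settings for create and update. The message also reads `$DSCParams.ConfigurationType`, and `$DSCParams` is not defined anywhere in the visible part of Set-TargetResource, so the type would presumably print as empty. Suggest moving the guard above the switch as `if ($Ensure -eq 'Present' -and [System.String]::IsNullOrEmpty($ConfigurationBlob))` with `throw "ConfigurationBlob is required for configurationType '$ConfigurationType'"`. The function body continues outside this hunk.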
@@ -306,82 +303,64 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating new Endpoint Protection Policy {$DisplayName}" - $PSBoundParameters.Remove('Assignments') | Out-Null + Write-Verbose -Message "Creating an Intune Endpoint Protection And Response Policy for Windows10 with Name {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null - $settings = @() - $formattedSettings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId - if ($null -ne $formattedSettings) - { - $settings += $formattedSettings - } - $createParameters = @{ - name = $DisplayName - description = $Description - templateReference = @{templateId = $templateReferenceId } - platforms = $platforms - technologies = $technologies - settings = $settings + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings } - write-verbose ($createParameters|convertto-json -depth 100) + #region resource generator code $policy = New-MgBetaDeviceManagementConfigurationPolicy -bodyParameter $createParameters - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.count -gt 0 ) + if ($policy.Id) { - $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' } - - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $policy.id ` - 
-Targets $assignmentsHash - + #endregion } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { - Write-Verbose -Message "Updating existing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" - $PSBoundParameters.Remove('Assignments') | Out-Null + Write-Verbose -Message "Updating the Intune Endpoint Protection And Response Policy for Windows10 {$($currentPolicy.DisplayName)}" + $BoundParameters.Remove('Assignments') | Out-Null - #format settings from PSBoundParameters for update - $settings = @() - $formattedSettings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId - if ($null -ne $formattedSettings) - { - $settings += $formattedSettings - } - - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings - #region update policy assignments - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.count -gt 0 ) - { - $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments - } - + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` - -Targets $assignmentsHash + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' #endregion } elseif ($Ensure -eq 'Absent' -and 
$currentPolicy.Ensure -eq 'Present') { - Write-Verbose -Message "Removing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" + Write-Verbose -Message "Removing the Intune Endpoint Protection And Response Policy for Windows 10 with Id {$($currentPolicy.Identity)}" Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentPolicy.Identity } } @@ -400,6 +379,10 @@ function Test-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
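Review bot: `RoleScopeTagIds` is added as a parameter by this commit and returned by Get-TargetResource, but neither `$createParameters` nor the `Update-IntuneDeviceConfigurationPolicy` call in this hunk passes it, so as far as the visible lines show the scope tags are never written. Scope tags bound which administrators can see and manage the policy, so a configuration that declares them would apply without them, and Test-TargetResource would presumably report drift on every run. Add `RoleScopeTagIds = $RoleScopeTagIds` to `$createParameters`, and pass the value on the update path if `Update-IntuneDeviceConfigurationPolicy` accepts it (its signature is not shown here). The enclosing function starts before this hunk.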
@@ -467,34 +450,69 @@ function Test-TargetResource -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of Endpoint Protection Policy {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Intune Endpoint Protection And Response Policy for Windows10 with Id {$Identity} and Name {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } - $ValuesToCheck = ([hashtable]$PSBoundParameters).clone() $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('ConfigurationBlob') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck - $source = $PSBoundParameters.Assignments - $target = 
$CurrentValues.Assignments - $ValuesToCheck.Remove('Assignments') | Out-Null - - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" if ($testResult) { - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testResult" - return $TestResult + return $testResult } function Export-TargetResource @@ -558,9 +576,12 @@ function Export-TargetResource { $policyTemplateID = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' [array]$policies = Get-MgBetaDeviceManagementConfigurationPolicy ` - -All:$true ` + -All ` -Filter $Filter ` - -ErrorAction Stop | Where-Object -FilterScript { $_.TemplateReference.TemplateId -eq $policyTemplateID } ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } if ($policies.Length -eq 0) { 
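Review bot: The parameter filter `$_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', ...)` is always true, because no key can both end in `Variable` and be one of the listed names; it needs `-and`. As written, a bound common parameter such as `-Verbose` lands in `$ValuesToCheck` and is compared against a current value that does not exist. Separately, `ConfigurationBlob` is removed from `$ValuesToCheck`, yet the `Target Values` verbose line still serialises `$PSBoundParameters`, which holds the onboarding blob. Unless `Convert-M365DscHashtableToString` redacts it (not visible here), log a copy with that key removed.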
@@ -593,48 +614,38 @@ function Export-TargetResource } $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results - if ($Results.Ensure -eq 'Present') + if ($Results.Assignments) { - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results - - if ($Results.Assignments) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments - if ($complexTypeStringResult) - { - $Results.Assignments = $complexTypeStringResult - } - else - { - $Results.Remove('Assignments') | Out-Null - } + $Results.Assignments = $complexTypeStringResult } - - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $Results ` - -Credential $Credential - - if ($Results.Assignments) + else { - $isCIMArray = $false - if ($Results.Assignments.getType().Fullname -like '*[[\]]') - { - $isCIMArray = $true - } - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray + $Results.Remove('Assignments') | Out-Null } + } - $dscContent += $currentDSCBlock - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential - Write-Host $Global:M365DSCEmojiGreenCheckMark - $i++ + if ($Results.Assignments) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark } return $dscContent } 
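Review bot: The `if ($Results.Ensure -eq 'Present')` guard around the export body is removed, so a policy for which Get-TargetResource returns its null result is still handed to `Get-M365DSCExportContentForResource` and appended to `$dscContent`. Get-TargetResource now calls the settings cmdlet with `-ErrorAction Stop`, so a transient Graph failure presumably ends in its catch path and would be exported as an incomplete block rather than skipped. Consider restoring the guard, or logging and skipping the item when `$Results.Ensure` is not `'Present'`. The surrounding loop starts outside this hunk.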
@@ -661,278 +672,4 @@ function Export-TargetResource } } -function Get-IntuneSettingCatalogPolicySetting -{ - [CmdletBinding()] - [OutputType([System.Array])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - [Parameter(Mandatory = 'true')] - [System.String] - $TemplateId - ) - - $DSCParams.Remove('Identity') | Out-Null - $DSCParams.Remove('DisplayName') | Out-Null - $DSCParams.Remove('Description') | Out-Null - - #Prepare setting definitions mapping - $settingDefinitions = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $TemplateId - $settingInstances = @() - foreach ($settingDefinition in $settingDefinitions.SettingInstanceTemplate) - { - - $settingInstance = @{} - $settingName = $settingDefinition.SettingDefinitionId.split('_') | Select-Object -Last 1 - $settingType = $settingDefinition.AdditionalProperties.'@odata.type'.replace('InstanceTemplate', 'Instance') - $settingInstance.Add('settingDefinitionId', $settingDefinition.settingDefinitionId) - $settingInstance.Add('@odata.type', $settingType) - if (-Not [string]::IsNullOrEmpty($settingDefinition.settingInstanceTemplateId)) - { - $settingInstance.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $settingDefinition.settingInstanceTemplateId }) - } - $settingValueName = $settingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $settingValueName = $settingValueName.Substring(0, 1).ToLower() + $settingValueName.Substring(1, $settingValueName.length - 1 ) - $settingValueType = $settingDefinition.AdditionalProperties."$($settingValueName)Template".'@odata.type' - if ($null -ne $settingValueType) - { - $settingValueType = $settingValueType.replace('ValueTemplate', 'Value') - } - $settingValueTemplateId = $settingDefinition.AdditionalProperties."$($settingValueName)Template".settingValueTemplateId - $settingValue = 
Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $settingDefinition ` - -SettingName $settingName ` - -SettingType $settingType ` - -SettingValueName $settingValueName ` - -SettingValueType $settingValueType ` - -SettingValueTemplateId $settingValueTemplateId - - if ($null -ne $settingValue) { - $childSettingType = "" - switch ($DSCParams['ConfigurationType']) - { - 'AutoFromConnector' - { - $childSettingType = 'onboarding_fromconnector' - } - 'Onboard' - { - $childSettingType = 'onboarding' - } - 'Offboard' - { - $childSettingType = 'offboarding' - } - } - - if ($settingName -eq 'configurationType') - { - if ([System.String]::IsNullOrEmpty($DSCParams['ConfigurationBlob'])) - { - throw "ConfigurationBlob is required for configurationType '$($DSCParams['ConfigurationType'])'" - } - - $children = @() - $children += @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance" - settingDefinitionId = "device_vendor_msft_windowsadvancedthreatprotection_$($childSettingType)" - simpleSettingValue = @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationSecretSettingValue" - value = $DSCParams['ConfigurationBlob'] - valueState = "NotEncrypted" - } - } - $settingValue.choiceSettingValue.Add("children", $children) - } - $settingInstance += ($settingValue) - $settingInstances += @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - 'settingInstance' = $settingInstance - } - } else { - Continue - } - } - - return $settingInstances -} - -function Get-IntuneSettingCatalogPolicySettingInstanceValue -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - - [Parameter()] - $SettingDefinition, - - [Parameter()] - [System.String] - $SettingType, - - [Parameter()] - [System.String] - $SettingName, - - [Parameter()] - [System.String] - $SettingValueName, - - 
[Parameter()] - [System.String] - $SettingValueType, - - [Parameter()] - [System.String] - $SettingValueTemplateId - ) - - $settingValueReturn = @{} - switch ($settingType) - { - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $groupSettingCollectionValue = @{} - $groupSettingCollectionValueChildren = @() - - $groupSettingCollectionDefinitionChildren = $SettingDefinition.AdditionalProperties.groupSettingCollectionValueTemplate.children - foreach ($childDefinition in $groupSettingCollectionDefinitionChildren) - { - $childSettingName = $childDefinition.settingDefinitionId.split('_') | Select-Object -Last 1 - $childSettingType = $childDefinition.'@odata.type'.replace('InstanceTemplate', 'Instance') - $childSettingValueName = $childSettingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" - $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) - $childSettingValueTemplateId = $childDefinition.$childSettingValueName.settingValueTemplateId - $childSettingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $childDefinition ` - -SettingName $childSettingName ` - -SettingType $childDefinition.'@odata.type' ` - -SettingValueName $childSettingValueName ` - -SettingValueType $childSettingValueType ` - -SettingValueTemplateId $childSettingValueTemplateId - - if ($null -ne $childSettingValue) - { - $childSettingValue.add('settingDefinitionId', $childDefinition.settingDefinitionId) - $childSettingValue.add('@odata.type', $childSettingType ) - $groupSettingCollectionValueChildren += $childSettingValue - } - } - $groupSettingCollectionValue.add('children', $groupSettingCollectionValueChildren) - $settingValueReturn.Add('groupSettingCollectionValue', 
@($groupSettingCollectionValue)) - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.tolower())) - { - $values = $DSCParams[$key] - break - } - } - $settingValueCollection = @() - foreach ($v in $values) - { - $settingValueCollection += @{ - value = $v - '@odata.type' = $settingValueType - } - } - $settingValueReturn.Add($settingValueName, $settingValueCollection) - } - Default - { - $value = $null - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.tolower())) - { - $value = "$($SettingDefinition.settingDefinitionId)_$($DSCParams[$key])" - break - } - } - $settingValue = @{} - - if (-Not [string]::IsNullOrEmpty($settingValueType)) - { - $settingValue.add('@odata.type', $settingValueType) - } - if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) - { - $settingValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $settingValueTemplateId }) - } - $settingValue.add('value', $value) - if ($null -eq $value) - { - return $null - } - $settingValueReturn.Add($settingValueName, $settingValue) - } - } - return $settingValueReturn -} - -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = [ordered]@{ - 'name' = $DisplayName - 'description' = $Description - 
'platforms' = $Platforms - 'technologies' = $Technologies - 'templateReference' = $templateReference - 'settings' = $Settings - } - #write-verbose (($policy|ConvertTo-Json -Depth 20)) - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> $null -} - Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof index 6b2b758d61..f4dc9d7295 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof 
@@ -14,6 +14,7 @@ class MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10 : OMI_BaseResource { [Write, Description("Identity of the endpoint detection and response policy for Windows 10.")] String Identity; [Key, Description("Display name of the endpoint detection and response policy for Windows 10.")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; [Write, Description("Description of the endpoint detection and response policy for Windows 10.")] String Description; [Write, Description("Assignments of the endpoint detection and response policy for Windows 10."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; [Write, Description("Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All"), ValueMap{"0", "1"}, Values{"0", "1"}] String SampleSharing; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 index 2cf142bdf2..85a7af0f70 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 @@ -31,6 +31,9 @@ Configuration Example ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 index 21679df4b0..e68894c238 100644 
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 @@ -31,6 +31,9 @@ Configuration Example ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } } } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 962544bf28..8d1e1f69d7 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -501,7 +501,6 @@ function Get-M365DSCDRGSimpleObjectTypeToString [Parameter()] [System.String] $Space = ' ' - ) $returnValue = '' 
@@ -837,250 +836,6 @@ function Convert-M365DSCDRGComplexTypeToHashtable return [hashtable]$results } -function Get-SettingCatalogSettingValue -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable],[System.Collections.Hashtable[]])] - param ( - [Parameter()] - $SettingValue, - [Parameter()] - $SettingValueType - - ) - - switch -Wildcard ($SettingValueType) - { - '*ChoiceSettingInstance' - { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $complexValue.Add('Value',$SettingValue.value) - $children = @() - foreach($child in $SettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $childSettingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$childSettingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - } - '*ChoiceSettingCollectionInstance' - { - $complexCollection = @() - foreach($item in $SettingValue) - { - $complexValue = @{} - $complexValue.Add('Value',$item.value) - $children = @() - foreach($child in $item.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $childSettingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$childSettingValue) - 
$children += $complexChild - } - $complexValue.Add('Children',$children) - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) - } - '*SimpleSettingInstance' - { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $valueName = 'IntValue' - $value = $SettingValue.value - if($SettingValue.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue') - { - $valueName = 'StringValue' - } - $complexValue.Add($valueName,$value) - if($SettingValue.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationSecretSettingValue') - { - $complexValue.Add('ValueState',$SettingValue.valueState) - } - } - '*SimpleSettingCollectionInstance' - { - $complexCollection = @() - - foreach($item in $SettingValue) - { - $complexValue = @{} - $complexValue.Add('odataType',$item.'@odata.type') - $valueName = 'IntValue' - $value = $item.value - if($item.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue') - { - $valueName = 'StringValue' - } - $complexValue.Add($valueName,$value) - if($item.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationSecretSettingValue') - { - $complexValue.Add('ValueState',$item.valueState) - } - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) - } - '*GroupSettingInstance' - { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $children = @() - foreach($child in $SettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $settingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType 
$child.'@odata.type' - $complexChild.Add($valueName,$settingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - } - '*GroupSettingCollectionInstance' - { - $complexCollection = @() - foreach($groupSettingValue in $SettingValue) - { - $complexValue = @{} - #$complexValue.Add('odataType',$SettingValue.'@odata.type') - $children = @() - foreach($child in $groupSettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $settingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$settingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) - } - } - return $complexValue -} - -function Get-SettingCatalogPolicySettingsFromTemplate -{ - [CmdletBinding()] - [OutputType([System.Array])] - param - ( - [Parameter(Mandatory = $true)] - [System.Collections.Hashtable] - $DSCParams, - - [Parameter(Mandatory = $true)] - [System.String] - $templateReferenceId - ) - - $DSCParams.Remove('Identity') | Out-Null - $DSCParams.Remove('DisplayName') | Out-Null - $DSCParams.Remove('Description') | Out-Null - - $settings = @() - - $templateSettings = Get-MgDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $templateReferenceId - - $simpleSettings = @() - $simpleSettings += $templateSettings.SettingInstanceTemplate | Where-Object -FilterScript ` - { $_.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstanceTemplate' } - 
foreach ($templateSetting in $simpleSettings) - { - $setting = @{} - $settingKey = $DSCParams.keys | Where-Object -FilterScript { $templateSetting.settingDefinitionId -like "*$($_)" } - if ((-not [String]::IsNullOrEmpty($settingKey)) -and $DSCParams."$settingKey") - { - $setting.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') - $myFormattedSetting = Format-M365DSCParamsToSettingInstance -DSCParams @{$settingKey = $DSCParams."$settingKey" } ` - -TemplateSetting $templateSetting - - $setting.Add('settingInstance', $myFormattedSetting) - $settings += $setting - $DSCParams.Remove($settingKey) | Out-Null - } - } - - #Prepare attacksurfacereductionrules groupCollectionTemplateSettings - $groupCollectionTemplateSettings = @() - $groupCollectionTemplateSettings += $templateSettings.SettingInstanceTemplate | Where-Object -FilterScript ` - { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstanceTemplate' } - - foreach ($groupCollectionTemplateSetting in $groupCollectionTemplateSettings) - { - $setting = @{} - $setting.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') - $settingInstance = [ordered]@{} - $settingInstance.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance') - $settingInstance.Add('settingDefinitionId', $groupCollectionTemplateSetting.settingDefinitionId) - $settingInstance.Add('settingInstanceTemplateReference', @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingInstanceTemplateReference' - 'settingInstanceTemplateId' = $groupCollectionTemplateSetting.settingInstanceTemplateId - }) - $groupSettingCollectionValues = @() - $groupSettingCollectionValueChildren = @() - $groupSettingCollectionValue = @{} - $groupSettingCollectionValue.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingValue') - - $settingValueTemplateId = 
$groupCollectionTemplateSetting.AdditionalProperties.groupSettingCollectionValueTemplate.settingValueTemplateId - if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) - { - $groupSettingCollectionValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $SettingValueTemplateId }) - } - - foreach ($key in $DSCParams.keys) - { - $templateValue = $groupCollectionTemplateSetting.AdditionalProperties.groupSettingCollectionValueTemplate.children | Where-Object ` - -FilterScript { $_.settingDefinitionId -like "*$key" } - if ($templateValue) - { - $groupSettingCollectionValueChild = Format-M365DSCParamsToSettingInstance ` - -DSCParams @{$key = $DSCParams."$key" } ` - -TemplateSetting $templateValue ` - -IncludeSettingValueTemplateId $false ` - -IncludeSettingInstanceTemplateId $false - - $groupSettingCollectionValueChildren += $groupSettingCollectionValueChild - } - } - $groupSettingCollectionValue.Add('children', $groupSettingCollectionValueChildren) - $groupSettingCollectionValues += $groupSettingCollectionValue - $settingInstance.Add('groupSettingCollectionValue', $groupSettingCollectionValues) - $setting.Add('settingInstance', $settingInstance) - - if ($setting.settingInstance.groupSettingCollectionValue.children.count -gt 0) - { - $settings += $setting - } - } - - return $settings -} - function ConvertFrom-IntunePolicyAssignment { [CmdletBinding()] @@ -1965,6 +1720,11 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $settingValue = @{} if (-not [string]::IsNullOrEmpty($SettingValueType)) { + if ($SettingDefinition.AdditionalProperties.valueDefinition.isSecret) + { + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationSecretSettingValue" + $settingValue.Add('valueState', 'NotEncrypted') + } $settingValue.Add('@odata.type', $SettingValueType) } if (-not [string]::IsNullOrEmpty($settingValueTemplateId)) 
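Review bot: The new `isSecret` branch in Get-IntuneSettingCatalogPolicySettingInstanceValue sits inside the `if (-not [string]::IsNullOrEmpty($SettingValueType))` guard, so a secret definition that reaches this function with an empty `$SettingValueType` would be built without the secret value type and without `valueState`; whether a caller can do that is not visible, because the function starts and ends outside the hunk. Marking the value `'NotEncrypted'` also means the caller-supplied plain value travels in `$settingValue`, so that hashtable should not be written to verbose or debug output downstream. The test mock in this commit models the read-back as `valueState = 'encryptedValueToken'`, which suggests the stored value will not compare equal to the desired one. I would add a comment above the branch: `# Secret settings are sent as plain values marked 'NotEncrypted'; never log $settingValue, and do not compare the read-back token with the desired value`.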
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1
index fc863b5c09..e9801b6c53 100644
--- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1
@@ -44,12 +44,101 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplate -MockWith { + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { return @{ - TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + Platforms = "windows10" + Technologies = "mdm,microsoftSense" + TemplateReference = @{ + TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' + } } } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding' + Name = 'Onboarding' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + valueDefinition = @{ + isSecret = $true + } + } + } + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' + Name = 'ClientConfigurationPackageType' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '23ab0ea3-1b12-429a-8ed0-7390cf699160' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @( + @{ + settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding' + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSecretSettingValue' + value = '84db67dd-caf8-4f86-bf00-b8897972d51f' + valueState = 'encryptedValueToken' + } + } + ) + value = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboard' + } + value = "TEST" + } + } + } + @{ + Id = 1 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' + Name = 'SampleSharing' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" + } + } + } + } + ) + } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { return @(@{ Id = '12345-12345-12345-12345-12345' 
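Review bot: `Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { }` stubs out the settings builder, so nothing in this file appears to exercise the new `isSecret` branch in M365DSCDRGUtil that rewrites the value type and sets `valueState`; the update test in a later hunk only asserts that `Update-IntuneDeviceConfigurationPolicy` was invoked once. A test that leaves the builder unmocked for the onboarding setting and asserts the resulting `'@odata.type'` and `valueState` would pin that behaviour. At minimum I would add `# Settings builder is stubbed: the secret-value path is not covered here` above the mock. The mock data also carries a `value = "TEST"` entry next to `choiceSettingValue` in the first setting's `AdditionalProperties`, which looks unintended.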
@@ -69,18 +158,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - SettingInstanceTemplate = @{ - settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - settingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - } - } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { @@ -105,6 +182,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" sampleSharing = "0" } 
@@ -141,39 +220,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - sampleSharing = "0" - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_1" - } - } - - } - AdditionalProperties = $null - } - } - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "1" # Drift } } @@ -187,7 +236,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } 
@@ -206,32 +255,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceAndAppManagementAssignmentFilterType = 'none' } -ClientOnly) ) - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } - } + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "0" } } 
@@ -254,35 +280,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "1" } } 
@@ -307,38 +307,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{ - TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } - } } It 'Should Reverse Engineer resource from the Export method' {