Unable to update IntuneAntivirusPolicyWindows10SettingCatalog settings on existing policy #4003
Comments
@William-Francillette have you come across this issue when testing?
I already reported other issues on #3958, but on the topic of changing properties (except Ensure) I tested it again and it seems that the policy itself actually gets changed; nevertheless, in the admin portal it stays the same. Not sure if it's some kind of delay or just a UI problem.
The Update-IntuneDeviceConfigurationPolicy fails though if you notice the event logs. Admin portal never updates at all, not a delay, it simply doesn't update correctly.
Nope, I didn't, but I'll have a look, as the API is not really user friendly for those setting catalog templates. It's a very tedious process and thus I have not checked all parameters.
@Cyanic-Cloud Not sure how you're getting the error message, but I don't have any.
See below, this is where the error message is shown. I have implemented the same setup as per the whitepaper docs.
I know where to look for errors, what I'm trying to say is that I don't have any.
Thanks @William-Francillette, appreciate the help, I noticed the below like you mentioned:
So basically what is happening here is that some properties work and others don't. The one you're changing doesn't work and gives an error. I was, for example, changing allowrealtimemonitoring and that one worked, but it seems they also have different meanings of what 0 and 1 mean, since for that property 0 means "allow" and 1 "not allow", whereas for the one you're changing, allowarchivescanning, it's the opposite.
Is this really a Microsoft 365 DSC issue or is this a Microsoft Graph one? I'm trying to understand what needs to be done.
@Cyanic-Cloud You're right, I seem to be having some delay at times dealing with this policy and it didn't update the changes I did on allowrealtimemonitoring through M365DSC right away in the UI. Now it shows like yours as well, but allowarchivescanning cannot be changed, only exported; don't know about all the others.
@Cyanic-Cloud I've tested your extract and it's working on my side
And start your configuration again - it should work after
@William-Francillette I used his config too with your fixes. I only tested 2 properties and, as mentioned here already, at least updating allowarchivescanning fails and allowrealtimemonitoring works; I didn't go through every single parameter.
I've tried updating both parameters using 1.23.1122.1 without issue
I'm using 1129, but have you actually seen allowarchivescanning change in the admin portal? Exporting it is not an issue, its value is either 0 or 1, but if you change the value in the MOF and redeploy the policy it won't complain in the CLI but there will be an error in Event Viewer. Edit: and of course the value is actually not changed.
When making tests to update resources I always use Test-DSCConfiguration on the MOF. If it gets back in non-desired state it means that either the change was not done, there's a problem in the code around Test-TargetResource, or a combination of both.
Changed the value, ran the DSC config twice - the first time it triggers Set-TargetResource, the second time Test-TargetResource returns true
Then there's something different in your environment which doesn't impact you like it does for me and @Cyanic-Cloud. You're still using 1.23.1122.1 but it's 1.23.1129.1 that got your fixes; maybe it's those fixes that are causing this issue now?
Same after update, running 1.23.1206.1, and it's all working on my side still 🤷‍♂️
Thanks @William-Francillette I am testing now, will revert back with outcome, although I do think I rebooted the host after but could be wrong haha
@William-Francillette @Cyanic-Cloud I updated to 1.23.1206.1 and restarted winmgmt service and it still didn't work, BUT after deleting the policy and recreating it again now I'm able to change several of this resource's properties and the Test-TargetResource/Test-DSCConfiguration always succeeds. Still not sure what was the problem with the original policy though...
I always remove the module version to force it to run on the latest, in any case I didn't have other versions installed except 1129 and now 1206, what solved it for me really was deleting the policy first.
I shouldn't be making these tests while I'm about to sleep, this is actually not working, it seemed like it was because I had Ensure = Absent so the tests always succeeded. I tested it creating the policy again right now, which it does without issues regardless of the values of the properties, but then trying to change any property never updates the policy and it's always in non-desired state. In fact now I tried to change allowrealtimemonitoring and that one is also not working! I don't know what's going on and won't have time to debug it further.
@ricmestre I am semi glad to hear you say this as I've been trying to get it working since last night and it wasn't working, so I was scratching my head trying to work out what I was doing wrong. Like you say, it deploys the policy without issue but when new values are added to the likes of allowarchivescanning it fails to update. Still getting the below error shown in the Event logs: Error updating data: { Response status code does not indicate success: BadRequest (Bad Request). } \ at Update-IntuneDeviceConfigurationPolicy, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1206.1\DscResources\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1: line 1658
I am clutching at straws here but the error above suggests an issue with line 1658 within the following file: If I look at that line it's using PUT, should this not be PATCH according to the Microsoft Documentation? UPDATE: Back to the drawing board :(
@Cyanic-Cloud I tested with PATCH and the problem still remains which means there's a problem with the body of the request.
Yeah I tested also, currently running the pipeline again and running verbose log to see what it's sending in the request.
Some progress, if I run the following:
Edit allowarchivescanning within M365TenantConfig.ps1
Then create my mof file using .\M365TenantConfig.ps1
Start-DSCConfiguration -Path "C:\Temp\DSC Config Exports\Exports\071223\M365TenantConfig" -Wait -Verbose -Force
The setting changes as expected. Why it's not changing during the pipeline is beyond me
@Cyanic-Cloud Told you I was leaving but couldn't resist making a few tests. I also have DevOps pipelines with cert auth, but all these tests are done locally and with credentials, and I can replicate the same. So I made an export with credentials, compiled it to MOF and then I was able to change several settings even at the same time and the changes were always done without issues. Then if I proceed to delete the policy directly through the MOF (changing Ensure to Absent) it deletes it. Next step is creating the policy again (changing Ensure back to Present), which it also does, but then changing any setting doesn't work! So basically it only worked as long as the MOF was originally created via the export and the changes were done until the policy is deleted; once I recreated it with the MOF without the MOF itself being generated again by the export then none of the changes take place except deleting the policy again. This doesn't make any sense to me.
Tried it today in my DevOps test harness pipeline (which creates, updates and finally deletes resources). In the first pass I had left an AV policy already created in my tenant, so during the create stage of the pipeline it updated that policy without issues, and the same happened during the update and deletion stages. I then tried a second pass; at this point there weren't any AV policies left in the tenant so it created the policy again, but in the update stage it says that the policy was updated, but I always run Test-DSCConfiguration at the end of each stage and this time it failed and the pipeline stopped.
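The check the comments above rely on (re-test the MOF after every apply, and read the event log because the pipeline itself reports no error), written out as an added example; it is not code from this thread or from the Microsoft365DSC project. The $MofPath parameter and the 'M365DSC' event log name are assumptions to adjust for your deployment agent.

```powershell
# Added example: post-apply gate for a pipeline stage (not Microsoft365DSC project code).
# Assumptions: $MofPath is the folder holding the compiled MOF; 'M365DSC' is the
# event log the module writes to on this agent.
param(
    [Parameter(Mandatory)]
    [string]$MofPath
)

$ErrorActionPreference = 'Stop'
$stageStart = Get-Date

# Apply the configuration and block until the LCM has finished.
Start-DscConfiguration -Path $MofPath -Wait -Force

# Re-test the same MOF. An update that failed with BadRequest leaves the
# resource in non-desired state even though the apply step returned cleanly.
$test  = Test-DscConfiguration -Path $MofPath
$drift = @($test | ForEach-Object { $_.ResourcesNotInDesiredState } | Where-Object { $_ })

foreach ($r in $drift) {
    Write-Warning "Not in desired state after apply: $($r.ResourceId)"
}

# Collect error-level events written since the stage started, e.g. the
# "BadRequest" raised inside Update-IntuneDeviceConfigurationPolicy.
$errors = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'M365DSC'
        Level     = 2          # 2 = Error
        StartTime = $stageStart
    } -ErrorAction SilentlyContinue)

foreach ($e in $errors) {
    $firstLine = ($e.Message -split "`r?`n")[0]
    Write-Warning "[$($e.TimeCreated)] $firstLine"
}

# Fail the stage on either signal so a silently skipped policy update stops the pipeline.
if ($drift.Count -gt 0 -or $errors.Count -gt 0) {
    throw "DSC stage failed: $($drift.Count) resource(s) drifted, $($errors.Count) error event(s) logged."
}
Write-Output 'All resources in desired state and no error events logged.'
```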
Slight difference in how the request is made up, see below comparisons @William-Francillette
The order doesn't matter, unfortunately. I will try, as ric mentioned, using absent, then recreate and update settings. Will revert back asap.
Good news gents! Found the issue and corrected it - the Identity parameter was wrong when we retrieved the policy from displayName
Music to my ears! 🥳 thanks @William-Francillette! I'll keep an eye out for the update!
I made the change manually for now adding $currentPolicy.Identity and it all works a treat!
Description of the issue
When deploying a New IntuneAntivirusPolicyWindows10SettingCatalog policy the policy deploys without issue, using the below DSC configuration shown in the DSC Configuration Tab labeled "Deployed Config".
If I attempt to update a setting allowarchivescanning to "0" and re-run the deployment pipeline again using the Updated config DSC config the policy is not updated. No errors are reported in the pipeline but I get the following error when I view the Event logs on the deployment agent:
{ Response status code does not indicate success: BadRequest (Bad Request). } \ at Update-IntuneDeviceConfigurationPolicy, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1129.1\DscResources\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1: line 1658
\ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.1129.1\DscResources\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1: line 898
Microsoft 365 DSC Version
1.23.1129.1
Which workloads are affected
Endpoint security | Antivirus
The DSC configuration
Verbose logs showing the problem
Environment Information + PowerShell Version
No response