IntuneAntivirusPolicyWindows10SettingCatalog not applying all config, policy is being created but missing settings

[Cyanic-Cloud]

Description of the issue

I am deploying the following code within an Azure DevOps pipeline, I ran an export of Intune Settings and used this as my baseline but noticed after running compliancy checks that they were failing as the bottom 4 settings are not deployed.

IntuneAntivirusPolicyWindows10SettingCatalog "IntuneAntivirusPolicyWindows10SettingCatalog-Baseline - Default Microsoft Defender Antivirus Policy - Windows"
{
allowarchivescanning = "1";
allowbehaviormonitoring = "1";
allowcloudprotection = "1";
allowfullscanonmappednetworkdrives = "1";
allowfullscanremovabledrivescanning = "1";
allowintrusionpreventionsystem = "1";
allowioavprotection = "1";
allowrealtimemonitoring = "1";
allowscanningnetworkfiles = "1";
allowscriptscanning = "1";
allowuseruiaccess = "0";
ApplicationId = $ApplicationId
Assignments = @();
avgcpuloadfactor = 30;
CertificateThumbprint = $Thumbprint
checkforsignaturesbeforerunningscan = "1";
cloudblocklevel = "0";
Description = "";
disablecatchupfullscan = "1";
disablecatchupquickscan = "1";
DisplayName = "Baseline - Default Microsoft Defender Antivirus Policy - Windows";
enablelowcpupriority = "1";
enablenetworkprotection = "2";
Ensure = "Present";
excludedextensions = @("EVT","EVTX","LOG","OST","PST");
excludedprocesses = @("Pagefile.sys");
Identity = "de641d66-bf4b-4298-b2b5-0585a76b7295";
puaprotection = "1";
realtimescandirection = "1";
scanparameter = "2";
schedulequickscantime = 120;
schedulescanday = "6";
templateId = "804339ad-1553-4478-a742-138fb5807418_1";
TenantId = $TenantId
}

All settings seem to apply ok apart from the following:

     realtimescandirection              = "1";
    scanparameter                         = "2";
    schedulequickscantime            = 120;
    schedulescanday                     = "6";
    
    I  should note no errors are found within the logs in the Azure DevOps pipeline, the code simply doesnt apply to the tenant.

######################################################################################

I noticed this error within event logs:

Error updating data:

{ Response status code does not indicate success: BadRequest (Bad Request). } \ at Update-IntuneDeviceConfigurationPolicy, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.920.2\DscResources\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1: line 1656
\ at Set-TargetResource, C:\Program Files\WindowsPowerShell\Modules\Microsoft365DSC\1.23.920.2\DscResources\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog\MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1: line 898

Within the following function MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 it contains another function named Update-IntuneDeviceConfigurationPolicy, within this function it has its method set to PUT instead of PATCH.

Please can you confirm if this is expected. According to the Microsoft Docs it should be PATCH.

https://learn.microsoft.com/en-us/graph/api/intune-deviceconfigv2-devicemanagementconfigurationpolicy-update?view=graph-rest-beta

Microsoft 365 DSC Version

1.23.920.2

Which workloads are affected

other

The DSC configuration

No response

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response

[offprem-cloud]

Hi there,

We seem to be having the same problem here.
using same version 1.23.920.2 and on latest

[Cyanic-Cloud]

I also tempted to upgrade to the most recent version on the off chance it would resolve the issue but unfortunately not, any help with this issue would be great, thanks in advance.

Regards
Stephen

[jeffreycloudlife]

I found the root cause of this bug. MSFT_IntuneAntivirusPolicyWindows10SettingCatalog gets settings from the Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate cmdlet. The output from this, only contains 25 results. When adding the "-All" parameter, it will output all parameters, which for the MDE Anti-virus policy, was much needed.

These parameters were missing from the current method:

List of missing parameters (unformatted)

False device_vendor_msft_policy_config_defender_realtimescandirection f5ff00a4-e5c7-44cf-a650-9c7619ff1561
False device_vendor_msft_policy_config_defender_scanparameter 27ca2652-46f3-4cc7-83f2-bf85ff722d84
False device_vendor_msft_policy_config_defender_schedulequickscantime 784a4af1-33fa-45f2-b945-138b7ff3bcb6
False device_vendor_msft_policy_config_defender_schedulescanday 087d3362-7e78-4983-96bc-1f4ea183f0e4
False device_vendor_msft_policy_config_defender_schedulescantime 66d36baa-74ee-498d-958a-af477008c850
False device_vendor_msft_policy_config_defender_signatureupdatefallbackorder cce4b3e7-b1a5-42a0-ab91-3bb8c68cc670
False device_vendor_msft_policy_config_defender_signatureupdatefilesharessources f8f4d6fc-dcb4-4bf8-b1fb-88942d05bdc8
False device_vendor_msft_policy_config_defender_signatureupdateinterval 89879f27-6b7d-44d4-a08e-0a0de3e9663d
False device_vendor_msft_policy_config_defender_submitsamplesconsent bc47ce7d-a251-4cae-a8a2-6e8384904ab7
False device_vendor_msft_defender_configuration_disablelocaladminmerge 5f9a9c65-dea7-4987-a5f5-b28cfd9762ba
False device_vendor_msft_policy_config_defender_allowonaccessprotection afbc322b-083c-4281-8242-ebbb91398b41
False device_vendor_msft_policy_config_defender_threatseveritydefaultaction f6394bc5-6486-4728-b510-555f5c161f2b
False device_vendor_msft_defender_configuration_allownetworkprotectiondownlevel d7342aaf-833d-4afc-92d6-e9621256a3cc
False device_vendor_msft_defender_configuration_allowdatagramprocessingonwinserver 69fa7ce4-6cd8-4699-aff7-024a889c25ce
False device_vendor_msft_defender_configuration_disablednsovertcpparsing 522811d2-c99e-4e6d-9cf5-36779498aec6
False device_vendor_msft_defender_configuration_disablehttpparsing 662abd23-4077-4b4b-a305-7f104ef28beb
False device_vendor_msft_defender_configuration_disablesshparsing f092fb32-a546-4111-a4d0-cd9f57787fd7
False device_vendor_msft_defender_configuration_disabletlsparsing b806c934-b19f-40b5-8d87-36117976c161
False device_vendor_msft_defender_configuration_enablednssinkhole c2d4039a-b57e-41df-9e2a-23ace9b51972
False device_vendor_msft_defender_configuration_engineupdateschannel 0d762a6b-9301-457c-b47b-47466280e681
False device_vendor_msft_defender_configuration_meteredconnectionupdates 7e3aaffb-309f-46de-8cd7-25c1a3b19e5b
False device_vendor_msft_defender_configuration_platformupdateschannel 737b828d-17ee-4c6a-ac43-206faea94220
False device_vendor_msft_defender_configuration_securityintelligenceupdateschannel 368be8ef-11aa-4c0d-919f-d6ed16bc6950

This specific line is the culprit:

Microsoft365DSC/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1

Line 1798 in 6243d91

$templateSettings = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $templateReferenceId

Going to throw in a pull request to fix this.

[Cyanic-Cloud]

Thanks @jeffreycloudlife , much appreciated, I wonder when this change will be pushed?

[Cyanic-Cloud]

I made the suggested change manually within the module and it worked for the example above that was previously not applying correctly but then failed when attempting to create policies that previously created without issue, please see example policy if you'd like to test on your end @jeffreycloudlife ?

IntuneAntivirusPolicyWindows10SettingCatalog "IntuneAntivirusPolicyWindows10SettingCatalog-Baseline - MDE - Microsoft Defender AUDIT ONLY (SERVER)"
{
    allowarchivescanning                = "1";
    allowbehaviormonitoring             = "1";
    allowcloudprotection                = "1";
    allowemailscanning                  = "1";
    allowfullscanonmappednetworkdrives  = "1";
    allowfullscanremovabledrivescanning = "1";
    allowintrusionpreventionsystem      = "1";
    allowioavprotection                 = "1";
    allowonaccessprotection             = "1";
    allowrealtimemonitoring             = "1";
    allowscanningnetworkfiles           = "1";
    allowscriptscanning                 = "1";
    allowuseruiaccess                   = "0";
    ApplicationId                       = $ApplicationId
    Assignments                         = @();
    avgcpuloadfactor                    = 30;
    CertificateThumbprint               = $Thumbprint
    checkforsignaturesbeforerunningscan = "1";
    cloudblocklevel                     = "0";
    Description                         = "Cloned policy from MDE - Microsoft Defender AUDIT ONLY";
    disablecatchupfullscan              = "1";
    disablecatchupquickscan             = "1";
    DisplayName                         = "Baseline - MDE - Microsoft Defender AUDIT ONLY (SERVER)";
    enablelowcpupriority                = "1";
    enablenetworkprotection             = "2";
    Ensure                              = "Present";
    highseveritythreats                 = "allow";
    Identity                            = "6e00f3f4-6d64-485c-931b-4e7ac62eb4a4";
    lowseveritythreats                  = "allow";
    moderateseveritythreats             = "allow";
    puaprotection                       = "2";
    realtimescandirection               = "0";
    scanparameter                       = "2";
    severethreats                       = "allow";
    submitsamplesconsent                = "1";
    templateId                          = "804339ad-1553-4478-a742-138fb5807418_1";
    TenantId                            = $TenantId
}

ERROR message below:

2023-10-16T21:00:09.3402069Z "settingInstanceTemplateId": "f55b8c9c-d831-460e-a041-e47e29f2aa17"
2023-10-16T21:00:09.4008960Z ##[error]Cannot bind argument to parameter 'DeviceConfigurationPolicyId' because it is an empty string.
+ CategoryInfo : InvalidData: (:) [], CimException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,Update-DeviceConfigurationPolicyAs
signment
+ PSComputerName : localhost
2023-10-16T21:00:09.4021734Z
2023-10-16T21:00:09.4022165Z
2023-10-16T21:00:09.4022474Z },
2023-10-16T21:00:09.4022613Z
2023-10-16T21:00:09.4022892Z
2023-10-16T21:00:09.4026150Z "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
2023-10-16T21:00:09.4032800Z
2023-10-16T21:00:09.4042271Z
2023-10-16T21:00:09.4050729Z "choiceSettingValue": {
2023-10-16T21:00:09.4105199Z
2023-10-16T21:00:09.4113619Z
2023-10-16T21:00:09.4123063Z "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue",
2023-10-16T21:00:09.4129436Z
2023-10-16T21:00:09.4180045Z ##[error]The PowerShell DSC resource
'[IntuneAntivirusPolicyWindows10SettingCatalog]IntuneAntivirusPolicyWindows10SettingCatalog-Baseline - MDE - Microsoft
Defender AUDIT ONLY::[Intune]Intune_Configuration' with SourceInfo 'C:\Agent_work\1\s\M365Config\0.0.1\DSCResources\In
tune\Intune.schema.psm1::131::5::IntuneAntivirusPolicyWindows10SettingCatalog' threw one or more non-terminating
errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called
2023-10-16T21:00:09.4195326Z
2023-10-16T21:00:09.4211142Z "children": [
2023-10-16T21:00:09.4211923Z
2023-10-16T21:00:09.4219093Z
2023-10-16T21:00:09.4234348Z
2023-10-16T21:00:09.4272442Z ##[error]Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
+ CategoryInfo : InvalidOperation: (:) [], CimException
+ FullyQualifiedErrorId : NonTerminatingErrorFromProvider
+ PSComputerName : localhost
2023-10-16T21:00:09.4289136Z
2023-10-16T21:00:09.4297528Z ],
2023-10-16T21:00:09.4305361Z
2023-10-16T21:00:09.4316930Z
2023-10-16T21:00:09.4329981Z "value":
2023-10-16T21:00:09.4338027Z "device_vendor_msft_policy_config_defender_threatseveritydefaultaction_highseveritythreats_allow"
2023-10-16T21:00:09.4346996Z
2023-10-16T21:00:09.4359160Z
2023-10-16T21:00:09.4375691Z }

[jeffreycloudlife]

Hi @Cyanic-Cloud

Thanks @jeffreycloudlife , much appreciated, I wonder when this change will be pushed?

Nik already looked at it, so I assume in the next release or the one after that.

I made the suggested change manually within the module and it worked for the example above that was previously not applying correctly but then failed when attempting to create policies that previously created without issue, please see example policy if you'd like to test on your end @jeffreycloudlife ?

I can reproduce your problem, but I can't find what's causing it. I tried several changes, but could not find the value that caused this. I also did an export and deploy of a fresh policy, which also worked. We do have different parameters set, so I would have to troubleshoot which parameter is giving errors. I will also tell Nik to also check and maybe keep the PR on pause for now.

[jeffreycloudlife]

To be complete - it might be an issue with the new parameters that are available. It does not seem to do a successful API request for the Policy creation (and update? did not test that), then it fails on processing the assignments, as it does not get a DeviceConfigurationPolicyID back from the earlier API request.

[Cyanic-Cloud]

Thanks for checking Jeffrey, in the meantime if there any changes or tests you'd like me to try please let me know, keen to help in getting this sorted.

Regards
Stephen