IntuneSettingCatalogCustomPolicyWindows10 : Bug: It duplicates the existing policy instead of just updating it.

[CovidtheDog2024]

Description of the issue

Resource : IntuneSettingCatalogCustomPolicyWindows10
Error : It duplicates the existing policy instead of updating it. Based on our investigation, the query Get-MgBetaDeviceManagementConfigurationPolicy only shows the first 25 policies. If the policy you’re updating is not found in the query, the system will create it, assuming the policy does not exist.”

Microsoft 365 DSC Version

1.24.904.1

Which workloads are affected

Intune

The DSC configuration

IntuneSettingCatalogCustomPolicyWindows10 "IntuneSettingCatalogCustomPolicyWindows10-AllUSB26"
        {
            Assignments          = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    groupDisplayName = 'IntuneGroup'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = '40855b83-24ad-41b5-86c2-xxxxxxxxxx'
                }       
            );
            Credential           = $Credscredential;
            Description          = "";
            Ensure               = "Present";
            Id                   = "e6bb385e-4cc4-4733-a7be-xxxxxxxxxx";
            Name                 = "AllUSB26";
            Platforms            = "windows10";
            Settings             = @(
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Value = 'device_vendor_msft_defender_configuration_disablecputhrottleonidlescans_0'
                        }
                        SettingDefinitionId = 'device_vendor_msft_defender_configuration_disablecputhrottleonidlescans'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }

                }
 
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Value = 'device_vendor_msft_defender_configuration_hideexclusionsfromlocaladmins_1'
                        }
                        SettingDefinitionId = 'device_vendor_msft_defender_configuration_hideexclusionsfromlocaladmins'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }
                }
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Value = 'device_vendor_msft_policy_config_deviceguard_lsacfgflags_2'
                        }
                        SettingDefinitionId = 'device_vendor_msft_policy_config_deviceguard_lsacfgflags'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }
                }
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Value = 'device_vendor_msft_policy_config_deviceguard_enablevirtualizationbasedsecurity_1'
                        }
                        SettingDefinitionId = 'device_vendor_msft_policy_config_deviceguard_enablevirtualizationbasedsecurity'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }

                }
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Value = 'device_vendor_msft_policy_config_microsoft_edgev122~policy~microsoft_edge_enhancesecuritymodeallowuserbypass_0'
                        }
                        SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev122~policy~microsoft_edge_enhancesecuritymodeallowuserbypass'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }

                }
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Value = 'device_vendor_msft_policy_config_microsoft_edgev121~policy~microsoft_edge~typosquattingchecker_preventtyposquattingpromptoverride_1'
                        }
                        SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev121~policy~microsoft_edge~typosquattingchecker_preventtyposquattingpromptoverride'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }
                }
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Value = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_rendererappcontainerenabled_1'
                        }
                        SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_rendererappcontainerenabled'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }

                }
                MSFT_MicrosoftGraphdeviceManagementConfigurationSetting{
                    SettingInstance = MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                        choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                            Children = @(
                                MSFT_MicrosoftGraphDeviceManagementConfigurationSettingInstance{
                                    choiceSettingValue = MSFT_MicrosoftGraphDeviceManagementConfigurationChoiceSettingValue{
                                        Value = 'device_vendor_msft_policy_config_microsoft_edgev98.1~policy~microsoft_edge_enhancesecuritymode_enhancesecuritymode_2'
                                    }
                                    SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev98.1~policy~microsoft_edge_enhancesecuritymode_enhancesecuritymode'
                                    odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                                }
                            )
                            Value = 'device_vendor_msft_policy_config_microsoft_edgev98.1~policy~microsoft_edge_enhancesecuritymode_1'
                        }
                        SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev98.1~policy~microsoft_edge_enhancesecuritymode'
                        odataType = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance'
                    }
                }
            );
            Technologies         = "mdm";
        }
    }
}

Verbose logs showing the problem

VERBOSE: [myVM]:                            [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26] Could not
find an Intune Setting Catalog Custom Policy for Windows10 with Name {AllUSB26}
VERBOSE: [myVM]:                            [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26]
Test-TargetResource returned False
VERBOSE: [myVM]: LCM:  [ End    Test     ]  [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26]  in 2.1630
seconds.
VERBOSE: [myVM]: LCM:  [ Start  Set      ]  [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26]
VERBOSE: [myVM]:                            [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26] Could not
find an Intune Setting Catalog Custom Policy for Windows10 with Id {c45e6e22-43cc-4040-a151-6099dc6e2c61}
VERBOSE: [myVM]:                            [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26] Could not
find an Intune Setting Catalog Custom Policy for Windows10 with Name {AllUSB26}
VERBOSE: [myVM]:                            [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26] Creating an
Intune Setting Catalog Custom Policy for Windows10 with Name {}
VERBOSE: [myVM]: LCM:  [ End    Set      ]  [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26]  in 4.9830
seconds.
VERBOSE: [myVM]: LCM:  [ End    Resource ]  [[IntuneSettingCatalogCustomPolicyWindows10]IntuneSettingCatalogCustomPolicyWindows10-[AllUSB26]
WARNING: Falling back to the previous MOF file or system defaults because the meta configuration mof does not exist or has either been corrupted or an
invalid mof property has been set.
VERBOSE: [myVM]: LCM:  [ End    Set      ]
VERBOSE: [myVM]: LCM:  [ End    Set      ]    in  111.2360 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 112.621 seconds

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Enterprise
OsOperatingSystemSKU : EnterpriseEdition
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.22621.4111
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.22621.4111
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion

[ricmestre]

@FabienTschanz I'll be busy today to fix this so if you can beat me to it could you please ensure that the resources below call Get-MgBetaDeviceManagementConfigurationPolicy with parameter -All in their Export method?

MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy
MSFT_IntuneAccountProtectionLocalUserGroupMembershipPolicy
MSFT_IntuneAntivirusPolicyWindows10SettingCatalog
MSFT_IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager
MSFT_IntuneDiskEncryptionWindows10
MSFT_IntuneEndpointDetectionAndResponsePolicyLinux
MSFT_IntuneEndpointDetectionAndResponsePolicyMacOS
MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10
MSFT_IntuneExploitProtectionPolicyWindows10SettingCatalog
MSFT_IntuneSettingCatalogASRRulesPolicyWindows10
MSFT_IntuneSettingCatalogCustomPolicyWindows10

EDIT: Just checked MSFT_IntuneSettingCatalogCustomPolicyWindows10 which is the affected resource reported here, and at least this one already exports the policies with parameter -All, if you're then trying to change a specific policy of that list it tries to find it first by Id and if still cannot find it searches by DisplayName in this case the limit of 25 policies doesn't come into play so it must be some other problem.

[FabienTschanz]

@CovidtheDog2024 There are at least two policies in your Intune environment with the name USB26. Please check and remove either rename or delete the second instance of that policy. If you take a look at the event viewer --> Application and Services Logs --> M365DSC, there should be multiple entries that say the following: Error retrieving data: { Error: The displayName {USB26} is not unique in the tenant. Ensure the display Name is unique for this type of resource. }

@ricmestre PR open #5094. Also, the other resources you mentioned all use the -All switch parameter to export all resources 👍

[CovidtheDog2024]

Hi @FabienTschanz @NikCharlebois
Duplicate issue still persists on releases 1.24.1002.1 and 1.24.1016.1.

[FabienTschanz]

@CovidtheDog2024 Did you check for a second policy with the name USB26? There most likely is one, resulting in the creation of a new policy every time you use Microsoft365DSC.

[gavinliu0]

I'm am also seeing this issue and the problem is this line missing the -All swtich.

Microsoft365DSC/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSettingCatalogCustomPolicyWindows10/MSFT_IntuneSettingCatalogCustomPolicyWindows10.psm1

Line 113 in 99947f3

-Filter "Name eq '$Name' and Platforms eq 'windows10' and Technologies eq 'mdm' and TemplateReference/TemplateFamily eq 'none'" `

There is NO error about duplicates. DSC deploys successfully and each time creates a duplicate. This only happens when there are over 25 IntuneSettingCatalogCustomPolicyWindows10 policy settings. This can be reproduced by creating multiple IntuneSettingCatalogCustomPolicyWindows10 policy items like the following

settings-1
settings-2
settings-3
...
settings-30

Then run the line in the above mentioned code with $Name = 'settings-30'

 Get-MgBetaDeviceManagementConfigurationPolicy `
                    -Filter "Name eq '$Name' and Platforms eq 'windows10' and Technologies eq 'mdm' and TemplateReference/TemplateFamily eq 'none'" `
                    -ErrorAction SilentlyContinue

This will return no results due to the pagination problem which is overcome by passing the -All switch per the documentation.

Running the above line again with an added -All like

 Get-MgBetaDeviceManagementConfigurationPolicy `
                    -Filter "Name eq '$Name' and Platforms eq 'windows10' and Technologies eq 'mdm' and TemplateReference/TemplateFamily eq 'none'" `
                    -ErrorAction SilentlyContinue `
                    -All

Will return the correct results.

[FabienTschanz]

@gavinliu0 Thank you for the clarification. There was no information indicating that there are multiple policies and that the pagination was limiting the amount of results. I will open a PR to address it.

[CovidtheDog2024]

Hi @FabienTschanz,

Thank you very much! We no longer encounter the duplicate policy issue using version 1.24.1113.1.