IntuneEndpointDetectionAndResponsePolicyWindows10: Throws exception if blob is empty

[ricmestre]

Description of the issue

@FabienTschanz Your commit b48abe0 is now causing an exception if blob is empty, we have a policy in our tenant where the configuration type is not set and therefore the blob is empty as well, so if I try to export and then apply that to another tenant it causes the exception [0] to be thrown.

It's arguable if you should be allowed to have a policy without configuration type, the thing is that is still possible through Intune admin portal, but even if you don't agree that should be possible, see [1] where this is not mentioned anywhere so I kind of agree, BUT you must not throw an exception if you set the type to auto from connector which never has a blob assigned so the condition must be changed to factor this in.

Additionally you need to change $($DSCParams.ConfigurationType) in the exception line since $DSCParams is empty.

[0] https://github.com/microsoft/Microsoft365DSC/blame/76cbfa8d2be39fbe6cef5cd5e69f75d84b077a17/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1#L296
[1] https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-edr-policy

Microsoft 365 DSC Version

1.24.1016.1

Which workloads are affected

Intune

The DSC configuration

    IntuneEndpointDetectionAndResponsePolicyWindows10 "IntuneEndpointDetectionAndResponsePolicyWindows10-IntuneEndpointDetectionAndResponsePolicyWindows10_1"
    {
        Assignments          = @();
        ConfigurationType    = "autofromconnector";
        Credential           = $Credscredential;
        Description          = "";
        DisplayName          = "IntuneEndpointDetectionAndResponsePolicyWindows10_1";
        Ensure               = "Present";
        Identity             = "83e155d5-f1f3-4ef9-9027-16cc24b22ae8";
        RoleScopeTagIds      = @("0");
        SampleSharing        = "1";
    }

Verbose logs showing the problem

PowerShell DSC resource MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10 failed to execute Set-TargetResource functionality with error message: ConfigurationBlob is required for configurationType ''

• CategoryInfo : InvalidOperation: (:) [], CimException
• FullyQualifiedErrorId : ProviderOperationExecutionFailure
• PSComputerName : localhost

Environment Information + PowerShell Version

Win11/PS5.1

[ricmestre]

@FabienTschanz See below, I've created a new policy with type set to auto from connector, there's no blob so this must not throw an exception.

PS C:\temp\dsc\IntuneEndpointDetectionAndResponsePolicyWindows10> $policySettings

Name Value

---

SampleSharing 1
ClientConfigurationPackageType autofromconnector
onboarding_fromconnector 15e4a02b-78c1-4af4-9b36-91ef0d71b834

[ricmestre]

Additionally changing the condition for the exception is not enough, this would never have worked. I've added a debug message to show me the contents of $BoundParameters, see below, which then gets me the Graph error message:

"device_vendor_msft_windowsadvancedthreatprotection_configurationtype: Selected Option device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboarding_fromconnector does not match with the list of expected options: device_vendor_msft_windowsadvancedthreatprotection_configurationtype_autofromconnector,device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboard,device_vendor_msft_windowsadvancedthreatprotection_configurationtype_offboard."

Assignments=()
ClientConfigurationPackageType=onboarding_fromconnector
Description= DisplayName=IntuneEndpointDetectionAndResponsePolicyWindows10_1
Identity=83e155d5-f1f3-4ef9-9027-16cc24b22ae8
onboarding_fromconnector=
RoleScopeTagIds=(0)
SampleSharing=1

[FabienTschanz]

@ricmestre I created #5254 which aims to address the issue. I currently don't have the infrastructure and capacity to test, but I think that's what should be changed here. Do you have the possibility to verify?