IntuneDeviceRemediation: Assignments are exported without display name

[ricmestre]

Description of the issue

Just like IntuneAppConfigurationDevicePolicy the assignments are not being exported with display name, so even though I'm able to apply the scripts into another target tenant they don't have the assignments due to different Ids.

@FabienTschanz Could you please also check this one? EDIT: Looks like you used the same code on the other resources you created so they all share the same problem.

Microsoft 365 DSC Version

1.24.529.1

Which workloads are affected

Intune

The DSC configuration

IntuneDeviceRemediation "IntuneDeviceRemediation-WMI Health"
        {
            Assignments              = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterId = '00000000-0000-0000-0000-000000000000'
                    groupId = '5817c5d6-bb3b-4c75-83d7-938173627409'
                }
            );
            Credential               = $Credscredential;
            Description              = "Checks WMI health";
            DetectionScriptContent   = "REDACTED";
            DeviceHealthScriptType   = "deviceHealthScript";
            DisplayName              = "WMI Health";
            EnforceSignatureCheck    = $False;
            Ensure                   = "Present";
            Id                       = "1140f4fd-57c0-4ca5-8e45-82dd7132ddc1";
            Publisher                = "REDACTED";
            RemediationScriptContent = "";
            RoleScopeTagIds          = @("0");
            RunAs32Bit               = $True;
            RunAsAccount             = "system";
        }

Verbose logs showing the problem

N/A

Environment Information + PowerShell Version

N/A

[FabienTschanz]

You are correct, I didn't include the groupDisplayName. I will prepare a PR in the following weeks that on one side enables the groupDisplayName to be exported with a template in the DRG and add the functionality to all Intune policies where applicable.

[UcoLak61]

[ricmestre]

@FabienTschanz I just tested to deploy this resource into another tenant and then update it and it looks good except for the assignments, so is not only not exporting groupDisplayName but the assignments cannot also be applied.

Please note that since it doesn't support groupDisplayName yet I'm using a groupId of an existing group in the tenant, I'm using exactly that same groupId in an assignment for IntuneDiskEncryptionMacOS, which also doesn't support groupDisplayName, and it's working for that one so it's not a problem with the group's Id.

[FabienTschanz]

@ricmestre Currently working on a PR that switches all Intune resources to ConvertFrom-IntuneAssignment and ConvertTo-IntuneAssignment. Will have a look at the remediations too.

[FabienTschanz]

@ricmestre Found the issue... It's unbelievable but I already goofed up again on a resource. Guess I need to add a check if the Intune assignment update was ok, otherwise I will always believe that it was done correctly. But that's another story.

[ricmestre]

That's why I've created my own integration tests pipeline which creates/updates/removes the resources, since I cannot rely on the tests being done in this repo because they're not being looked at.

That's how I caught the problem on this resource because after each action I always verify the result with Test-DscConfiguration and this one returned $false, upon checking the only thing that differed was indeed the Assignments.

EDIT: When I can, maybe later today, I'll test your 2 resources for the PlatformScripts, IntuneAppConfigurationDevicePolicy and IntuneDiskEncryptionMacOS I already tested and are working fine. If I can be a little bit picky IntuneDiskEncryptionMacOS could have the check below only applied to creation and updates since it's not required for removals, I've also noticed this in my tests because for removals I only test the very minimal set of properties required to remove the resources.

Microsoft365DSC/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDiskEncryptionMacOS/MSFT_IntuneDiskEncryptionMacOS.psm1

Line 316 in 399a7a0

if (-not $AllowDeferralUntilSignOut)

[ricmestre]

@FabienTschanz FYI, just tested your last 2 resources now, IntuneDeviceConfigurationPlatformScriptWindows works without issues for creation/update/removal but IntuneDeviceConfigurationPlatformScriptMacOS everything works ok as well except for Assignments just as for IntuneDeviceRemediation.

Sure enough by using common code on all these resources on your next PR as you mentioned then this problem will go away.

[FabienTschanz]

@ricmestre Thanks a bunch for the information, I will have a look at that one as well. Will update the IntuneDiskEncryptionMacOS as soon as I find time.