From 727843e3ccdcbf8b0a238aec076586333f9455c9 Mon Sep 17 00:00:00 2001 From: Fabien Tschanz Date: Mon, 11 Nov 2024 20:09:30 +0100 Subject: [PATCH] Fix property naming and settings catalog handling --- CHANGELOG.md | 8 +++++ ...alAdministratorPasswordSolutionPolicy.psm1 | 10 +++---- ...nistratorPasswordSolutionPolicy.schema.mof | 2 +- ...T_IntuneSecurityBaselineMicrosoftEdge.psm1 | 30 +++++++++++++++++++ ...neSecurityBaselineMicrosoftEdge.schema.mof | 3 +- .../1-Create.ps1 | 2 +- .../2-Update.ps1 | 2 +- .../Modules/M365DSCDRGUtil.psm1 | 2 +- .../M365DSCIntuneSettingsCatalogUtil.psm1 | 3 +- 9 files changed, 51 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e122cdcfb..6c5c7d350b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,14 +2,22 @@ # UNRELEASED +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy + * Update property `PasswordAgeDays_AAD` to be lower-case. + FIXES [#5378](https://github.com/microsoft/Microsoft365DSC/issues/5378) (1/2) * IntuneAntivirusExclusionsPolicyMacOS * Initial release. * IntuneAntivirusPolicyWindows10SettingCatalog * Update properties to be upper-case. Fixes [#5373](https://github.com/microsoft/Microsoft365DSC/issues/5373) +* IntuneSecurityBaselineMicrosoftEdge + * Deprecate property `authschemes` and replace with `AuthSchemes_AuthSchemes` * M365DSCDRGUtil * Restrict CIM instance access to properties that appear multiple times. * Switch log type for not found Intune assignments to `Warning`. +* M365DSCIntuneSettingsCatalogUtil + * Add ADMX handling for `edge~httpauthentication_`. + FIXES [#5378](https://github.com/microsoft/Microsoft365DSC/issues/5378) (2/2) * DEPENDENCIES * Updated DSCParser to version 2.0.0.12. 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index 9a6140387a..b9fc29e2af 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 @@ -24,7 +24,7 @@ function Get-TargetResource [Parameter()] [System.Int32] [ValidateRange(7, 365)] - $PasswordAgeDays_AAD, + $passwordagedays_aad, [Parameter()] [System.Int32] @@ -118,7 +118,7 @@ function Get-TargetResource -ErrorAction Stop #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies + #Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' @@ -237,7 +237,7 @@ function Set-TargetResource [Parameter()] [System.Int32] [ValidateRange(7, 365)] - $PasswordAgeDays_AAD, + $passwordagedays_aad, [Parameter()] [System.Int32] @@ -324,7 +324,7 @@ function Set-TargetResource ) #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies + #Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' @@ -433,7 +433,7 @@ function Test-TargetResource [Parameter()] [System.Int32] [ValidateRange(7, 365)] - $PasswordAgeDays_AAD, + $passwordagedays_aad, [Parameter()] [System.Int32] 
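Review bot: `Confirm-M365DSCDependencies` is commented out in Get-TargetResource (hunk at -118) and again in Set-TargetResource (hunk at -324), and neither the commit subject nor the changelog entry mentions it, so it reads like a debugging leftover. The comment directly above each call still says it ensures the proper dependencies are installed, so both functions now proceed without that check while the comment claims otherwise. I would restore the line as `Confirm-M365DSCDependencies` in both places; if dropping it is intended, delete the call together with its comment and record the reason in the changelog. Both function bodies continue outside the hunks, and the corresponding call in Test-TargetResource is not visible here.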
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof
index 33aeb469d7..a3eb529bec 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof
@@ -17,7 +17,7 @@ class MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy : OMI [Write, Description("Description of the account protection local administrator password solution policy.")] String Description; [Write, Description("Assignments of the account protection local administrator password solution policy."), EmbeddedInstance("MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments")] String Assignments[]; [Write, Description("Configures which directory the local admin account password is backed up to. 0 - Disabled, 1 - Azure AD, 2 - AD"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] UInt32 BackupDirectory; - [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365")] UInt32 PasswordAgeDays_AAD; + [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365")] UInt32 passwordagedays_aad; [Write, Description("Configures the maximum password age of the managed local administrator account for Active Directory. Minimum - 1, Maximum - 365")] UInt32 PasswordAgeDays; [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account.")] Boolean PasswordExpirationProtectionEnabled; [Write, Description("Configures how many previous encrypted passwords will be remembered in Active Directory. Minimum - 0, Maximum - 12")] UInt32 AdEncryptedPasswordHistorySize; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 index c3b6e71fd2..35d258852e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 @@ -80,6 +80,10 @@ function Get-TargetResource [System.String] $authschemes, + [Parameter()] + [System.String] + $AuthSchemes_AuthSchemes, + [Parameter()] [ValidateSet('0', '1')] [System.String] @@ -338,6 +342,10 @@ function Set-TargetResource [System.String] $authschemes, + [Parameter()] + [System.String] + $AuthSchemes_AuthSchemes, + [Parameter()] [ValidateSet('0', '1')] [System.String] @@ -441,6 +449,13 @@ function Set-TargetResource $platforms = 'windows10' $technologies = 'mdm' + if ($BoundParameters.ContainsKey('authschemes')) + { + Write-Warning -Message "The parameter 'authschemes' is deprecated. Please use 'AuthSchemes_AuthSchemes' instead." + $BoundParameters['AuthSchemes_AuthSchemes'] = $BoundParameters['authschemes'] + $BoundParameters.Remove('authschemes') | Out-Null + } + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating an Intune Security Baseline Microsoft Edge with Name {$DisplayName}" @@ -589,6 +604,10 @@ function Test-TargetResource [System.String] $authschemes, + [Parameter()] + [System.String] + $AuthSchemes_AuthSchemes, + [Parameter()] [ValidateSet('0', '1')] [System.String] @@ -730,6 +749,17 @@ function Test-TargetResource } } + if ($PSBoundParameters.ContainsKey('authschemes')) + { + Write-Warning -Message "The parameter 'authschemes' is deprecated. Please use 'AuthSchemes_AuthSchemes' instead." + if ($PSBoundParameters['authschemes'] -ne $CurrentValues['AuthSchemes_AuthSchemes']) + { + $testResult = $false + } + $ValuesToCheck.Remove('authschemes') | Out-Null + $ValuesToCheck.Remove('AuthSchemes_AuthSchemes') | Out-Null + } + $ValuesToCheck.Remove('Id') | Out-Null $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck 
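Review bot: When a configuration supplies both `authschemes` and `AuthSchemes_AuthSchemes`, the block added to Set-TargetResource (hunk at -441) silently overwrites the new property with the deprecated one, and the block added to Test-TargetResource (hunk at -730) removes `AuthSchemes_AuthSchemes` from `$ValuesToCheck`, so the value given under the new name is neither applied nor compared. This property sets the HTTP authentication schemes Edge supports, so preferring the legacy value without notice can leave a different scheme list deployed than the one the configuration author reviewed. Copy the old value only when the new one is absent, `if (-not $BoundParameters.ContainsKey('AuthSchemes_AuthSchemes')) { $BoundParameters['AuthSchemes_AuthSchemes'] = $BoundParameters['authschemes'] }`, and in Test-TargetResource skip the legacy comparison and keep `AuthSchemes_AuthSchemes` in `$ValuesToCheck` when both names are bound. Both function bodies continue outside the hunks.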
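Review bot: The `$testResult = $false` assignment added to Test-TargetResource (hunk at -730) only reports drift if the code after the hunk does not reassign `$testResult` unconditionally; that code is outside the hunk, so this needs confirming against the full function. The mismatch is also recorded nowhere, which makes a failed compliance check on the authentication-scheme list hard to trace afterwards. I would add a line inside the inner `if`, for example `Write-Verbose -Message "Property 'authschemes' differs from the current value of 'AuthSchemes_AuthSchemes'."`, so the reason for the non-compliant result appears in the log.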
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof
index 8a9515e3d3..d8a2607bcb 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof
@@ -28,7 +28,8 @@ class MSFT_IntuneSecurityBaselineMicrosoftEdge : OMI_BaseResource [Write, Description("Force WebSQL to be enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WebSQLAccess; [Write, Description("Allow Basic authentication for HTTP (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String BasicAuthOverHttpEnabled; [Write, Description("Supported authentication schemes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftEdge_HTTPAuthentication_AuthSchemes; - [Write, Description("Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String authschemes; + [Write, Description("(Deprecated) - Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String authschemes; + [Write, Description("Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String AuthSchemes_AuthSchemes; [Write, Description("Allow user-level native messaging hosts (installed without admin permissions) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NativeMessagingUserLevelHosts; [Write, Description("Specifies whether to allow insecure websites to make requests to more-private network endpoints (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InsecurePrivateNetworkRequestsAllowed; [Write, Description("Show the Reload in Internet Explorer mode button in the toolbar (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerModeToolbarButtonEnabled; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 index 0e1d844cfc..6018fdbd85 100644 
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 @@ -34,7 +34,7 @@ Configuration Example } ); BackupDirectory = "1"; - PasswordAgeDays_AAD = 10; + passwordagedays_aad = 10; AdministratorAccountName = "Administrator"; PasswordAgeDays = 20; ApplicationId = $ApplicationId; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 index 08d2c88584..c67e11eee7 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 @@ -34,7 +34,7 @@ Configuration Example } ); BackupDirectory = "1"; - PasswordAgeDays_AAD = 15; # Updated Property + passwordagedays_aad = 15; # Updated Property AdministratorAccountName = "Administrator"; PasswordAgeDays = 20; ApplicationId = $ApplicationId; diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 1fa5f90e54..9e9392dc88 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -2480,7 +2480,7 @@ function Update-IntuneDeviceConfigurationPolicy 'settings' = $Settings } $body = $policy | ConvertTo-Json -Depth 20 - Write-Verbose -Message $body -Verbose + # Write-Verbose -Message $body -Verbose Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop } catch 
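Review bot: The `Write-Verbose -Message $body -Verbose` call in Update-IntuneDeviceConfigurationPolicy (hunk at -2480) is commented out rather than removed, which leaves dead code directly above the Graph request. Dropping the forced dump is the right direction, because `$body` is the full policy JSON and the explicit `-Verbose` switch wrote it to the verbose stream on every update regardless of the caller's preference; the line should simply be deleted. If the trace is still wanted for troubleshooting, `Write-Verbose -Message $body` without the `-Verbose` switch leaves it under the caller's control. The function body continues outside the hunk.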
diff --git a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 index 2888ff7ad7..465189fd7a 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 @@ -67,7 +67,7 @@ } # When there is no parent, we can't use the parent setting name to make the setting name unique - # Instead, we traverse up the OffsetUri. + # Instead, we traverse up the OffsetUri. if ($null -eq $parentSetting) { $settingResult = Get-UniqueSettingDefinitionNameFromMultipleMatches -SettingDefinition $SettingDefinition -SettingName $settingName -SettingsWithSameName $settingsWithSameName @@ -98,6 +98,7 @@ 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } + 'edge~httpauthentication*' { $settingName = $settingName.Replace('edge~httpauthentication', 'MicrosoftEdge_HTTPAuthentication') } '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') }
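Review bot: The new switch case `'edge~httpauthentication*'` (hunk at -98) has no delimiter after the prefix, while the changelog entry describes the handled prefix as `edge~httpauthentication_`, so the pattern is wider than what is documented and would also rewrite any other setting name that merely starts with the same characters. `'edge~httpauthentication_*'` would match the documented prefix only, assuming the affected definitions all carry the underscore. A one-line comment above the case saying why this ADMX prefix does not follow the `microsoft_edge~Policy~microsoft_edge~*` form would help the next maintainer. The switch statement begins and ends outside the hunk, so its matching mode is inferred from the sibling cases.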