BUG: IntuneDeviceCompliancePolicyWindows10: System.Collections.Generic.Dictionary

[CovidtheDog2024]

Description of the issue

Workload: Intune
Resource : IntuneDeviceCompliancePolicyWindows10
Parameter : DeviceCompliancePolicyScript

Error : Unable to Compile the Configuration because of error : System.Collections.Generic.Dictionary`2[System.String,System.O

Microsoft 365 DSC Version

1.24.1127.1

Which workloads are affected

Intune

The DSC configuration

IntuneDeviceCompliancePolicyWindows10 "IntuneDeviceCompliancePolicyWindows10-TestCompliancePolicyWindows10"
        {
            ActiveFirewallRequired                      = $False;
            AntiSpywareRequired                         = $False;
            AntivirusRequired                           = $False;
            Assignments                                 = @();
            BitLockerEnabled                            = $False;
            CodeIntegrityEnabled                        = $False;
            ConfigurationManagerComplianceRequired      = $False;
            Credential                                  = $Credscredential;
            DefenderEnabled                             = $False;
            Description                                 = "TestCompliancePolicyWindows10";
            DeviceCompliancePolicyScript                = System.Collections.Generic.Dictionary`2[System.String,System.Object];
            DeviceThreatProtectionEnabled               = $False;
            DeviceThreatProtectionRequiredSecurityLevel = "unavailable";
            DisplayName                                 = "TESTCompliancePolicyWindows10";
            EarlyLaunchAntiMalwareDriverEnabled         = $False;
            Ensure                                      = "Present";
            PasswordBlockSimple                         = $False;
            PasswordRequired                            = $False;
            PasswordRequiredToUnlockFromIdle            = $False;
            TpmRequired                                 = $False;
        }

Verbose logs showing the problem

PS C:\test> C:\test\M365TenantConfig.ps1 -Credential $Credential
At C:\test\M365TenantConfig.ps1:46 char:112
+ ...      = System.Collections.Generic.Dictionary`2[System.String,System.O ...
+                                                                 ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingArgument

Environment Information + PowerShell Version

OsName               : Microsoft Windows 11 Pro
OsOperatingSystemSKU : 48
OsArchitecture       : 64-bit
WindowsVersion       : 2009
WindowsBuildLabEx    : 22621.1.amd64fre.ni_release.220506-1250
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Key   : PSVersion
Value : 5.1.22621.4111
Name  : PSVersion

Key   : PSEdition
Value : Desktop
Name  : PSEdition

Key   : PSCompatibleVersions
Value : {1.0, 2.0, 3.0, 4.0...}
Name  : PSCompatibleVersions

Key   : BuildVersion
Value : 10.0.22621.4111
Name  : BuildVersion

Key   : CLRVersion
Value : 4.0.30319.42000
Name  : CLRVersion

Key   : WSManStackVersion
Value : 3.0
Name  : WSManStackVersion

Key   : PSRemotingProtocolVersion
Value : 2.3
Name  : PSRemotingProtocolVersion

Key   : SerializationVersion
Value : 1.1.0.1
Name  : SerializationVersion

[ricmestre]

I just replicated this issue.

DeviceCompliancePolicyScript must be converted from String to CIM instance since it's an complex object, then Graph only returns the Id of the script so we must also add DisplayName and search for it if it can't be found by Id (cloning tenant scenario) and the rules content in base64 must be decoded to JSON.

The property DeviceCompliancePolicyScript has been added 3 years ago and no one ever complained about this not working which means no one is using compliance scripts so I don't consider this a breaking change, if I have time I'll look into it this week.

[ricmestre]

@FabienTschanz Seems I won't have time for this after all, I'll be busy creating tests for resources from AAD workload. Is this something you can look at? There's also the fact that the schedule actions for rule were never properly added, there's only a default one being added in order to be able to create the policy, probably it's easier to start fresh and generate the resource again through DRG since this is an oldie?

You can use the examples for the script and json rules from the site below [0] if you don't already have them.

[0] https://jannikreinhard.com/2023/02/26/how-to-use-custom-compliance-script-example-script/

[FabienTschanz]

@ricmestre I'll take a look at it.

[FabienTschanz]

@ricmestre I have a version that is a bit rough around the edges but seems to do the job of exporting. Test and Set are currently in implementation, but I think there are some changes necessary in ReverseDSC to make it work. Especially the RulesContent property that contains the json value of the rules we specify is giving me a headache because it's removing escaped quotes in a single string instance. What a pain 😓

I'll give an update once I'm done with it.