IntuneASRRulesPolicyWindows10: Incorrect set of possible values for properties EmailContentExecutionType and UntrustedExecutableType #3434

Closed
ricmestre opened this issue Jul 5, 2023 · 5 comments · Fixed by #3435
Labels
Bug Something isn't working Intune

Comments

@ricmestre
Contributor

Details of the scenario you tried and the problem that is occurring

One of my Attack Surface Reduction policies has the property EmailContentExecutionType set to warn which gets exported into a blueprint without issues, but when trying to compile it into a MOF it fails due to incorrect possible values in both its schema and the module, even though the current possible values don't even match between them.

Verbose logs showing the problem

##[error]The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: At least one of the values 'warn' is not supported or valid for property 'EmailContentExecutionType' on class 'IntuneASRRulesPolicyWindows10'. Please specify only supported values:
notConfigured, block, auditMode, userDefined, disable.

##[error]PowerShell exited with code '1'.

Suggested solution to the issue

Change possible values of property EmailContentExecutionType in both schema and module, and make sure they both match, which are 'notConfigured', 'block', 'auditMode', 'warn', 'disable'

The DSC configuration that is used to reproduce the issue (as detailed as possible)

        IntuneASRRulesPolicyWindows10 "IntuneASRRulesPolicyWindows10-REDACTED"
        {
            AdobeReaderLaunchChildProcess                   = "notConfigured";
            AdvancedRansomewareProtectionType               = "notConfigured";
            ApplicationId                                   = $ConfigurationData.NonNodeData.ApplicationId;
            Assignments                                     = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId = 'REDACTED'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = 'REDACTED'
                }
            );
            BlockPersistenceThroughWmiType                  = "auditMode";
            CertificateThumbprint                           = $ConfigurationData.NonNodeData.CertificateThumbprint;
            DisplayName                                     = "REDACTED";
            EmailContentExecutionType                       = "warn";
            Ensure                                          = "Present";
            GuardMyFoldersType                              = "auditMode";
            Identity                                        = "REDACTED";
            OfficeAppsExecutableContentCreationOrLaunchType = "auditMode";
            OfficeAppsLaunchChildProcessType                = "auditMode";
            OfficeAppsOtherProcessInjectionType             = "auditMode";
            OfficeCommunicationAppsLaunchChildProcess       = "auditMode";
            OfficeMacroCodeAllowWin32ImportsType            = "auditMode";
            PreventCredentialStealingType                   = "notConfigured";
            ProcessCreationType                             = "userDefined";
            ScriptDownloadedPayloadExecutionType            = "auditMode";
            ScriptObfuscatedMacroCodeType                   = "auditMode";
            TenantId                                        = $OrganizationName;
            UntrustedExecutableType                         = "warn";
            UntrustedUSBProcessType                         = "userDefined";
        }

The operating system the target node is running

Win10

Version of the DSC module that was used ('dev' if using current dev branch)

1.23.628.1
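
One way to catch this kind of drift before compile time, as an added example that is not part of the issue or of the project's own code: parse the `ValueMap` of each property in a resource's schema.mof and the `ValidateSet` of the same parameter in its .psm1, then report every property whose two sets differ. Both sample texts are constructed for illustration, and the three function names are hypothetical.

```powershell
# Constructed samples, not the project's real files (schema.mof lines and .psm1 parameters).
$schemaText = @'
[Write, ValueMap{"notConfigured","block","auditMode","userDefined","disable"}, Values{"notConfigured","block","auditMode","userDefined","disable"}] String EmailContentExecutionType;
[Write, ValueMap{"notConfigured","block","auditMode","warn","disable"}, Values{"notConfigured","block","auditMode","warn","disable"}] String GuardMyFoldersType;
'@
$moduleText = @'
function Set-TargetResource {
    param (
        [ValidateSet('notConfigured', 'block', 'auditMode', 'warn', 'disable')] [System.String] $EmailContentExecutionType,
        [ValidateSet('notConfigured', 'block', 'auditMode', 'warn', 'disable')] [System.String] $GuardMyFoldersType
    )
}
'@

function Get-SchemaValueMap {      # hypothetical helper: property name -> ValueMap entries
    param([string]$Text)
    $map = @{}
    foreach ($m in [regex]::Matches($Text, 'ValueMap\s*\{(?<values>[^}]*)\}[^;]*?\s(?<name>\w+)\s*;')) {
        $map[$m.Groups['name'].Value] = @([regex]::Matches($m.Groups['values'].Value, '"([^"]*)"') | ForEach-Object { $_.Groups[1].Value })
    }
    $map
}

function Get-ModuleValidateSet {   # hypothetical helper: parameter name -> ValidateSet entries
    param([string]$Text)
    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput($Text, [ref]$tokens, [ref]$errors)
    $map = @{}
    foreach ($p in $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.ParameterAst] }, $true)) {
        foreach ($a in $p.Attributes | Where-Object { $_ -is [System.Management.Automation.Language.AttributeAst] -and $_.TypeName.Name -eq 'ValidateSet' }) {
            $map[$p.Name.VariablePath.UserPath] = @($a.PositionalArguments | ForEach-Object { $_.Value })
        }
    }
    $map
}

function Compare-AllowedValues {   # hypothetical helper: emits one object per mismatching property
    param([hashtable]$Schema, [hashtable]$Module)
    foreach ($name in (@($Schema.Keys) + @($Module.Keys) | Sort-Object -Unique)) {
        # A property missing on one side becomes an empty set, so it is reported too.
        $s = @($Schema[$name] | Where-Object { $null -ne $_ })
        $m = @($Module[$name] | Where-Object { $null -ne $_ })
        $onlySchema = @($s | Where-Object { $_ -notin $m })
        $onlyModule = @($m | Where-Object { $_ -notin $s })
        if ($onlySchema.Count -or $onlyModule.Count) {
            [pscustomobject]@{ Property = $name; OnlyInSchema = $onlySchema -join ', '; OnlyInModule = $onlyModule -join ', ' }
        }
    }
}
Compare-AllowedValues (Get-SchemaValueMap $schemaText) (Get-ModuleValidateSet $moduleText)
```

For real files, pass the contents of the resource's schema.mof and .psm1 read with `Get-Content -Raw`.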

@ricmestre changed the title from "IntuneASRRulesPolicyWindows10: Incorrect set of possible values for property EmailContentExecutionType" to "IntuneASRRulesPolicyWindows10: Incorrect set of possible values for properties EmailContentExecutionType and UntrustedExecutableType" on Jul 5, 2023
@ricmestre
Contributor Author

ricmestre commented Jul 5, 2023

It seems that property UntrustedExecutableType is also affected, PR #3435 has been updated to fix that one as well.

Edit: There are more properties affected, currently checking all of them.

@andikrueger added the Bug and Intune labels on Jul 5, 2023
@andikrueger
Collaborator

cc/ @William-Francillette Are those possible values created manually or within the DRG?

@William-Francillette
Contributor

Nope those were created manually - I may have missed the warn value

@andikrueger
Collaborator

Thanks for the clarification. Is there any feasible option to get these values by using DRG or the Graph Metadata endpoint? They should be available somewhere :)

@William-Francillette
Contributor

William-Francillette commented Jul 5, 2023

yep, we can extract the values from the template definition - For the DRG, I'm working on settingCatalog right now but will be working on Intent when completed

Names of policy types are very confusing in Intune and too many types as well :D
