refactor: optimize Intune object comparison

Author: JohnDuprey

Modules/CIPPCore/Public/Compare-CIPPIntuneObject.ps1

@@ -340,6 +340,11 @@ function Compare-CIPPIntuneObject {
         }
     } else {
         $intuneCollection = Get-Content .\intuneCollection.json | ConvertFrom-Json -ErrorAction SilentlyContinue
+        # Build a hashtable index for O(1) lookups instead of O(n) Where-Object scans
+        $intuneCollectionIndex = @{}
+        foreach ($item in $intuneCollection) {
+            if ($item.id) { $intuneCollectionIndex[$item.id] = $item }
+        }
 
         # Recursive function to process group setting collections at any depth
         function Process-GroupSettingChildren {
@@ -349,13 +354,13 @@ function Compare-CIPPIntuneObject {
                 [Parameter(Mandatory = $true)]
                 [string]$Source,
                 [Parameter(Mandatory = $true)]
-                $IntuneCollection
+                $IntuneCollectionIndex
             )
 
             $results = [System.Collections.Generic.List[PSCustomObject]]::new()
 
             foreach ($child in $Children) {
-                $childIntuneObj = $IntuneCollection | Where-Object { $_.id -eq $child.settingDefinitionId }
+                $childIntuneObj = $IntuneCollectionIndex[$child.settingDefinitionId]
                 $childLabel = if ($childIntuneObj?.displayName) {
                     $childIntuneObj.displayName
                 } else {
@@ -367,7 +372,7 @@ function Compare-CIPPIntuneObject {
                         if ($child.groupSettingCollectionValue) {
                             foreach ($groupValue in $child.groupSettingCollectionValue) {
                                 if ($groupValue.children) {
-                                    $nestedResults = Process-GroupSettingChildren -Children $groupValue.children -Source $Source -IntuneCollection $IntuneCollection
+                                    $nestedResults = Process-GroupSettingChildren -Children $groupValue.children -Source $Source -IntuneCollectionIndex $IntuneCollectionIndex
                                     foreach ($nr in $nestedResults) { $results.Add($nr) }
                                 }
                             }
@@ -453,7 +458,7 @@ function Compare-CIPPIntuneObject {
 
                 # Also process any children within choice setting values
                 if ($child.choiceSettingValue?.children) {
-                    $nestedResults = Process-GroupSettingChildren -Children $child.choiceSettingValue.children -Source $Source -IntuneCollection $IntuneCollection
+                    $nestedResults = Process-GroupSettingChildren -Children $child.choiceSettingValue.children -Source $Source -IntuneCollectionIndex $IntuneCollectionIndex
                     foreach ($nr in $nestedResults) { $results.Add($nr) }
                 }
             }
@@ -464,14 +469,14 @@ function Compare-CIPPIntuneObject {
         # Process reference object settings
         $referenceItems = $ReferenceObject.settings | ForEach-Object {
             $settingInstance = $_.settingInstance
-            $intuneObj = $intuneCollection | Where-Object { $_.id -eq $settingInstance.settingDefinitionId }
+            $intuneObj = $intuneCollectionIndex[$settingInstance.settingDefinitionId]
             $tempOutput = switch ($settingInstance.'@odata.type') {
                 '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' {
                     if ($null -ne $settingInstance.groupSettingCollectionValue) {
                         $groupResults = [System.Collections.Generic.List[PSCustomObject]]::new()
                         foreach ($groupValue in $settingInstance.groupSettingCollectionValue) {
                             if ($groupValue.children -is [System.Array]) {
-                                $childResults = Process-GroupSettingChildren -Children $groupValue.children -Source 'Reference' -IntuneCollection $intuneCollection
+                                $childResults = Process-GroupSettingChildren -Children $groupValue.children -Source 'Reference' -IntuneCollectionIndex $intuneCollectionIndex
                                 foreach ($cr in $childResults) { $groupResults.Add($cr) }
                             }
                         }
@@ -536,14 +541,14 @@ function Compare-CIPPIntuneObject {
         # Process difference object settings
         $differenceItems = $DifferenceObject.settings | ForEach-Object {
             $settingInstance = $_.settingInstance
-            $intuneObj = $intuneCollection | Where-Object { $_.id -eq $settingInstance.settingDefinitionId }
+            $intuneObj = $intuneCollectionIndex[$settingInstance.settingDefinitionId]
             $tempOutput = switch ($settingInstance.'@odata.type') {
                 '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' {
                     if ($null -ne $settingInstance.groupSettingCollectionValue) {
                         $groupResults = [System.Collections.Generic.List[PSCustomObject]]::new()
                         foreach ($groupValue in $settingInstance.groupSettingCollectionValue) {
                             if ($groupValue.children -is [System.Array]) {
-                                $childResults = Process-GroupSettingChildren -Children $groupValue.children -Source 'Difference' -IntuneCollection $intuneCollection
+                                $childResults = Process-GroupSettingChildren -Children $groupValue.children -Source 'Difference' -IntuneCollectionIndex $intuneCollectionIndex
                                 foreach ($cr in $childResults) { $groupResults.Add($cr) }
                             }
                         }
@@ -624,7 +629,7 @@ function Compare-CIPPIntuneObject {
                 $settingId = $key.Substring(8)
             }
 
-            $settingDefinition = $intuneCollection | Where-Object { $_.id -eq $settingId }
+            $settingDefinition = $intuneCollectionIndex[$settingId]
 
             $refRawValue = if ($refItem) { $refItem.Value } else { $null }
             $diffRawValue = if ($diffItem) { $diffItem.Value } else { $null }

Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Standards/Push-CIPPStandardsList.ps1

@@ -64,12 +64,16 @@ function Push-CIPPStandardsList {
             } else {
                 # License valid - check policy timestamps to filter unchanged templates
                 $TypeMap = @{
-                    Device                   = 'deviceManagement/deviceConfigurations'
-                    Catalog                  = 'deviceManagement/configurationPolicies'
-                    Admin                    = 'deviceManagement/groupPolicyConfigurations'
-                    deviceCompliancePolicies = 'deviceManagement/deviceCompliancePolicies'
-                    AppProtection_Android    = 'deviceAppManagement/androidManagedAppProtections'
-                    AppProtection_iOS        = 'deviceAppManagement/iosManagedAppProtections'
+                    Device                       = 'deviceManagement/deviceConfigurations'
+                    Catalog                      = 'deviceManagement/configurationPolicies'
+                    Admin                        = 'deviceManagement/groupPolicyConfigurations'
+                    deviceCompliancePolicies     = 'deviceManagement/deviceCompliancePolicies'
+                    AppProtection_Android        = 'deviceAppManagement/androidManagedAppProtections'
+                    AppProtection_iOS            = 'deviceAppManagement/iosManagedAppProtections'
+                    windowsDriverUpdateProfiles  = 'deviceManagement/windowsDriverUpdateProfiles'
+                    windowsFeatureUpdateProfiles = 'deviceManagement/windowsFeatureUpdateProfiles'
+                    windowsQualityUpdatePolicies = 'deviceManagement/windowsQualityUpdatePolicies'
+                    windowsQualityUpdateProfiles = 'deviceManagement/windowsQualityUpdateProfiles'
                 }
 
                 $BulkRequests = $TypeMap.GetEnumerator() | ForEach-Object {
@@ -86,8 +90,9 @@ function Push-CIPPStandardsList {
                     $PolicyTimestamps = @{}
 
                     foreach ($Result in $BulkResults) {
-                        $GraphTime = $Result.body.value[0].lastModifiedDateTime
-                        $GraphId = $Result.body.value[0].id
+                        $FirstPolicy = if ($Result.body.value) { $Result.body.value[0] } else { $null }
+                        $GraphTime = $FirstPolicy.lastModifiedDateTime
+                        $GraphId = $FirstPolicy.id
                         $GraphCount = ($Result.body.value | Measure-Object).Count
                         $Cached = Get-CIPPAzDataTableEntity @TrackingTable -Filter "PartitionKey eq '$TenantFilter' and RowKey eq '$($Result.id)'"
 
@@ -117,8 +122,24 @@ function Push-CIPPStandardsList {
                                 LatestPolicyId       = $GraphId
                                 PolicyCount          = $GraphCount
                             } -Force | Out-Null
+                        } elseif ($Cached -and $Cached.PolicyCount -ne $null) {
+                            # No timestamp available - fall back to count-based detection
+                            $Changed = $CountChanged -or $IdChanged
+                            Add-CIPPAzDataTableEntity @TrackingTable -Entity @{
+                                PartitionKey   = $TenantFilter
+                                RowKey         = $Result.id
+                                LatestPolicyId = $GraphId
+                                PolicyCount    = $GraphCount
+                            } -Force | Out-Null
                         } else {
+                            # No timestamp and no prior cache entry - treat as changed and seed the cache
                             $Changed = $true
+                            Add-CIPPAzDataTableEntity @TrackingTable -Entity @{
+                                PartitionKey   = $TenantFilter
+                                RowKey         = $Result.id
+                                LatestPolicyId = $GraphId
+                                PolicyCount    = $GraphCount
+                            } -Force | Out-Null
                         }
 
                         $PolicyTimestamps[$Result.id] = $Changed
@@ -160,7 +181,7 @@ function Push-CIPPStandardsList {
                         }
 
                         # Check StandardTemplate changes
-                        $StandardTemplate = Get-CIPPAzDataTableEntity @StandardTemplateTable -Filter "PartitionKey eq 'StandardsTemplateV2' and RowKey eq '$($Template.TemplateId)'"
+                        $StandardTemplate = Get-CIPPAzDataTableEntity @TemplateTable -Filter "PartitionKey eq 'StandardsTemplateV2' and RowKey eq '$($Template.TemplateId)'"
                         $StandardTemplateChanged = $false
 
                         if ($StandardTemplate) {
@@ -182,7 +203,7 @@ function Push-CIPPStandardsList {
                             } -Force | Out-Null
                         }
 
-                        # Remove or downgrade based on change state and compliance
+                        # Remove cosed onmpliance
                         if (-not $PolicyChanged -and -not $StandardTemplateChanged) {
                             $AlignmentKey = "standards.IntuneTemplate.$($Template.Settings.TemplateList.value)"
                             $IsDeployed = $IntuneComplianceLookup.ContainsKey($AlignmentKey)
@@ -192,15 +213,6 @@ function Push-CIPPStandardsList {
                                 # Policy unchanged and compliant - no action needed
                                 Write-Host "NO INTUNE CHANGE: Filtering out $Key for $TenantFilter (compliant)"
                                 [void]$ComputedStandards.Remove($Key)
-                            } elseif ($IsDeployed) {
-                                # Policy deployed but drifted, and nothing changed - report only, don't force remediate
-                                Write-Host "COMPLIANCE DRIFT: Downgrading $Key to Report mode for $TenantFilter (deployed, not compliant, no changes)"
-                                $ComputedStandards[$Key].Settings | Add-Member -NotePropertyName 'remediate' -NotePropertyValue $false -Force
-                                $ComputedStandards[$Key].Settings | Add-Member -NotePropertyName 'report' -NotePropertyValue $true -Force
-                            } else {
-                                # No alignment data yet - policy not yet deployed, skip (will run on next cycle with changes)
-                                Write-Host "NO INTUNE CHANGE: Filtering out $Key for $TenantFilter (not yet deployed, no changes)"
-                                [void]$ComputedStandards.Remove($Key)
                             }
                         }
                     }
@@ -237,27 +249,28 @@ function Push-CIPPStandardsList {
                     Write-Information "Updating CIPPDB cache for Conditional Access policies for $TenantFilter"
                     Set-CIPPDBCacheConditionalAccessPolicies -TenantFilter $TenantFilter
                 } catch {
-                    Write-Warning "Failed to update CA cache for $TenantFilter : $($_.Exception.Message)"
+                    Write-Warning "Failed to update CA cache for $TenantFilter : $($_.Exception.Message)'
                 }
             }
         }
 
-        Write-Host "Returning $($ComputedStandards.Count) standards for tenant $TenantFilter after filtering."
-        # Return filtered standards
-        $FilteredStandards = $ComputedStandards.Values | ForEach-Object {
-            [PSCustomObject]@{
-                Tenant       = $_.Tenant
-                Standard     = $_.Standard
-                Settings     = $_.Settings
-                TemplateId   = $_.TemplateId
-                FunctionName = 'CIPPStandard'
-            }
-        }
-        Write-Host "Sending back $($FilteredStandards.Count) standards: $($FilteredStandards | ConvertTo-Json -Depth 5 -Compress)"
-        return $FilteredStandards
+        Write-Host 'Returning $($ComputedStandards.Count) standards for tenant $TenantFilter after filtering."
+                    # Return filtered standards
+                    $FilteredStandards = $ComputedStandards.Values | ForEach-Object {
+                        [PSCustomObject]@{
+                            Tenant       = $_.Tenant
+                            Standard     = $_.Standard
+                            Settings     = $_.Settings
+                            TemplateId   = $_.TemplateId
+                            FunctionName = 'CIPPStandard'
+                        }
+                    }
+                    Write-Host "Sending back $($FilteredStandards.Count) standards: $($FilteredStandards | ConvertTo-Json -Depth 5 -Compress)"
+                    return @($FilteredStandards)
 
-    } catch {
-        Write-Warning "Error listing standards for $TenantFilter : $($_.Exception.Message)"
+                } catch {
+                    Write-Warning "Error listing standards for $TenantFilter : $($_.Exception.Message)'
         return @()
     }
 }
+'

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-RemoveStandardTemplate.ps1

@@ -16,8 +16,8 @@ function Invoke-RemoveStandardTemplate {
     $ID = $Request.Body.ID ?? $Request.Query.ID
     try {
         $Table = Get-CippTable -tablename 'templates'
-        $Filter = "PartitionKey eq 'StandardsTemplateV2' and GUID eq '$ID'"
-        $ClearRow = Get-CIPPAzDataTableEntity @Table -Filter $Filter -Property PartitionKey, RowKey, JSON
+        $Filter = "PartitionKey eq 'StandardsTemplateV2' and (GUID eq '$ID' or RowKey eq '$ID' or OriginalEntityId eq '$ID')"
+        $ClearRow = Get-CIPPAzDataTableEntity @Table -Filter $Filter -Property PartitionKey, RowKey, ETag, JSON
         if ($ClearRow.JSON) {
             $TemplateName = (ConvertFrom-Json -InputObject $ClearRow.JSON -ErrorAction SilentlyContinue).templateName
         } else {

Modules/CIPPCore/Public/Functions/Get-CIPPTenantAlignment.ps1

@@ -34,6 +34,7 @@ function Get-CIPPTenantAlignment {
             $JSON = $_.JSON
             try {
                 $RowKey = $_.RowKey
+                if ([string]::IsNullOrWhiteSpace($JSON)) { return }
                 $Data = $JSON | ConvertFrom-Json -Depth 100 -ErrorAction Stop
             } catch {
                 Write-Warning "$($RowKey) standard could not be loaded: $($_.Exception.Message)"

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardIntuneTemplate.ps1

@@ -38,10 +38,16 @@ function Invoke-CIPPStandardIntuneTemplate {
     param($Tenant, $Settings)
 
     Write-Host 'INTUNETEMPLATERUN'
+    $sw = [System.Diagnostics.Stopwatch]::StartNew()
+    $lap = $sw.Elapsed
+
     $Table = Get-CippTable -tablename 'templates'
     $Filter = "PartitionKey eq 'IntuneTemplate'"
 
     $Template = (Get-CIPPAzDataTableEntity @Table -Filter $Filter | Where-Object -Property RowKey -Like "$($Settings.TemplateList.value)*").JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+    Write-Information "[IntuneTemplate][$Tenant] TableLoad: $([int]($sw.Elapsed - $lap).TotalMilliseconds)ms"
+    $lap = $sw.Elapsed
+
     if ($null -eq $Template) {
         Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to find template $($Settings.TemplateList.value). Has this Intune Template been deleted?" -sev 'Error'
         return $true
@@ -58,6 +64,8 @@ function Invoke-CIPPStandardIntuneTemplate {
         Write-Host "IntuneTemplate: $($Settings.TemplateList.value) - Failed to sync reusable policy settings. Skipping this template."
         return $true
     }
+    Write-Information "[IntuneTemplate][$Tenant] ReusableSync: $([int]($sw.Elapsed - $lap).TotalMilliseconds)ms"
+    $lap = $sw.Elapsed
 
     $displayname = $Template.Displayname
     $description = $Template.Description
@@ -69,16 +77,19 @@ function Invoke-CIPPStandardIntuneTemplate {
     } catch {
         $ExistingPolicy = $null
     }
+    Write-Information "[IntuneTemplate][$Tenant] GetPolicy '$displayname' ($TemplateType): $([int]($sw.Elapsed - $lap).TotalMilliseconds)ms"
+    $lap = $sw.Elapsed
 
     if ($ExistingPolicy) {
         try {
             $RawJSON = Get-CIPPTextReplacement -Text $RawJSON -TenantFilter $Tenant
             $JSONExistingPolicy = $ExistingPolicy.cippconfiguration | ConvertFrom-Json
             $JSONTemplate = $RawJSON | ConvertFrom-Json
-            #This might be a slow one.
             $Compare = Compare-CIPPIntuneObject -ReferenceObject $JSONTemplate -DifferenceObject $JSONExistingPolicy -compareType $TemplateType -ErrorAction SilentlyContinue
         } catch {
         }
+        Write-Information "[IntuneTemplate][$Tenant] Compare '$displayname': $([int]($sw.Elapsed - $lap).TotalMilliseconds)ms"
+        $lap = $sw.Elapsed
     } else {
         $compare = [pscustomobject]@{
             MatchFailed = $true
@@ -128,7 +139,10 @@ function Invoke-CIPPStandardIntuneTemplate {
         } catch {
             $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
             Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to create or update Intune Template $($CompareResult.displayname), Error: $ErrorMessage" -sev 'Error'
+            Write-Information "IntuneTemplate: $($CompareResult.displayname) - Failed to remediate. Error: $ErrorMessage"
         }
+        Write-Information "[IntuneTemplate][$Tenant] Remediate '$displayname': $([int]($sw.Elapsed - $lap).TotalMilliseconds)ms"
+        $lap = $sw.Elapsed
     }
 
     if ($Settings.alert) {
@@ -162,4 +176,7 @@ function Invoke-CIPPStandardIntuneTemplate {
         Set-CIPPStandardsCompareField -FieldName "standards.IntuneTemplate.$id" -CurrentValue $CurrentValue -ExpectedValue $ExpectedValue -TenantFilter $Tenant
         #Add-CIPPBPAField -FieldName "policy-$id" -FieldValue $Compare -StoreAs bool -Tenant $tenant
     }
+
+    $sw.Stop()
+    Write-Information "[IntuneTemplate][$Tenant] TOTAL '$displayname': $([int]$sw.Elapsed.TotalMilliseconds)ms"
 }