fix: prevent stale template list from skewing applied standards report

Author: JohnDuprey

Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-ListStandardsCompare.ps1

@@ -13,6 +13,26 @@ function Invoke-ListStandardsCompare {
     $TenantFilter = $Request.Query.tenantFilter
     $TemplateFilter = $Request.Query.templateId
 
+    # Get-CIPPStandards is the authoritative source for what is currently in scope.
+    $StandardParams = @{}
+    if ($TemplateFilter) { $StandardParams.TemplateId = $TemplateFilter }
+    if ($TenantFilter) { $StandardParams.TenantFilter = $TenantFilter }
+    $StandardList = Get-CIPPStandards @StandardParams
+
+    $ScopedTemplateGuids = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
+    $ScopedQuarantineNames = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
+    foreach ($Entry in $StandardList) {
+        switch ($Entry.Standard) {
+            { $_ -in @('IntuneTemplate', 'ConditionalAccessTemplate') } {
+                if ($Entry.Settings.TemplateList.value) { $null = $ScopedTemplateGuids.Add($Entry.Settings.TemplateList.value) }
+            }
+            'QuarantineTemplate' {
+                $DisplayName = $Entry.Settings.displayName.value ?? $Entry.Settings.displayName
+                if ($DisplayName) { $null = $ScopedQuarantineNames.Add($DisplayName) }
+            }
+        }
+    }
+
     $Filters = [system.collections.generic.list[string]]::new()
     if ($TenantFilter) {
         $Filters.Add("PartitionKey eq '{0}'" -f $TenantFilter)
@@ -34,6 +54,20 @@ function Invoke-ListStandardsCompare {
         $FieldValue = $Standard.Value
         $Tenant = $Standard.PartitionKey
 
+        # Skip rows for template types no longer in scope per the current standard list.
+        if ($FieldName -match '^standards\.(IntuneTemplate|ConditionalAccessTemplate)\.(.+)$') {
+            if (-not $ScopedTemplateGuids.Contains($Matches[2])) { continue }
+        } elseif ($ScopedQuarantineNames.Count -gt 0 -and $FieldName -match '^standards\.QuarantineTemplate\.(.+)$') {
+            # Decode hex-encoded display name and check if it's still in scope
+            $HexEncoded = $Matches[1]
+            $Chars = [System.Collections.Generic.List[char]]::new()
+            for ($i = 0; $i -lt $HexEncoded.Length; $i += 2) {
+                $Chars.Add([char][Convert]::ToInt32($HexEncoded.Substring($i, 2), 16))
+            }
+            $DecodedName = -join $Chars
+            if (-not $ScopedQuarantineNames.Contains($DecodedName)) { continue }
+        }
+
         # decode field names that are hex encoded (e.g. QuarantineTemplates)
         if ($FieldName -match '^(standards\.QuarantineTemplate\.)(.+)$') {
             $Prefix = $Matches[1]

Modules/CIPPHTTP/Public/Entrypoints/HTTP Functions/Tenant/Standards/Invoke-listStandardTemplates.ps1

@@ -35,6 +35,42 @@ function Invoke-listStandardTemplates {
                     $Data.excludedTenants = @()
                 }
             }
+
+            # Re-expand TemplateList-Tags live so stale addedFields snapshots don't show removed templates
+            if ($Data.standards) {
+                foreach ($StandardName in $Data.standards.PSObject.Properties.Name) {
+                    $StandardConfig = $Data.standards.$StandardName
+                    $Items = if ($StandardConfig -is [System.Collections.IEnumerable] -and $StandardConfig -isnot [string]) { $StandardConfig } else { @($StandardConfig) }
+                    foreach ($Item in $Items) {
+                        if ($Item.'TemplateList-Tags' -and $Item.'TemplateList-Tags'.value) {
+                            if (-not $IntuneTemplatesCache) {
+                                $IntuneTable = Get-CippTable -tablename 'templates'
+                                $IntuneFilter = "PartitionKey eq 'IntuneTemplate'"
+                                $IntuneTemplatesCache = Get-CIPPAzDataTableEntity @IntuneTable -Filter $IntuneFilter
+                            }
+                            $PackageName = $Item.'TemplateList-Tags'.value
+                            $LiveExpanded = @($IntuneTemplatesCache | Where-Object package -EQ $PackageName | ForEach-Object {
+                                    $TplJson = $_.JSON | ConvertFrom-Json -ErrorAction SilentlyContinue
+                                    [pscustomobject]@{
+                                        GUID        = $_.RowKey
+                                        displayName = if ($TplJson.displayName) { $TplJson.displayName } else { $_.RowKey }
+                                        name        = if ($TplJson.displayName) { $TplJson.displayName } else { $_.RowKey }
+                                    }
+                                })
+                            if ($Item.'TemplateList-Tags'.addedFields) {
+                                $Item.'TemplateList-Tags'.addedFields | Add-Member -NotePropertyName 'templates' -NotePropertyValue $LiveExpanded -Force
+                            }
+                            if ($Item.'TemplateList-Tags'.rawData) {
+                                $Item.'TemplateList-Tags'.rawData | Add-Member -NotePropertyName 'templates' -NotePropertyValue $LiveExpanded -Force
+                            }
+                            if (-not $Item.'TemplateList-Tags'.addedFields -and -not $Item.'TemplateList-Tags'.rawData) {
+                                $Item.'TemplateList-Tags' | Add-Member -NotePropertyName 'addedFields' -NotePropertyValue ([pscustomobject]@{ templates = $LiveExpanded }) -Force
+                            }
+                        }
+                    }
+                }
+            }
+
             $Data
         }
     } | Sort-Object -Property templateName