With the exciting release of Endpoint Privilege Management, I immediately went digging around in Graph to see just what’s happening behind the scenes.
It will come of no surprise that it is based on the ever-growing Settings Catalog so why not automate it? We all know I love avoiding a GUI
Here is the result, my latest script add-epmfilerule
As usual you can grab it from GitHub here
Or PowerShell gallery
Install-Script -Name add-epmfileruleWhen running, the only required input is the Filepath you wish to allow (for example “c:\windows\system32\notepad.exe”)
The script will then grab the filename and filepath, extract the filehash and create your policy.
Without any other parameters, it will assign to All Users and require the User to approve with credentials.
If you pass the groupname parameter, it will assign to the group specified
If you want to auto approve set the elevationtype parameter to “Auto”
As with all of my scripts, you can pass tenant ID and app reg details to connect that way, or you can switch a variable within the script to hard-code them if required.
Happy EPMing
Hi Andrew,
The scripts works great thank you, only thing is I cant workout where to add an AAD group for assignment rather than it setting the default of all users.
Appreciate your help.
Joe
Hi Joe,
If you run it with the -groupname “AADGroup” parameter, that should automatically assign it appropriately.
Otherwise, happy to talk you through amending the code
Do you know if Microsoft Graph can trigger a re-enrollment into EPM? I was getting the Allow Device Health Monitoring Error on a device and didn’t know if there was a quick way to start the enrollment again, if possible. I could be misunderstanding how the process works.
I really appreciate any help you can provide.
Hello Andrew!
Sorry for the delay in response. I used the script below in an environment yesterday and it worked to fix an EPM enrollment issue. I used this article https://call4cloud.nl/2023/05/the-lord-of-the-epm-the-war-of-the-mmp-c-enrollment/. I haven’t found a way to use Microsoft graph to achieve the same results. Maybe there is a way to automate the script below? I am also having issues creating a proactive remediation script for this as well maybe I can share the files and you can take a look and see if you can work your magic 🙂
Hope this helps.
# Check if the LocalMDM module is installed
$moduleName = “LocalMDM”
$module = Get-Module -ListAvailable -Name $moduleName
# If the module is not installed, install it
if (-not $module) {
try {
Install-Module -Name $moduleName -Force -Scope CurrentUser
Import-Module $moduleName
} catch {
Write-Error “Failed to install the LocalMDM module. Error: $_”
exit
}
} else {
# If the module is already installed, import it
Import-Module $moduleName
}
# Define the SyncML request body for LinkedEnrollment
$syncML = @”
12
./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/LinkedEnrollment/Enroll
“@
# Send the LocalMDM request with the SyncML to enroll the device
try {
$response = Send-LocalMDMRequest -SyncML $syncML
Write-Output “Enrollment request sent successfully.”
Write-Output “Response: $response”
} catch {
Write-Error “Failed to send enrollment request. Error: $_”
}
Hi Randy,
As those are device level you won’t be able to use Graph on them. I would guess they are just setting a registry key which could be another option.
Happy to have a look at the remediations if you want to email them over
That worked! Thanks so much for the fast response!
Glad it worked 🙂
Hi Andrew,
Thank you for another excellent script. I am running it for the first time and running into some issues and wondering if you could point me the right direction.
I am receiving the following error when running the script.
Welcome To Microsoft Graph!
Graph Connection Established
Getting Filehash for C:\Program Files\Notepad++
Filehash is
Getting Filename for C:\Program Files\Notepad++
Filename is Notepad++
Getting Path for C:\Program Files\Notepad++
Path is C:\\Program Files
Setting JSON Values
It is a User approve rule, setting accordingly including credential prompt
JSON Configured, creating policy
PS>TerminatingError(Invoke-MgGraphRequest): “POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds requirements. Expected a string length between 64 and 64. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}”
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East
US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”:
\”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length,
0, does not meet bounds requirements. Expected a string length between 64 and 64. – Operation ID (for customer
support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url: https://fef.ms
ua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configur
ationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n
\”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”
:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}
At C:\add-epmfilerule.ps1:390 char:14
+ … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId :
InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds
requirements. Expected a string length between 64 and 64. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url:
https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”:
null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}
At C:\add-epmfilerule.ps1:390 char:14
+ … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Policy created, assigning
No group set, assigning to all users
PS>TerminatingError(Invoke-MgGraphRequest): “POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
client-request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce – Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”}}}”
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East
US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation
ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce –
Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/device
Management/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n
\”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}
\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-
id”:””}}}
At C:\add-epmfilerule.ps1:436 char:1
+ Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId :
InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce
– Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n
\”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”:
\”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”}}}
At C:\add-epmfilerule.ps1:436 char:1
+ Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Policy assigned, all done
Disconnecting from Graph
**********************
Hi Randy,
Are you specifying the full path including the executable? For Notepad++ that would usually be:
“C:\Program Files\Notepad++\Notepad++.exe”
It looks like it’s missing the executable from the output
Thanks for the share Andrew! – this can definitely help with flexibility