Adding Endpoint Privilege Management Rules via PowerShell

With the exciting release of Endpoint Privilege Management, I immediately went digging around in Graph to see just what’s happening behind the scenes.

It will come as no surprise that it is based on the ever-growing Settings Catalog, so why not automate it? We all know I love avoiding a GUI.

Here is the result, my latest script, add-epmfilerule.

As usual, you can grab it from GitHub here

or from the PowerShell Gallery:

Install-Script -Name add-epmfilerule

When run, the only required input is the file path you wish to allow (for example "c:\windows\system32\notepad.exe").

The script will then grab the filename and file path, extract the file hash and create your policy.

Without any other parameters, it will assign to All Users and require the user to approve with credentials.

If you pass the groupname parameter, it will assign to the group specified instead.

If you want to auto-approve, set the elevationtype parameter to "Auto".

As with all of my scripts, you can pass the tenant ID and app registration details to connect that way, or you can switch a variable within the script to hard-code them if required.
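The steps above (take a path, derive the filename and folder, hash the file, create the policy, then assign it to All Users or a group) are the ones where input problems surface as opaque Graph 400 errors. The following is an added example, not the add-epmfilerule script itself: it shows the pre-flight checks a practitioner would put around those steps, refusing to post a rule whose SHA256 is not 64 hex characters and refusing to assign a policy whose id is empty. It assumes the Microsoft.Graph.Authentication module is installed and a Connect-MgGraph session already exists; the function names (Get-EpmFileDetails, New-EpmAssignmentBody, Publish-EpmAssignment) and the sample path are mine, and the policy creation body itself is left to the caller.

```powershell
# Added example (not the add-epmfilerule script): input validation around an EPM file rule.
# Assumes Microsoft.Graph.Authentication is installed and Connect-MgGraph has already been run.

function Get-EpmFileDetails {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath
    )
    # Reject directories and missing files up front. Get-FileHash on a folder yields no hash,
    # and Graph then rejects the rule with "filehash ... Expected a string length between 64 and 64".
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        throw "FilePath must point to an existing file (the executable itself), got: $FilePath"
    }
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
    # EPM file rules carry a SHA256: exactly 64 hex characters, so check before calling Graph.
    if ($hash -notmatch '^[0-9A-Fa-f]{64}$') {
        throw "Unexpected SHA256 value '$hash' for $FilePath"
    }
    [pscustomobject]@{
        FileName = Split-Path -Path $FilePath -Leaf
        FilePath = Split-Path -Path $FilePath -Parent
        FileHash = $hash
    }
}

function New-EpmAssignmentBody {
    param(
        [string]$GroupId   # Entra group object id; omit to target all licensed users
    )
    # Standard Graph assignment targets: a group, or every licensed user in the tenant.
    $target = if ($GroupId) {
        @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId }
    } else {
        @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' }
    }
    @{ assignments = @(@{ target = $target }) } | ConvertTo-Json -Depth 5
}

function Publish-EpmAssignment {
    param(
        [Parameter(Mandatory)][string]$PolicyId,   # id returned by the configurationPolicies POST
        [string]$GroupId
    )
    # If creation failed, an empty id would be interpolated into the assign URL as ('') and
    # produce a second 400. Stop here instead of posting a meaningless assignment.
    if ([string]::IsNullOrWhiteSpace($PolicyId)) {
        throw "No policy id returned from creation; not assigning."
    }
    $assignUrl = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$PolicyId')/assign"
    Invoke-MgGraphRequest -Method POST -Uri $assignUrl `
        -Body (New-EpmAssignmentBody -GroupId $GroupId) -ContentType 'application/json'
}

# Usage with a constructed path (any local executable works):
$details = Get-EpmFileDetails -FilePath 'C:\Windows\System32\notepad.exe'
$details
# After a successful configurationPolicies POST, $created.id would be passed on:
# Publish-EpmAssignment -PolicyId $created.id            # all licensed users
# Publish-EpmAssignment -PolicyId $created.id -GroupId '<group object id>'
```

The point of the two guards is that a wrong input (a folder rather than the executable, or a failed create step) is caught locally with a readable message, rather than surfacing as the nested Graph BadRequest payloads seen in the comments below.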

Happy EPMing

5 thoughts on “Adding Endpoint Privilege Management Rules via PowerShell”

  1. Hi Andrew,

    Thank you for another excellent script. I am running it for the first time and running into some issues, and wondering if you could point me in the right direction.

    I am receiving the following error when running the script.

    Welcome To Microsoft Graph!
    Graph Connection Established
    Getting Filehash for C:\Program Files\Notepad++
    Filehash is
    Getting Filename for C:\Program Files\Notepad++
    Filename is Notepad++
    Getting Path for C:\Program Files\Notepad++
    Path is C:\\Program Files
    Setting JSON Values
    It is a User approve rule, setting accordingly including credential prompt
    JSON Configured, creating policy
    PS>TerminatingError(Invoke-MgGraphRequest): "POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF000025FC"}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds requirements. Expected a string length between 64 and 64. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 - Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2023-05-17T21:51:43","request-id":"3fcc1259-6484-415b-8814-7422d9efe465","client-request-id":"3fcc1259-6484-415b-8814-7422d9efe465"}}}"
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East
    US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF000025FC"}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\":
    \"device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length,
    0, does not meet bounds requirements. Expected a string length between 64 and 64. - Operation ID (for customer
    support): 00000000-0000-0000-0000-000000000000 - Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 - Url: https://fef.ms
    ua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configur
    ationPolicies?api-version=5023-03-13\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n
    \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2023-05-17T21:51:43","request-id"
    :"3fcc1259-6484-415b-8814-7422d9efe465","client-request-id":"3fcc1259-6484-415b-8814-7422d9efe465"}}}
    At C:\add-epmfilerule.ps1:390 char:14
    + … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId :
    InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF000025FC"}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds
    requirements. Expected a string length between 64 and 64. - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 - Url:
    https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\":
    null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2023-05-17T21:51:43","request-id":"3fcc1259-6484-415b-8814-7422d9efe465","client-request-id":"3fcc1259-6484-415b-8814-7422d9efe465"}}}
    At C:\add-epmfilerule.ps1:390 char:14
    + … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Policy created, assigning
    No group set, assigning to all users
    PS>TerminatingError(Invoke-MgGraphRequest): "POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('')/assign
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
    client-request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF00003B10"}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce - Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies('')/microsoft.management.services.api.assign?api-version=5023-03-13\",\r\n \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}\"\r\n}","innerError":{"date":"2023-05-17T21:51:43","request-id":"a2500fbe-8688-4543-8c16-0dcc505420ce","client-request-id":"a2500fbe-8688-4543-8c16-0dcc505420ce"}}}"
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('')/assign
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East
    US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF00003B10"}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation
    ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce -
    Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/device
    Management/configurationPolicies('')/microsoft.management.services.api.assign?api-version=5023-03-13\",\r\n
    \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\": \"{}
    \"\r\n}","innerError":{"date":"2023-05-17T21:51:43","request-id":"a2500fbe-8688-4543-8c16-0dcc505420ce","client-request-
    id":""}}}
    At C:\add-epmfilerule.ps1:436 char:1
    + Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId :
    InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('')/assign
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
    client-request-id:
    x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"East US","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"BL02EPF00003B10"}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {"error":{"code":"BadRequest","message":"{\r\n \"_version\": 3,\r\n \"Message\": \"An error has occurred - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce
    - Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies('')/microsoft.management.services.api.assign?api-version=5023-03-13\",\r\n
    \"CustomApiErrorPhrase\": \"\",\r\n \"RetryAfter\": null,\r\n \"ErrorSourceService\": \"\",\r\n \"HttpHeaders\":
    \"{}\"\r\n}","innerError":{"date":"2023-05-17T21:51:43","request-id":"a2500fbe-8688-4543-8c16-0dcc505420ce","client-request-id":"a2500fbe-8688-4543-8c16-0dcc505420ce"}}}
    At C:\add-epmfilerule.ps1:436 char:1
    + Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Policy assigned, all done
    Disconnecting from Graph
    **********************

    • Hi Randy,
      Are you specifying the full path including the executable? For Notepad++ that would usually be:
      "C:\Program Files\Notepad++\Notepad++.exe"
      It looks like it's missing the executable from the output.
