Adding Endpoint Privilege Management Rules via PowerShell

With the exciting release of Endpoint Privilege Management, I immediately went digging around in Graph to see just what’s happening behind the scenes.

It will come of no surprise that it is based on the ever-growing Settings Catalog so why not automate it? We all know I love avoiding a GUI

Here is the result, my latest script add-epmfilerule

As usual you can grab it from GitHub here

Or PowerShell gallery

Install-Script -Name add-epmfilerule

When running, the only required input is the Filepath you wish to allow (for example “c:\windows\system32\notepad.exe”)

The script will then grab the filename and filepath, extract the filehash and create your policy.

Without any other parameters, it will assign to All Users and require the User to approve with credentials.

If you pass the groupname parameter, it will assign to the group specified

If you want to auto approve set the elevationtype parameter to “Auto”

As with all of my scripts, you can pass tenant ID and app reg details to connect that way, or you can switch a variable within the script to hard-code them if required.

Happy EPMing

8 thoughts on “Adding Endpoint Privilege Management Rules via PowerShell”

  1. Hi Andrew,

    Thank you for another excellent script. I am running it for the first time and running into some issues and wondering if you could point me the right direction.

    I am receiving the following error when running the script.

    Welcome To Microsoft Graph!
    Graph Connection Established
    Getting Filehash for C:\Program Files\Notepad++
    Filehash is
    Getting Filename for C:\Program Files\Notepad++
    Filename is Notepad++
    Getting Path for C:\Program Files\Notepad++
    Path is C:\\Program Files
    Setting JSON Values
    It is a User approve rule, setting accordingly including credential prompt
    JSON Configured, creating policy
    PS>TerminatingError(Invoke-MgGraphRequest): “POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds requirements. Expected a string length between 64 and 64. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}”
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East
    US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”:
    \”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length,
    0, does not meet bounds requirements. Expected a string length between 64 and 64. – Operation ID (for customer
    support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url: https://fef.ms
    ua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configur
    ationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n
    \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”
    :”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}
    At C:\add-epmfilerule.ps1:390 char:14
    + … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId :
    InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds
    requirements. Expected a string length between 64 and 64. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url:
    https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”:
    null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}
    At C:\add-epmfilerule.ps1:390 char:14
    + … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Policy created, assigning
    No group set, assigning to all users
    PS>TerminatingError(Invoke-MgGraphRequest): “POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
    client-request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce – Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”}}}”
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id:
    client-request-id:
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East
    US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation
    ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce –
    Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/device
    Management/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n
    \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}
    \”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-
    id”:””}}}
    At C:\add-epmfilerule.ps1:436 char:1
    + Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId :
    InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
    HTTP/1.1 400 Bad Request
    Transfer-Encoding: chunked
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
    client-request-id:
    x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
    Date: Wed, 17 May 2023 21:51:42 GMT
    Content-Encoding: gzip
    Content-Type: application/json

    {“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce
    – Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n
    \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”:
    \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”}}}
    At C:\add-epmfilerule.ps1:436 char:1
    + Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
    }:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
    + FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
    Policy assigned, all done
    Disconnecting from Graph
    **********************

    Reply
    • Hi Randy,
      Are you specifying the full path including the executable? For Notepad++ that would usually be:
      “C:\Program Files\Notepad++\Notepad++.exe”
      It looks like it’s missing the executable from the output

      Reply
  2. Do you know if Microsoft Graph can trigger a re-enrollment into EPM? I was getting the Allow Device Health Monitoring Error on a device and didn’t know if there was a quick way to start the enrollment again, if possible. I could be misunderstanding how the process works.

    I really appreciate any help you can provide.

    Reply
    • Hello Andrew!

      Sorry for the delay in response. I used the script below in an environment yesterday and it worked to fix an EPM enrollment issue. I used this article https://call4cloud.nl/2023/05/the-lord-of-the-epm-the-war-of-the-mmp-c-enrollment/. I haven’t found a way to use Microsoft graph to achieve the same results. Maybe there is a way to automate the script below? I am also having issues creating a proactive remediation script for this as well maybe I can share the files and you can take a look and see if you can work your magic 🙂

      Hope this helps.

      # Check if the LocalMDM module is installed
      $moduleName = “LocalMDM”
      $module = Get-Module -ListAvailable -Name $moduleName

      # If the module is not installed, install it
      if (-not $module) {
      try {
      Install-Module -Name $moduleName -Force -Scope CurrentUser
      Import-Module $moduleName
      } catch {
      Write-Error “Failed to install the LocalMDM module. Error: $_”
      exit
      }
      } else {
      # If the module is already installed, import it
      Import-Module $moduleName
      }

      # Define the SyncML request body for LinkedEnrollment
      $syncML = @”

      12

      ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/LinkedEnrollment/Enroll

      “@

      # Send the LocalMDM request with the SyncML to enroll the device
      try {
      $response = Send-LocalMDMRequest -SyncML $syncML
      Write-Output “Enrollment request sent successfully.”
      Write-Output “Response: $response”
      } catch {
      Write-Error “Failed to send enrollment request. Error: $_”
      }

      Reply
      • Hi Randy,
        As those are device level you won’t be able to use Graph on them. I would guess they are just setting a registry key which could be another option.

        Happy to have a look at the remediations if you want to email them over

        Reply

Leave a Comment