With the exciting release of Endpoint Privilege Management, I immediately went digging around in Graph to see just what’s happening behind the scenes.
It will come of no surprise that it is based on the ever-growing Settings Catalog so why not automate it? We all know I love avoiding a GUI
Here is the result, my latest script add-epmfilerule
As usual you can grab it from GitHub here
Or PowerShell gallery
Install-Script -Name add-epmfileruleWhen running, the only required input is the Filepath you wish to allow (for example “c:\windows\system32\notepad.exe”)
The script will then grab the filename and filepath, extract the filehash and create your policy.
Without any other parameters, it will assign to All Users and require the User to approve with credentials.
If you pass the groupname parameter, it will assign to the group specified
If you want to auto approve set the elevationtype parameter to “Auto”
As with all of my scripts, you can pass tenant ID and app reg details to connect that way, or you can switch a variable within the script to hard-code them if required.
Happy EPMing
Thanks for the share Andrew! – this can definitely help with flexibility
Hi Andrew,
Thank you for another excellent script. I am running it for the first time and running into some issues and wondering if you could point me the right direction.
I am receiving the following error when running the script.
Welcome To Microsoft Graph!
Graph Connection Established
Getting Filehash for C:\Program Files\Notepad++
Filehash is
Getting Filename for C:\Program Files\Notepad++
Filename is Notepad++
Getting Path for C:\Program Files\Notepad++
Path is C:\\Program Files
Setting JSON Values
It is a User approve rule, setting accordingly including credential prompt
JSON Configured, creating policy
PS>TerminatingError(Invoke-MgGraphRequest): “POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds requirements. Expected a string length between 64 and 64. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}”
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East
US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”:
\”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length,
0, does not meet bounds requirements. Expected a string length between 64 and 64. – Operation ID (for customer
support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url: https://fef.ms
ua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configur
ationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n
\”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”
:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}
At C:\add-epmfilerule.ps1:390 char:14
+ … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId :
InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF000025FC”}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”device_vendor_msft_policy_privilegemanagement_elevationrules_{elevationrulename}_filehash: String value with length, 0, does not meet bounds
requirements. Expected a string length between 64 and 64. – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: 3fcc1259-6484-415b-8814-7422d9efe465 – Url:
https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7693-0308-051516572448/deviceManagement/configurationPolicies?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”:
null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″,”client-request-id”:”3fcc1259-6484-415b-8814-7422d9efe465″}}}
At C:\add-epmfilerule.ps1:390 char:14
+ … addpolicy = Invoke-MgGraphRequest -method POST -Uri $addurl -Body $fi …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Policy created, assigning
No group set, assigning to all users
PS>TerminatingError(Invoke-MgGraphRequest): “POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
client-request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce – Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n \”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”}}}”
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id:
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East
US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation
ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce –
Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/device
Management/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n
\”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”: \”{}
\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-
id”:””}}}
At C:\add-epmfilerule.ps1:436 char:1
+ Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId :
InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Invoke-MgGraphRequest : POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies(”)/assign
HTTP/1.1 400 Bad Request
Transfer-Encoding: chunked
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000
request-id: a2500fbe-8688-4543-8c16-0dcc505420ce
client-request-id:
x-ms-ags-diagnostic: {“ServerInfo”:{“DataCenter”:”East US”,”Slice”:”E”,”Ring”:”5″,”ScaleUnit”:”002″,”RoleInstance”:”BL02EPF00003B10″}}
Date: Wed, 17 May 2023 21:51:42 GMT
Content-Encoding: gzip
Content-Type: application/json
{“error”:{“code”:”BadRequest”,”message”:”{\r\n \”_version\”: 3,\r\n \”Message\”: \”An error has occurred – Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 – Activity ID: a2500fbe-8688-4543-8c16-0dcc505420ce
– Url: https://fef.msua01.manage.microsoft.com/DeviceConfigV2/DCV2GraphService/de147310-ffff-7889-0308-051516321448/deviceManagement/configurationPolicies(”)/microsoft.management.services.api.assign?api-version=5023-03-13\”,\r\n
\”CustomApiErrorPhrase\”: \”\”,\r\n \”RetryAfter\”: null,\r\n \”ErrorSourceService\”: \”\”,\r\n \”HttpHeaders\”:
\”{}\”\r\n}”,”innerError”:{“date”:”2023-05-17T21:51:43″,”request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”,”client-request-id”:”a2500fbe-8688-4543-8c16-0dcc505420ce”}}}
At C:\add-epmfilerule.ps1:436 char:1
+ Invoke-MgGraphRequest -method POST -Uri $assignurl -Body $jsonassign …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Method: POST, R…ication/json
}:HttpRequestMessage) [Invoke-MgGraphRequest], HttpResponseException
+ FullyQualifiedErrorId : InvokeGraphHttpResponseException,Microsoft.Graph.PowerShell.Authentication.Cmdlets.InvokeMgGraphRequest
Policy assigned, all done
Disconnecting from Graph
**********************
Hi Randy,
Are you specifying the full path including the executable? For Notepad++ that would usually be:
“C:\Program Files\Notepad++\Notepad++.exe”
It looks like it’s missing the executable from the output
That worked! Thanks so much for the fast response!
Glad it worked 🙂