microsoft / Intune-ACSC-Windows-Hardening-Guidelines

Collection of Intune policies that could assist with implementing ACSC's Windows hardening guidance.
MIT License

Attack Surface Reduction Policy application does not work #14

Open EpicPilgrim opened 4 months ago

EpicPilgrim commented 4 months ago

As a Global Administrator, attempting to follow the instructions to POST the relevant JSON to the beta deviceManagement endpoint results in the following error:

{
    "error": {
        "code": "Forbidden",
        "message": "{\r\n  \"_version\": 3,\r\n  \"Message\": \"Application is not authorized to perform this operation. Application must have one of the following scopes: DeviceManagementConfiguration.ReadWrite.All - Operation ID (for customer support): 00000000-0000-0000-0000-000000000000 - Activity ID: d8d4fea4-bac5-3a83-88fd-0e43cd5b0505 - Url: https://fef.msud01.manage.microsoft.com/DeviceManagementIntent/DeviceManagementIntentService/83661860-ffff-7001-0507-062012292948/deviceManagement/templates('0e237410-1367-4844-bd7f-15fb0f08943b')/microsoft.management.services.api.createInstance?api-version=5020-08-21\",\r\n  \"CustomApiErrorPhrase\": \"\",\r\n  \"RetryAfter\": null,\r\n  \"ErrorSourceService\": \"\",\r\n  \"HttpHeaders\": \"{}\"\r\n}",
        "innerError": {
            "date": "2024-07-07T21:59:24",
            "request-id": "05daac7e-495a-4050-b377-3c20ddfc7849",
            "client-request-id": "d8d4fea4-bac5-3a83-88fd-0e43cd5b0505"
        }
    }
}

I have created an application with the relevant permissions, but I don't see where in Graph Explorer to specify that application.

brendon-stephens commented 4 months ago

Graph Explorer is the application. You need to grant permission to it. On the graph explorer page you will see the Modify Permissions tab - this is where you need to permit access to DeviceManagementConfiguration.ReadWrite.All scope.
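The same request made from the Microsoft Graph PowerShell SDK instead of Graph Explorer, as an added example that is not part of this repository or this thread: it consents to the exact scope the 403 names, confirms the issued token carries it before posting, and only then calls the beta createInstance endpoint for the template id that appears in the error URL. The module, the JSON file path and the variable names are assumptions.

```powershell
# Added example (not the repository's own code): create an Intune template instance
# with the Microsoft Graph PowerShell SDK, consenting to the scope the error names.
# Assumes: Microsoft.Graph.Authentication is installed, the policy JSON sits at
# .\asr-policy.json (placeholder path), template id taken from the error URL above.
Import-Module Microsoft.Graph.Authentication

$RequiredScope = 'DeviceManagementConfiguration.ReadWrite.All'
$TemplateId    = '0e237410-1367-4844-bd7f-15fb0f08943b'   # from the error URL in the issue
$BodyPath      = '.\asr-policy.json'                      # placeholder: the repo's JSON file

# Interactive sign-in. The consent prompt for the requested scope appears here;
# the tenant's consent policy decides whether an admin has to approve it.
Connect-MgGraph -Scopes $RequiredScope -NoWelcome

# Being Global Administrator is not enough: the token itself must carry the
# delegated scope, so check it before sending anything.
$ctx = Get-MgContext
if ($ctx.Scopes -notcontains $RequiredScope) {
    throw "Token lacks $RequiredScope; the POST would return 403 Forbidden. Granted scopes: $($ctx.Scopes -join ', ')"
}

$body = Get-Content -Path $BodyPath -Raw
$uri  = "https://graph.microsoft.com/beta/deviceManagement/templates/$TemplateId/createInstance"

try {
    $result = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body -ContentType 'application/json'
    Write-Host "Created template instance '$($result.displayName)' with id $($result.id)"
}
catch {
    # A 403 with the same "Application is not authorized" text means consent for the
    # scope was not recorded for this sign-in; it is not a directory role problem.
    Write-Error $_.Exception.Message
}
```

Running this with a signed-in account and `Get-MgContext` lets you see the granted scopes directly, which is the check Graph Explorer's Modify Permissions tab is supposed to surface; if the scope is missing, the script stops before the POST rather than reproducing the Forbidden response.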

EpicPilgrim commented 4 months ago

Thanks. I was trying that as well. When I go to the "Modify Permissions" tab, I get "Permissions for the query are missing on this tab. Open the permissions panel to see the full list of Microsoft Graph permissions and select the permission(s) you want and consent to them from there.". When I click "Open the permissions panel", I get the Permissions panel with the four column headers, then "Retry again" as the only row in the body. Looking in Entra ID App Registrations, there is no "Graph Explorer" app registered.

EpicPilgrim commented 4 months ago

As an aside, I note that in Intune, under Endpoint Security... Manage... Attack surface reduction is the "Default Attack Surface Reduction" policy which has a number of Warn/Block settings enabled already. Does this mean this part of the ACSC hardening is not actually required nowadays assuming the defaults are left in-place?

brendon-stephens commented 4 months ago

Thanks. I was trying that as well. When I go to the "Modify Permissions" tab, I get "Permissions for the query are missing on this tab. Open the permissions panel to see the full list of Microsoft Graph permissions and select the permission(s) you want and consent to them from there.". When I click "Open the permissions panel", I get the Permissions panel with the four column headers, then "Retry again" as the only row in the body. Looking in Entra ID App Registrations, there is no "Graph Explorer" app registered.

Try looking under "Enterprise Applications" - not "Apps"