diff --git a/CHANGELOG.md b/CHANGELOG.md
index eaeaa4674b..116d97723f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,11 @@
 FIXES [#4963](https://github.com/microsoft/Microsoft365DSC/issues/4963)
 * IntuneDeviceCompliancePolicyWindows10
 * Fix extraction of property `TpmRequired`
+* IntuneDeviceConfigurationCustomPolicyWindows10
+ * Change app and delegated permissions for reading to
+ DeviceManagementConfiguration.ReadWrite.All to cope with
+ getOmaSettingPlainTextValue which is only working if RW is granted
+ FIXES [#4412](https://github.com/microsoft/Microsoft365DSC/issues/4412)
 * M365DSCUtil
 * Fix `Compare-PSCustomObjectArrays` by allowing empty arrays as input
 FIXES [#4952](https://github.com/microsoft/Microsoft365DSC/issues/4952)
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json
index 4f57251847..59369d197b 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/settings.json
@@ -9,7 +9,7 @@
 "name": "Group.Read.All"
 },
 {
- "name": "DeviceManagementConfiguration.Read.All"
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
 ],
 "update": [
@@ -24,7 +24,7 @@
 "name": "Group.Read.All"
 },
 {
- "name": "DeviceManagementConfiguration.Read.All"
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
 }
 ],
 "update": [
diff --git a/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1 b/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1
index 06b77a0418..461fa5bddd 100644
--- a/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1
+++ b/Tests/QA/Microsoft365DSC.SettingsJson.Tests.ps1
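Review bot: Putting `DeviceManagementConfiguration.ReadWrite.All` in the `read` permission list of settings.json (the hunk at -9,7 and again at -24,7) means an identity provisioned only to export or monitor this resource now holds write access to Intune device configuration, a least-privilege regression that should be made explicit to operators. The changelog attributes it to getOmaSettingPlainTextValue working only when RW is granted, so the wider scope may be unavoidable. JSON cannot carry a comment, so the reason belongs in the resource documentation next to the permission list, for example `Read requires ReadWrite.All because getOmaSettingPlainTextValue fails with read-only consent (#4412)`. Since that call appears to return OMA setting values in plain text, the same note could remind users to treat exported configurations as potentially containing secrets.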
@@ -80,6 +80,13 @@ Describe -Name 'Successfully validate all used permissions in Settings.json file ) } + if ($settings.ResourceName -eq 'IntuneDeviceConfigurationCustomPolicyWindows10') + { + $allowedPermissions = @( + 'DeviceManagementConfiguration.ReadWrite.All' + ) + } + foreach ($permission in $settings.permissions.graph.application.read) { $ObjectGuid = [System.Guid]::empty diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md index 1cab65c261..37558493b4 100644 --- a/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationCustomPolicyWindows10.md @@ -63,7 +63,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - Group.Read.All, DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All - **Update** @@ -73,7 +73,7 @@ To authenticate with the Microsoft Graph API, this resource required the followi - **Read** - - Group.Read.All, DeviceManagementConfiguration.Read.All + - Group.Read.All, DeviceManagementConfiguration.ReadWrite.All - **Update**
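Review bot: The added `if ($settings.ResourceName -eq 'IntuneDeviceConfigurationCustomPolicyWindows10')` branch in Microsoft365DSC.SettingsJson.Tests.ps1 allows a write permission for a read operation without recording why, so a later reader cannot tell a deliberate exception from a mistake. A comment above it such as `# getOmaSettingPlainTextValue only works with ReadWrite consent, see issue #4412` would keep the exemption auditable. The hunk shows only the `application.read` loop that follows. Whether the delegated read permissions are validated against the same `$allowedPermissions` lies outside the visible lines and is worth confirming, since settings.json changes both lists. The enclosing Describe block starts and ends outside the hunk.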