Namespace: microsoft.graph
Note: The Microsoft Graph API for Intune requires an active Intune license for the tenant.
Create a new windows10EndpointProtectionConfiguration object.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.
| Permission type | Permissions (from least to most privileged) |
|---|---|
| Delegated (work or school account) | DeviceManagementConfiguration.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | DeviceManagementConfiguration.ReadWrite.All |
HTTP Request
```http
POST /deviceManagement/deviceConfigurations
```
Request headers
| Header | Value |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Accept | application/json |
Request body
In the request body, supply a JSON representation for the windows10EndpointProtectionConfiguration object.
The following table shows the properties that are required when you create the windows10EndpointProtectionConfiguration.
| Property | Type | Description |
|---|---|---|
| id | String | Key of the entity. Inherited from deviceConfiguration |
| lastModifiedDateTime | DateTimeOffset | DateTime the object was last modified. Inherited from deviceConfiguration |
| createdDateTime | DateTimeOffset | DateTime the object was created. Inherited from deviceConfiguration |
| description | String | Admin provided description of the Device Configuration. Inherited from deviceConfiguration |
| displayName | String | Admin provided name of the device configuration. Inherited from deviceConfiguration |
| version | Int32 | Version of the device configuration. Inherited from deviceConfiguration |
| applicationGuardEnabled | Boolean | Enable Windows Defender Application Guard |
| applicationGuardBlockFileTransfer | applicationGuardBlockFileTransferType | Block clipboard to transfer image file, text file or neither of them. The possible values are: notConfigured, blockImageAndTextFile, blockImageFile, blockNone, blockTextFile. |
| applicationGuardBlockNonEnterpriseContent | Boolean | Block enterprise sites to load non-enterprise content, such as third party plug-ins |
| applicationGuardAllowPersistence | Boolean | Allow persisting user generated data inside the App Guard Container (favorites, cookies, web passwords, etc.) |
| applicationGuardForceAuditing | Boolean | Force auditing will persist Windows logs and events to meet security/compliance criteria (sample events are user login-logoff, use of privilege rights, software installation, system changes, etc.) |
| applicationGuardBlockClipboardSharing | applicationGuardBlockClipboardSharingType | Block clipboard to share data from Host to Container, or from Container to Host, or both ways, or neither way. The possible values are: notConfigured, blockBoth, blockHostToContainer, blockContainerToHost, blockNone. |
| applicationGuardAllowPrintToPDF | Boolean | Allow printing to PDF from Container |
| applicationGuardAllowPrintToXPS | Boolean | Allow printing to XPS from Container |
| applicationGuardAllowPrintToLocalPrinters | Boolean | Allow printing to Local Printers from Container |
| applicationGuardAllowPrintToNetworkPrinters | Boolean | Allow printing to Network Printers from Container |
| appLockerApplicationControl | appLockerApplicationControlType | Enables the Admin to choose what types of app to allow on devices. The possible values are: notConfigured, enforceComponentsAndStoreApps, auditComponentsAndStoreApps, enforceComponentsStoreAppsAndSmartlocker, auditComponentsStoreAppsAndSmartlocker. |
| bitLockerDisableWarningForOtherDiskEncryption | Boolean | Allows the Admin to disable the warning prompt for other disk encryption on the user machines. |
| bitLockerEnableStorageCardEncryptionOnMobile | Boolean | Allows the admin to require encryption to be turned on using BitLocker. This policy is valid only for a mobile SKU. |
| bitLockerEncryptDevice | Boolean | Allows the admin to require encryption to be turned on using BitLocker. |
| bitLockerRemovableDrivePolicy | bitLockerRemovableDrivePolicy | BitLocker Removable Drive Policy. |
| defenderAttackSurfaceReductionExcludedPaths | String collection | List of exe files and folders to be excluded from attack surface reduction rules |
| defenderGuardedFoldersAllowedAppPaths | String collection | List of paths to exe that are allowed to access protected folders |
| defenderAdditionalGuardedFolders | String collection | List of folder paths to be added to the list of protected folders |
| defenderExploitProtectionXml | Binary | Xml content containing information regarding exploit protection details. |
| defenderExploitProtectionXmlFileName | String | Name of the file from which DefenderExploitProtectionXml was obtained. |
| defenderSecurityCenterBlockExploitProtectionOverride | Boolean | Indicates whether or not to block user from overriding Exploit Protection settings. |
| firewallBlockStatefulFTP | Boolean | Blocks stateful FTP connections to the device |
| firewallIdleTimeoutForSecurityAssociationInSeconds | Int32 | Configures the idle timeout for security associations, in seconds, from 300 to 3600 inclusive. This is the period after which security associations will expire and be deleted. Valid values 300 to 3600 |
| firewallPreSharedKeyEncodingMethod | firewallPreSharedKeyEncodingMethodType | Select the preshared key encoding to be used. The possible values are: deviceDefault, none, utF8. |
| firewallIPSecExemptionsAllowNeighborDiscovery | Boolean | Configures IPSec exemptions to allow neighbor discovery IPv6 ICMP type-codes |
| firewallIPSecExemptionsAllowICMP | Boolean | Configures IPSec exemptions to allow ICMP |
| firewallIPSecExemptionsAllowRouterDiscovery | Boolean | Configures IPSec exemptions to allow router discovery IPv6 ICMP type-codes |
| firewallIPSecExemptionsAllowDHCP | Boolean | Configures IPSec exemptions to allow both IPv4 and IPv6 DHCP traffic |
| firewallCertificateRevocationListCheckMethod | firewallCertificateRevocationListCheckMethodType | Specify how the certificate revocation list is to be enforced. The possible values are: deviceDefault, none, attempt, require. |
| firewallMergeKeyingModuleSettings | Boolean | If an authentication set is not fully supported by a keying module, direct the module to ignore only unsupported authentication suites rather than the entire set |
| firewallPacketQueueingMethod | firewallPacketQueueingMethodType | Configures how packet queueing should be applied in the tunnel gateway scenario. The possible values are: deviceDefault, disabled, queueInbound, queueOutbound, queueBoth. |
| firewallProfileDomain | windowsFirewallNetworkProfile | Configures the firewall profile settings for domain networks |
| firewallProfilePublic | windowsFirewallNetworkProfile | Configures the firewall profile settings for public networks |
| firewallProfilePrivate | windowsFirewallNetworkProfile | Configures the firewall profile settings for private networks |
| smartScreenEnableInShell | Boolean | Allows IT Admins to configure SmartScreen for Windows. |
| smartScreenBlockOverrideForFiles | Boolean | Allows IT Admins to control whether users can ignore SmartScreen warnings and run malicious files. |
Response
If successful, this method returns a 201 Created response code and a windows10EndpointProtectionConfiguration object in the response body.
Example
Request
Here is an example of the request.
```http
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations
Content-type: application/json
Content-length: 4245

{
  "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
  "description": "Description value",
  "displayName": "Display Name value",
  "version": 7,
  "applicationGuardEnabled": true,
  "applicationGuardBlockFileTransfer": "blockImageAndTextFile",
  "applicationGuardBlockNonEnterpriseContent": true,
  "applicationGuardAllowPersistence": true,
  "applicationGuardForceAuditing": true,
  "applicationGuardBlockClipboardSharing": "blockBoth",
  "applicationGuardAllowPrintToPDF": true,
  "applicationGuardAllowPrintToXPS": true,
  "applicationGuardAllowPrintToLocalPrinters": true,
  "applicationGuardAllowPrintToNetworkPrinters": true,
  "appLockerApplicationControl": "enforceComponentsAndStoreApps",
  "bitLockerDisableWarningForOtherDiskEncryption": true,
  "bitLockerEnableStorageCardEncryptionOnMobile": true,
  "bitLockerEncryptDevice": true,
  "bitLockerRemovableDrivePolicy": {
    "@odata.type": "microsoft.graph.bitLockerRemovableDrivePolicy",
    "encryptionMethod": "aesCbc256",
    "requireEncryptionForWriteAccess": true,
    "blockCrossOrganizationWriteAccess": true
  },
  "defenderAttackSurfaceReductionExcludedPaths": [
    "Defender Attack Surface Reduction Excluded Paths value"
  ],
  "defenderGuardedFoldersAllowedAppPaths": [
    "Defender Guarded Folders Allowed App Paths value"
  ],
  "defenderAdditionalGuardedFolders": [
    "Defender Additional Guarded Folders value"
  ],
  "defenderExploitProtectionXml": "ZGVmZW5kZXJFeHBsb2l0UHJvdGVjdGlvblhtbA==",
  "defenderExploitProtectionXmlFileName": "Defender Exploit Protection Xml File Name value",
  "defenderSecurityCenterBlockExploitProtectionOverride": true,
  "firewallBlockStatefulFTP": true,
  "firewallIdleTimeoutForSecurityAssociationInSeconds": 2,
  "firewallPreSharedKeyEncodingMethod": "none",
  "firewallIPSecExemptionsAllowNeighborDiscovery": true,
  "firewallIPSecExemptionsAllowICMP": true,
  "firewallIPSecExemptionsAllowRouterDiscovery": true,
  "firewallIPSecExemptionsAllowDHCP": true,
  "firewallCertificateRevocationListCheckMethod": "none",
  "firewallMergeKeyingModuleSettings": true,
  "firewallPacketQueueingMethod": "disabled",
  "firewallProfileDomain": {
    "@odata.type": "microsoft.graph.windowsFirewallNetworkProfile",
    "firewallEnabled": "blocked",
    "stealthModeBlocked": true,
    "incomingTrafficBlocked": true,
    "unicastResponsesToMulticastBroadcastsBlocked": true,
    "inboundNotificationsBlocked": true,
    "authorizedApplicationRulesFromGroupPolicyMerged": true,
    "globalPortRulesFromGroupPolicyMerged": true,
    "connectionSecurityRulesFromGroupPolicyMerged": true,
    "outboundConnectionsBlocked": true,
    "inboundConnectionsBlocked": true,
    "securedPacketExemptionAllowed": true,
    "policyRulesFromGroupPolicyMerged": true
  },
  "firewallProfilePublic": {
    "@odata.type": "microsoft.graph.windowsFirewallNetworkProfile",
    "firewallEnabled": "blocked",
    "stealthModeBlocked": true,
    "incomingTrafficBlocked": true,
    "unicastResponsesToMulticastBroadcastsBlocked": true,
    "inboundNotificationsBlocked": true,
    "authorizedApplicationRulesFromGroupPolicyMerged": true,
    "globalPortRulesFromGroupPolicyMerged": true,
    "connectionSecurityRulesFromGroupPolicyMerged": true,
    "outboundConnectionsBlocked": true,
    "inboundConnectionsBlocked": true,
    "securedPacketExemptionAllowed": true,
    "policyRulesFromGroupPolicyMerged": true
  },
  "firewallProfilePrivate": {
    "@odata.type": "microsoft.graph.windowsFirewallNetworkProfile",
    "firewallEnabled": "blocked",
    "stealthModeBlocked": true,
    "incomingTrafficBlocked": true,
    "unicastResponsesToMulticastBroadcastsBlocked": true,
    "inboundNotificationsBlocked": true,
    "authorizedApplicationRulesFromGroupPolicyMerged": true,
    "globalPortRulesFromGroupPolicyMerged": true,
    "connectionSecurityRulesFromGroupPolicyMerged": true,
    "outboundConnectionsBlocked": true,
    "inboundConnectionsBlocked": true,
    "securedPacketExemptionAllowed": true,
    "policyRulesFromGroupPolicyMerged": true
  },
  "smartScreenEnableInShell": true,
  "smartScreenBlockOverrideForFiles": true
}
```
Response
Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```http
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 4417

{
  "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
  "id": "09709403-9403-0970-0394-700903947009",
  "lastModifiedDateTime": "2017-01-01T00:00:35.1329464-08:00",
  "createdDateTime": "2017-01-01T00:02:43.5775965-08:00",
  "description": "Description value",
  "displayName": "Display Name value",
  "version": 7,
  "applicationGuardEnabled": true,
  "applicationGuardBlockFileTransfer": "blockImageAndTextFile",
  "applicationGuardBlockNonEnterpriseContent": true,
  "applicationGuardAllowPersistence": true,
  "applicationGuardForceAuditing": true,
  "applicationGuardBlockClipboardSharing": "blockBoth",
  "applicationGuardAllowPrintToPDF": true,
  "applicationGuardAllowPrintToXPS": true,
  "applicationGuardAllowPrintToLocalPrinters": true,
  "applicationGuardAllowPrintToNetworkPrinters": true,
  "appLockerApplicationControl": "enforceComponentsAndStoreApps",
  "bitLockerDisableWarningForOtherDiskEncryption": true,
  "bitLockerEnableStorageCardEncryptionOnMobile": true,
  "bitLockerEncryptDevice": true,
  "bitLockerRemovableDrivePolicy": {
    "@odata.type": "microsoft.graph.bitLockerRemovableDrivePolicy",
    "encryptionMethod": "aesCbc256",
    "requireEncryptionForWriteAccess": true,
    "blockCrossOrganizationWriteAccess": true
  },
  "defenderAttackSurfaceReductionExcludedPaths": [
    "Defender Attack Surface Reduction Excluded Paths value"
  ],
  "defenderGuardedFoldersAllowedAppPaths": [
    "Defender Guarded Folders Allowed App Paths value"
  ],
  "defenderAdditionalGuardedFolders": [
    "Defender Additional Guarded Folders value"
  ],
  "defenderExploitProtectionXml": "ZGVmZW5kZXJFeHBsb2l0UHJvdGVjdGlvblhtbA==",
  "defenderExploitProtectionXmlFileName": "Defender Exploit Protection Xml File Name value",
  "defenderSecurityCenterBlockExploitProtectionOverride": true,
  "firewallBlockStatefulFTP": true,
  "firewallIdleTimeoutForSecurityAssociationInSeconds": 2,
  "firewallPreSharedKeyEncodingMethod": "none",
  "firewallIPSecExemptionsAllowNeighborDiscovery": true,
  "firewallIPSecExemptionsAllowICMP": true,
  "firewallIPSecExemptionsAllowRouterDiscovery": true,
  "firewallIPSecExemptionsAllowDHCP": true,
  "firewallCertificateRevocationListCheckMethod": "none",
  "firewallMergeKeyingModuleSettings": true,
  "firewallPacketQueueingMethod": "disabled",
  "firewallProfileDomain": {
    "@odata.type": "microsoft.graph.windowsFirewallNetworkProfile",
    "firewallEnabled": "blocked",
    "stealthModeBlocked": true,
    "incomingTrafficBlocked": true,
    "unicastResponsesToMulticastBroadcastsBlocked": true,
    "inboundNotificationsBlocked": true,
    "authorizedApplicationRulesFromGroupPolicyMerged": true,
    "globalPortRulesFromGroupPolicyMerged": true,
    "connectionSecurityRulesFromGroupPolicyMerged": true,
    "outboundConnectionsBlocked": true,
    "inboundConnectionsBlocked": true,
    "securedPacketExemptionAllowed": true,
    "policyRulesFromGroupPolicyMerged": true
  },
  "firewallProfilePublic": {
    "@odata.type": "microsoft.graph.windowsFirewallNetworkProfile",
    "firewallEnabled": "blocked",
    "stealthModeBlocked": true,
    "incomingTrafficBlocked": true,
    "unicastResponsesToMulticastBroadcastsBlocked": true,
    "inboundNotificationsBlocked": true,
    "authorizedApplicationRulesFromGroupPolicyMerged": true,
    "globalPortRulesFromGroupPolicyMerged": true,
    "connectionSecurityRulesFromGroupPolicyMerged": true,
    "outboundConnectionsBlocked": true,
    "inboundConnectionsBlocked": true,
    "securedPacketExemptionAllowed": true,
    "policyRulesFromGroupPolicyMerged": true
  },
  "firewallProfilePrivate": {
    "@odata.type": "microsoft.graph.windowsFirewallNetworkProfile",
    "firewallEnabled": "blocked",
    "stealthModeBlocked": true,
    "incomingTrafficBlocked": true,
    "unicastResponsesToMulticastBroadcastsBlocked": true,
    "inboundNotificationsBlocked": true,
    "authorizedApplicationRulesFromGroupPolicyMerged": true,
    "globalPortRulesFromGroupPolicyMerged": true,
    "connectionSecurityRulesFromGroupPolicyMerged": true,
    "outboundConnectionsBlocked": true,
    "inboundConnectionsBlocked": true,
    "securedPacketExemptionAllowed": true,
    "policyRulesFromGroupPolicyMerged": true
  },
  "smartScreenEnableInShell": true,
  "smartScreenBlockOverrideForFiles": true
}
```
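A pre-flight check for the request body, as an added example that is not part of the original page or Microsoft's own code: `lint_body` (a hypothetical helper) tests a body against the enum values and the 300 to 3600 range documented in the property table, and checks that the Binary property is base64. Treating `id`, `createdDateTime` and `lastModifiedDateTime` as server-assigned is an assumption, based on the sample request omitting them and the 201 response returning them.

```python
import base64
import binascii

# Enum values copied from the property table on this page.
ENUMS = {
    "applicationGuardBlockFileTransfer": {
        "notConfigured", "blockImageAndTextFile", "blockImageFile", "blockNone", "blockTextFile"},
    "applicationGuardBlockClipboardSharing": {
        "notConfigured", "blockBoth", "blockHostToContainer", "blockContainerToHost", "blockNone"},
    "appLockerApplicationControl": {
        "notConfigured", "enforceComponentsAndStoreApps", "auditComponentsAndStoreApps",
        "enforceComponentsStoreAppsAndSmartlocker", "auditComponentsStoreAppsAndSmartlocker"},
    "firewallPreSharedKeyEncodingMethod": {"deviceDefault", "none", "utF8"},
    "firewallCertificateRevocationListCheckMethod": {"deviceDefault", "none", "attempt", "require"},
    "firewallPacketQueueingMethod": {
        "deviceDefault", "disabled", "queueInbound", "queueOutbound", "queueBoth"},
}
ODATA_TYPE = "#microsoft.graph.windows10EndpointProtectionConfiguration"
SERVER_SET = {"id", "createdDateTime", "lastModifiedDateTime"}  # assumption: server-assigned
IDLE_KEY = "firewallIdleTimeoutForSecurityAssociationInSeconds"

def lint_body(body):
    """Return a list of findings; an empty list means the body passed every check."""
    findings = []
    if body.get("@odata.type") != ODATA_TYPE:
        findings.append("@odata.type: expected " + ODATA_TYPE)
    for key in sorted(SERVER_SET & body.keys()):
        findings.append(key + ": server-assigned, omit from the request")
    for key, allowed in ENUMS.items():
        if key in body and body[key] not in allowed:
            findings.append(f"{key}: {body[key]!r} is not a documented value")
    idle = body.get(IDLE_KEY)
    if idle is not None and not (isinstance(idle, int) and 300 <= idle <= 3600):
        findings.append(f"{IDLE_KEY}: {idle!r} is outside 300..3600")
    xml_b64 = body.get("defenderExploitProtectionXml")
    if xml_b64 is not None:
        try:
            base64.b64decode(xml_b64, validate=True)  # Binary travels as base64 in JSON
        except (binascii.Error, ValueError, TypeError):
            findings.append("defenderExploitProtectionXml: not valid base64")
    return findings

# Constructed input: the timeout of 2 is the value used in this page's sample request.
SAMPLE = {
    "@odata.type": ODATA_TYPE,
    "firewallPacketQueueingMethod": "queueAll",             # not a documented value
    IDLE_KEY: 2,
    "defenderExploitProtectionXml": "<MitigationPolicy/>",  # raw XML, not base64
}
```

Run against the sample request on this page, the only finding is the idle timeout of 2, which falls outside the documented range.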