Export/import all EndPoint Manager configurations




I'm working on a streamlined process to configure the basics in EndPoint Manager and thought to use Microsoft Graph API to import configuration profiles when we get new customers for the basics.


I've started to have a basic and then I want to export all the configurations to JSON files; however, not everything within EndPoint Security is exported.

Configurations that are missing:

- Attack Surface Reduction Rules

- Defender Antivirus

- Defender Firewall


EDR, application control and account protection are exported though. 


I'm using the following string for EndPoint Security in my script:


#Endpoint Security policies
$endpointSecurityPoliciesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/intents" -Method Get)
$endpointSecurityPolicies = $endpointSecurityPoliciesRequest.value

$endpointSecurityTemplatesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/templates?`$filter=(isof(%27microsoft.graph.securityBaselineTemplate%27))" -Method Get)
$endpointSecurityTemplates = $endpointSecurityTemplatesRequest.value

#Endpoint Security policies
foreach($policy in $endpointSecurityPolicies){
  try {
    $filePath = "$($location)\EndPoint Security - $($policy.displayName).json"
    # Creating object for JSON output
    $JSON = New-Object -TypeName PSObject

    Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'displayName' -Value $policy.displayName
    Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'description' -Value $policy.description
    Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'roleScopeTagIds' -Value $policy.roleScopeTagIds
    # Matching the policy to the template it was created from
    $ES_Template = $endpointSecurityTemplates | Where-Object { $_.id -eq $policy.templateId }
    Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'TemplateDisplayName' -Value $ES_Template.displayName
    Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'TemplateId' -Value $ES_Template.id
    Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'versionInfo' -Value $ES_Template.versionInfo

    # Getting all categories in specified Endpoint Security Template
    $categoriesRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/templates/$($ES_Template.id)/categories" -Method Get)
    $categories = $categoriesRequest.value

    $settings = @()
    foreach($category in $categories){
      $policyId = $policy.id
      $categoryId = $category.id
      $categorySettingsRequest = (Invoke-RestMethod -Headers $HeaderParams -Uri "https://graph.microsoft.com/beta/deviceManagement/intents/$policyId/categories/$categoryId/settings?`$expand=Microsoft.Graph.DeviceManagementComplexSettingInstance/Value" -Method Get)
      $settings += $categorySettingsRequest.value
    }

    # Adding All settings to settingsDelta ready for JSON export
    Add-Member -InputObject $JSON -MemberType 'NoteProperty' -Name 'settingsDelta' -Value @($settings)

    $JSON | ConvertTo-Json -Depth 5 | Out-File $filePath
    Write-Host "Exported policy: $($policy.displayName)" -ForegroundColor Green
  }
  catch {
    # Report the failure for this policy and continue with the next one
    Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
  }
}



Has anyone tried the same and succeeded, and can share the script for it?


Import part should be solved as soon as I can export all the configurations.





4 Replies
We have scripted the whole import when configuring a new tenant and a bit of DSC... but as always Mick has a nice source for everything you need
Why would you try to reinvent the wheel?
Haven't seen this one! Gonna take a look at it. Thanks!



It's the same with this one, antivirus, firewall and ASR rules are not visible and not able to manage:



So it won't work for me.

@Martin Front The "Settings Catalog" has all of these you are looking for.
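
The Settings Catalog route mentioned in the last reply, as an added example that is not part of the thread or any poster's script: it exports every policy under the Graph beta `deviceManagement/configurationPolicies` endpoint together with its settings. It assumes `$HeaderParams` and `$location` are set as in the script above; `Get-GraphPaged` is a hypothetical helper name.

```powershell
# Added example. Assumes $HeaderParams (auth header) and $location (export folder)
# are already set as in the original script. Get-GraphPaged is a hypothetical helper.
function Get-GraphPaged {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Headers
    )
    $items = @()
    while ($Uri) {
        $response = Invoke-RestMethod -Headers $Headers -Uri $Uri -Method Get
        $items += $response.value
        # Graph returns @odata.nextLink while more pages remain
        $Uri = $response.'@odata.nextLink'
    }
    return $items
}

$base = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"
$policies = Get-GraphPaged -Uri $base -Headers $HeaderParams

foreach ($policy in $policies) {
    try {
        $settings = Get-GraphPaged -Uri "$base/$($policy.id)/settings" -Headers $HeaderParams

        # Keep the properties that describe the policy, without tenant-specific ids
        $export = [ordered]@{
            name              = $policy.name
            description       = $policy.description
            platforms         = $policy.platforms
            technologies      = $policy.technologies
            roleScopeTagIds   = $policy.roleScopeTagIds
            templateReference = $policy.templateReference
            settings          = @($settings | Select-Object -Property settingInstance)
        }

        # Replace characters that are invalid in Windows file names
        $safeName = $policy.name -replace '[\\/:*?"<>|]', '_'
        $filePath = Join-Path $location "Settings Catalog - $safeName.json"

        # Settings are deeply nested; a low -Depth silently truncates them
        $export | ConvertTo-Json -Depth 20 | Out-File -FilePath $filePath -Encoding utf8
        Write-Host "Exported policy: $($policy.name)" -ForegroundColor Green
    }
    catch {
        Write-Host "Error exporting $($policy.name): $($_.Exception.Message)" -ForegroundColor Red
    }
}
```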