Updates to Beta APIs for Windows Endpoint security and Administrative templates

By: Julia Idaewor – Product Manager II | Microsoft Intune

In 2023, when we began the migration for older Endpoint security policies, we recommended customers to take action to update their automation and scripts for Endpoint security policy creation. You can learn more about the migration in the blog: Endpoint security policies migrating to the unified settings platform in Microsoft Intune.

Starting late March 2025, the Microsoft Graph Beta APIs deviceManagement/templates and deviceManagement/intents will no longer support the creation and management of Endpoint security policies for Windows devices. Additionally, the following Beta APIs will no longer work for managing Administrative templates:

• deviceManagement/groupPolicyCategories
• deviceManagement/groupPolicyConfigurations
• deviceManagement/groupPolicyDefinitions

The old APIs used in the following policies will be replaced with the newer API deviceManagement/configurationPolicies. The new APIs leverage the newer policy infrastructure to improve accuracy and consistency. See a list of affected policies below:

• Antivirus
• Identity Protection
• Disk Encryption
• AV Exclusions
• Application Control
• Web Protection
• Endpoint Detection and Response
• Attack Surface Reduction
• Device Control
• Exploit Protection
• Firewall Rules
• Firewall
• Windows Security
• App Browser
• Administrative templates

Note: Security baselines will not be affected by this API change as they can still be created using the deviceManagement/intents endpoint.

If you're impacted by this change, look for MC955748 in the Message Center. If you’re interacting with Endpoint security policies or Administrative templates via the APIs listed above or, using automation or scripts to create and retrieve policies from these APIs, switch to the new graph endpoint: 'deviceManagement/configurationPolicies' API for policy creation by making POST requests to the corresponding endpoint for each policy.

Examples

Create Policy:
Request Method:  POST
Request URL:  https://graph.microsoft.com/beta/deviceManagement/configurationPolicies

{ "name": "ASR Rules", "description": "", "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance", "groupSettingCollectionValue": [ { "children": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "choiceSettingValue": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingValue", "children": [], "settingValueTemplateReference": { "settingValueTemplateId": "8b17ebce-496f-4b58-9d89-dd1c3861de39" }, "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block" }, "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "e416083e-05e3-4237-b8ec-a6ad49c4571e" } } ] } ], "settingInstanceTemplateReference": { "settingInstanceTemplateId": "19600663-e264-4c02-8f55-f2983216d6d7" }, "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules" } } ], "roleScopeTagIds": [ "0" ], "platforms": "windows10", "technologies": "mdm,microsoftSense", "templateReference": { "templateId": "e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1" } }

Get Policy:
Request Method: GET
Request URL: https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('ec100030-eee3-4d13-9073-019affc599eb')

Update Policy:
Request Method:  PUT
Request URL:  https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('ec100030-eee3-4d13-9073-019affc599eb')
Body:

{ "name": "ASR Rules", "description": "", "creationSource": null, "settings": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationSetting", "settingInstance": { "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "19600663-e264-4c02-8f55-f2983216d6d7" }, "groupSettingCollectionValue": [ { "settingValueTemplateReference": null, "children": [ { "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts", "settingInstanceTemplateReference": { "settingInstanceTemplateId": "e416083e-05e3-4237-b8ec-a6ad49c4571e" }, "choiceSettingValue": { "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_warn", "settingValueTemplateReference": { "settingValueTemplateId": "8b17ebce-496f-4b58-9d89-dd1c3861de39", "useTemplateDefault": false }, "children": [] } } ] } ] } } ], "roleScopeTagIds": [ "0" ], "platforms": "windows10", "technologies": "mdm,microsoftSense", "templateReference": { "templateId": "e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1" } }

If you have any questions, leave a comment below or reach out on X @IntuneSuppTeam.