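# Creates a "Microsoft Defender Firewall rules" policy in Intune through Microsoft Graph:
#   1. sign in interactively and obtain a Graph access token,
#   2. find the firewall-rules security template,
#   3. create a policy instance (intent) from it,
#   4. upload outbound block rules for commonly abused Windows binaries,
#   5. assign the policy to all devices.
#
# NOTE(review): ADAL and the AzureAD module are deprecated by Microsoft, and the
# /beta Graph endpoints can change without notice. Plan a move to MSAL or the
# Microsoft Graph PowerShell SDK and re-test this script after Graph updates.

# Stop on the first failed call. Without this, a failed createInstance is followed
# by POSTs to "intents//updateSettings" and "intents//assign" with an empty id.
$ErrorActionPreference = 'Stop'

# --- OAuth token -------------------------------------------------------------
$clientId    = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceURI = "https://graph.microsoft.com/"
$authority   = "https://login.microsoftonline.com/common"

# The ADAL assemblies ship inside the AzureAD module directory.
$AadModule = Import-Module -Name AzureAD -ErrorAction Stop -PassThru
$adal      = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null

$authContext        = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# "Always" forces an interactive prompt instead of silently reusing a cached session.
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Always"

# AcquireTokenAsync returns a Task; reading .Result blocks until sign-in completes.
$authResult  = $authContext.AcquireTokenAsync($resourceURI, $clientId, $redirectUri, $platformParameters)
$accessToken = $authResult.Result.AccessToken
if ([string]::IsNullOrEmpty($accessToken)) {
    throw "No access token was returned; sign-in failed or was cancelled."
}

# Build the bearer header once instead of repeating it on every request.
$headers = @{ Authorization = "Bearer $accessToken" }

# --- List all security templates (informational output) ------------------------
$apiUrl = 'https://graph.microsoft.com/beta/deviceManagement/templates'
$Data = Invoke-RestMethod -Headers $headers -Uri $apiUrl -Method Get
$Data.value

# --- Get the firewall rules template from Graph --------------------------------
$firewall = Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/beta/deviceManagement/templates?`$filter=startswith(displayName,'Microsoft Defender Firewall rules (Preview)')" -Headers $headers
$firewall.value

# startswith() can match zero or several templates. Either case would produce a
# broken createInstance URL, so require exactly one match with a usable id.
$firewallTemplates = @($firewall.value)
if ($firewallTemplates.Count -ne 1 -or -not $firewallTemplates[0].id) {
    throw "Expected exactly one firewall rules template, found $($firewallTemplates.Count)."
}
$templateId = $firewallTemplates[0].id

# --- Create a new template instance (policy) -----------------------------------
$request = @{
    displayName = "Windows10_firewall_rules"
    description = "Windows 10 firewall rules"
    templateId  = $templateId
}
$json = ConvertTo-Json $request
$instance = Invoke-RestMethod -Method Post -Uri "https://graph.microsoft.com/beta/deviceManagement/templates/$templateId/createInstance" -Headers $headers -ContentType 'Application/Json' -Body $json
$instance
if (-not $instance.id) {
    throw "createInstance did not return a policy id."
}

# --- Outbound block rules --------------------------------------------------------
# One outbound "blocked" rule per binary path; every other rule field is identical.
# Rule names are kept exactly as in the original payload (including their spelling)
# so existing references to them still match.
#
# Fixes relative to the original payload:
#   * block_outbound_cmd: the path ended in a tab character ("cmd.exe\t"), so the
#     rule could not match the real cmd.exe path.
#   * block_outbound_mstha_x64: pointed at System32\mshta.exe, duplicating
#     block_outbound_mshta_x86 and leaving SysWOW64\mshta.exe uncovered. It now
#     follows the file's own "_x64 -> SysWOW64" convention.
#
# NOTE(review): on 64-bit Windows, SysWOW64 holds the 32-bit binaries, so the
# _x64/_x86 suffixes in these names are the reverse of the actual bitness.
# NOTE(review): rundll32, cmstp, regasm, csc and IEExec are covered in one directory
# or one .NET Framework version only; confirm whether the other copies present on
# your devices (e.g. SysWOW64, Framework64, v4.0.30319) need rules too.
$blockedBinaries = @(
    @{ Name = 'block_outbound_cmd';                  Path = 'c:\Windows\System32\cmd.exe' }
    @{ Name = 'block_outbound_calc_x64';             Path = '%SystemRoot%\Syswow64\calc.exe' }
    @{ Name = 'block_outbound_calc_x86';             Path = '%SystemRoot%\System32\calc.exe' }
    @{ Name = 'block_outbound_cscript_x86';          Path = 'c:\windows\system32\cscript.exe' }
    @{ Name = 'block_outbound_cscript_x64';          Path = 'c:\windows\syswow64\cscript.exe' }
    @{ Name = 'block_outbound_wscript_x64';          Path = 'c:\windows\syswow64\wscript.exe' }
    @{ Name = 'block_outbound_wscript_x86';          Path = 'c:\windows\system32\wscript.exe' }
    @{ Name = 'block_outbound_rundll32_x86';         Path = 'C:\windows\system32\rundll32.exe' }
    @{ Name = 'block_outbound_regsvr32_x86';         Path = 'c:\windows\system32\regsvr32.exe' }
    @{ Name = 'block_outbound_regsvr32_x64';         Path = 'C:\Windows\SysWOW64\regsvr32.exe' }
    @{ Name = 'block_outbound_mshta_x86';            Path = 'c:\windows\system32\mshta.exe' }
    @{ Name = 'block_outbound_mstha_x64';            Path = '%SystemRoot%\SysWOW64\mshta.exe' }
    @{ Name = 'block_outbound_odbconf_x86';          Path = 'c:\windows\system32\odbcconf.exe' }
    @{ Name = 'block_outbound_odbconf_x64';          Path = 'c:\windows\syswow64\odbcconf.exe' }
    @{ Name = 'block_outbound_csrss_x86';            Path = '%SystemRoot%\System32\csrss.exe' }
    @{ Name = 'block_outbound_esentutl_x86';         Path = 'C:\Windows\System32\esentutl.exe' }
    @{ Name = 'block_outbound_esentutl_x64';         Path = 'C:\Windows\SysWOW64\esentutl.exe' }
    @{ Name = 'block_outbound_cmstp_x86';            Path = '%SystemRoot%\System32\cmstp.exe' }
    @{ Name = 'block_outbound_certutil_x64';         Path = 'c:\windows\syswow64\certutil.exe' }
    @{ Name = 'block_outbound_certutil_x86';         Path = 'c:\windows\system32\certutil.exe' }
    @{ Name = 'block_outbound_instaulutil_x86';      Path = '%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe' }
    @{ Name = 'block_outbound_instaullutil_x64';     Path = '%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\InstallUtil.exe' }
    @{ Name = 'block_outbound_wsmprovhost_x64';      Path = '%SystemRoot%\Syswow64\wsmprovhost.exe' }
    @{ Name = 'block_outbound_wsmprovhost_x86';      Path = '%SystemRoot%\System32\wsmprovhost.exe' }
    @{ Name = 'block_outbound_presentationhost_x86'; Path = 'c:\windows\system32\PresentationHost.exe' }
    @{ Name = 'block_outbound_presentationhost_x64'; Path = '%SystemRoot%\SysWOW64\PresentationHost.exe' }
    @{ Name = 'block_outbound_msbuild_x86';          Path = '%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe' }
    @{ Name = 'block_outbound_msbuild_x64';          Path = '%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe' }
    @{ Name = 'block_outbound_regasm_x64';           Path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe' }
    @{ Name = 'block_outbound_csc_x86';              Path = '%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\csc.exe' }
    @{ Name = 'block_outbound_ieeexec_x86';          Path = '%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\IEExec.exe' }
)

# Expand each (name, path) pair into the full rule object, in the original field order.
$rules = @(
    foreach ($binary in $blockedBinaries) {
        [ordered]@{
            displayName               = $binary.Name
            description               = ''
            trafficDirection          = 'out'
            action                    = 'blocked'
            profileTypes              = @()
            packageFamilyName         = ''
            filePath                  = $binary.Path
            serviceName               = ''
            protocol                  = 0
            localPortRanges           = @()
            remotePortRanges          = @()
            interfaceTypes            = @()
            localUserAuthorizations   = ''
            useAnyLocalAddressRange   = $true
            actualLocalAddressRanges  = @()
            useAnyRemoteAddressRange  = $true
            actualRemoteAddressRanges = @()
        }
    }
)

# valueJson is a JSON *string* holding the rule array, so the rules are serialized
# first and then embedded; the outer ConvertTo-Json applies the second layer of escaping.
$rulesJson = ConvertTo-Json -InputObject $rules -Depth 5 -Compress

$body = [ordered]@{
    displayName     = 'Windows10_firewall'
    description     = ''
    settings        = @(
        [ordered]@{
            '@odata.type' = '#microsoft.graph.deviceManagementCollectionSettingInstance'
            definitionId  = 'deviceConfiguration--windows10EndpointProtectionConfiguration_firewallRules'
            valueJson     = $rulesJson
        }
    )
    roleScopeTagIds = @('0')
} | ConvertTo-Json -Depth 5

Invoke-RestMethod -Method Post -Uri "https://graph.microsoft.com/beta/deviceManagement/intents/$($instance.id)/updateSettings" -ContentType 'Application/JSON' -Headers $headers -Body $body

# --- Assign to all devices -------------------------------------------------------
# NOTE(review): this targets every managed device immediately. Validating the rules
# against a pilot group first limits the impact if a block rule breaks a legitimate
# workflow (e.g. certutil or MSBuild fetching content during builds or enrollment).
$body = '{"assignments":[{"target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}}]}'
Invoke-RestMethod -Method Post -Uri "https://graph.microsoft.com/beta/deviceManagement/intents/$($instance.id)/assign" -ContentType 'Application/JSON' -Headers $headers -Body $body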