For a home user, it's easy to manage the Windows Firewall. However, if you have more than 50 devices in your network, managing Windows Firewall can become cumbersome. You can manage the Windows Defender Firewall with Group Policy (GPO) or from Intune. This post focuses on configuring the Windows Firewall with Intune.

Prerequisites

Before continuing to read the article, check out the prerequisites:

  • You must have a Microsoft Intune license. The following Microsoft 365 packages include an Intune license:
    • Microsoft 365 E5
    • Microsoft 365 E3
    • Enterprise Mobility + Security E5
    • Enterprise Mobility + Security E3
    • Microsoft 365 Business Premium
    • Microsoft 365 F1
    • Microsoft 365 F3
    • Microsoft 365 Government G5
    • Microsoft 365 Government G3
    • Intune for Education
  • Devices that you would like to manage must be joined to Azure Active Directory as Azure AD registered or Hybrid Azure AD joined.
  • Devices must be Azure Active Directory compliant.

Azure Active Directory join types

There are three Azure AD join types: registered, joined, and hybrid joined.

Registered

Users sign in to Azure AD with a personal Microsoft account or another local account. These devices don't have to be joined to an on-prem Active Directory domain and are usually owned by end users. A typical example is a user working on a home PC who needs access to various company services.

Joined

Users sign in with an organization's Azure AD account on a device that is usually owned by the organization.

Hybrid joined

Users sign in with an organization's on-prem Active Directory Domain Services account, and devices are registered with Azure Active Directory. Typically, these devices are owned by the organization.

All three device types can make use of Azure services.

Ensuring that a device is Azure Active Directory compliant

If you want to manage Windows Firewall with Intune, the devices must be Azure AD compliant as well. This means that the device requires a PIN to unlock, is encrypted, uses a supported OS version, and isn't jailbroken or rooted.

To verify that the device is compliant, follow these steps:

  1. Open the Azure Active Directory Portal.
  2. Click Devices.
  3. Check the Compliant row to verify that the device is Azure AD compliant.
Verify a device is Azure AD compliant

How to create the Firewall policy

Next, you have to create the Firewall policy:

Log in to the M365 Portal.

From the left menu, click Admin.

Select Endpoint Manager.

Endpoint Manager menu

Click Endpoint Security > Firewall > Create Policy.

Create a Firewall policy

From the Platform dropdown list, select Windows 10, Windows 11, and Windows Server.

From the Profile dropdown list, select the Microsoft Defender Firewall. Click Create.

Creating a profile

Type a name that describes the policy.

Naming the profile

In Configuration Settings, you can choose among various options. To enable Windows Defender Firewall on devices and prevent end users from turning it off, you can change the following settings:

  • Domain Profile
    • Set Domain Network Firewall to True.
    • Set Default Inbound Action for Domain Profile to Deny.
    • Set Default Outbound Action to Allow.
  • Private Profile
    • Set Private Network Firewall to True.
    • Set Shielded to True.
    • Set Default Outbound Action to Allow.
  • Public Profile
    • Set Public Network Firewall to True.
    • Set Shielded to True.
    • Set Default Outbound Action to Allow.
Profile settings

In Scope tags, just click Next.

Configuring the profile scope tags

Assign the policy to a computer group and click Next.

Assign the policy to the computer group

Review your settings, and click Create.

Reviewing the policy

Verify that the Firewall policy has been assigned to the devices

You have deployed the Firewall policy to your devices, but how can you verify that the policy has been assigned to the devices?

From the Microsoft Endpoint Manager Admin Center, click Endpoint Security.

Select Firewall, and you will see the policy.

Click the policy to identify the assignment status.

Click the new policy to see statistics

If you click Statistics, you can see the devices to which the policy has been assigned.

Policy assignment statistics

If you want to see the group the Firewall policy is assigned to, click Properties and find the group in Assignments > Included groups.
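The portal shows that the policy was assigned, but it is also worth confirming on the endpoint itself that the settings from the Configuration Settings section are actually in effect. The following PowerShell script is an added example and is not part of the original article. It assumes a Windows 10/11 device with the NetSecurity module and dsregcmd available, the profile values listed above (Domain: inbound Deny; Private and Public: Shielded), and that the Intune Shielded setting is reported locally as AllowInboundRules = False; the expected-value table, the function name and the registry check are the example's own.

```powershell
# Added example (not from the 4sysops article): confirm on an Intune-enrolled
# device that the effective Windows Defender Firewall profile state matches
# the policy configured in the post.

# 1. Join/MDM state: the policy can only arrive on a device that is Azure AD
#    joined/registered and MDM-enrolled. dsregcmd reports both.
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|MdmUrl'

# 2. Expected per-profile state, mirroring the Intune settings from the post.
#    Assumption: Shielded = True in the Intune profile shows up locally as
#    AllowInboundRules = False ("block all inbound connections").
$expected = @{
    Domain  = @{ Enabled = $true; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow' }
    Private = @{ Enabled = $true; AllowInboundRules = $false;    DefaultOutboundAction = 'Allow' }
    Public  = @{ Enabled = $true; AllowInboundRules = $false;    DefaultOutboundAction = 'Allow' }
}

function Test-FirewallProfileState {
    param([hashtable]$Expected)

    foreach ($profileName in $Expected.Keys) {
        # ActiveStore is the merged, effective configuration, i.e. what the
        # firewall enforces after MDM/GPO policy has been applied.
        $actual = Get-NetFirewallProfile -Name $profileName -PolicyStore ActiveStore

        foreach ($setting in $Expected[$profileName].Keys) {
            $want = $Expected[$profileName][$setting]
            $got  = $actual.$setting
            [pscustomobject]@{
                Profile  = $profileName
                Setting  = $setting
                Expected = $want
                Actual   = $got
                # Compare as strings: the cmdlet returns enum values (GpoBoolean, Action)
                Match    = ("$got" -eq "$want")
            }
        }
    }
}

$report = Test-FirewallProfileState -Expected $expected
$report | Format-Table -AutoSize

$mismatches = $report | Where-Object { -not $_.Match }
if ($mismatches) {
    Write-Warning "$($mismatches.Count) setting(s) differ from the Intune policy; check the device's Intune sync status."
} else {
    Write-Host 'All firewall profile settings match the Intune policy.'
}

# 3. Optional: MDM-delivered firewall settings are written as policy values.
#    Assumption: they live under the WindowsFirewall policy key, so a populated
#    key is a further sign that the CSP applied something on this device.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
if (Test-Path $policyKey) {
    Get-ChildItem $policyKey | ForEach-Object { Get-ItemProperty $_.PSPath }
} else {
    Write-Warning "No policy key at $policyKey; the firewall policy may not have reached this device yet."
}
```

Run the script in an elevated PowerShell session on a device that is a member of the assigned group. A row with Match = False after a successful Intune sync usually means the device received a different or conflicting policy (for example a GPO that still applies to hybrid-joined devices), which is exactly the case where comparing ActiveStore against the intended values is more informative than the portal's assignment count.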

Policy properties

Conclusion

With Intune, it is very easy to deploy different policies to devices that aren't connected to your on-prem network. This is the biggest advantage of Intune over managing Windows Defender Firewall with Group Policy.

© 4sysops 2006 - 2023