Manage Windows Defender Firewall with Intune - Mon, Oct 10 2022
Prerequisites
Before continuing to read the article, check out the prerequisites:
- You must have a Microsoft Intune license. The following Microsoft 365 packages include an Intune license:
  - Microsoft 365 E5
  - Microsoft 365 E3
  - Enterprise Mobility + Security E5
  - Enterprise Mobility + Security E3
  - Microsoft 365 Business Premium
  - Microsoft 365 F1
  - Microsoft 365 F3
  - Microsoft 365 Government G5
  - Microsoft 365 Government G3
  - Intune for Education
- Devices that you would like to manage must be joined to Azure Active Directory, either as Azure AD registered or as Hybrid Azure AD joined.
- Devices must be Azure Active Directory compliant.
Azure Active Directory join types
There are three Azure AD join types: registered, joined, and hybrid joined.
Registered
Users sign in to Azure AD with a personal Microsoft account or another local account. These devices don't have to join an on-prem Active Directory domain and are usually owned by end users. A typical example is a user working on a home PC who needs access to various company services.
Joined
Users sign in with an organization's Azure AD account on a device that is usually owned by the organization.
Hybrid joined
Users sign in with an organization's on-prem Active Directory Domain Services account, and devices are registered with Azure Active Directory. Typically, these devices are owned by the organization.
All three device types can make use of Azure services.
Ensuring that a device is Azure Active Directory compliant
If you want to manage Windows Firewall with Intune, the devices must be Azure AD compliant as well. This means that the device requires a PIN to unlock, is encrypted, uses a supported OS version, and isn't jailbroken or rooted.
To verify that the device is compliant, follow these steps:
- Open the Azure Active Directory Portal.
- Click Devices.
- Check the Compliant row to verify that the device is Azure AD compliant.
How to create the Firewall policy
Next, you have to create the Firewall policy:
- Log in to the M365 Portal.
- From the left menu, click Admin.
- Select Endpoint Manager.
Endpoint Manager menu
- Click Endpoint Security > Firewall > Create Policy.
- From the Platform dropdown list, select Windows 10, Windows 11, and Windows Server.
- From the Profile dropdown list, select Microsoft Defender Firewall and click Create.
- Type a name that describes the policy.
In Configuration Settings, you can choose among various options. To enable Windows Defender Firewall on devices and prevent end users from turning it off, you can change the following settings:
- Domain Profile
  - Set Domain Network Firewall to True.
  - Set Default Inbound Action for Domain Profile to Deny.
  - Set Default Outbound Action to Allow.
- Private Profile
  - Set Private Network Firewall to True.
  - Set Shielded to True.
  - Set Default Outbound Action to Allow.
- Public Profile
  - Set Public Network Firewall to True.
  - Set Shielded to True.
  - Set Default Outbound Action to Allow.
Then complete the wizard:
- In Scope tags, just click Next.
- Assign the policy to a computer group and click Next.
- Review your settings, and click Create.
Verify that the Firewall policy has been assigned to the devices
You have deployed the Firewall policy to your devices, but how can you verify that the policy has been assigned to the devices?
- From the Microsoft Endpoint Manager Admin Center, click Endpoint Security.
- Select Firewall, and you will see the policy.
- Click the policy to identify the assignment status.
- If you click Statistics, you can see the devices to which the policy has been assigned.
- If you want to see the group the Firewall policy is assigned to, click Properties and find the group in Assignments > Included groups.
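The admin center shows that the policy was assigned; it does not show what actually landed on the device. The following script is an added example (not from the article or from Microsoft) that reads the effective firewall profiles on a managed Windows 10/11 device and compares them with the settings configured above. It assumes an elevated PowerShell session, that the article's "Deny" inbound action corresponds to the NetSecurity module's Block action, and that the Intune "Shielded" option is reflected in the AllowInboundRules property being False.

```powershell
# Expected state per profile, taken from the policy settings in this article.
# Property names are those exposed by Get-NetFirewallProfile.
$Expected = @{
    Domain  = @{ Enabled = 'True'; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow' }
    Private = @{ Enabled = 'True'; AllowInboundRules = 'False'; DefaultOutboundAction = 'Allow' }
    Public  = @{ Enabled = 'True'; AllowInboundRules = 'False'; DefaultOutboundAction = 'Allow' }
}

function Test-DefenderFirewallPolicy {
    # Hypothetical helper for this example: returns one row per checked setting.
    param([hashtable]$Expected)

    foreach ($profileName in $Expected.Keys) {
        # ActiveStore is the policy currently in effect (local, GPO and MDM merged).
        $actual = Get-NetFirewallProfile -Name $profileName -PolicyStore ActiveStore

        foreach ($setting in $Expected[$profileName].Keys) {
            $want = $Expected[$profileName][$setting]
            $have = [string]$actual.$setting   # enum values stringify as True/False/Block/Allow
            [pscustomobject]@{
                Profile  = $profileName
                Setting  = $setting
                Expected = $want
                Actual   = $have
                Status   = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
            }
        }
    }
}

$report = Test-DefenderFirewallPolicy -Expected $Expected
$report | Format-Table -AutoSize

# Non-zero exit lets a remediation or monitoring job pick up devices that
# received the assignment but whose profiles do not match the policy.
if ($report.Status -contains 'DRIFT') {
    Write-Warning 'One or more firewall profiles do not match the Intune policy.'
    exit 1
}
```

A DRIFT row for a setting that shows NotConfigured usually means the policy has not synced to the device yet; a DRIFT row with a different explicit value points to a conflicting local or Group Policy setting.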
Conclusion
With Intune, it is very easy to deploy different policies to devices that aren't connected to your on-prem network. This is the biggest advantage of Intune over managing Windows Defender Firewall with Group Policy.