MSEndpointMgr

Manage Windows Firewall rules in Windows 10 with Microsoft Intune

For many organizations, it’s an extremely common requirement to be able to configure the local Windows Firewall on any given device, in terms of adding specific rules. Up until today, there’s been no built-in way to manage these configuration requirements other than resorting to custom PowerShell scripts deployed using the Intune Management Extension. However, this changes now. It’s been a long wait, but it’s finally here. Microsoft Intune now has the capability to add custom firewall rules to a Windows 10 device using Endpoint Protection profiles. As of writing this blog post, this new feature is in preview and there are some minor known limitations; more about those later in this post.

Even though this new feature is only now available through the native portal experience, the Firewall CSP in Windows 10 has been around since version 1709 and supports this type of configuration. Read more about the settings and the Firewall CSP in the documentation below:

https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp

Recently, there has been some chatter about a known vulnerability affecting Remote Desktop Services on older versions of Windows, though not Windows 10 specifically. Let’s paint a scenario here for demonstration purposes though. Say that you want to take preventive measures against potential future vulnerabilities and block incoming Remote Desktop requests on your Windows 10 devices, which means blocking port 3389. This would prevent your end users from remotely accessing their devices, so let’s use this as the example throughout the blog post to show how to configure it on your Windows 10 devices with the new Windows Firewall rules configuration feature available in Microsoft Intune. I’ll also cover what’s required in case you don’t want the firewall rule to perform a blocking operation but an allow operation instead.

Create an Endpoint Protection profile

As mentioned already, the new Windows Firewall rule configuration feature exists under the Windows Defender Firewall configuration blade in an Endpoint Protection profile.

  • In the Intune portal, navigate to the Device Configuration blade.

  • Under Manage, navigate to Profiles.

  • Click on Create Profile.

  • Configure the following for the new profile and select the Windows Defender Firewall blade afterwards:
    • Name: <corp-name>-Win10-EndpointProtection-FirewallRules-Block (or follow your current naming standard)
    • Platform: Windows 10 or later
    • Profile type: Endpoint Protection

  • Scroll down to the bottom and click the Add button under Firewall rules.

At this point, continue with the section that best describes the desired action of the firewall rule configuration, either block or allow. Both actions are configured in a very similar way; however, it’s important that the correct configuration is applied.

Add a blocking firewall configuration rule

This section of the post continues the configuration from the previous section for the scenario outlined above: blocking Remote Desktop to devices.

  • Configure the following for the new rule:
    • Name: Block-Incoming-TCP-3389
    • Direction: Inbound
    • Action: Block
    • Network type: <select at least Domain>

  • Continue to configure the new rule by scrolling down to Ports and protocol settings, using the following configuration and click OK when completed:
    • Protocol: TCP
    • Local ports: Specified ports
    • Ports: 3389

  • Click OK in the Windows Defender Firewall blade and the Endpoint Protection blade. Finally click Create in the Create profile blade to create the new firewall rule configuration profile.

Add an allowing firewall configuration rule

Although the configuration requirements for a blocking rule and an allowing rule are almost identical, below are the same steps described for allowing Remote Desktop on devices.

  • Configure the following for the new rule:
    • Name: Allow-Incoming-TCP-3389
    • Direction: Inbound
    • Action: Allow
    • Network type: <select at least Domain>

  • Continue to configure the new rule by scrolling down to Ports and protocol settings, using the following configuration and click OK when completed:
    • Protocol: TCP
    • Local ports: Specified ports
    • Ports: 3389

  • Click OK in the Windows Defender Firewall blade and the Endpoint Protection blade. Finally click Create in the Create profile blade to create the new firewall rule configuration profile.

Assign the Endpoint Protection profile

Assign the newly created Endpoint Protection profile to either all devices or a group of devices of your choice.

End-user experience and result

Experienced administrators generally verify the correct firewall configuration for either inbound or outbound rules using the Windows Defender Firewall with Advanced Security snap-in, as shown in the picture below.

However, it has been reported that the firewall configuration that’s assigned to devices using Microsoft Intune only shows up under the Monitoring – Firewall section of the same snap-in, as shown in the picture below.

I’ll not speculate whether this is a known bug or not, but I’m assuming that it will be addressed once the feature comes out of preview. With this information at hand, our configuration scenario to block incoming Remote Desktop requests can be verified by navigating to Monitoring – Firewall as shown below. Here we can see the firewall rule that we created with our given name and that it’s indeed blocking any incoming Remote Desktop requests.
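Since the snap-in’s rule views may not list the Intune-delivered rule, the following script is an added example (not part of the original post) for verifying the effective rule on a device with the NetSecurity cmdlets. It assumes the rule names used above appear as the rule’s DisplayName on the device and that it runs in an elevated session.

```powershell
# Added example: verify that an Intune-delivered firewall rule is active and matches the
# configuration from the post. Rule names below are the ones used in this post.
function Test-IntuneFirewallRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [ValidateSet('Allow', 'Block')] [string] $ExpectedAction = 'Block',
        [ValidateSet('Inbound', 'Outbound')] [string] $ExpectedDirection = 'Inbound',
        [string] $ExpectedProtocol = 'TCP',
        [string] $ExpectedLocalPort = '3389'
    )

    # ActiveStore is the effective rule set; MDM-delivered rules are present here even
    # when the "Inbound Rules" view of the snap-in does not list them.
    $rule = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $rule) {
        return [pscustomobject]@{ DisplayName = $DisplayName; Present = $false; Compliant = $false
                                  Findings = @('Rule not found in ActiveStore') }
    }

    $port = $rule | Get-NetFirewallPortFilter
    $findings = @()
    if ("$($rule.Enabled)" -ne 'True')              { $findings += "Enabled is $($rule.Enabled)" }
    if ("$($rule.Direction)" -ne $ExpectedDirection) { $findings += "Direction is $($rule.Direction)" }
    if ("$($rule.Action)" -ne $ExpectedAction)       { $findings += "Action is $($rule.Action)" }
    if ($port.Protocol -ne $ExpectedProtocol)        { $findings += "Protocol is $($port.Protocol)" }
    if (@($port.LocalPort) -notcontains $ExpectedLocalPort) { $findings += "LocalPort is $($port.LocalPort -join ',')" }

    # Block rules take precedence over allow rules in Windows Firewall, so an allow rule for
    # the same port is overridden by any active block rule on that port.
    if ($ExpectedAction -eq 'Allow') {
        $candidates = Get-NetFirewallRule -PolicyStore ActiveStore -Direction $ExpectedDirection -Action Block -Enabled True
        foreach ($b in $candidates) {
            $bp = $b | Get-NetFirewallPortFilter
            if ($bp.Protocol -eq $ExpectedProtocol -and @($bp.LocalPort) -contains $ExpectedLocalPort) {
                $findings += "Overridden by block rule '$($b.DisplayName)'"
            }
        }
    }

    [pscustomobject]@{
        DisplayName = $DisplayName
        Present     = $true
        Source      = $rule.PolicyStoreSource   # where the rule came from (MDM, GPO or local)
        Compliant   = ($findings.Count -eq 0)
        Findings    = $findings
    }
}

Test-IntuneFirewallRule -DisplayName 'Block-Incoming-TCP-3389' -ExpectedAction Block
Test-IntuneFirewallRule -DisplayName 'Allow-Incoming-TCP-3389' -ExpectedAction Allow
```

The check runs against the same effective rule set that the Monitoring – Firewall view reads, so it reports the rule even when the Inbound Rules view is empty.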

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years, specializing in Enterprise Mobility and Security, Windows devices and deployments, including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tool contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd and ConfigMgr WebService, to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections, including Nordic user groups.

1 comment

  • Somehow rules in which the “Allow” action has been defined are not working, and they are not even listed in Monitoring -> Firewall. Are you facing the same issue?
