How to create Windows defender firewall rules using Intune

Windows Defender Firewall is a critical security feature built into Microsoft Windows operating systems, designed to safeguard computers and networks from unauthorized access and potential threats. As a crucial component of Windows Defender, the built-in firewall acts as a protective barrier, monitoring incoming and outgoing network traffic to prevent malicious entities from infiltrating or compromising your system.

This robust firewall operates by analyzing data packets, scrutinizing their source, destination, and characteristics, and then making decisions based on predefined rules and policies. By default, Windows Defender Firewall is enabled on Windows machines and works silently in the background, shielding your device from potential cybersecurity risks.

As an Intune Administrator, you want to make sure that Windows defender firewall is switched on and end users will not be able to turn it off. You can easily manage Windows defender firewall using Intune.

There are a lot of pre-defined Inbound and Outbound firewall rules already created on Windows 10 and Windows 11 computers. However, there may be a case where you need to create a custom Inbound or Outbound firewall rule.

For example: You want to allow the Remote Desktop Protocol (RDP) port from a source 10.1.1.2 to the destination subnet 10.2.3.0/24. This will allow users logging on to the 10.1.1.2 computer to take RDP control of computers in the subnet range 10.2.3.0/24.

Create a Windows defender firewall rule on Intune Admin center

Let’s check the steps to create a Windows Defender Firewall rule from the Intune admin center. Please make sure the devices are enrolled in and managed by Intune. I would be targeting Windows 10 and Windows 11 devices using this policy.

  • Sign in to the Microsoft Intune admin center.
  • Click on Endpoint Security > Firewall.
  • Click on + Create Policy to create a new Firewall Policy.
  • Platform: Windows 10, Windows 11, and Windows Server.
  • Profile: Windows Defender Firewall Rules.
  • Click on Create to create this policy.

Basics Tab

Provide a Name and Description of the Policy. Click on Next to proceed further.

  • Name: Cloudinfra RDP Allow Rule
  • Description: This Firewall Rule will allow Remote Desktop Protocol (RDP) Port from a source 10.1.1.2 to destination subnet 10.2.3.0/24.

Configuration Settings

On the configuration settings tab, you can create a custom windows defender firewall rule. When you reach configuration settings tab, there will already be a default Allow rule ready for you to customize according to your requirement. Click on + Edit rule to customize the rule.

Edit existing firewall rule on Intune

A Configure Instance pane will open on the right hand side where you can configure the firewall rule settings. I will configure only below minimum settings to be able to complete the requirements of allowing RDP port from a source 10.1.1.2 to destination subnet 10.2.3.0/24.

  • Enabled: Enabled
  • Name: Allow RDP from 10.1.1.2
  • Interface Types: All
  • Direction: The rule applies to Inbound traffic
  • Action: Allow
  • Local Port Ranges: 3389
  • Remote Address Ranges: 10.1.1.2
  • Protocol: 6
  • Local Address ranges: 10.2.3.0/24
Allow RDP from 10.1.1.2 Firewall Rule definition created

All Firewall Settings

Enabled: Indicates whether the rule is enabled or disabled. If not specified – a new rule is disabled by default.

Name: Specifies the friendly name of the firewall rule.

Interface Types: Multiple interface types can be included in the string by separating each value with a “,”. Acceptable values are “RemoteAccess”, “Wireless”, “Lan”, and “All”. If more than one interface type is specified, the strings must be separated by a comma.

File Path: The file path of an app is simply its location on the client device. For example, C:\Windows\System\Notepad.exe or %WINDIR%\Notepad.exe. You can define one application to be used in each Firewall rule. If you specify multiple conditions in a single rule, these will be treated as an AND operation. i.e program=svchost.exe AND service=mpssvc, etc. All of the app related conditions in a single rule work to scope the traffic even further, so they must all correspond to the specific app/service.

Remote Port Ranges: List of remote port ranges. Valid values include:
  • A valid port number between 0 and 65535. For example, 200.
  • A port range in the format of “start port-end port” with no spaces included, where the start port is less than the end port. For example, 300-320.
If not specified, the default is “All ports.” When defining multiple local and remote port ranges, the firewall rule is evaluated as OR operations within an individual field and AND operations across rule fields, i.e. (local port A OR local port B) AND (remote port A OR remote port B). When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).

Edge Traversal: Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default.

Local User Authorized List: Specifies the list of authorized local users for this rule. A list of authorized users cannot be specified if the rule being authored is targeting a Windows service. If not specified, the default is all users.

Network Types: Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All.

Direction: Comma separated list. The rule is enabled based on the traffic direction as follows: IN – the rule applies to inbound traffic; OUT – the rule applies to outbound traffic. If not specified, the default is OUT.

Service Name: Windows service short names are used in cases when a service, not an application, is sending or receiving traffic. Service short names can be retrieved by running the Get-Service command from PowerShell. You can define one application to be used in each Firewall rule. If you specify multiple conditions in a single rule, these will be treated as an AND operation. i.e program=svchost.exe AND service=mpssvc, etc. All of the app related conditions in a single rule work to scope the traffic even further, so they must all correspond to the specific app/service.

Local Port Ranges: List of local port ranges. Valid values include:
  • A valid port number between 0 and 65535. For example, 200.
  • A port range in the format of “start port-end port” with no spaces included, where the start port is less than the end port. For example, 300-320.
If not specified, the default is “All ports.” When defining multiple local and remote port ranges, the firewall rule is evaluated as OR operations within an individual field and AND operations across rule fields, i.e. (local port A OR local port B) AND (remote port A OR remote port B). When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).

Remote Address Ranges: List of remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include:
  • “*” indicates any remote address. If present, this must be the only token included.
  • “Defaultgateway”
  • “DHCP”
  • “DNS”
  • “WINS”
  • “Intranet” (supported on Windows versions 1809+)
  • “RmtIntranet” (supported on Windows versions 1809+)
  • “Internet” (supported on Windows versions 1809+)
  • “Ply2Renders” (supported on Windows versions 1809+)
  • “LocalSubnet” indicates any local address on the local subnet.
  • A subnet, specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
  • A valid IPv6 address.
  • An IPv4 address range in the format of “start address-end address” with no spaces included, where the start address is less than the end address.
  • An IPv6 address range in the format of “start address-end address” with no spaces included, where the start address is less than the end address.
If not specified, the default is “Any address.”

Action: Specifies the action the rule enforces to block or allow network traffic.

Description: Specifies the description of the rule.

Policy App Id: Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters “:”, “/”, “.”, and “_”. A PolicyAppId and ServiceName cannot be specified in the same rule.

Package Family Name: Package family names can be retrieved by running the Get-AppxPackage command from PowerShell. You can define one application to be used in each Firewall rule. If you specify multiple conditions in a single rule, these will be treated as an AND operation. i.e program=svchost.exe AND service=mpssvc, etc. All of the app related conditions in a single rule work to scope the traffic even further, so they must all correspond to the specific app/service.

Protocol: Select the protocol for this port rule. Transport layer protocols, TCP(6) and UDP(17), allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol. If not specified, the default is “Any.”

ICMP Types And Codes: Specifies the ICMP types and codes the rule applies to. This field is only meaningful when the protocol is set to ICMPv4 (1) or ICMPv6 (58); for TCP (6) and UDP (17), scope the rule with the port range fields instead.

Local Address Ranges: List of local addresses covered by the rule. Valid tokens include:
  • “*” indicates any local address. If present, this must be the only token included.
  • A subnet, specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
  • A valid IPv6 address.
  • An IPv4 address range in the format of “start address-end address” with no spaces included, where the start address is less than the end address.
  • An IPv6 address range in the format of “start address-end address” with no spaces included, where the start address is less than the end address.
If not specified, the default is “Any address.”

Assignments tab

Create an Azure AD security group which contains the devices on which the Windows Defender Firewall rule will be deployed. If you want to make sure this setting applies to all the devices in your organization, you can simply click on + Add all devices in the Assignments tab and click on Next to proceed.

Review + Create

On Review + Create tab, review the Firewall rule policy details and click on Create. You can always go back to this Policy and edit its configuration settings which will enforce the updated settings on the targeted Intune managed devices. In below screenshot, you can see that the CloudInfra RDP Allow Rule has been created.

Windows Defender Firewall rule has been created named: Cloudinfra RDP Allow Rule.

Intune Policy Refresh Cycle

The device will sync / check in to start the Windows Defender Firewall rule policy deployment. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force an Intune refresh cycle on the device, which will speed up the rule creation process. You can also use PowerShell to force an Intune refresh cycle.

Also, you can restart the device first which also starts the device check-in process. Manual sync is not mandatory on user’s devices as the device check-in process happens automatically. But if you are testing this setting on a test device then this can speed up your testing and can save some time.

End User Experience

Let’s check if the firewall rule has been created on the targeted devices. To check it on Windows 10 or Windows 11 devices:

  • Press Windows key + R to open Run dialog box.
  • Type wf.msc to open Windows Defender Firewall with Advanced Security console.

Shortcut to open Windows Defender Firewall Advanced settings (wf.msc)

After waiting for a couple of minutes, I could see the rule created under Monitoring > Firewall.

Windows Defender Firewall rule verification

I have double-clicked on the rule to find more details about the rule settings. As you can see, the rule is created exactly as per the configuration settings from the Intune admin center.

Windows Defender Firewall rule details
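Besides inspecting the rule in wf.msc, you can compare what actually landed on the device with what was entered in Intune. The following PowerShell check is an added example and not part of the original post; it assumes the rule kept the display name "Allow RDP from 10.1.1.2" from the policy above and reads the effective rule set (the same view wf.msc shows under Monitoring > Firewall) with the built-in NetSecurity cmdlets.

```powershell
# Added verification script (not from the original post). Assumes the rule was deployed
# with the display name used in this post; change $RuleName if yours differs.
$RuleName = 'Allow RDP from 10.1.1.2'

# Expected values, taken from the Configure Instance settings in the post.
$Expected = @{
    Enabled       = 'True'
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'          # protocol number 6 in the Intune rule
    LocalPort     = '3389'
    RemotePort    = 'Any'          # not set in the policy, so it defaults to all ports
    LocalAddress  = '10.2.3.0/24'
    RemoteAddress = '10.1.1.2'
}

# ActiveStore is the effective rule set, i.e. what wf.msc lists under Monitoring > Firewall,
# which is where an MDM-delivered rule becomes visible after the device checks in.
$rule = Get-NetFirewallRule -DisplayName $RuleName -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
        Select-Object -First 1
if (-not $rule) {
    Write-Warning "Rule '$RuleName' not found yet. Sync the device with Intune and run this check again."
    return
}

# Port and address scoping live in separate filter objects attached to the rule.
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter

# Observed values, normalised to strings so multi-valued properties compare cleanly.
$Actual = @{
    Enabled       = "$($rule.Enabled)"
    Direction     = "$($rule.Direction)"
    Action        = "$($rule.Action)"
    Protocol      = "$($port.Protocol)"
    LocalPort     = ($port.LocalPort -join ',')
    RemotePort    = ($port.RemotePort -join ',')
    LocalAddress  = ($addr.LocalAddress -join ',')
    RemoteAddress = ($addr.RemoteAddress -join ',')
}

# Report each field side by side and count anything that drifted from the policy.
$mismatch = 0
foreach ($key in ($Expected.Keys | Sort-Object)) {
    $ok = $Actual[$key] -eq $Expected[$key]
    if (-not $ok) { $mismatch++ }
    '{0,-14} expected={1,-12} actual={2,-12} {3}' -f $key, $Expected[$key], $Actual[$key], $(if ($ok) { 'OK' } else { 'MISMATCH' })
}
if ($mismatch -eq 0) { "Rule '$RuleName' matches the Intune policy." }
else { Write-Warning "$mismatch setting(s) differ from the Intune policy." }
```

Run it in an elevated PowerShell session on the target device; a MISMATCH line for LocalAddress or RemoteAddress usually means the address was typed into the wrong field in the Intune rule, which is easy to miss in the Intune UI.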

How to manage Windows defender Firewall using CSP (OMA-URI)

You can also manage Windows Defender Firewall using configuration service provider (CSP) settings. The Firewall CSP allows Intune to configure Windows Defender Firewall global settings, per-profile settings, custom firewall rules, etc. To know more about the Firewall CSP settings, you can click on the link Firewall CSP.

Conclusion

In this blog post, we have seen how to create a custom Windows Defender Firewall rule. I have only shown an Inbound Allow rule, but you could also create a Block rule to block certain traffic or a protocol coming from a particular source.
