Intune Customer Success

Announcing enhanced control for configuring Firewall rules with Windows Defender

Oct 31, 2022

By: Laura Arrizza - Product Manager 2 | Microsoft Intune, Nick Welton - Senior Product Manager | Microsoft 365 Defender, and Jess Krynitsky - Product Manager 2 | Windows Enterprise & Security

Overview & Goals

Microsoft Intune is excited to announce enhanced Windows Defender Firewall security capabilities that allow group settings to be reused when targeting devices and users. Notably, the new settings support Fully Qualified Domain Name (FQDN) rules. These capabilities simplify management and provide more advanced controls for configuring Firewall rules, allowing admins to reuse setting groups across policies. Admins can create and manage groups of properties that can be reused across policies, including properties for:

  • Remote IP address ranges
  • Fully Qualified Domain Name (FQDN) definitions and auto-resolution

This capability is based on additions to the Firewall CSP (see Firewall CSP – Windows Client Management). Further information on the API structure can be found in Firewall dynamic keywords - Win32 apps.

These settings apply to Windows 10, version 20H2 and later, and Windows 11.

Known Issues for FQDN Feature

  • Performance improvements are coming to Windows 10, version 20H2+ in early 2023.

Key Configuration Points for FQDN Feature

Walkthrough

A tour of the new settings…

On the Firewall pane of Endpoint security in Intune, admins will see a new “Reusable settings” tab, which lists the existing settings groups and the number of Firewall policies that use each group.

A screenshot of Reusable setting groups on the Firewall options page in Intune.

A screenshot of the Configure reusable settings (preview) page.

To begin, the admin creates a new “reusable settings” group, giving it a name and description, and then defines its properties.

There are options to include remote IP address ranges, similar to configuring a manual Firewall rule, either through manual definition or by importing a file.

A screenshot of setting the remote IP address ranges in the Configure instance pane on the Configure reusable settings (preview) page in Intune.

The new settings introduce the option to use fully qualified domain names (FQDNs) as part of the rule definition. If the “Auto-Resolve” flag is set to true, the 'keyword' field of this object is expected to be a fully qualified domain name, and the IP addresses will be resolved automatically on the target device.

As stated in the overview, Microsoft Defender for Endpoint Antivirus must be primary and network protection must be enabled on the target devices. If these are not configured, the target device(s) will not enforce the rule with FQDN keywords.

A screenshot of setting the Auto resolve option in the Configure instance pane on the Configure reusable settings (preview) page in Intune.

The tooltips link to the CSP documentation for information on the supported formats.

Note: Up to 100 properties can be added to a group.

When the reusable settings group has been saved, it will appear in the Reusable settings group list. At any point, the admin can edit the group properties.

Going forward, when the admin configures a new Windows 10, version 20H2+ or Windows 11 client Firewall Rules policy, they will see the option to reference any existing reusable settings group. Selecting the “Set reusable groups” link shows the list of existing groups. The admin may then add one or more groups, and the Firewall rule will inherit their properties.

A screenshot of selecting reusable Firewall settings when configuring a new Windows device on the Create profile page in Intune.

Admins can continue to manually configure Firewall rules and their properties and reference groups. They can also mix and match rules that reference reusable groups, rules defined manually within the policy, or both. This provides flexibility and ease of management when configuring many Firewall rules.

A screenshot of Firewall Configuration setting options during configuration of a Windows device.

At any point, an admin can edit a Firewall rule to add or remove reusable groups. If the properties of a reusable group are added, removed, or altered, the Firewall policies inheriting that group's properties will also inherit the changes.

For general information on how to trace and troubleshoot Intune Firewall rule settings see additional information in How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation process.
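
The following PowerShell script is an added example for that troubleshooting step; it is not part of the original post or of Intune's own tooling. Run on a target device, it checks the two prerequisites named above for FQDN rules (Defender AV running as primary, network protection enabled) using Get-MpComputerStatus and Get-MpPreference, lists the MDM-delivered rules in the active policy store together with their effective remote addresses, so an inbound allow rule whose remote scope collapsed to Any stands out, and enumerates the DynamicKeywords registry location that the comments below mention. The AutoResolve registry subkey and the Get-NetFirewallDynamicKeywordAddress cmdlet are assumptions rather than anything stated on this page, and the function names are mine.

```powershell
# Added example (not from the original post or from Intune's own tooling):
# a client-side check for the FQDN-rule prerequisites and for the MDM-delivered
# firewall rules actually in force. Run in an elevated PowerShell on the device.
#Requires -RunAsAdministrator

function Test-FqdnRulePrerequisites {
    # Defender module cmdlets, present on supported Windows 10/11 builds.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode is 'Normal' only when Defender AV is the primary engine;
    # 'Passive Mode' means another AV owns real-time protection.
    $avPrimary = ($status.AMRunningMode -eq 'Normal')

    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit.
    $npValue   = [int]$pref.EnableNetworkProtection
    $npEnabled = ($npValue -eq 1)

    [pscustomobject]@{
        AMRunningMode          = $status.AMRunningMode
        DefenderAvPrimary      = $avPrimary
        NetworkProtectionValue = $npValue
        NetworkProtectionBlock = $npEnabled
        FqdnRulesCanBeEnforced = ($avPrimary -and $npEnabled)
    }
}

function Get-MdmFirewallRuleSummary {
    # Rules the MDM client wrote into the active store, joined to their port and
    # address filters so the effective RemoteAddress is visible per rule.
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object PolicyStoreSource -eq 'MDM' |
        ForEach-Object {
            $addr   = $_ | Get-NetFirewallAddressFilter
            $port   = $_ | Get-NetFirewallPortFilter
            $remote = @($addr.RemoteAddress)
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Enabled       = $_.Enabled
                Direction     = $_.Direction
                Action        = $_.Action
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($remote -join ',')
                # An inbound Allow whose remote scope collapsed to 'Any' is the
                # symptom worth investigating: the reusable group did not apply.
                UnscopedInboundAllow = ($_.Direction -eq 'Inbound' -and
                                        $_.Action -eq 'Allow' -and
                                        $remote -contains 'Any')
            }
        }
}

function Get-MdmDynamicKeywords {
    # Registry location named later in this thread for reusable-group address sets.
    # Only 'NonAutoResolve' is on the page; the 'AutoResolve' sibling is an assumption.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses'
    foreach ($kind in 'NonAutoResolve', 'AutoResolve') {
        $path = Join-Path $base $kind
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem $path | ForEach-Object {
            [pscustomobject]@{
                Kind   = $kind
                Name   = $_.PSChildName
                Values = ($_ | Get-ItemProperty | Select-Object -Property * -ExcludeProperty PS*)
            }
        }
    }

    # Newer builds also expose dynamic keywords through the NetSecurity module
    # (assumed cmdlet name; skipped where it is not available).
    if (Get-Command Get-NetFirewallDynamicKeywordAddress -ErrorAction SilentlyContinue) {
        try { Get-NetFirewallDynamicKeywordAddress -AllAddresses } catch { }
    }
}

Test-FqdnRulePrerequisites | Format-List
Get-MdmFirewallRuleSummary | Format-Table -AutoSize
Get-MdmDynamicKeywords     | Format-List
```

If FqdnRulesCanBeEnforced is false, fix the Defender state before looking at the rules, because the post states FQDN keywords are simply not enforced otherwise. If a rule created from a reusable group reports UnscopedInboundAllow as true, that device is allowing the port from any remote address, which is the condition reported in the comments below and should be treated as an open exposure until the scope is confirmed.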

If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Post updates:

02/08/23: added additional clarification under the Key Configuration Points for FQDN Feature section.

Updated Feb 08, 2023

9 Comments

  • AndyT200

    Florian_Obradovic  hmmm interesting, we didn't trust it so just pumped the remote networks into the rule itself (it wasn't showing on the client as having any remote network restrictions). Admittedly we didn't actually test getting to it from anything outside the reusable settings. Maybe it does work, but that's a horrible experience if it's the case and would make troubleshooting client side difficult if the engineer wasn't aware this was being applied at a higher level that isn't visible.

  • Hi AndyT200 

    nope - I dealt with it 🙂

    "It looks like it's there, but I just tested it and I can access RDP from IPs that aren't listed"

    In my last tests it says any but applies the rules as configured.

    Can you trust it, meh 🙂

  • AndyT200

    Florian_Obradovic Did you get to the bottom of this? I'm seeing the same behavior. Rules are showing as Remote Address 'Any' and not reflecting the reusable setting.

  • I have problems understanding how this works.

    Example:

    Reusable settings "Admin IPs" containing three IP addresses.

    Settings_Policy:

    - don't merge local policies

    - Default Inbound Action: block

    Rules_Policy:

    - allow RDP: Local Port Range: 3389

    - Reusable settings selected

    Will it automatically pull the IPs from the reusable settings group and enable + insert them into the remote address range?

    For me it simply doesn't work and just creates an allow-from-any rule for port 3389:

    Here it looks like it's allowed from any:

    The reusable settings are in the registry: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses\NonAutoResolve

    Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object PolicyStoreSource -eq MDM | Format-Table

    So it looks like it's there, but I just tested it and I can access RDP from IPs that aren't listed 🙂 (no, there are no other rules).

  • niwzen we have identified a bug which may be impacting you. We are in the process of fixing. I will let you know when we have deployed the change.
    Thank you.

  • niwzen

    Hi

    I have a problem with these new preview settings.

    I'm testing on a Windows 10 22H2 machine, with Defender turned on and running the version you mention as the lowest. Network Protection is set to "Block" (checked in regedit, the setting is 1) and DoH is disabled (checked in regedit, the setting is off).

    The firewall policy applies fine when the reusable settings are not applied to the profile, but as soon as I apply the reusable settings (I tested with only one entry, *.microsoft.com) it goes directly into "Not applicable".

    How do I get on from here? I don't really see anything in the event logs or in the console.

    The only thing from the event log is this: MDM Declared Configuration: Function (checkNewInstanceData) operation (Read isNewInstanceData) failed with. (The parameter is incorrect.)

    Thanks!

  • This is a game-changer! congratulations to Laura, Nick, and the rest of the team for making this happen!