Announcing enhanced control for configuring Firewall rules with Windows Defender

By: Laura Arrizza - Product Manager 2 | Microsoft Intune, Nick Welton - Senior Product Manager | Microsoft 365 Defender, and Jess Krynitsky - Product Manager 2 | Windows Enterprise & Security

Overview & Goals

Microsoft Intune is excited to announce enhanced Windows Defender Firewall security capabilities that allow for reusing group settings to target devices and users. Notably, the new settings now support the use of Fully Qualified Domain Name (FQDN) rules. These new capabilities simplify management and provide more advanced controls to configure Firewall rules, allowing admins to reuse setting groups across policies. Admins are able to create and manage groups that contain properties that can be reused across policies, which includes properties for:

• Remote IP address ranges
• Fully Qualified Domain Name (FQDN) definitions and auto-resolution

This capability is based on additions to the Firewall CSP, Firewall CSP – Windows Client Management. Further information on the API structure can be found in Firewall dynamic keywords - Win32 apps.

These settings are applicable for Windows 10, Version 20H2+, and Windows 11.

Known Issues for FQDN Feature

• Performance improvements are coming to Windows 10, Version 20H2+ in early 2023.

Key Configuration Points for FQDN Feature

• Microsoft Defender Antivirus must be turned on and running platform version 4.18.2209.7 or later.
• Network Protection needs to be in block or audit mode. Refer to Turn on network protection for more information.
• DNS over HTTPS (DoH) should be disabled. Verify this is disabled on browsers:
  • Edge, Control the mode of DNS-over-HTTPS
  • Chrome Enterprise Policy List & Management | (Google Documentation)
  • Firefox DNS-over-HTTPS | (Firefox Help (mozilla.org))
• The device’s default DNS resolution settings apply. This feature does not provide any additional DNS security or functionality changes.
  • For Edge version 109 and later, configure the browser to use the default system DNS through this policy: Microsoft Edge Browser Policy Documentation.
  • Here are configuration instructions: Configure Microsoft Edge for Windows with policy settings
    • You can also download the ADMX file from there, follow the directions, and configure it via gpedit.msc for local testing.

Walkthrough

A tour of the new settings…

On the Firewall pane of Endpoint security in Intune, admins will see a new tab available to manage their “Reusable settings” which displays a list of existing settings groups and the number of Firewall policies that are using that particular settings group.

A screenshot of Reusable setting groups on the Firewall options page in Intune.

A screenshot of the Configure reusable settings (preview) page.

To begin, the admin creates a new “reusable settings” group, giving it a name and description and then defines its properties.

There are options to include the remote IP address ranges, similar to configuring a manual Firewall rule, through manual definition or importing a file.

A screenshot of setting the remote IP address ranges in the Configure instance pane on the Configure reusable settings (preview) page in Intune.

The new settings introduce the option to use fully qualified domain names (FQDNs) as part of the rule definition. If the “Auto-Resolve” flag is set to true, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the IP addresses will be automatically resolved (on the target device).

As stated in the overview, Microsoft Defender for Endpoint Antivirus must be primary and network protection must be enabled on the target devices. If not configured, the target device(s) will not enforce the rule with FQDN keywords.

A screenshot of setting the Auto resolve option in the Configure instance pane on the Configure reusable settings (preview) page in Intune.

The tooltips link to the CSP documentation for information on supported format.

Note: Up to 100 properties can be added to the group.

When the reusable setting group has been saved, it will appear in the Reusable settings group list. At any point, the admin can edit the group properties.

Going forward, when the admin configures a new Windows 10, version 20H2+ or Windows 11 client Firewall Rules policy, they will see the option to reference any existing reusable setting group. By selecting the “Set reusable groups” link, the list of existing groups will appear. The admin may then add one or more groups and the Firewall rule will inherit their properties.

A screenshot of selecting reusable Firewall settings when configuring a new Windows device on the Create profile page in Intune.

Admins can continue to manually configure Firewall rules and their properties and reference groups. They can also mix and match other rules that reference reusable groups, have manual definition within policy, or both. This completes flexibility and ease of management when configuring many Firewall rules.

A screenshot of Firewall Configuration setting options during configuration of a Windows device.

At any point, an admin can edit a Firewall rule to remove or add reusable groups. If the properties of a reusable group get added, removed, or altered, the Firewall policies inheriting its group properties will also inherit the changes.

For general information on how to trace and troubleshoot Intune Firewall rule settings see additional information in How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation process.

If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Post updates:

02/08/23: added additional clarification under the Key Configuration Points for FQDN Feature section.