Forum Discussion
CaedenV
Dec 05, 2024 | Copper Contributor
Intune/Defender Firewall Policies
Coming from an environment where the Windows Firewall had been disabled, and having seen the light, we finally got approval to enable the firewall, but I am hitting a learning curve with Intune behaviors:
I have a device where the firewall is enabled, and I get an admin prompt for an app that wants access.
I cancel the admin prompt and do a little digging on what app wants access, and to what, etc., and then create the policy to allow traffic inside of Intune. I thought the policies were not applying, but after poking around, I found that they are applied and listed under Monitoring > Firewall instead of the normal Inbound or Outbound Rules sections.
However, because I canceled the admin prompt to allow the traffic, it automatically created a Block policy on the Inbound Rules section.
Inside of Monitoring > Firewall I can see both the Block policy from the Inbound Rules, but also the Allow policy from Intune.
Question:
Is there a way to use the cloud Intune/Defender policy to wipe out the Block on the Inbound Rules section? Or do I need to make a remediation script to clean these up? Or is there some other 'best practice' way to clean up the unintended blocks from the local policy?
- CaedenV | Copper Contributor
fwiw, I wasn't able to find a way to remove local policies via an Intune policy.
It looks like local policies (like when a user is prompted for a firewall exception, but they cancel out) go to the typical 'firewall > Inbound Rules' section alongside traditional AD entries. Cloud policies only seem to interact with the list under 'firewall > Monitoring > Firewall'.
Created a remediation script that was able to find and remove existing blocks and legacy AD entries that no longer applied (devices are no longer part of the domain), so that the cloud 'allow' policy could apply as expected. Just set the policy to run once so that it doesn't clear future inbound connection attempts that should be blocked.
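As an added example (not the poster's script), one way to build that remediation as a single Intune detection/remediation file: it lists the local inbound Block rules left behind by a cancelled prompt and, with -Remediate, removes them while leaving MDM- and Group Policy-sourced rules alone. It assumes those prompt-created rules have PolicyStoreSourceType 'Local' and no rule Group; the log path is hypothetical.

```powershell
# Added example, not the poster's script. Lists (and with -Remediate removes) the local
# inbound Block rules Windows creates when a user cancels the firewall prompt.
# Assumptions: those rules are in the local store (PolicyStoreSourceType 'Local') and have
# no Group, unlike built-in rules; Intune/MDM and Group Policy rules are never touched.
# Run as SYSTEM (Intune remediation). Without -Remediate it behaves as a detection script.
param([switch]$Remediate)

$LogFile = Join-Path $env:ProgramData 'FirewallBlockCleanup.log'   # hypothetical log path

function Get-PromptBlockRule {
    # ActiveStore merges local, GPO and MDM rules; narrow it to the local Block rules only
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Block -Enabled True |
        Where-Object { $_.PolicyStoreSourceType -eq 'Local' -and [string]::IsNullOrEmpty($_.Group) } |
        ForEach-Object {
            $program = ($_ | Get-NetFirewallApplicationFilter).Program   # exe the rule is bound to
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                Program     = $program
                Profile     = $_.Profile
            }
        }
}

# Stale domain rules are only reported here for review; cleaning them up is a separate
# step, since they are not in the local store this script edits.
$staleGpo = @(Get-NetFirewallRule -PolicyStore ActiveStore |
              Where-Object PolicyStoreSourceType -eq 'GroupPolicy')
if ($staleGpo.Count -gt 0) {
    Write-Output "Review: $($staleGpo.Count) Group Policy sourced rule(s) still active"
}

$rules = @(Get-PromptBlockRule)
if ($rules.Count -eq 0) {
    Write-Output 'No prompt-created inbound Block rules found'
    exit 0                                   # detection: compliant
}

$rules | Format-Table -AutoSize | Out-String | Write-Output
if (-not $Remediate) {
    exit 1                                   # detection: non-compliant, trigger remediation
}
foreach ($r in $rules) {
    # Keep an audit trail of what was removed and for which program
    Add-Content -Path $LogFile -Value "$(Get-Date -Format o) removed '$($r.DisplayName)' ($($r.Program))"
    Remove-NetFirewallRule -Name $r.Name
}
exit 0
```

Assign it as a run-once remediation, as the poster did, so that Block rules created by future cancelled prompts are not silently cleared.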