Windows Office Hours: May 16, 2024
Event Ended
Thursday, May 16, 2024, 08:00 AM PDT

Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Char_Cheesman
Updated May 16, 2024
Dom_Cote
May 13, 2024 · Brass Contributor
We deployed Firewall and other security policies according to M365 security center recommendations. However, these policies block certain apps that require a _direct_ connection to other devices. Examples: Miracast and German government eID app, which connects to your smartphone for use as an NFC reader.
Obviously, the network policies are designed for max security, but in certain cases they block users from doing stuff they need to.
How can we determine which policies are disrupting these connections and open them selectively?
We have a ticket open with M365 support, but beyond standard advice to allow services through the firewall, we have made no progress.
Which, btw, indicates that blockage is happening at a different level than Firewall.
Thanks!
- SteveThomas · May 16, 2024
Microsoft
The security policies over in the Security Center were not meant to be a one-size-fits-all approach, as there are always app exceptions. It's also essential to strike a balance between security and usability. First, I would need to know the apps involved and the protocols they use to communicate with the devices (i.e. Bluetooth, NFC, web, etc.). If it is web-based, you should be able to create an application exception. If you run the app as an admin, it may even prompt you for adding firewall exceptions. This link explains the process - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/rules#applications-rules - and you can script it out at scale - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell. But if disabling the firewall does not resolve the issue, then you could be hitting up against a number of things like disabled protocols.

- Dom_Cote · May 16, 2024 · Brass Contributor

Let's stick with Miracast for now - a fully standardized protocol with known behavior. Firewall IS open for it (verified with support), but it still is blocked on managed devices. It's frustrating for us and our clients, since we don't even know where to start looking (Firewall doesn't seem to be it).
- SteveThomas · May 16, 2024
Microsoft
If the firewall has been eliminated, then it's not a protocol restriction, but likely one by policy - https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-wirelessdisplay - if cloud-based, or a GPO if on-prem. Wi-Fi Direct is what is disabled if this is the case. It could also be the app. You can put together a test app for Wi-Fi Direct (what Windows Miracast is based on) using the samples here: https://github.com/Microsoft/Windows-universal-samples/tree/main/Samples/WiFiDirect
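The triage order the reply above describes (firewall rules first, then MDM WirelessDisplay policy or the equivalent GPO, then the Wi-Fi Direct capability of the adapter) can be collected in one pass on a managed device. The following is an added diagnostic script, not code from the thread or from Microsoft; the firewall group name "Wireless Display", the PolicyManager and Connect registry paths are assumptions about where these settings land and should be confirmed against the Policy CSP documentation linked above.

```powershell
# Added example: read-only triage for a Miracast/Wireless Display block on a managed
# Windows device. Run from an elevated PowerShell prompt. Nothing here changes state.
# Assumptions (not from the thread): firewall rule group 'Wireless Display'; MDM Policy CSP
# values under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WirelessDisplay;
# GPO values under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect.

function Show-RegistryPolicy {
    param([string]$Path, [string]$Label)
    if (Test-Path $Path) {
        Write-Output "== $Label ($Path) =="
        # Policy CSP WirelessDisplay values are 0/1; 0 on an Allow* setting means blocked.
        Get-ItemProperty -Path $Path |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-String | Write-Output
    } else {
        Write-Output "== $Label: no values applied at $Path =="
    }
}

# 1. Firewall: any disabled or Block rules in the Wireless Display group?
$fwRules = Get-NetFirewallRule -DisplayGroup 'Wireless Display' -ErrorAction SilentlyContinue
if (-not $fwRules) {
    Write-Warning "No firewall rule group named 'Wireless Display' found (assumed name)."
} else {
    Write-Output '== Firewall: Wireless Display rule group =='
    $fwRules |
        Select-Object DisplayName, Direction, Profile, Enabled, Action |
        Sort-Object Direction, DisplayName |
        Format-Table -AutoSize | Out-String | Write-Output
    $blocked = $fwRules | Where-Object { $_.Enabled -eq 'False' -or $_.Action -eq 'Block' }
    if ($blocked) { Write-Warning "$($blocked.Count) Wireless Display rule(s) disabled or blocking." }
}

# 2. MDM (Intune) policy: WirelessDisplay area of the Policy CSP
Show-RegistryPolicy -Path 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\WirelessDisplay' `
                    -Label 'MDM Policy CSP WirelessDisplay'

# 3. Group Policy (on-prem): Connect policies mirror the same settings
Show-RegistryPolicy -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect' `
                    -Label 'GPO Connect policies'

# 4. Wi-Fi Direct capability: Miracast needs driver-level support on the Wi-Fi adapter
Write-Output '== Adapter support (netsh wlan show drivers) =='
netsh wlan show drivers | Select-String -Pattern 'Wireless Display Supported'
```

If step 1 shows every rule enabled with Action Allow and step 4 reports support, a value of 0 on an Allow* setting in step 2 or 3 is the policy to adjust selectively rather than the firewall.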