By: Laura Arrizza - Product Manager 2 | Microsoft Intune, Nick Welton - Senior Product Manager | Microsoft 365 Defender, and Jess Krynitsky - Product Manager 2 | Windows Enterprise & Security
Overview & Goals
Microsoft Intune is excited to announce enhanced Windows Defender Firewall security capabilities that allow for reusing group settings to target devices and users. Notably, the new settings now support the use of Fully Qualified Domain Name (FQDN) rules. These new capabilities simplify management and provide more advanced controls to configure Firewall rules, allowing admins to reuse setting groups across policies. Admins can create and manage groups of properties that are reusable across policies, including properties for:
Remote IP address ranges
Fully Qualified Domain Name (FQDN) definitions and auto-resolution
The device’s default DNS resolution settings apply. This feature does not provide any additional DNS security or functionality changes.
A tour of the new settings…
On the Firewall pane of Endpoint security in Intune, admins will see a new tab for managing their “Reusable settings”, which displays a list of existing settings groups and the number of Firewall policies that use each settings group.
A screenshot of Reusable setting groups on the Firewall options page in Intune.
A screenshot of the Configure reusable settings (preview) page.
To begin, the admin creates a new “reusable settings” group, giving it a name and description and then defines its properties.
There are options to include the remote IP address ranges, similar to configuring a manual Firewall rule, through manual definition or importing a file.
A screenshot of setting the remote IP address ranges in the Configure instance pane on the Configure reusable settings (preview) page in Intune.
The new settings introduce the option to use fully qualified domain names (FQDNs) as part of the rule definition. If the “Auto-Resolve” flag is set to true, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the IP addresses will be automatically resolved (on the target device).
As stated in the overview, Microsoft Defender for Endpoint Antivirus must be the primary antivirus and network protection must be enabled on the target devices. If these are not configured, the target devices will not enforce rules that use FQDN keywords.
A screenshot of setting the Auto resolve option in the Configure instance pane on the Configure reusable settings (preview) page in Intune.
Note: Up to 100 properties can be added to the group.
When the reusable setting group has been saved, it will appear in the Reusable settings group list. At any point, the admin can edit the group properties.
Going forward, when the admin configures a new Windows 10, version 20H2+ or Windows 11 client Firewall Rules policy, they will see the option to reference any existing reusable setting group. By selecting the “Set reusable groups” link, the list of existing groups will appear. The admin may then add one or more groups and the Firewall rule will inherit their properties.
A screenshot of selecting reusable Firewall settings when configuring a new Windows device on the Create profile page in Intune.
Admins can continue to manually configure Firewall rules and their properties while also referencing groups. Within one policy they can mix and match rules that reference reusable groups, rules that are defined manually, or rules that do both. This provides flexibility and ease of management when configuring many Firewall rules.
A screenshot of Firewall Configuration setting options during configuration of a Windows device.
At any point, an admin can edit a Firewall rule to remove or add reusable groups. If the properties of a reusable group are added, removed, or altered, every Firewall policy that references the group inherits the change.
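The behaviour described above (a group of remote-address properties with an auto-resolve flag, the 100-property limit, rules that reference groups rather than copy them, and the network-protection prerequisite for FQDN entries) can be modelled in a few lines. The following is an added illustration, not Intune's own code or its Graph API: the class and field names, the validation regex, and the constructed DNS answers and addresses are all assumptions chosen for the example. It shows why an edit to a group flows into every rule that references it, and how an admin-side check can flag FQDN entries that a device without network protection will silently not enforce.

```python
"""Hypothetical model of reusable Firewall settings groups (added example, not Intune code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MAX_PROPERTIES = 100  # per-group limit stated in the post

# RFC 1123-style hostname grammar: labels of 1-63 chars, total <= 253, alphabetic TLD.
# An IP literal placed in an auto-resolve slot fails this check, which is the point.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class RemoteAddressProperty:
    """One group entry: an IP, range ("a-b") or CIDR, or an FQDN when auto_resolve is True."""
    keyword: str
    auto_resolve: bool = False


def validate_property(prop: RemoteAddressProperty) -> None:
    """Reject entries that the device could never apply (mirrors the 'keyword is an FQDN' rule)."""
    if prop.auto_resolve:
        if not _FQDN_RE.match(prop.keyword):
            raise ValueError(f"auto-resolve entries must be an FQDN, got {prop.keyword!r}")
        return
    kw = prop.keyword
    if "-" in kw and "/" not in kw:  # explicit range "low-high"
        lo, hi = (ipaddress.ip_address(p.strip()) for p in kw.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range {kw!r}")
    else:
        ipaddress.ip_network(kw, strict=False)  # raises ValueError on garbage


class ReusableSettingsGroup:
    def __init__(self, group_id: str, name: str, description: str = "") -> None:
        self.group_id = group_id
        self.name = name
        self.description = description
        self.properties: List[RemoteAddressProperty] = []

    def add_property(self, prop: RemoteAddressProperty) -> None:
        validate_property(prop)
        if len(self.properties) >= MAX_PROPERTIES:
            raise ValueError(f"group {self.name!r} already holds {MAX_PROPERTIES} properties")
        self.properties.append(prop)

    def remove_property(self, keyword: str) -> None:
        self.properties = [p for p in self.properties if p.keyword != keyword]


@dataclass
class FirewallRule:
    name: str
    manual_remote_addresses: List[str] = field(default_factory=list)
    group_ids: List[str] = field(default_factory=list)  # references, never copies


@dataclass
class Device:
    """Target device: whether network protection is on, and its own DNS resolver."""
    network_protection_enabled: bool
    dns_resolve: Callable[[str], List[str]]


def effective_remote_addresses(
    rule: FirewallRule, groups: Dict[str, ReusableSettingsGroup], device: Device
) -> Tuple[List[str], List[str]]:
    """Return (addresses the device will enforce, FQDN keywords it will NOT enforce)."""
    enforced = list(rule.manual_remote_addresses)
    unenforced: List[str] = []
    for gid in rule.group_ids:
        for prop in groups[gid].properties:
            if not prop.auto_resolve:
                enforced.append(prop.keyword)
            elif device.network_protection_enabled:
                enforced.extend(device.dns_resolve(prop.keyword))  # resolved on the device
            else:
                unenforced.append(prop.keyword)  # prerequisite missing: rule silently skipped
    return sorted(set(enforced)), unenforced


def demo() -> Tuple[Tuple[List[str], List[str]], ...]:
    """Constructed scenario: one group, one rule referencing it, then an edit to the group."""
    fake_dns = {  # constructed answers standing in for the device's resolver
        "updates.example.com": ["198.51.100.5", "198.51.100.6"],
        "cdn.example.com": ["203.0.113.9"],
    }
    group = ReusableSettingsGroup("grp-1", "Update servers")
    group.add_property(RemoteAddressProperty("10.0.0.0/24"))
    group.add_property(RemoteAddressProperty("updates.example.com", auto_resolve=True))
    groups = {group.group_id: group}
    rule = FirewallRule("Allow updates", ["192.0.2.10"], ["grp-1"])
    healthy = Device(True, lambda h: fake_dns.get(h, []))
    no_np = Device(False, lambda h: fake_dns.get(h, []))

    before = effective_remote_addresses(rule, groups, healthy)
    group.add_property(RemoteAddressProperty("cdn.example.com", auto_resolve=True))
    after = effective_remote_addresses(rule, groups, healthy)  # rule untouched, yet it changed
    degraded = effective_remote_addresses(rule, groups, no_np)
    return before, after, degraded


if __name__ == "__main__":
    for label, result in zip(("before edit", "after edit", "no network protection"), demo()):
        print(f"{label}: enforced={result[0]} unenforced={result[1]}")
```

The `unenforced` list is the part worth keeping in a real deployment: because a device that lacks network protection drops the FQDN entries rather than failing the policy, reporting those keywords per device is how an admin notices that an "allow only these hosts" rule is quietly less restrictive than intended.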