Tech Community Live: Endpoint Manager edition
Jul 21 2022, 08:00 AM - 12:00 PM (PDT)

How to trace and troubleshoot the Intune Endpoint Security Firewall rule creation process

Published Mar 21 2022 10:00 AM 7,248 Views

In this support tip, we wanted to provide you with some tools and guidance to help you trace and troubleshoot the endpoint security Microsoft Defender Firewall rule creation process in Microsoft Endpoint Manager. Why would one need to troubleshoot this process you wonder? We have seen some customers enter invalid values for rules which lead to policy processing issues. The goal of this post is to help you understand the end-to-end process so you can figure out where things might be breaking. For a sample PowerShell script to quickly help you identify bad rules on a test system, be sure to see Test-IntuneFirewallRules PowerShell script below!

 

 

Background on MDM firewall policy structure

 

Intune firewall rules are sent through the Windows MDM client and come down in the form of SyncML with the following Atomic structure:

 

 

<atomic>
Rule1
Rule2
Rule3
</atomic>

 

 

 

In the example above, we have a single Intune policy with three rules in it. The individual rules are sent in a single policy atomic block. If a rule within the block fails to process on a Windows device, the entire policy is reported as failed in the Microsoft Endpoint Manager admin center.

 

Example device status in the Endpoint Manager admin center that shows multiple ‘Assignment Status” line items that are in error.Example device status in the Endpoint Manager admin center that shows multiple ‘Assignment Status” line items that are in error.

 

In the example above, if only rule 2 were bad, rule 1 would be created, rule 2 would fail to be created, and rule 3 would be blocked from being created until rule 2 is fixed.

 

 

Common issue examples

 

The Endpoint security firewall rule migration tool for Microsoft Intune is a powerful tool for migrating Azure Active Directory Group Policy Object (GPO) rules to Microsoft Intune Endpoint Security Firewall rules. However, we have seen customers bring over bad rules which were incorrectly configured in GPO. The following are possible issue examples to be aware of.

 

 

Bad file paths

 

An invalid file path specified on a firewall rule will lead to policy processing errors. As an example, having a typo in an environment variable, such as an extra space in %ProgramFiles(x86)% will lead to an entire policy being reported as failed. The Windows Firewall client only supports built-in Windows environment variables, which can cause other file path issues. Custom variables, even if valid, cannot be used. For example, %programfiles%\folder\executable.exe will work, but %customvariable%\folder\executable.exe will not work even if %customvariable% is a functional variable on the client. Aside from applying to MDM firewall policy, these limitations also apply to Group Policy, and even manual rule creation. This is the most common error we have seen.

 

 

Invalid port or IP range

 

Check for invalid port ranges, which can lead to errors, such as a descending range like 65535-65534. For more information, see the configuration service provider reference to learn more.

 

 

Blocked policies and rules

 

If a policy targets a bad rule, subsequent policy rules may also fail to process. In this case, you must find the first policy and bad rule to fix and unblock the following rules. Note in the example below, rule L_gEAAA is logged as failed.

 

Filtered view on Event ID 404 showing firewall rule #3 (named ‘L_gEAAA’ in the CSP URL path) logged as failed. Later we discover this is a result of the prior rule #2 being failed in the policy block.Filtered view on Event ID 404 showing firewall rule #3 (named ‘L_gEAAA’ in the CSP URL path) logged as failed. Later we discover this is a result of the prior rule #2 being failed in the policy block.

 

However, this is actually the third rule in policy d444067ff2b74006993bf3d10bd98467. From the SyncML trace below, as well as the registry and Get-NetFirewallRule cmdlet output, we will see that it is actually our second rule (LQEAAA) that is the first blocking failure that needs to be addressed.

 

 

Troubleshooting tips

 

If you suspect a parameter may not be valid, create a rule using the value so you can manually test it directly within Windows.

 

An image of an error message from Windows Defender Firewall with Advanced Security: “Error: The parameter is incorrect” and “Status: The application name could not be resolved.”An image of an error message from Windows Defender Firewall with Advanced Security: “Error: The parameter is incorrect” and “Status: The application name could not be resolved.”

 

Note that the “Error: The parameter is incorrect” message in the image above aligns with the Event Log error example earlier in this post.

 

If you want to test changes to a policy, for example to remove suspect rules, you can quickly and easily copy policies. In the Microsoft Endpoint Management admin center, under Endpoint security | Firewall, right-click a policy and select Duplicate.

 

A list of Firewall policies in the Endpoint Manager admin center, showing the ‘Duplicate’ option that is available when you right-click a policy.A list of Firewall policies in the Endpoint Manager admin center, showing the ‘Duplicate’ option that is available when you right-click a policy.

 

Finally, the EndpointSecurityPolicy_Export.ps1 sample script is a powerful tool for exporting all of your endpoint security policies (to JSON), which you can then quickly review in your favorite text editor or IDE. After you find a bad rule in a policy, this can be a quick way to review the remaining policy for additional instances of that same issue.

 

 

Test-IntuneFirewallRules PowerShell script

The Intune Customer Service and Support team’s Mark Stanfill created this sample script Test-IntuneFirewallRules to simplify identifying Windows Defender Firewall rules with errors for you (on a test system). This script allows you to run diagnostics against all of your policies in Intune, or offline selectively against policies you export to your local system. It will try to create the rules on the local system and will generate a report on related failures, including the policy and rule names along with any detected issues and instructions on how to fix the rule in the Endpoint Manager admin center.

 

A screenshot of the script result, which shows a list of ‘Firewall rules with errors’ and columns for other details, including suggested fixes.A screenshot of the script result, which shows a list of ‘Firewall rules with errors’ and columns for other details, including suggested fixes.

 

For more information, see the project in GitHub.

 

 

Advanced troubleshooting techniques and tools

 

The following section walks through additional methods for manually tracing the end-to-end process and tools which may further assist in the troubleshooting process.

 

 

Policy and rule identifiers

To identify and fix problematic rules, it is necessary to understand how policies and rules are each identified, stored, and progress end-to-end between Endpoint Manager and Windows.

 

Within Intune, the policy will have a unique deviceConfiguration id. The id component is a globally unique identifier (GUID), for example: d444067f-f2b7-4006-993b-f3d10bd98467.

 

The individual rules within the policy will each have a correlating unique ID string, which will consist of 6 characters, for example: LAEAAA. (Sometimes, you will find additional “padding” within these rules containing underscores, which will make the rule component appear to vary in length; more on this later.)

 

 

Windows client-side tracing

 

 

MDM diagnostic report

To diagnose MDM failures in Windows 10, go to Settings > Home > Accounts > Access work or school > Info > Create report. You can also run mdmdiagnosticstool.exe -out c:\temp from a command prompt to generate an MDMDiagReport.html file. Within this report, under Enrolled configuration and target resources, you can see the firewall rules targeted to the device (Control-F for FirewallRules), as show in the following example.

 

Example of a local Windows MDM failure report, showing the section ‘Enrolled configuration sourcesand target resources’  with selections 1 ,2, and 3 that are different parts of the example resource string.Example of a local Windows MDM failure report, showing the section ‘Enrolled configuration sourcesand target resources’ with selections 1 ,2, and 3 that are different parts of the example resource string.

 

  1. Shows the entire policy + rule identifier
  2. Policy ID mentioned in the prior section
  3. Rule identifier

 

The deviceConfiguration id in the above screenshot example has the hyphens which would normally be included in a GUID removed from it. We will use PowerShell later to convert this back to a “proper” GUID (e.g. d444067f-f2b7-4006-993b-f3d10bd98467) format so we can query Intune for it.

 

Important: The MDM report shows what is targeted to the device. If you are hitting an issue with policy processing, the actual rules created on the device will vary from what is displayed here. In the following tracing examples, we will look to the Event Logs, PowerShell, and Windows registry to reconcile what is targeted to the device versus displayed in the MDM diagnostic report as targeted.

 

 

Windows Event Viewer

 

The Application and Services logs\Windows\DeviceManagement-Enterprise-Diagnostics-Provider/Admin (or C:\windows\system32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx) log will contain related errors, as well as successes on individual rule creation.

 

To filter, select EventID 404 and search for the keyword FirewallRules, which brings us to the following Event Log failure entry example:

 

 

MDM ConfigurationManager: Command failure status. Configuration Source ID: (GUID), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Firewall), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/Firewall/MdmStore/FirewallRules/d444067ff2b74006993bf3d10bd98467L_gEAAA /Name), Result: (The parameter is incorrect.).

 

 

 

Again, note the deviceConfiguration id and rule id combination within the error, along with the “parameter is incorrect” result. While the event log entry above will indeed show you a rule that is failing to process, we will have to dig further using the additional techniques and tools below to find the actual rule and reason for the failure.

 

 

Registry

Within the Windows registry, you can confirm which rules were created on the device under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\FirewallRules

 

Windows registry image showing a list of five firewall rules (a default rule and four rules from policy). Of the four policy firewall rules, the ones labeled 1-3 have the same policy ID. The rule labeled 4 has a different policy ID.Windows registry image showing a list of five firewall rules (a default rule and four rules from policy). Of the four policy firewall rules, the ones labeled 1-3 have the same policy ID. The rule labeled 4 has a different policy ID.

 

Important: In the example above, rule entries 1-3 are from the same policy (e96193e75beb4758a6007cbf7f6beb76). Rule 4 (LAEAAA) is the only rule entry created from a different policy (d444067ff2b74006993bf3d10bd98467), which we will call Policy B. In comparing this to what is reported in the MDMDiagReport pictured above, we can deduce that Policy B's next rule (i.e. Rule #2 in the Endpoint Security policy, since the policy’s rules are processed together sequentially) is broken and blocking subsequent rules within the same atomic block from being created. Additional details on this behavior are covered in the Known Issue Examples.

 

 

PowerShell

PowerShell can be used to identify and pipe out all firewall rules created on the local system using:

 

 

Get-NetFirewallRule -PolicyStore ActiveStore

 

 

 

To filter on rules from a particular policy, you can use the policy ID followed by a wildcard * to capture all rules with the policy ID prefix in the name, for example:

 

 

Get-NetFirewallRule -Name d444067ff2b74006993bf3d10bd98467* -PolicyStore ActiveStore| Format-List DisplayName, Name

 

 

 

Image of Windows Powershell running the example ‘Get-NetFirewallRule’ command.Image of Windows Powershell running the example ‘Get-NetFirewallRule’ command.

 

The DisplayName output above is the actual rule name configured within the policy, which is visible in the Endpoint Manager admin center.

 

 

Use Microsoft Graph API to find problem policies and rules

 

 

Graph Explorer

 

You can use Graph Explorer (or any other preferred Graph interface) to call to Intune to resolve the policy ID from the Event Log back to the Endpoint Security policy name that is failing, for example:

 

 

https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/d444067f-f2b7-4006-993b-f3d10bd98467

 

 

 

In Graph Explorer, simply enter your deviceConfiguration id in the URL field and select Run query.

 

Image of Graph Explorer with the deviceConfiguration id in the request body and a detailed response with a ‘displayName’ value of “2P1G2B3G” highlighted.Image of Graph Explorer with the deviceConfiguration id in the request body and a detailed response with a ‘displayName’ value of “2P1G2B3G” highlighted.

 

For more information on using Graph Explorer with Intune, please see Working with Intune in Microsoft Graph. For a step-by-step learning module on connecting to and working with Microsoft Graph with Graph Explorer, please see Introduction - Learn | Microsoft Graph Fundamentals.

 

Tip: To convert the policy ID from the Event Log into a properly formatted GUID, you can use [guid] "d444067ff2b74006993bf3d10bd98467" in PowerShell:

 

Image of [guid] command in PowerShell.Image of [guid] command in PowerShell.

 

 

PowerShell script conversion of policy ID to policy name

In addition to the Graph Explorer example above, you can also use the Get-IntuneGraphAPIObject sample script to resolve the deviceConfiguration id back to its Endpoint Manager admin center friendly name. For example:

 

 

Get-IntuneGraphAPIObject.ps1 "deviceManagement/deviceConfigurations/d444067f-f2b7-4006-993b-f3d10bd98467" | fl DisplayName

 

 

 

Image of DisplayName command and results in PowerShell.Image of DisplayName command and results in PowerShell.

 

 

MDM diagnostic tracing

 

 

SyncML Viewer

 

A SyncML Viewer trace can be performed to see each individual rule created, its parameters, and the related status for a failure. Again, you can keyword search for FirewallRules to get to the related policy sync session quickly. Note the SessionID (#1 below, 14E), the <Atomic> block (#2 below) containing the rules in the policy, and the individual rules and their CmdID (#3) below:

 

Image of SyncML Viewer results with “firewallrules” entered into the upper-right search box and the results. Callout 1 shows a SessionID, callout 2 shows the start of the atomic block, and callout 3 shows the CmdID and its data.Image of SyncML Viewer results with “firewallrules” entered into the upper-right search box and the results. Callout 1 shows a SessionID, callout 2 shows the start of the atomic block, and callout 3 shows the CmdID and its data.

 

Important: Here is where we can see the first sync failure is occurring on firewall rule “d444067ff2b74006993bf3d10bd98467LQEAAA”. This is our blocking rule which causes subsequent rules to fail.

 

Within the following Status message for SessionID 14E (obtained from #1 above), we can see the first failure is for CmdID 3 in the status:

 

 

<Status>
      <CmdID>3</CmdID>
      <MsgRef>4</MsgRef>
      <CmdRef>11</CmdRef>
      <Cmd>Atomic</Cmd>
      <Data msft:originalerror="0x80070057">507</Data>
</Status>

 

 

 

Image drilling down into the status message for CmdID 3, that shows the aforementioned values/error info.Image drilling down into the status message for CmdID 3, that shows the aforementioned values/error info.

 

Error 0x80070057 resolves to:

Error Code: 0x80070057 (2147942487)
Error Name: E_INVALIDARG
Error Source: Windows
Error Message: One or more arguments are invalid

 

Referring to the prior related CmdID 3 trace details, we can see that we were failing to <Add> the following application file path value:

      <Add>
        <CmdID>3</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/Firewall/MdmStore/FirewallRules/d444067ff2b74006993bf3d10bd98467LQEAAA/App/FilePath</LocURI>
          </Target>
          <Data>%2P2B%\2P2B.exe</Data>
        </Item>
      </Add>

 

Note that the policy rule ID aligns with what we saw in the Event Log sections error example above: d444067ff2b74006993bf3d10bd98467LQEAAA. We have the additional knowledge from the <Data> value that we were failing to set the file path to %2P2B%\2P2B.exe. The file path of %2P2B% is not a valid value for the Windows Firewall client to create the rule. As a result, the rule creation process failed.

 

 

Conclusion

We hope this blog post helps you better understand how to avoid and troubleshoot Endpoint Security firewall failures, should you encounter them. There are improvements to existing features and new features on the roadmap. To stay up-to-date with new features, visit our In development and What’s New docs in Intune to learn more.

 

We will update this blog post as we make diagnostic or behavior changes related to the scenarios noted above. If you have any questions or feedback on the new template, reply to this post or reach out to @IntuneSuppTeam on Twitter.

%3CLINGO-SUB%20id%3D%22lingo-sub-3261452%22%20slang%3D%22en-US%22%3EHow%20to%20trace%20and%20troubleshoot%20the%20Intune%20Endpoint%20Security%20Firewall%20rule%20creation%20process%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3261452%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20support%20tip%2C%20we%20wanted%20to%20provide%20you%20with%20some%20tools%20and%20guidance%20to%20help%20you%20trace%20and%20troubleshoot%20the%20endpoint%20security%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fendpoint-security-firewall-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Defender%20Firewall%20rule%3C%2FA%3E%20creation%20process%20in%20Microsoft%20Endpoint%20Manager.%20Why%20would%20one%20need%20to%20troubleshoot%20this%20process%20you%20wonder%3F%20We%20have%20seen%20some%20customers%20enter%20invalid%20values%20for%20rules%20which%20lead%20to%20policy%20processing%20issues.%20The%20goal%20of%20this%20post%20is%20to%20help%20you%20understand%20the%20end-to-end%20process%20so%20you%20can%20figure%20out%20where%20things%20might%20be%20breaking.%20For%20a%20sample%20PowerShell%20script%20to%20quickly%20help%20you%20identify%20bad%20rules%20on%20a%20test%20system%2C%20be%20sure%20to%20see%20%3CA%20href%3D%22%23Test-IntuneFirewallRules_PowerShell_script%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3E%3CSTRONG%3ETest-IntuneFirewallRules%20PowerShell%20script%3C%2FSTRONG%3E%3C%2FA%3E%26nbsp%3Bbelow!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId-392745047%22%20id%3D%22toc-hId-415955150%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3EBackground%20on%20MDM%20firewall%20policy%20structure%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIntune%20firewall%20rules%20are%20sent%20through%20the%20Windows%20MDM%20client%20and%20come%20down%20in%20the%20form%20of%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fopenspecs%2Fwindows_protocols%2Fms-mdm%2F221ba29e-f0da-4b04-af9e-42f8631aea68%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESyncML%3C%2FA%3E%20with%20the%20following%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fopenspecs%2Fwindows_protocols%2Fms-mdm%2F5efb908f-12a7-44ae-86a9-d6ab6fd25135%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAtomic%3C%2FA%3E%20structure%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3E%3CATOMIC%3E%0ARule1%0ARule2%0ARule3%0A%3C%2FATOMIC%3E%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20example%20above%2C%20we%20have%20a%20single%20Intune%20policy%20with%20three%20rules%20in%20it.%20The%20individual%20rules%20are%20sent%20in%20a%20single%20policy%20atomic%20block.%20If%20a%20rule%20within%20the%20block%20fails%20to%20process%20on%20a%20Windows%20device%2C%20the%20entire%20policy%20is%20reported%20as%20failed%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2109431%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Endpoint%20Manager%20admin%20center%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Example%20device%20status%20in%20the%20Endpoint%20Manager%20admin%20center%20that%20shows%20multiple%20%E2%80%98Assignment%20Status%E2%80%9D%20line%20items%20that%20are%20in%20error.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F356992iDE4D5EE1A1ED6368%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_0-1647643318586.png%22%20alt%3D%22Example%20device%20status%20in%20the%20Endpoint%20Manager%20admin%20center%20that%20shows%20multiple%20%E2%80%98Assignment%20Status%E2%80%9D%20line%20items%20that%20are%20in%20error.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EExample%20device%20status%20in%20the%20Endpoint%20Manager%20admin%20center%20that%20shows%20multiple%20%E2%80%98Assignment%20Status%E2%80%9D%20line%20items%20that%20are%20in%20error.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20the%20example%20above%2C%20if%20only%20rule%202%20were%20bad%2C%20rule%201%20would%20be%20created%2C%20rule%202%20would%20fail%20to%20be%20created%2C%20and%20rule%203%20would%20be%20blocked%20from%20being%20created%20until%20rule%202%20is%20fixed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId--1414709416%22%20id%3D%22toc-hId--1391499313%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3ECommon%20issue%20examples%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fendpoint-security-firewall-rule-tool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEndpoint%20security%20firewall%20rule%20migration%20tool%20for%20Microsoft%20Intune%3C%2FA%3E%20is%20a%20powerful%20tool%20for%20migrating%20Azure%20Active%20Directory%20Group%20Policy%20Object%20(GPO)%20rules%20to%20Microsoft%20Intune%20Endpoint%20Security%20Firewall%20rules.%20However%2C%20we%20have%20seen%20customers%20bring%20over%20bad%20rules%20which%20were%20incorrectly%20configured%20in%20GPO.%20The%20following%20are%20possible%20issue%20examples%20to%20be%20aware%20of.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId-1072803417%22%20id%3D%22toc-hId-1096013520%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3EBad%20file%20paths%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAn%20invalid%20file%20path%20specified%20on%20a%20firewall%20rule%20will%20lead%20to%20policy%20processing%20errors.%20As%20an%20example%2C%20having%20a%20typo%20in%20an%20environment%20variable%2C%20such%20as%20an%20extra%20space%20in%20%25ProgramFiles(x86)%25%20will%20lead%20to%20an%20entire%20policy%20being%20reported%20as%20failed.%20The%20Windows%20Firewall%20client%20only%20supports%20built-in%20Windows%20environment%20variables%2C%20which%20can%20cause%20other%20file%20path%20issues.%20Custom%20variables%2C%20even%20if%20valid%2C%20cannot%20be%20used.%20For%20example%2C%20%25programfiles%25%5Cfolder%5Cexecutable.exe%20will%20work%2C%20but%20%25customvariable%25%5Cfolder%5Cexecutable.exe%20will%20not%20work%20even%20if%20%25customvariable%25%20is%20a%20functional%20variable%20on%20the%20client.%20Aside%20from%20applying%20to%20MDM%20firewall%20policy%2C%20these%20limitations%20also%20apply%20to%20Group%20Policy%2C%20and%20even%20manual%20rule%20creation.%20This%20is%20the%20most%20common%20error%20we%20have%20seen.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId--734651046%22%20id%3D%22toc-hId--711440943%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3EInvalid%20port%20or%20IP%20range%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECheck%20for%20invalid%20port%20ranges%2C%20which%20can%20lead%20to%20errors%2C%20such%20as%20a%20descending%20range%20like%2065535-65534.%20For%20more%20information%2C%20see%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Ffirewall-csp%23protocol%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Econfiguration%20service%20provider%20reference%3C%2FA%3E%26nbsp%3Bto%20learn%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId-1752861787%22%20id%3D%22toc-hId-1776071890%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3E%20Blocked%20policies%20and%20rules%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20a%20policy%20targets%20a%20bad%20rule%2C%20subsequent%20policy%20rules%20may%20also%20fail%20to%20process.%20In%20this%20case%2C%20you%20must%20find%20the%20first%20policy%20and%20bad%20rule%20to%20fix%20and%20unblock%20the%20following%20rules.%20Note%20in%20the%20example%20below%2C%20rule%20%3CSTRONG%3EL_gEAAA%3C%2FSTRONG%3E%20is%20logged%20as%20failed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Filtered%20view%20on%20Event%20ID%20404%20showing%20firewall%20rule%20%233%20(named%20%E2%80%98L_gEAAA%E2%80%99%20in%20the%20CSP%20URL%20path)%20logged%20as%20failed.%20Later%20we%20discover%20this%20is%20a%20result%20of%20the%20prior%20rule%20%232%20being%20failed%20in%20the%20policy%20block.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F356994i65DA3AAA173D6591%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_1-1647643548511.png%22%20alt%3D%22Filtered%20view%20on%20Event%20ID%20404%20showing%20firewall%20rule%20%233%20(named%20%E2%80%98L_gEAAA%E2%80%99%20in%20the%20CSP%20URL%20path)%20logged%20as%20failed.%20Later%20we%20discover%20this%20is%20a%20result%20of%20the%20prior%20rule%20%232%20being%20failed%20in%20the%20policy%20block.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EFiltered%20view%20on%20Event%20ID%20404%20showing%20firewall%20rule%20%233%20(named%20%E2%80%98L_gEAAA%E2%80%99%20in%20the%20CSP%20URL%20path)%20logged%20as%20failed.%20Later%20we%20discover%20this%20is%20a%20result%20of%20the%20prior%20rule%20%232%20being%20failed%20in%20the%20policy%20block.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHowever%2C%20this%20is%20actually%20the%20third%20rule%20in%20policy%20d444067ff2b74006993bf3d10bd98467.%20From%20the%20SyncML%20trace%20below%2C%20as%20well%20as%20the%20registry%20and%20Get-NetFirewallRule%20cmdlet%20output%2C%20we%20will%20see%20that%20it%20is%20actually%20our%20second%20rule%20(LQEAAA)%20that%20is%20the%20first%20blocking%20failure%20that%20needs%20to%20be%20addressed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId--54592676%22%20id%3D%22toc-hId--31382573%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3ETroubleshooting%20tips%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20suspect%20a%20parameter%20may%20not%20be%20valid%2C%20create%20a%20rule%20using%20the%20value%20so%20you%20can%20manually%20test%20it%20directly%20within%20Windows.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22An%20image%20of%20an%20error%20message%20from%20Windows%20Defender%20Firewall%20with%20Advanced%20Security%3A%20%E2%80%9CError%3A%20The%20parameter%20is%20incorrect%E2%80%9D%20and%20%E2%80%9CStatus%3A%20The%20application%20name%20could%20not%20be%20resolved.%E2%80%9D%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F356995iED9F96F807777F88%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_2-1647643698386.png%22%20alt%3D%22An%20image%20of%20an%20error%20message%20from%20Windows%20Defender%20Firewall%20with%20Advanced%20Security%3A%20%E2%80%9CError%3A%20The%20parameter%20is%20incorrect%E2%80%9D%20and%20%E2%80%9CStatus%3A%20The%20application%20name%20could%20not%20be%20resolved.%E2%80%9D%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EAn%20image%20of%20an%20error%20message%20from%20Windows%20Defender%20Firewall%20with%20Advanced%20Security%3A%20%E2%80%9CError%3A%20The%20parameter%20is%20incorrect%E2%80%9D%20and%20%E2%80%9CStatus%3A%20The%20application%20name%20could%20not%20be%20resolved.%E2%80%9D%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENote%20that%20the%20%E2%80%9CError%3A%20The%20parameter%20is%20incorrect%E2%80%9D%20message%20in%20the%20image%20above%20aligns%20with%20the%20Event%20Log%20error%20example%20earlier%20in%20this%20post.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20want%20to%20test%20changes%20to%20a%20policy%2C%20for%20example%20to%20remove%20suspect%20rules%2C%20you%20can%20quickly%20and%20easily%20copy%20policies.%20In%20the%20Microsoft%20Endpoint%20Management%20admin%20center%2C%20under%20Endpoint%20security%20%7C%20Firewall%2C%20right-click%20a%20policy%20and%20select%20%3CSTRONG%3EDuplicate%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22A%20list%20of%20Firewall%20policies%20in%20the%20Endpoint%20Manager%20admin%20center%2C%20showing%20the%20%E2%80%98Duplicate%E2%80%99%20option%20that%20is%20available%20when%20you%20right-click%20a%20policy.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F356996i68C56EFB0FA17440%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_3-1647643761843.png%22%20alt%3D%22A%20list%20of%20Firewall%20policies%20in%20the%20Endpoint%20Manager%20admin%20center%2C%20showing%20the%20%E2%80%98Duplicate%E2%80%99%20option%20that%20is%20available%20when%20you%20right-click%20a%20policy.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EA%20list%20of%20Firewall%20policies%20in%20the%20Endpoint%20Manager%20admin%20center%2C%20showing%20the%20%E2%80%98Duplicate%E2%80%99%20option%20that%20is%20available%20when%20you%20right-click%20a%20policy.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFinally%2C%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoftgraph%2Fpowershell-intune-samples%2Fblob%2Fmaster%2FEndpointSecurity%2FEndpointSecurityPolicy_Export.ps1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEndpointSecurityPolicy_Export.ps1%3C%2FA%3E%20sample%20script%20is%20a%20powerful%20tool%20for%20exporting%20all%20of%20your%20endpoint%20security%20policies%20(to%20JSON)%2C%20which%20you%20can%20then%20quickly%20review%20in%20your%20favorite%20text%20editor%20or%20IDE.%20After%20you%20find%20a%20bad%20rule%20in%20a%20policy%2C%20this%20can%20be%20a%20quick%20way%20to%20review%20the%20remaining%20policy%20for%20additional%20instances%20of%20that%20same%20issue.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22Test-IntuneFirewallRules_PowerShell_script%22%20id%3D%22toc-hId--1862047139%22%20id%3D%22toc-hId--1838837036%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3ETest-IntuneFirewallRules%20PowerShell%20script%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3EThe%20Intune%20Customer%20Service%20and%20Support%20team%E2%80%99s%20Mark%20Stanfill%20created%20this%20sample%20script%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmarkstan%2FTest-IntuneFirewallRules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ETest-IntuneFirewallRules%3C%2FA%3E%20to%20simplify%20identifying%20Windows%20Defender%20Firewall%20rules%20with%20errors%20for%20you%20(on%20a%20test%20system).%20This%20script%20allows%20you%20to%20run%20diagnostics%20against%20all%20of%20your%20policies%20in%20Intune%2C%20or%20offline%20selectively%20against%20policies%20you%20export%20to%20your%20local%20system.%20It%20will%20try%20to%20create%20the%20rules%20on%20the%20local%20system%20and%20will%20generate%20a%20report%20on%20related%20failures%2C%20including%20the%20policy%20and%20rule%20names%20along%20with%20any%20detected%20issues%20and%20instructions%20on%20how%20to%20fix%20the%20rule%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D2109431%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EEndpoint%20Manager%20admin%20center%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22A%20screenshot%20of%20the%20script%20result%2C%20which%20shows%20a%20list%20of%20%E2%80%98Firewall%20rules%20with%20errors%E2%80%99%20and%20columns%20for%20other%20details%2C%20including%20suggested%20fixes.%22%20style%3D%22width%3A%20904px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357005iFEA1E7F94BBDE24C%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_0-1647645589280.png%22%20alt%3D%22A%20screenshot%20of%20the%20script%20result%2C%20which%20shows%20a%20list%20of%20%E2%80%98Firewall%20rules%20with%20errors%E2%80%99%20and%20columns%20for%20other%20details%2C%20including%20suggested%20fixes.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EA%20screenshot%20of%20the%20script%20result%2C%20which%20shows%20a%20list%20of%20%E2%80%98Firewall%20rules%20with%20errors%E2%80%99%20and%20columns%20for%20other%20details%2C%20including%20suggested%20fixes.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20information%2C%20see%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmarkstan%2FTest-IntuneFirewallRules%23readme%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethe%20project%20in%20GitHub%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId-625465694%22%20id%3D%22toc-hId-648675797%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3EAdvanced%20troubleshooting%20techniques%20and%20tools%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20section%20walks%20through%20additional%20methods%20for%20manually%20tracing%20the%20end-to-end%20process%20and%20tools%20which%20may%20further%20assist%20in%20the%20troubleshooting%20process.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1316027168%22%20id%3D%22toc-hId-1339237271%22%3EPolicy%20and%20rule%20identifiers%3C%2FH3%3E%0A%3CP%3ETo%20identify%20and%20fix%20problematic%20rules%2C%20it%20is%20necessary%20to%20understand%20how%20policies%20and%20rules%20are%20each%20identified%2C%20stored%2C%20and%20progress%20end-to-end%20between%20Endpoint%20Manager%20and%20Windows.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithin%20Intune%2C%20the%20policy%20will%20have%20a%20unique%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fgraph%2Fapi%2Fintune-deviceconfig-deviceconfiguration-get%3Fview%3Dgraph-rest-1.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EdeviceConfiguration%3C%2FA%3E%20%3CSTRONG%3Eid%3C%2FSTRONG%3E.%20The%20%3CSTRONG%3Eid%3C%2FSTRONG%3E%20component%20is%20a%20globally%20unique%20identifier%20(GUID)%2C%20for%20example%3A%20%3CSTRONG%3Ed444067f-f2b7-4006-993b-f3d10bd98467%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20individual%20rules%20within%20the%20policy%20will%20each%20have%20a%20correlating%20unique%20ID%20string%2C%20which%20will%20consist%20of%206%20characters%2C%20for%20example%3A%20%3CSTRONG%3ELAEAAA%3C%2FSTRONG%3E.%20(Sometimes%2C%20you%20will%20find%20additional%20%E2%80%9Cpadding%E2%80%9D%20within%20these%20rules%20containing%20underscores%2C%20which%20will%20make%20the%20rule%20component%20appear%20to%20vary%20in%20length%3B%20more%20on%20this%20later.)%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--491427295%22%20id%3D%22toc-hId--468217192%22%3EWindows%20client-side%20tracing%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EMDM%20diagnostic%20report%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ETo%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fclient-management%2Fmdm%2Fdiagnose-mdm-failures-in-windows-10%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ediagnose%20MDM%20failures%20in%20Windows%2010%3C%2FA%3E%3CU%3E%2C%3C%2FU%3E%20go%20to%20%3CSTRONG%3ESettings%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EHome%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EAccounts%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EAccess%20work%20or%20school%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3EInfo%3C%2FSTRONG%3E%20%26gt%3B%20%3CSTRONG%3ECreate%20report.%3C%2FSTRONG%3E%20You%20can%20also%20run%20%3CSTRONG%3Emdmdiagnosticstool.exe%20-out%20c%3A%5Ctemp%20%3C%2FSTRONG%3Efrom%20a%20command%20prompt%20to%20generate%20an%20MDMDiagReport.html%20file.%20Within%20this%20report%2C%20under%20%3CSTRONG%3EEnrolled%20configuration%20and%20target%20resources%3C%2FSTRONG%3E%2C%20you%20can%20see%20the%20firewall%20rules%20targeted%20to%20the%20device%20(Control-F%20for%20%3CSTRONG%3EFirewallRules%3C%2FSTRONG%3E)%2C%20as%20show%20in%20the%20following%20example.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Example%20of%20a%20local%20Windows%20MDM%20failure%20report%2C%20showing%20the%20section%20%E2%80%98Enrolled%20configuration%20sourcesand%20target%20resources%E2%80%99%20%20with%20selections%201%20%2C2%2C%20and%203%20that%20are%20different%20parts%20of%20the%20example%20resource%20string.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357007i09801EC9544681C0%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_1-1647646180332.png%22%20alt%3D%22Example%20of%20a%20local%20Windows%20MDM%20failure%20report%2C%20showing%20the%20section%20%E2%80%98Enrolled%20configuration%20sourcesand%20target%20resources%E2%80%99%20with%20selections%201%20%2C2%2C%20and%203%20that%20are%20different%20parts%20of%20the%20example%20resource%20string.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EExample%20of%20a%20local%20Windows%20MDM%20failure%20report%2C%20showing%20the%20section%20%E2%80%98Enrolled%20configuration%20sourcesand%20target%20resources%E2%80%99%20with%20selections%201%20%2C2%2C%20and%203%20that%20are%20different%20parts%20of%20the%20example%20resource%20string.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EShows%20the%20entire%20policy%20%2B%20rule%20identifier%3C%2FLI%3E%0A%3CLI%3EPolicy%20ID%20mentioned%20in%20the%20prior%20section%3C%2FLI%3E%0A%3CLI%3ERule%20identifier%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20%3CSTRONG%3EdeviceConfiguration%20id%3C%2FSTRONG%3E%26nbsp%3Bin%20the%20above%20screenshot%20example%20has%20the%20hyphens%20which%20would%20normally%20be%20included%20in%20a%20GUID%20removed%20from%20it.%20We%20will%20use%20PowerShell%20later%20to%20convert%20this%20back%20to%20a%20%E2%80%9Cproper%E2%80%9D%20GUID%20(e.g.%20d444067f-f2b7-4006-993b-f3d10bd98467)%20format%20so%20we%20can%20query%20Intune%20for%20it.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImportant%3C%2FSTRONG%3E%3A%20The%20MDM%20report%20shows%20what%20is%20targeted%20to%20the%20device.%20If%20you%20are%20hitting%20an%20issue%20with%20policy%20processing%2C%20the%20actual%20rules%20created%20on%20the%20device%20will%20vary%20from%20what%20is%20displayed%20here.%20In%20the%20following%20tracing%20examples%2C%20we%20will%20look%20to%20the%20Event%20Logs%2C%20PowerShell%2C%20and%20Windows%20registry%20to%20reconcile%20what%20is%20targeted%20to%20the%20device%20versus%20displayed%20in%20the%20MDM%20diagnostic%20report%20as%20targeted.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EWindows%20Event%20Viewer%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20%3CSTRONG%3EApplication%20and%20Services%20logs%5CWindows%5CDeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin%3C%2FSTRONG%3E%20(or%20C%3A%5Cwindows%5Csystem32%5Cwinevt%5CLogs%5CMicrosoft-Windows-Windows%20Firewall%20With%20Advanced%20Security%254Firewall.evtx)%20log%20will%20contain%20related%20errors%2C%20as%20well%20as%20successes%20on%20individual%20rule%20creation.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20filter%2C%20select%20EventID%20404%20and%20search%20for%20the%20keyword%20FirewallRules%2C%20which%20brings%20us%20to%20the%20following%20Event%20Log%20failure%20entry%20example%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3EMDM%20ConfigurationManager%3A%20Command%20failure%20status.%20Configuration%20Source%20ID%3A%20(GUID)%2C%20Enrollment%20Name%3A%20(MDMDeviceWithAAD)%2C%20Provider%20Name%3A%20(Firewall)%2C%20Command%20Type%3A%20(Add%3A%20from%20Replace%20or%20Add)%2C%20CSP%20URI%3A%20(.%2FVendor%2FMSFT%2FFirewall%2FMdmStore%2FFirewallRules%2Fd444067ff2b74006993bf3d10bd98467L_gEAAA%20%2FName)%2C%20Result%3A%20(The%20parameter%20is%20incorrect.).%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAgain%2C%20note%20the%20%3CSTRONG%3EdeviceConfiguration%20id%3C%2FSTRONG%3E%20and%20%3CSTRONG%3Erule%20id%3C%2FSTRONG%3E%20combination%20within%20the%20error%2C%20along%20with%20the%20%E2%80%9Cparameter%20is%20incorrect%E2%80%9D%20result.%20While%20the%20event%20log%20entry%20above%20will%20indeed%20show%20you%20a%20rule%20that%20is%20failing%20to%20process%2C%20we%20will%20have%20to%20dig%20further%20using%20the%20additional%20techniques%20and%20tools%20below%20to%20find%20the%20actual%20rule%20and%20reason%20for%20the%20failure.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ERegistry%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWithin%20the%20Windows%20registry%2C%20you%20can%20confirm%20which%20rules%20were%20created%20on%20the%20device%20under%20HKEY_LOCAL_MACHINE%5CSYSTEM%5CCurrentControlSet%5CServices%5CSharedAccess%5CParameters%5CFirewallPolicy%5CMdm%5CFirewallRules%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Windows%20registry%20image%20showing%20a%20list%20of%20five%20firewall%20rules%20(a%20default%20rule%20and%20four%20rules%20from%20policy).%20Of%20the%20four%20policy%20firewall%20rules%2C%20the%20ones%20labeled%201-3%20have%20the%20same%20policy%20ID.%20The%20rule%20labeled%204%20has%20a%20different%20policy%20ID.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357008i970BD56D259290B6%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_2-1647646369205.png%22%20alt%3D%22Windows%20registry%20image%20showing%20a%20list%20of%20five%20firewall%20rules%20(a%20default%20rule%20and%20four%20rules%20from%20policy).%20Of%20the%20four%20policy%20firewall%20rules%2C%20the%20ones%20labeled%201-3%20have%20the%20same%20policy%20ID.%20The%20rule%20labeled%204%20has%20a%20different%20policy%20ID.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EWindows%20registry%20image%20showing%20a%20list%20of%20five%20firewall%20rules%20(a%20default%20rule%20and%20four%20rules%20from%20policy).%20Of%20the%20four%20policy%20firewall%20rules%2C%20the%20ones%20labeled%201-3%20have%20the%20same%20policy%20ID.%20The%20rule%20labeled%204%20has%20a%20different%20policy%20ID.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImportant%3A%3C%2FSTRONG%3E%20In%20the%20example%20above%2C%20rule%20entries%201-3%20are%20from%20the%20same%20policy%20(%3CSTRONG%3Ee96193e75beb4758a6007cbf7f6beb76%3C%2FSTRONG%3E).%20Rule%204%20(LAEAAA)%20is%20the%20only%20rule%20entry%20created%20from%20a%20different%20policy%20(%3CSTRONG%3Ed444067ff2b74006993bf3d10bd98467%3C%2FSTRONG%3E)%2C%20which%20we%20will%20call%20Policy%20B.%20In%20comparing%20this%20to%20what%20is%20reported%20in%20the%20MDMDiagReport%20pictured%20above%2C%20we%20can%20deduce%20that%20Policy%20B's%20next%20rule%20(i.e.%20Rule%20%232%20in%20the%20Endpoint%20Security%20policy%2C%20since%20the%20policy%E2%80%99s%20rules%20are%20processed%20together%20sequentially)%20is%20broken%20and%20blocking%20subsequent%20rules%20within%20the%20same%20atomic%20block%20from%20being%20created.%20Additional%20details%20on%20this%20behavior%20are%20covered%20in%20the%20%3CA%20href%3D%22%23_Known_Issue_Examples%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EKnown%20Issue%20Examples%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EPowerShell%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EPowerShell%20can%20be%20used%20to%20identify%20and%20pipe%20out%20all%20firewall%20rules%20created%20on%20the%20local%20system%20using%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EGet-NetFirewallRule%20-PolicyStore%20ActiveStore%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20filter%20on%20rules%20from%20a%20particular%20policy%2C%20you%20can%20use%20the%20policy%20ID%20followed%20by%20a%20wildcard%20*%20to%20capture%20all%20rules%20with%20the%20policy%20ID%20prefix%20in%20the%20name%2C%20for%20example%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EGet-NetFirewallRule%20-Name%20d444067ff2b74006993bf3d10bd98467*%20-PolicyStore%20ActiveStore%7C%20Format-List%20DisplayName%2C%20Name%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Image%20of%20Windows%20Powershell%20running%20the%20example%20%E2%80%98Get-NetFirewallRule%E2%80%99%20command.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357009iF4D2DD1ACCED5E2F%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_3-1647646461440.png%22%20alt%3D%22Image%20of%20Windows%20Powershell%20running%20the%20example%20%E2%80%98Get-NetFirewallRule%E2%80%99%20command.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImage%20of%20Windows%20Powershell%20running%20the%20example%20%E2%80%98Get-NetFirewallRule%E2%80%99%20command.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20DisplayName%20output%20above%20is%20the%20actual%20rule%20name%20configured%20within%20the%20policy%2C%20which%20is%20visible%20in%20the%20Endpoint%20Manager%20admin%20center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId-1171839340%22%20id%3D%22toc-hId-1195049443%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3EUse%20Mic%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3Erosoft%20Graph%20API%20to%20find%20problem%20policies%20and%20rules%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--506532404%22%20id%3D%22toc-hId--483322301%22%3EGraph%20Explorer%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20use%20%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fgraph%2Fgraph-explorer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGraph%20Explorer%3C%2FA%3E%20(or%20any%20other%20preferred%20Graph%20interface)%20to%20call%20to%20Intune%20to%20resolve%20the%20policy%20ID%20from%20the%20Event%20Log%20back%20to%20the%20Endpoint%20Security%20policy%20name%20that%20is%20failing%2C%20for%20example%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2FdeviceManagement%2FdeviceConfigurations%2Fd444067f-f2b7-4006-993b-f3d10bd98467%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20Graph%20Explorer%2C%20simply%20enter%20your%20deviceConfiguration%20id%20in%20the%20URL%20field%20and%20select%20%3CSTRONG%3ERun%20query%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Image%20of%20Graph%20Explorer%20with%20the%20deviceConfiguration%20id%20in%20the%20request%20body%20and%20a%20detailed%20response%20with%20a%20%E2%80%98displayName%E2%80%99%20value%20of%20%E2%80%9C2P1G2B3G%E2%80%9D%20highlighted.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357010i7A70602E651E9F91%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_4-1647646559076.png%22%20alt%3D%22Image%20of%20Graph%20Explorer%20with%20the%20deviceConfiguration%20id%20in%20the%20request%20body%20and%20a%20detailed%20response%20with%20a%20%E2%80%98displayName%E2%80%99%20value%20of%20%E2%80%9C2P1G2B3G%E2%80%9D%20highlighted.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImage%20of%20Graph%20Explorer%20with%20the%20deviceConfiguration%20id%20in%20the%20request%20body%20and%20a%20detailed%20response%20with%20a%20%E2%80%98displayName%E2%80%99%20value%20of%20%E2%80%9C2P1G2B3G%E2%80%9D%20highlighted.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20information%20on%20using%20Graph%20Explorer%20with%20Intune%2C%20please%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fgraph%2Fapi%2Fresources%2Fintune-graph-overview%3Fview%3Dgraph-rest-1.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWorking%20with%20Intune%20in%20Microsoft%20Graph%3C%2FA%3E.%20For%20a%20step-by-step%20learning%20module%20on%20connecting%20to%20and%20working%20with%20Microsoft%20Graph%20with%20Graph%20Explorer%2C%20please%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Flearn%2Fmodules%2Fmsgraph-intro-overview%2F1-introduction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EIntroduction%20-%20Learn%20%7C%20Microsoft%20Graph%20Fundamentals%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ETip%3C%2FSTRONG%3E%3A%20To%20convert%20the%20policy%20ID%20from%20the%20Event%20Log%20into%20a%20properly%20formatted%20GUID%2C%20you%20can%20use%20%5Bguid%5D%20%22d444067ff2b74006993bf3d10bd98467%22%20in%20PowerShell%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Image%20of%20%5Bguid%5D%20command%20in%20PowerShell.%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357011i373FB53493B19628%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_5-1647646613292.png%22%20alt%3D%22Image%20of%20%5Bguid%5D%20command%20in%20PowerShell.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImage%20of%20%5Bguid%5D%20command%20in%20PowerShell.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1980980429%22%20id%3D%22toc-hId-2004190532%22%3EPowerShell%20script%20conversion%20of%20policy%20ID%20to%20policy%20name%3C%2FH3%3E%0A%3CP%3EIn%20addition%20to%20the%20Graph%20Explorer%20example%20above%2C%20you%20can%20also%20use%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmarkstan%2FGet-IntuneGraphAPIObject%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EGet-IntuneGraphAPIObject%3C%2FA%3E%20sample%20script%20to%20resolve%20the%20deviceConfiguration%20id%20back%20to%20its%20Endpoint%20Manager%20admin%20center%20friendly%20name.%20For%20example%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3EGet-IntuneGraphAPIObject.ps1%20%22deviceManagement%2FdeviceConfigurations%2Fd444067f-f2b7-4006-993b-f3d10bd98467%22%20%7C%20fl%20DisplayName%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Image%20of%20DisplayName%20command%20and%20results%20in%20PowerShell.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357012i69DAA87ED59BDC36%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_6-1647646674794.png%22%20alt%3D%22Image%20of%20DisplayName%20command%20and%20results%20in%20PowerShell.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImage%20of%20DisplayName%20command%20and%20results%20in%20PowerShell.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId-44443247%22%20id%3D%22toc-hId-67653350%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3EMDM%20diagnostic%20tracing%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--1633928497%22%20id%3D%22toc-hId--1610718394%22%3ESyncML%20Viewer%3C%2FH3%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fokieselbach%2FSyncMLViewer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ESyncML%20Viewer%3C%2FA%3E%20trace%20can%20be%20performed%20to%20see%20each%20individual%20rule%20created%2C%20its%20parameters%2C%20and%20the%20related%20status%20for%20a%20failure.%20Again%2C%20you%20can%20keyword%20search%20for%20%3CSTRONG%3EFirewallRules%3C%2FSTRONG%3E%20to%20get%20to%20the%20related%20policy%20sync%20session%20quickly.%20Note%20the%20%3CSTRONG%3ESessionID%3C%2FSTRONG%3E%20(%231%20below%2C%20%3CSTRONG%3E14E%3C%2FSTRONG%3E)%2C%20the%20%3CSTRONG%3E%3CATOMIC%3E%3C%2FATOMIC%3E%3C%2FSTRONG%3E%20block%20(%232%20below)%20containing%20the%20rules%20in%20the%20policy%2C%20and%20the%20individual%20rules%20and%20their%20%3CSTRONG%3ECmdID%3C%2FSTRONG%3E%20(%233)%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Image%20of%20SyncML%20Viewer%20results%20with%20%E2%80%9Cfirewallrules%E2%80%9D%20entered%20into%20the%20upper-right%20search%20box%20and%20the%20results.%20Callout%201%20shows%20a%20SessionID%2C%20callout%202%20shows%20the%20start%20of%20the%20atomic%20block%2C%20and%20callout%203%20shows%20the%20CmdID%20and%20its%20data.%22%20style%3D%22width%3A%20975px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357013iD332091B9777AE67%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_7-1647646780252.png%22%20alt%3D%22Image%20of%20SyncML%20Viewer%20results%20with%20%E2%80%9Cfirewallrules%E2%80%9D%20entered%20into%20the%20upper-right%20search%20box%20and%20the%20results.%20Callout%201%20shows%20a%20SessionID%2C%20callout%202%20shows%20the%20start%20of%20the%20atomic%20block%2C%20and%20callout%203%20shows%20the%20CmdID%20and%20its%20data.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImage%20of%20SyncML%20Viewer%20results%20with%20%E2%80%9Cfirewallrules%E2%80%9D%20entered%20into%20the%20upper-right%20search%20box%20and%20the%20results.%20Callout%201%20shows%20a%20SessionID%2C%20callout%202%20shows%20the%20start%20of%20the%20atomic%20block%2C%20and%20callout%203%20shows%20the%20CmdID%20and%20its%20data.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImportant%3A%3C%2FSTRONG%3E%20Here%20is%20where%20we%20can%20see%20the%20first%20sync%20failure%20is%20occurring%20on%20firewall%20rule%20%E2%80%9Cd444067ff2b74006993bf3d10bd98467%3CSTRONG%3ELQEAAA%3C%2FSTRONG%3E%E2%80%9D.%20This%20is%20our%20blocking%20rule%20which%20causes%20subsequent%20rules%20to%20fail.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWithin%20the%20following%20Status%20message%20for%20SessionID%20%3CSTRONG%3E14E%3C%2FSTRONG%3E%20(obtained%20from%20%231%20above)%2C%20we%20can%20see%20the%20first%20failure%20is%20for%20CmdID%203%20in%20the%20status%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%3CSTATUS%3E%0A%20%20%20%20%20%20%3CCMDID%3E3%3C%2FCMDID%3E%0A%20%20%20%20%20%20%3CMSGREF%3E4%3C%2FMSGREF%3E%0A%20%20%20%20%20%20%3CCMDREF%3E11%3C%2FCMDREF%3E%0A%20%20%20%20%20%20%3CCMD%3EAtomic%3C%2FCMD%3E%0A%20%20%20%20%20%20%3CDATA%20originalerror%3D%220x80070057%22%3E507%3C%2FDATA%3E%0A%3C%2FSTATUS%3E%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Image%20drilling%20down%20into%20the%20status%20message%20for%20CmdID%203%2C%20that%20shows%20the%20aforementioned%20values%2Ferror%20info.%22%20style%3D%22width%3A%20949px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357014i6DC8461FAD89DAB0%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Intune_Support_Team_8-1647646859153.png%22%20alt%3D%22Image%20drilling%20down%20into%20the%20status%20message%20for%20CmdID%203%2C%20that%20shows%20the%20aforementioned%20values%2Ferror%20info.%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImage%20drilling%20down%20into%20the%20status%20message%20for%20CmdID%203%2C%20that%20shows%20the%20aforementioned%20values%2Ferror%20info.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22%20padding-left%20%3A%2030px%3B%20%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EError%200x80070057%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fwindows%2Fwin32%2Fdebug%2Fsystem-error-code-lookup-tool%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eresolves%3C%2FA%3E%20to%3A%3C%2FP%3E%0A%3CP%20style%3D%22%20padding-left%20%3A%2030px%3B%20%22%3EError%20Code%3A%200x80070057%20(2147942487)%3CBR%20%2F%3EError%20Name%3A%20E_INVALIDARG%3CBR%20%2F%3EError%20Source%3A%20Windows%3CBR%20%2F%3EError%20Message%3A%20One%20or%20more%20arguments%20are%20invalid%3C%2FP%3E%0A%3CP%20style%3D%22%20padding-left%20%3A%2030px%3B%20%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EReferring%20to%20the%20prior%20related%20%3CSTRONG%3ECmdID%3C%2FSTRONG%3E%20%3CSTRONG%3E3%3C%2FSTRONG%3E%20trace%20details%2C%20we%20can%20see%20that%20we%20were%20failing%20to%20%26lt%3B%3CSTRONG%3EAdd%26gt%3B%3C%2FSTRONG%3E%20the%20following%20application%20file%20path%20%3CSTRONG%3E%3CFONT%20color%3D%22%232356EF%22%3Evalue%3C%2FFONT%3E%3C%2FSTRONG%3E%3A%3C%2FP%3E%0A%3CP%20style%3D%22%20padding-left%20%3A%2030px%3B%20%22%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CADD%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CCMDID%3E%3CSTRONG%3E3%3C%2FSTRONG%3E%3C%2FCMDID%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CITEM%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CTARGET%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CLOCURI%3E.%2FVendor%2FMSFT%2FFirewall%2FMdmStore%2FFirewallRules%2F%3CSTRONG%3Ed444067ff2b74006993bf3d10bd98467LQEAAA%3C%2FSTRONG%3E%2FApp%2F%3CSTRONG%3EFilePath%3C%2FSTRONG%3E%3C%2FLOCURI%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FTARGET%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3CDATA%3E%3CSTRONG%3E%26gt%3B%3C%2FSTRONG%3E%3CFONT%20color%3D%22%232356EF%22%3E%3CSTRONG%3E%252P2B%25%5C2P2B.exe%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FDATA%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FITEM%3E%3CBR%20%2F%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FADD%3E%3C%2FP%3E%0A%3CP%20style%3D%22%20padding-left%20%3A%2030px%3B%20%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENote%20that%20the%20policy%20rule%20ID%20aligns%20with%20what%20we%20saw%20in%20the%20Event%20Log%20sections%20error%20example%20above%3A%20%3CSTRONG%3Ed444067ff2b74006993bf3d10bd98467LQEAAA.%20%3C%2FSTRONG%3EWe%20have%20the%20additional%20knowledge%20from%20the%20%3CDATA%3E%20value%20that%20we%20were%20failing%20to%20set%20the%20%3CSTRONG%3Efile%20path%20%3C%2FSTRONG%3Eto%20%3CSTRONG%3E%252P2B%25%5C2P2B.exe.%20%3C%2FSTRONG%3EThe%20file%20path%20of%20%252P2B%25%20is%20not%20a%20valid%20value%20for%20the%20Windows%20Firewall%20client%20to%20create%20the%20rule.%20As%20a%20result%2C%20the%20rule%20creation%20process%20failed.%3C%2FDATA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332804724%22%20id%3D%22toc-hId-724501617%22%20id%3D%22toc-hId-747711720%22%3E%3CFONT%20color%3D%22%232F5496%22%3E%3CSPAN%20class%3D%22TextRun%20Highlight%20SCXW223101644%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW223101644%20BCX8%22%20data-ccp-charstyle%3D%22normaltextrun%22%3EConclusion%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FH2%3E%0A%3CP%3EWe%20hope%20this%20blog%20post%20helps%20you%20better%20understand%20how%20to%20avoid%20and%20troubleshoot%20Endpoint%20Security%20firewall%20failures%2C%20should%20you%20encounter%20them.%20There%20are%20improvements%20to%20existing%20features%20and%20new%20features%20on%20the%20roadmap.%20To%20stay%20up-to-date%20with%20new%20features%2C%20visit%20our%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMEMID%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EIn%20development%3C%2FA%3E%26nbsp%3Band%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FMEMWN%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWhat%E2%80%99s%20New%3C%2FA%3E%26nbsp%3Bdocs%20in%20Intune%20to%20learn%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20will%20update%20this%20blog%20post%20as%20we%20make%20diagnostic%20or%20behavior%20changes%20related%20to%20the%20scenarios%20noted%20above.%20If%20you%20have%20any%20questions%20or%20feedback%20on%20the%20new%20template%2C%20reply%20to%20this%20post%20or%20reach%20out%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%26nbsp%3Bon%20Twitter.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3261452%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20support%20tip%2C%20we%20wanted%20to%20provide%20you%20with%20some%20troubleshooting%20tools%20to%20help%20you%20trace%20and%20troubleshoot%20the%20Intune%20Endpoint%20Security%20Windows%20Defender%20Firewall%20rule%20creation%20process.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22BlogDefault-082321.png%22%20style%3D%22width%3A%20367px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F357310i2AE77038C28379F2%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22BlogDefault-082321.png%22%20alt%3D%22BlogDefault-082321.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3261452%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%20Customer%20Success%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Endpoint%20Manager%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Mar 22 2022 04:03 PM
Updated by: