Defender Firewall - rules configured in Intune not applying on Win10

%3CLINGO-SUB%20id%3D%22lingo-sub-1398472%22%20slang%3D%22en-US%22%3EDefender%20Firewall%20-%20rules%20configured%20in%20Intune%20not%20applying%20on%20Win10%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1398472%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20trying%20to%20configure%20some%20Firewall%20rules%20in%20a%20Microsoft%20Defender%20Firewall%20configuration%20profile%20in%20Intune.%3C%2FP%3E%3CP%3EThe%20basic%20rules%20(ie%20enabling%20Microsoft%20Defender%20Firewall%20and%20default%20action%20like%20blocking%20inbound%20connections%20on%20public%20network)%20works.%3C%2FP%3E%3CP%3EBut%20when%20I%20define%20some%20custom%20Firewall%20rules%2C%20they%20are%20not%20applied%20to%20the%20firewall%20on%20a%20Win10%20client.%3C%2FP%3E%3CP%3EIe%20I'm%20testing%20a%20firewall%20rule%20called%20%22Allow%20Ping%20(Inbound%20-%20Public)%2C%20configured%20like%20this%3A%3CBR%20%2F%3EName%3A%20Allow%20Ping%20(Inbound%20-%20Public)%3C%2FP%3E%3CP%3EDirection%3A%20Inbound%3C%2FP%3E%3CP%3ENetwork%20type%3A%20Public%3C%2FP%3E%3CP%3EApplications%3A%20All%3C%2FP%3E%3CP%3ELocal%20addresses%3A%20Any%20address%3C%2FP%3E%3CP%3ERemote%20addresses%3A%20Any%20address%3C%2FP%3E%3CP%3EProtocol%3A%20Custom%3C%2FP%3E%3CP%3EProtocol%3A%201%3C%2FP%3E%3CP%3EInterface%20type%3A%20Local%20area%20network%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAllow%20Inbound%20on%20Domain%20and%20Private%20works%3C%2FP%3E%3CP%3EBlock%20Inbound%20on%20Public%20works%3C%2FP%3E%3CP%3Ebut%20my%20Firewall%20rule%20never%20shows%20up%20in%20firewall%20rules%20on%20the%20Win10%20client.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnyone%20who%20can%20help%20or%20have%20a%20hint%20on%20what%20I'm%20doing%20wrong%20%3F%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1398472%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1401409%22%20slang%3D%22en-US%22%3ERe%3A%20Defender%20Firewall%20-%20rules%20configured%20in%20Intune%20not%20applying%20on%20Win10%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1401409%22%20slang%3D%22en-US%22%3E%3CP%3EI%20can%20only%20confirm%20I%20see%20the%20same%20behavior.%20The%20policy%20is%20applied%2C%20I%60m%20able%20to%20ping%20the%20device.%20The%20rule%20doesn%60t%20shuw%20op%20under%20the%20inbound%20rules.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1401437%22%20slang%3D%22en-US%22%3ERe%3A%20Defender%20Firewall%20-%20rules%20configured%20in%20Intune%20not%20applying%20on%20Win10%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1401437%22%20slang%3D%22en-US%22%3E%3CP%3EWell%2C%20I%20have%20found%20out%20-%20through%20a%20lot%20of%20testing%20-%20that%20the%20firewall%20rules%20that%20apply%20to%20that%20profile%20(Domain%2C%20Private%2C%20Public)%20is%20shown%20in%26nbsp%3B%3CBR%20%2F%3EWindows%20Defender%20Firewall...%20-%26gt%3B%20Monitoring%20-%26gt%3B%20Firewall%3C%2FP%3E%3CP%3EThat's%20now%20the%20good%20part...%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20sometimes%20when%20the%20rules%20are%20applied%20to%20a%20Win-client%20it%20reports%20Error%20in%20Intune%2C%20but%20all%20things%20seems%20right%20at%20the%20client..%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1401479%22%20slang%3D%22en-US%22%3ERe%3A%20Defender%20Firewall%20-%20rules%20configured%20in%20Intune%20not%20applying%20on%20Win10%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1401479%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F458597%22%20target%3D%22_blank%22%3E%40BillB_Venzo%3C%2FA%3E%26nbsp%3BI%20spent%5Cwasted%20pretty%20much%20my%20full%20day%20today%20working%20this%20out.%20Finally%2C%20i%20got%20it%20working%20for%20us.%3C%2FP%3E%3CP%3EOur%20devices%20are%20Azure%20AD%20joined%20only.%20and%20when%20I%20was%20configuring%20the%20firewall%20rules%2C%20I%20was%20selecting%20all%20the%20network%20types%20(such%20as%20DOMAIN%2C%20PRIVATE%2C%20PUBLIC).%20Seemed%20like%20it%20didn't%20like%20the%20DOMAIN%20selection%20as%20the%20device%20is%20not%20joined%20to%20any%20DOMAIN%20(in%20a%20classic%20sense).%20When%20i%20removed%20the%20DOMAIN%20from%20the%20network%20types%2C%20it%20was%20successfully%20applied.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EOnce%20successful%2C%20your%20rules%20should%20appear%20in%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EControl%20Panel%5CSystem%20and%20Security%5CWindows%20Defender%20Firewall%5CAllowed%20applications%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20still%20have%20two%20issues%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Why%20are%20these%20firewall%20rules%20not%20appearing%20in%20Advance%20Settings%20--%26gt%3B%20Inbound%20rules%20(if%20it%20is%20an%20inbound%20rule)%3C%2FP%3E%3CP%3E2.%20In%20Allowed%20applications%2C%20i%20saw%20the%20rules%20appearing%20but%20the%20PUBLIC%20and%20PRIVATE%20networks%20weren't%20selected.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20when%20i%20actually%20tested%20the%20firewall%20rules%20(my%20firewall%20rule%20is%20to%20allow%20JAVA.exe)%20and%20it%20works.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I'm trying to configure some Firewall rules in a Microsoft Defender Firewall configuration profile in Intune.

The basic rules (ie enabling Microsoft Defender Firewall and default action like blocking inbound connections on public network) works.

But when I define some custom Firewall rules, they are not applied to the firewall on a Win10 client.

Ie I'm testing a firewall rule called "Allow Ping (Inbound - Public), configured like this:
Name: Allow Ping (Inbound - Public)

Direction: Inbound

Network type: Public

Applications: All

Local addresses: Any address

Remote addresses: Any address

Protocol: Custom

Protocol: 1

Interface type: Local area network

 

Allow Inbound on Domain and Private works

Block Inbound on Public works

but my Firewall rule never shows up in firewall rules on the Win10 client.

 

Anyone who can help or have a hint on what I'm doing wrong ? 

 

7 Replies

I can only confirm I see the same behavior. The policy is applied, I`m able to ping the device. The rule doesn`t shuw op under the inbound rules.

Well, I have found out - through a lot of testing - that the firewall rules that apply to that profile (Domain, Private, Public) is shown in 
Windows Defender Firewall... -> Monitoring -> Firewall

That's now the good part... 

But sometimes when the rules are applied to a Win-client it reports Error in Intune, but all things seems right at the client..

@BillB_Venzo I spent\wasted pretty much my full day today working this out. Finally, i got it working for us.

Our devices are Azure AD joined only. and when I was configuring the firewall rules, I was selecting all the network types (such as DOMAIN, PRIVATE, PUBLIC). Seemed like it didn't like the DOMAIN selection as the device is not joined to any DOMAIN (in a classic sense). When i removed the DOMAIN from the network types, it was successfully applied.

 

Once successful, your rules should appear in:

 

Control Panel\System and Security\Windows Defender Firewall\Allowed applications

 

I still have two issues:

 

1. Why are these firewall rules not appearing in Advance Settings --> Inbound rules (if it is an inbound rule)

2. In Allowed applications, i saw the rules appearing but the PUBLIC and PRIVATE networks weren't selected. 

 

But when i actually tested the firewall rules (my firewall rule is to allow JAVA.exe) and it works.

 

 

Hey @ShehzadUIT,

 

MMC does not display every Firewall rules, there are multiple stores like Local, GroupPolicy etc. use PowerShell to retrieve the Firewall rules for the "Active Store" and you will find your configured rules:

 

Get-NetFirewallRule -PolicyStore ActiveStore

 

Reference:

Get-NetFirewallRule (NetSecurity) | Microsoft Docs

 

best,

Oliver

Thanks @Oliver Kieselbach you have helped me out (again) - would also add to help others that when filtering the results of the PowerShell query use $_.DisplayName not $_.Name as MDM gives the rule a generic string of characters as the name which isn't easy to spot.

 

so Get-NetFirewallRule -PolicyStore ActiveStore | where-object { $_.DisplayName -eq "YourRuleName" } 

 

Will prove that the rule was created successfully

I created a blog about the firewall rule some time ago... and the get-netfirewallrule is indeed a good way do determine if the firewall rules were applied

https://call4cloud.nl/2020/07/the-windows-firewall-rises/#results
I like the closing gif ;)