Microsoft Endpoint Manager: how to configure Windows Firewall policies

Questo articolo รจ disponibile anche in lingua italiana al seguente link: Microsoft Endpoint Manager: configurare il Windows Firewall | WindowServer.it

The Cloud-Only scenario is becoming stronger in the client environment, especially for SMEs where many of the services are delegated outside the corporate infrastructure. However, there remains the age-old compliance issue that, in the absence of a Domain Controller and Active Directory infrastructure, can be more complicated than expected.

Microsoft Endpoint Manager (aka Intune) is certainly the perfect tool to achieve this but its logic is very different from Active Directory and what we once did with a click can now take a little more steps.

A classic example is the management of the Windows Firewall and its exceptions. Starting from the main rule that is the firewall must always be active, even in domain environments, there are applications that by default do not configure the various exceptions until they are started or particular functions are called.

One such software is Microsoft Teams which, during your first meeting or sharing with another user, may show this window – whether you are an administrator of your computer or not.

Figure 1 – Windows Firewall Exception

Policy Configuration

The policy configuration can be centralized from MEM, in the Endpoint Security -> Firewall section – figure 2.

Figure 2 – Firewall Settings

Create a new Windows 10 profile by choosing Microsoft Defender Firewall Rules – figure 3.

Figure 3 – Endpoint Protection Template

Enter a name and description – figure 4 – and start adding the new rules – figure 5.

Figure 4 – New Profile
Figure 5 – Policy List

The configuration always includes:

  • Name
  • Direction (In / Out)
  • Action (Allow / Block)
  • Network (Domain, Private, Public)
  • Application Target (file, service, package – in the case of a UWA)
Figure 6 – Rule configuration

The example in this case is for Microsoft Teams but can also be applied to other products; here are some paths:

  • Microsoft Teams: %LocalAppData%\Microsoft\Teams\current\Teams.exe
  • Paralles RAS: %ProgramFiles%\Parallels\Client\APPServerClient.exe
  • Dike GoSign: %LocalAppData%\infocert\gosign desktop\gosigndesktop.exe

Targeting can be done by users or by device, perhaps using dynamic or assigned groups based on scopes or distributed applications – figure 7.

Figure 7 – Rule Assignment

The distribution status will be viewable in the Overview section of each individual profile – figure 8.

Figure 8 – Deployment status

Conclusions

With a few steps you can configure the firewall policies even if all the wizards that allow you to enable services such as File Share or Remote WMI – useful in domain scenarios – are still missing.

#DBS