You can either use the local store (local policy merge = allow), or not. If not, you should configure all inbound firewall rules needed with Intune (Endpoint Security section). The most recommended method from a security perspective is to do it just like that: don't allow the local store.
Intune Security Baseline firewall help?
We have devices, joined to Entra ID, and Intune. I push the following Security baselines:
- Windows 10 Security Baseline
- Windows 365 Security Baseline
- Defender Security Baseline
They all have a Firewall section, including settings for the three network types
- Enable Domain Network Firewall
- Enable Private Network Firewall
- Enable Public Network Firewall
All of these have
- Allow Local ipsec policy merge
- Allow Local Policy Merge
I have set these to "False" in all locations above. In theory, this means that the firewall does not use the local store, it uses some other store. My questions:
- Where is this other store?
- Where in Intune do I set the values for the firewall for this other policy store?
- How can I query the device itself to determine the actual firewall policy that is currently being enforced? Ideally using PowerShell, not the GUI.
I had a theory that maybe I could push firewall rules to the device using Intune > Devices > Configuration > New Policy > Windows 10 and later > Templates > Endpoint protection > open Firewall section, and start adding rules, and apply that to a group where the device is included. But, that does not appear to do anything, or I am using the wrong method of detection. I also pushed a remediation to the device, using "Set-NetFirewallRule", but likewise, that does not appear to work.
If I set "Allow Local ipsec policy merge" and "Allow Local Policy Merge" to true, then it appears that at least the remediation script does in fact modify the local firewall policy, and that does what I want it to do on the device.
I guess I could just leave those policy merge settings to true, and leave it at that, but it is using local policy which then leaves it up to the configuration of the local device, which is different for each and every device, with local app installs, and admin users able to change it to something non standard.
Any help in finding where I set the firewall settings that specifically work with "Allow Local ipsec policy merge" and "Allow Local Policy Merge" set to true, and then detecting the actual settings on the device would be much appreciated. If there is some well written documentation on this, I would love to read that if it explains what all of these settings mean, how to implement it for best security, and how to test that it actually is set up in the desired state; I would love to hear about that too.
Thank you
1 answer
Pavel yannara Mirochnitchenko 12,601 Reputation points MVP
2024-09-11T20:29:56.68+00:00
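The question asks how to read the firewall policy the device is really enforcing from PowerShell. The script below is an added example, not part of the answer above or of any Microsoft documentation; it assumes an elevated PowerShell session on the enrolled device and uses only the built-in NetSecurity cmdlets. It reads the merged (ActiveStore) view rather than the local store, groups the effective rules by the store they came from, and flags profiles that still allow local policy merge.

```powershell
# Added example: report the firewall state the device is actually enforcing.
# ActiveStore is the merged result of local, Group Policy and MDM settings,
# so it answers "what is in effect", not "what is in the local store".
function Get-EffectiveFirewallState {
    [CmdletBinding()]
    param()

    # Per-profile settings as resolved from all sources.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                      AllowLocalFirewallRules, AllowLocalIPsecRules, LogFileName, LogBlocked

    # Rules in effect right now, counted by the store each one was resolved from
    # (PolicyStoreSourceType distinguishes locally created rules from policy-delivered ones).
    $activeRules = Get-NetFirewallRule -PolicyStore ActiveStore
    $bySource = $activeRules |
        Group-Object PolicyStoreSourceType |
        Select-Object @{ n = 'SourceType'; e = { $_.Name } }, Count

    # Rules that exist in the local persistent store but are not part of the
    # effective set. With AllowLocalFirewallRules = False this list shows what
    # local admins or app installers added that the device is NOT honouring.
    $localNotEffective = Get-NetFirewallRule -PolicyStore PersistentStore |
        Where-Object { $_.Name -notin $activeRules.Name } |
        Select-Object DisplayName, Direction, Action, Enabled

    [PSCustomObject]@{
        Profiles          = $profiles
        ActiveRulesBySrc  = $bySource
        LocalNotEffective = $localNotEffective
    }
}

# Usage: dump the three views.
$state = Get-EffectiveFirewallState
$state.Profiles          | Format-Table -AutoSize
$state.ActiveRulesBySrc  | Format-Table -AutoSize
$state.LocalNotEffective | Format-Table -AutoSize

# Quick compliance check: any profile that is disabled, does not block inbound
# by default, or still merges local rules is a deviation from the intended baseline.
$state.Profiles | Where-Object {
    $_.Enabled -ne 'True' -or
    $_.DefaultInboundAction -ne 'Block' -or
    $_.AllowLocalFirewallRules -eq 'True'
}
```

The same function body can be dropped into an Intune detection script (exit non-zero when the final check returns any profile) so the merged state is reported per device instead of being inspected by hand.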