Intune Security Baseline firewall help?

Manny Soto 0 Reputation points
2024-09-11T07:31:25.7133333+00:00

We have devices, joined to Entra ID, and Intune. I push the following Security baselines:

  • Windows 10 Security Baseline
  • Windows 365 Security Baseline
  • Defender Security Baseline

They all have a Firewall section, including settings for the three network types

  • Enable Domain Network Firewall
  • Enable Private Network Firewall
  • Enable Public Network Firewall

All of these have

  • Allow Local ipsec policy merge
  • Allow Local Policy Merge

I have set these to "False" in all locations above. In theory, this means that the firewall does not use the local store, it uses some other store. My questions:

  1. Where is this other store?
  2. Where in Intune do I set the values for the firewall for this other policy store?
  3. How can I query the device istelf to determine the acutual firewall policy that is currently being enforced? Ideally using Powershell, not the GUI.

I had a theory that maybe I could push firewall rules to the device using Intune > Devices > Configuration > New Policy > Windows 10 and later > Templates > Endpoint protection > open Firewall section, and start adding rules, and apply that to a group where the device is included. But, that does not appear to do anything, or I am using the wrong method of detection. I also pushed a remediation to the device, using "Set-NetFirewallRule", but likewise, that does not appear to work.

If I set "Allow Local ipsec policy merge" and "Allow Local Policy Merge" to true, then it appears that at least the remediation script does in fact modify the local firewall policy, and that does what I want it to do on the device.

I guess I could just leave those policy merge settings to true, and leave it at that, but it is using local policy which then leaves it up to the configuration of the local device, which is different for each and every device, with local app installs, and admin users able to change it to something non standard.

Any help in finding where I set the firewall settings that specifically work with "Allow Local ipsec policy merge" and "Allow Local Policy Merge" set to true, and then detecting the actual settings on the device would be much appreciated. If there is some well written documentation on this, I would love to read that if it explains what all of these settings mean, how to implement it for best security, and how to test that it actually is set up in the desired state< I would love to hear about that too.

Thank you

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,373 questions
Microsoft Intune Security
Microsoft Intune Security
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
417 questions
Microsoft Intune Configuration
Microsoft Intune Configuration
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Configuration: The process of arranging or setting up computer systems, hardware, or software.
1,893 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
5,053 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Pavel yannara Mirochnitchenko 12,576 Reputation points MVP
    2024-09-11T20:29:56.68+00:00

    You can either use the local store (local policy merge = allow), or not. If not, you should configure all inbound firewall rules needed with Intune (Endpoint Security section). Most recommend method from security perspective is to it just like that - don't allow local store.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.