How to enable WMI in Endpoint Firewall?

Tonito Dux 996 Reputation points
2022-08-25T07:48:09.737+00:00

Hi,

I would like to know how to set up an allow rule for Windows Management Instrumentation (WMI-in), aka this:

234757-wmi-gpo.jpg

into Endpoint Firewall:

234807-wmi.png

I don't know why, but the interface is complicated and I cannot just simply "transfer" the rule from client to Endpoint.

I have also tried the migration tool (https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-firewall-rule-tool), but the PS has been hanging for about 20 min as I am writing this, so that is a no-go.

Thank you

Microsoft Security | Intune | Other

5 answers

  1. Tonito Dux 996 Reputation points
    2022-08-30T09:22:37.203+00:00

    Hi,

    to answer myself:

    236000-1.png
    236047-2.png

    In screenshot nr.1 under "Network Types" I have selected FW_PROFILE_TYPE_DOMAIN and PRIVATE.
    Protocol 6 can be found in the Windows local firewall under "advanced settings":

    236065-3.jpg

    Cheers!


  2. Konrad Gawronski 1 Reputation point
    2022-09-13T18:03:17.537+00:00

    We're battling the same issue...
    I think I'm missing something, how exactly do we get to screenshot #1? We've tried '"Network Types" I have selected FW_PROFILE_TYPE_DOMAIN and PRIVATE.' but don't see the same options.
    Can you please explain it as you would to a 5-year-old? I'd really appreciate it.

    Thank you!


  3. Tonito Dux 996 Reputation points
    2022-09-14T06:21:58.717+00:00

    So Konrad, if I understood you correctly, you are wondering how to get to MY 1st screenshot in my ORIGINAL question.

    If this is the case, then you need to create or edit an existing policy in Endpoint Manager -> Endpoint Security -> Firewall

    240874-fw01.png

    If you are referring to my screenshot in my ANSWER then:

    You click on your existing rule:

    240779-fw02.png

    Scroll down until you see "configuration settings" -> Edit:

    240884-fw03.png

    240848-fw04.png

    After you click edit, you are presented with the possibility to add your rules or edit the existing ones:

    240797-fw05.png

    Editing an existing rule or creating a new one - it is all the same, and then you will be on the correct path to "configure instance" like in my answer:

    240860-fw06.png

    Cheers!


  4. Konrad Gawronski 1 Reputation point
    2022-09-14T11:32:57.483+00:00

    Very much appreciated Sir! Thank you!
    Will be implementing this on Friday. Hopefully the Nessus scan goes without a hitch after these changes.


  5. Nick N 0 Reputation points
    2025-07-14T20:06:13.35+00:00

    Came across this while looking for an answer, and just want to note that in your screenshots you are really just creating an "any any" rule for TCP. Protocol 6 is TCP, not WMI specifically. This would be opening pretty much everything up, and not what you would likely want to do.

    I ended up exporting a GPO policy with the WMI set there, and then used the group policy analytics tool to see what to set. In the end, these are the settings I have, and I feel comfortable it's locked down in Intune, and it seems to have worked for me.

    set to enabled

    interface types all

    filepath: %SystemRoot%\system32\svchost.exe

    then network types I just did Domain.

    set the local port ranges to 135,49152-65535

    Set a Description to something that made sense to me

    Set the direction to inbound traffic

    Enabled protocol, set the protocol to 6

    Enabled service name, set to "winmgmt" (this was found by looking through the output of Get-Service in PowerShell on my local PC)

    I set my remote address range to just the IP of the server I wanted WMI access


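The difference the last answer points out, as an added example that is not part of the thread or of Intune itself: a small PowerShell lint that reports which scoping conditions an enabled inbound allow rule leaves open. The property names, the `Action` field and the `192.0.2.10` placeholder address are assumptions for illustration; the two sample rules are constructed from the settings named in the first and last answers.

```powershell
# Added example (not from the thread): lint inbound allow rules for missing scope.
# Property names are hypothetical; they loosely mirror the settings named above.
function Test-FirewallRuleScope {
    param([Parameter(Mandatory)][pscustomobject]$Rule)

    # Only enabled inbound allow rules widen what the endpoint accepts.
    if (-not $Rule.Enabled -or $Rule.Direction -ne 'In' -or $Rule.Action -ne 'Allow') {
        return
    }
    # A condition is unrestricted when it is missing, empty, or a wildcard.
    $unrestricted = @(foreach ($name in 'LocalPorts', 'FilePath', 'ServiceName', 'RemoteAddress') {
        $value = $Rule.$name
        if ([string]::IsNullOrWhiteSpace([string]$value) -or "$value" -in 'Any', '*') { $name }
    })
    [pscustomobject]@{
        Rule         = $Rule.Name
        Unrestricted = $unrestricted -join ', '
        # Protocol 6 (TCP) with no port, program, service or peer limit is "any any".
        AnyAny       = ($Rule.Protocol -eq 6 -and $unrestricted.Count -eq 4)
    }
}

# Constructed sample rules: the first carries only the settings named in the first
# answer, the second the settings listed in the last answer.
# 192.0.2.10 is a documentation placeholder, not an address from the thread.
$rules = @(
    [pscustomobject]@{
        Name = 'WMI-In (protocol 6 only)'; Enabled = $true; Direction = 'In'; Action = 'Allow'
        Protocol = 6; NetworkTypes = 'Domain', 'Private'
    }
    [pscustomobject]@{
        Name = 'WMI-In (scoped)'; Enabled = $true; Direction = 'In'; Action = 'Allow'
        Protocol = 6; NetworkTypes = 'Domain'; LocalPorts = '135,49152-65535'
        FilePath = '%SystemRoot%\system32\svchost.exe'; ServiceName = 'winmgmt'
        RemoteAddress = '192.0.2.10'
    }
)

# One result row per rule; an empty Unrestricted column means every condition is set.
$rules | ForEach-Object { Test-FirewallRuleScope -Rule $_ } | Format-Table -AutoSize
```

The function works on plain objects, so it can be run against an exported rule list before the policy is assigned to devices.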