Endpoint security firewall rule migration tool overview
Many organizations are moving their security configuration to Microsoft Endpoint Manager to make use of modern, cloud-based management. Endpoint security in Endpoint Manager offers rich management experiences of Windows Firewall configuration and granular firewall rule management.
Because it can be challenging to move large numbers of existing Group Policies for Windows Firewall rules to Endpoint security policies in Endpoint Manager, we've created the Endpoint security firewall rule migration tool, which is a PowerShell script.
When you run the Endpoint security firewall rule migration tool on a reference Windows 10/11 client that has firewall rules based on Group Policy applied, the tool can automatically create Endpoint security firewall rule policies in Endpoint Manager. After the endpoint security rules are created, administrators can target the rules to Azure AD groups to configure MDM and co-managed clients.
Download the Endpoint security firewall rule migration tool:
Tool usage
Tip
The tool's PowerShell script looks for endpoint security policies that target MDM. When there are no policies that target MDM, the script can loop and fail to exit. To work around this condition, either add a policy that targets MDM before running the script, or edit the line 46 of the script to the following: while(($profileNameExist) -and ($profiles.Count -gt 0))
Run the tool on a reference machine to migrate that machines current Windows Firewall rule configuration. When run, the tool exports all enabled firewall rules that are present on the device, and automatically creates new Intune policies with the collected rules.
Sign in to the reference machine with local administrator privileges.
Download and unzip the file
Export-FirewallRules.zip
.The zip file contains the script file
Export-FirewallRules.ps1
.Run the
Export-FirewallRules.ps1
script on the machine.The script downloads all the prerequisites it requires to run. When prompted, provide appropriate Intune administrator credentials. For more information about required permissions, see Required permissions.
Provide a policy name when prompted. The policy name must be unique for the tenant.
When more than 150 firewall rules are found, multiple policies are created.
Policies created by the tool are visible in the Microsoft Endpoint Manager in the Endpoint security > Firewall pane.
Note
By default, only enabled firewall rules are migrated and only firewall rules created by GPO are migrated. The tool supports switches you can use to modify these defaults.
The time the tool takes to run depends on the number of firewall rules found.
After the tool runs, it outputs a count of firewall rules that it couldn't automatically migrate. For more information, see Unsupported configuration.
Switches
Use the following switches (parameters) to modify the tool's default behavior.
IncludeLocalRules
- Use this switch to include all locally created/default Windows firewall rules in the export. Use of this switch can result in a large count of included rules.IncludedDisabledRules
- e this switch to include all enabled and disabled Windows firewall rules in the export. Use of this switch can result in a large count of included rules.
Unsupported configuration
The following registry-based settings aren't supported because of a lack of MDM support in Windows. While these settings are uncommon, should you require these settings consider logging this need through your standard support channels.
GPO Field | Reason |
---|---|
TYPE-VALUE =/ "Security=" IFSECURE-VAL | IPSec related setting not supported by Windows MDM |
TYPE-VALUE =/ "Security2_9=" IFSECURE2-9-VAL | IPSec related setting not supported by Windows MDM |
TYPE-VALUE =/ "Security2=" IFSECURE2-10-VAL | IPSec related setting not supported by Windows MDM |
TYPE-VALUE =/ "IF=" IF-VAL | Interface Identifier (LUID) is not manageable |
TYPE-VALUE =/ "Defer=" DEFER-VAL | Inbound NAT Traversal related not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ "LSM=" BOOL-VAL | Loose Source Mapped not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ "Platform=" PLATFORM-VAL | OS Versioning not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ "RMauth=" STR-VAL | IPSec related setting not supported by Windows MDM |
TYPE-VALUE =/ "RUAuth=" STR-VAL | IPSec related setting not supported by Windows MDM |
TYPE-VALUE =/ "AuthByPassOut=" BOOL-VAL | IPSec related setting not supported by Windows MDM |
TYPE-VALUE =/ "LOM=" BOOL-VAL | Local Only Mapped not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL | Redundant setting not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ "PCross=" BOOL-VAL | Allow profile crossing not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ "LUOwn=" STR-VAL | Local User Owner SID not applicable in MDM |
TYPE-VALUE =/ "TTK=" TRUST-TUPLE-KEYWORD-VAL | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ “TTK2_22=” TRUST-TUPLE-KEYWORD-VAL2-22 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ “TTK2_27=” TRUST-TUPLE-KEYWORD-VAL2-27 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ “TTK2_28=” TRUST-TUPLE-KEYWORD-VAL2-28 | Match traffic with the trust tuple keyword not exposed via Group Policy or Windows MDM |
TYPE-VALUE =/ "NNm=" STR-ENC-VAL | IPSec related setting not supported by Windows MDM |
TYPE-VALUE =/ "SecurityRealmId=" STR-VAL | IPSec related setting not supported by Windows MDM |
Unsupported setting values
The following setting values aren't supported for migration:
Ports:
PlayToDiscovery
isn't supported as a local or remote port range.
Address ranges:
LocalSubnet6
isn't supported as a local or remote address range.LocalSubnet4
isn't supported as a local or remote address range.PlatToDevice
isn't supported as a local or remote address range.
After the tool completes, it generates a report with rules that weren't successfully migrated. You can view these rules by viewing RulesError.csv
found in C:\<folder>
.
Required permissions
Users assigned the Intune roles for Endpoint Security Manager, Intune Service Admin, or Global Admin can migrate Windows Firewall rules to Endpoint security policies. Alternatively, you can assign the user a custom role where Security baselines permissions are set with Delete, Read, Assign, Create, and Update grants are applied. For more information, see Grant admin permissions to Intune.
Next steps
After creating Endpoint security policies for Firewall rules, assign those policies to Azure AD groups to configure both your MDM and co-managed clients. For more information, see Add groups to organize users and devices.
Feedback
Submit and view feedback for