Firewall policy settings for endpoint security in Intune
View the settings you can configure in profiles for Firewall policy in the endpoint security node of Intune as part of an Endpoint security policy.
Applies to:
- macOS
- Windows 10
- Windows 11
Note
Beginning on April 5, 2022, the Firewall profiles for the Windows 10 and later platform were replaced by the Windows platform and new instances of those same profiles. Profiles created after that date use a new settings format as found in the Settings Catalog. With this change you can no longer create new versions of the old profile and they are no longer being developed. Although you can no longer create new instances of the older profile, you can continue to edit and use instances of it that you previously created.
For profiles that use the new settings format, Intune no longer maintains a list of each setting by name. Instead, the name of each setting, its configuration options, and its explanatory text you see in the Microsoft Intune admin center are taken directly from the settings authoritative content. That content can provide more information about the use of the setting in its proper context. When viewing a settings information text, you can use its Learn more link to open that content.
The settings details for Windows profiles in this article apply to those deprecated profiles.
Supported platforms and profiles:
macOS:
- Profile: macOS firewall
Windows 10 and later:
- Profile: Windows Firewall
macOS firewall profile
Firewall
The following settings are configured as Endpoint Security policy for macOS Firewalls
Enable Firewall
- Not configured (default)
- Yes - Enable the firewall.
When set to Yes, you can configure the following settings.
Block all incoming connections
- Not configured (default)
- Yes - Block all incoming connections except connections that are required for basic Internet services such as DHCP, Bonjour, and IPSec. This blocks all sharing services.
Enable stealth mode
- Not configured (default)
- Yes - Prevent the computer from responding to probing requests. The computer still answers incoming requests for authorized apps.
Firewall apps Expand the dropdown and then select Add to then specify apps and rules for incoming connections for the app.
Allow incoming connections
- Not configured
- Block
- Allow
Bundle ID - The ID identifies the app. For example: com.apple.app
Windows Firewall profile
Windows Firewall
The following settings are configured as Endpoint Security policy for Windows Firewalls.
Stateful File Transfer Protocol (FTP)
CSP: MdmStore/Global/DisableStatefulFtp- Not configured (default)
- Allow - The firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections.
- Disabled - Stateful FTP is disabled.
Number of seconds a security association can be idle before it's deleted
CSP: MdmStore/Global/SaIdleTimeSpecify a time in seconds between 300 and 3600, for how long the security associations are kept after network traffic isn't seen.
If you don't specify any value, the system deletes a security association after it's been idle for 300 seconds.
Preshared key encoding
CSP: MdmStore/Global/PresharedKeyEncodingIf you don't require UTF-8, preshared keys are initially encoded using UTF-8. After that, device users can choose another encoding method.
- Not configured (default)
- None
- UTF8
No exemptions for Firewall IP sec
Not configured (default) - When not configured, you'll have access to the following IP sec exemption settings that you can configure individually.
Yes - Turn off all Firewall IP sec exemptions. The following settings aren't available to configure.
Firewall IP sec exemptions allow neighbor discovery
CSP: MdmStore/Global/IPsecExempt- Not configured (default)
- Yes - Firewall IPsec exemptions allow neighbor discovery.
Firewall IP sec exemptions allow ICMP
CSP: MdmStore/Global/IPsecExempt- Not configured (default)
- Yes - Firewall IPsec exemptions allow ICMP.
Firewall IP sec exemptions allow router discovery
CSP: MdmStore/Global/IPsecExempt- Not configured (default)
- Yes - Firewall IPsec exemptions allow router discovery.
Firewall IP sec exemptions allow DHCP
CSP: MdmStore/Global/IPsecExempt- Not configured (default)
- Yes - Firewall IP sec exemptions allow DHCP
Certificate revocation list (CRL) verification
CSP: MdmStore/Global/CRLcheckSpecify how certificate revocation list (CRL) verification is enforced.
- Not configured (default) - Use the client default, which is to disable CRL verification.
- None
- Attempt
- Require
Require keying modules to only ignore the authentication suites they don’t support
CSP: MdmStore/Global/OpportunisticallyMatchAuthSetPerKM- Not configured (default)
- Disabled
- Enabled - Keying modules ignore unsupported authentication suites.
Packet queuing
CSP: MdmStore/Global/EnablePacketQueueSpecify how to enable scaling for the software on the receive side for the encrypted receive and clear text forward for the IPsec tunnel gateway scenario. This ensures the packet order is preserved.
- Not configured (default) - Packet queuing is returned to the client default, which is disabled.
- Disabled
- Queue Inbound
- Queue Outbound
- Queue Both
Turn on Windows Firewall for domain networks
CSP: EnableFirewall- Not configured (default) - The client returns to its default, which is to enable the firewall.
- Yes - The Windows Firewall for the network type of domain is turned on and enforced. You also gain access to additional settings for this network.
- No - Disable the firewall.
Additional settings for this network, when set to Yes:
Block stealth mode
CSP: DisableStealthModeBy default, stealth mode is enabled on devices. It helps prevent malicious users from discovering information about network devices and the services they run. Disabling stealth mode can make devices vulnerable to attack.
- Not configured (default)
- Yes
- No
Enable shielded mode
CSP: Shielded- Not configured (default) - Use the client default, which is to disable shielded mode.
- Yes - The machine is put into shielded mode, which isolates it from the network. All traffic is blocked.
- No
Block unicast responses to multicast broadcasts
CSP: DisableUnicastResponsesToMulticastBroadcast- Not configured (default) - The setting returns to the client default, which is to allow unicast responses.
- Yes - Unicast responses to multicast broadcasts are blocked.
- No - Enforce the client default, which is to allow unicast responses.
Disable inbound notifications
CSP DisableInboundNotifications- Not configured (default) - The setting returns to the client default, which is to allow the user notification.
- Yes - User notification is suppressed when an application is blocked by an inbound rule.
- No - User notifications are allowed.
Block outbound connections
This setting applies to Windows version 1809 and later. CSP: DefaultOutboundAction
This rule is evaluated at the very end of the rule list.
- Not configured (default) - The setting returns to the client default, which is to allow connections.
- Yes - All outbound connections that don't match an outbound rule are blocked.
- No - All connections that don't match an outbound rule are allowed.
Block inbound connections
CSP: DefaultInboundActionThis rule is evaluated at the very end of the rule list.
- Not configured (default) - The setting returns to the client default, which is to block connections.
- Yes - All inbound connections that don't match an inbound rule are blocked.
- No - All connections that don't match an inbound rule are allowed.
Ignore authorized application firewall rules
CSP: AuthAppsAllowUserPrefMerge- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - Authorized application firewall rules in the local store are ignored.
- No - Authorized application firewall rules are honored.
Ignore global port firewall rules
CSP: GlobalPortsAllowUserPrefMerge- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - Global port firewall rules in the local store are ignored.
- No - The global port firewall rules are honored.
Ignore all local firewall rules
CSP: IPsecExempt- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - All firewall rules in the local store are ignored.
- No - The firewall rules in the local store are honored.
Ignore connection security rules CSP: AllowLocalIpsecPolicyMerge
- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - IPsec firewall rules in the local store are ignored.
- No - IPsec firewall rules in the local store are honored.
Turn on Windows Firewall for private networks
CSP: EnableFirewall- Not configured (default) - The client returns to its default, which is to enable the firewall.
- Yes - The Windows Firewall for the network type of private is turned on and enforced. You also gain access to additional settings for this network.
- No - Disable the firewall.
Additional settings for this network, when set to Yes:
Block stealth mode
CSP: DisableStealthModeBy default, stealth mode is enabled on devices. It helps prevent malicious users from discovering information about network devices and the services they run. Disabling stealth mode can make devices vulnerable to attack.
- Not configured (default)
- Yes
- No
Enable shielded mode
CSP: Shielded- Not configured (default) - Use the client default, which is to disable shielded mode.
- Yes - The machine is put into shielded mode, which isolates it from the network. All traffic is blocked.
- No
Block unicast responses to multicast broadcasts
CSP: DisableUnicastResponsesToMulticastBroadcast- Not configured (default) - The setting returns to the client default, which is to allow unicast responses.
- Yes - Unicast responses to multicast broadcasts are blocked.
- No - Enforce the client default, which is to allow unicast responses.
Disable inbound notifications
CSP DisableInboundNotifications- Not configured (default) - The setting returns to the client default, which is to allow the user notification.
- Yes - User notification is suppressed when an application is blocked by an inbound rule.
- No - User notifications are allowed.
Block outbound connections
This setting applies to Windows version 1809 and later. CSP: DefaultOutboundAction
This rule is evaluated at the very end of the rule list.
- Not configured (default) - The setting returns to the client default, which is to allow connections.
- Yes - All outbound connections that don't match an outbound rule are blocked.
- No - All connections that don't match an outbound rule are allowed.
Block inbound connections
CSP: DefaultInboundActionThis rule is evaluated at the very end of the rule list.
- Not configured (default) - The setting returns to the client default, which is to block connections.
- Yes - All inbound connections that don't match an inbound rule are blocked.
- No - All connections that don't match an inbound rule are allowed.
Ignore authorized application firewall rules
CSP: AuthAppsAllowUserPrefMerge- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - Authorized application firewall rules in the local store are ignored.
- No - Authorized application firewall rules are honored.
Ignore global port firewall rules
CSP: GlobalPortsAllowUserPrefMerge- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - Global port firewall rules in the local store are ignored.
- No - The global port firewall rules are honored.
Ignore all local firewall rules
CSP: IPsecExempt- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - All firewall rules in the local store are ignored.
- No - The firewall rules in the local store are honored.
Ignore connection security rules CSP: AllowLocalIpsecPolicyMerge
- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - IPsec firewall rules in the local store are ignored.
- No - IPsec firewall rules in the local store are honored.
Turn on Windows Firewall for public networks
CSP: EnableFirewall- Not configured (default) - The client returns to its default, which is to enable the firewall.
- Yes - The Windows Firewall for the network type of public is turned on and enforced. You also gain access to additional settings for this network.
- No - Disable the firewall.
Additional settings for this network, when set to Yes:
Block stealth mode
CSP: DisableStealthModeBy default, stealth mode is enabled on devices. It helps prevent malicious users from discovering information about network devices and the services they run. Disabling stealth mode can make devices vulnerable to attack.
- Not configured (default)
- Yes
- No
Enable shielded mode
CSP: Shielded- Not configured (default) - Use the client default, which is to disable shielded mode.
- Yes - The machine is put into shielded mode, which isolates it from the network. All traffic is blocked.
- No
Block unicast responses to multicast broadcasts
CSP: DisableUnicastResponsesToMulticastBroadcast- Not configured (default) - The setting returns to the client default, which is to allow unicast responses.
- Yes - Unicast responses to multicast broadcasts are blocked.
- No - Enforce the client default, which is to allow unicast responses.
Disable inbound notifications
CSP DisableInboundNotifications- Not configured (default) - The setting returns to the client default, which is to allow the user notification.
- Yes - User notification is suppressed when an application is blocked by an inbound rule.
- No - User notifications are allowed.
Block outbound connections
This setting applies to Windows version 1809 and later. CSP: DefaultOutboundAction
This rule is evaluated at the very end of the rule list.
- Not configured (default) - The setting returns to the client default, which is to allow connections.
- Yes - All outbound connections that don't match an outbound rule are blocked.
- No - All connections that don't match an outbound rule are allowed.
Block inbound connections
CSP: DefaultInboundActionThis rule is evaluated at the very end of the rule list.
- Not configured (default) - The setting returns to the client default, which is to block connections.
- Yes - All inbound connections that don't match an inbound rule are blocked.
- No - All connections that don't match an inbound rule are allowed.
Ignore authorized application firewall rules
CSP: AuthAppsAllowUserPrefMerge- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - Authorized application firewall rules in the local store are ignored.
- No - Authorized application firewall rules are honored.
Ignore global port firewall rules
CSP: GlobalPortsAllowUserPrefMerge- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - Global port firewall rules in the local store are ignored.
- No - The global port firewall rules are honored.
Ignore all local firewall rules
CSP: IPsecExempt- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - All firewall rules in the local store are ignored.
- No - The firewall rules in the local store are honored.
Ignore connection security rules CSP: AllowLocalIpsecPolicyMerge
- Not configured (default) - The setting returns to the client default, which is to honor the local rules.
- Yes - IPsec firewall rules in the local store are ignored.
- No - IPsec firewall rules in the local store are honored.
Windows Firewall rules
This profile is in Preview.
The following settings are configured as Endpoint Security policy for Windows Firewalls.
Windows Firewall Rule
Name
Specify a friendly name for your rule. This name will appear in the list of rules to help you identify it.Description
Provide a description of the rule.Direction
- Not configured (default) - This rule defaults to outbound traffic.
- Out - This rule applies to outbound traffic.
- In - This rule applies to inbound traffic.
Action
- Not configured (default) - The rule defaults to allow traffic.
- Blocked - Traffic is blocked in the Direction you've configured.
- Allowed - Traffic is allowed in the Direction you've configured.
Network type
Specify the network type to which the rule belongs. You can choose one or more of the following. If you don't select an option, the rule applies to all network types.- Domain
- Private
- Public
- Not configured
Application settings
Applications targeted with this rule:
Package family name
Get-AppxPackagePackage family names can be retrieved by running the Get-AppxPackage command from PowerShell.
File path
CSP: FirewallRules/FirewallRuleName/App/FilePathTo specify the file path of an app, enter the apps location on the client device. For example:
C:\Windows\System\Notepad.exe
Service name
FirewallRules/FirewallRuleName/App/ServiceNameUse a Windows service short name when a service, not an application, is sending or receiving traffic. Service short names are retrieved by running the
Get-Service
command from PowerShell.
Port and protocol settings
Specify the local and remote ports to which this rule applies:
Protocol
CSP: FirewallRules/FirewallRuleName/ProtocolSpecify the protocol for this port rule.
- Transport layer protocols like TCP(6) and UDP(17) allow you to specify ports or port ranges.
- For custom protocols, enter a number between 0 and 255 that represents the IP protocol.
- When nothing is specified, the rule defaults to Any.
Interface types
Specify the interface types to which the rule belongs. You can choose one or more of the following. If you don't select an option, the rule applies to all interface types:- Remote access
- Wireless
- Local area network
- Not configured
- Mobile Broadband - This option replaces use of the previous entry for Mobile Broadband, which is deprecated and no longer supported.
- [Not Supported] Mobile Broadband - Do not use this option, which is the original Mobile Broadband option. This option no longer functions correctly. Replace use of this option with the newer version of Mobile Broadband.
Authorized users
FirewallRules/FirewallRuleName/LocalUserAuthorizationListSpecify a list of authorized local users for this rule. A list of authorized users can't be specified if Service name in this policy is set as a Windows service. If no authorized user is specified, the default is all users.
IP address settings
Specifies the local and remote addresses to which this rule applies:
Any local address
Not configured (default) - Use the following setting, Local address ranges* to configure a range of addresses to support.- Yes - Support any local address and don't configure an address range.
Local address ranges
CSP: FirewallRules/FirewallRuleName/LocalAddressRangesManage local address ranges for this rule. You can:
- Add one or more addresses as a comma-separated list of local addresses that are covered by the rule.
- Import a .csv file containing a list of local IP addresses ranges using the 'LocalAddressRanges' header.
- Export your current list of local address ranges as a .csv file.
Valid entries (tokens) include the following options:
- An asterisk - An asterisk (*) indicates any local address. If present, the asterisk must be the only token included.
- A subnet - Specify subnets by using the subnet mask or network prefix notation. If a subnet mask or network prefix isn't specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address
- An IPv4 address range - IPv4 ranges must be in the format of start address - end address with no spaces included, where the start address is less than the end address.
- An IPv6 address range - IPv6 ranges must be in the format of start address - end address with no spaces included, where the start address is less than the end address.
When no value is specified, this setting defaults to use Any address.
Any remote address
Not configured (default) - Use the following setting, Remote address ranges* to configure a range of addresses to support.- Yes - Support any remote address and don't configure an address range.
Remote address ranges
CSP: FirewallRules/FirewallRuleName/RemoteAddressRangesManage remote address ranges for this rule. You can:
- Add one or more addresses as a comma-separated list of remote addresses that are covered by the rule.
- Import a .csv file containing a list of remote IP addresses ranges using the 'RemoteAddressRanges' header.
- Export your current list of remote address ranges as a .csv file.
Valid entries (tokens) include the following and aren't case-sensitive:
- An asterisk - An asterisk (*) indicates any remote address. If present, the asterisk must be the only token included.
- Defaultgateway
- DHCP
- DNS
- WINS
- Intranet - Supported on devices that run Windows 1809 or later.
- RmtIntranet - Supported on devices that run Windows 1809 or later.
- Ply2Renders - Supported on devices that run Windows 1809 or later.
- LocalSubnet - Indicates any local address on the local subnet.
- A subnet - Specify subnets by using the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address
- An IPv4 address range - IPv4 ranges must be in the format of start address - end address with no spaces included, where the start address is less than the end address.
- An IPv6 address range - IPv6 ranges must be in the format of start address - end address with no spaces included, where the start address is less than the end address.
When no value is specified, this setting defaults to use Any address.