Firewall policy settings for tenant attached devices in Microsoft Intune
View the Microsoft Windows Firewall settings you can manage with the Windows Firewall (ConfigMgr) profile from Intune. The profile is available when you configure Intune Firewall policy, and the policy deploys to devices you manage with Configuration Manager when you've configured the tenant attach scenario.
Windows Firewall
Certificate revocation list verification (Device)
CSP: MdmStore/Global/CRLcheck
Specify how certificate revocation list (CRL) verification is enforced.
- Not configured (default) - Use the client default, which is to disable CRL verification.
- None
- Attempt
- Require
Disable Stateful Ftp (Device)
CSP: MdmStore/Global/DisableStatefulFtp
- Not configured (default)
- True - Stateful FTP is disabled
- False - The firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections.
Enable Packet Queue (Device)
CSP: MdmStore/Global/EnablePacketQueue
Select from the following options to configure receive-side software scaling for encrypted receive and clear-text forward in the IPsec tunnel gateway scenario. Queuing ensures that packet order is preserved. By default, no options are selected.
- Disabled
- Queue Inbound
- Queue Outbound
IPsec Exceptions (Device)
CSP: MdmStore/Global/IPsecExempt
Select from the following options to configure IPsec exceptions.
- Exempt neighbor discovery IPv6 ICMP type-codes from IPsec
- Exempt ICMP from IPsec
- Exempt router discovery IPv6 ICMP type-codes from IPsec
- Exempt both IPv4 and IPv6 DHCP traffic from IPsec
Opportunistically Match Auth Set Per KM (Device)
CSP: OpportunisticallyMatchAuthSetPerKM
- Not configured (default)
- True
- False
Preshared Key Encoding (Device)
CSP: MdmStore/Global/PresharedKeyEncoding
- Not configured (default)
- None
- UTF8
Security association idle time (Device)
CSP: MdmStore/Global/SaIdleTime
Specify a time in seconds, between 300 and 3600, for how long security associations are kept after network traffic is no longer seen. If you don't specify a value, the system deletes a security association after it has been idle for 300 seconds.
Domain Profile
Enable Domain Network Firewall (Device)
CSP: EnableFirewall
- Not configured (default) - The client returns to its default, which is to enable the firewall.
- True - The Windows Firewall for the network type of domain is turned on and enforced.
- False - Disable the firewall.
When set to True, you can then configure the following settings for this firewall profile type:
Allow Local Ipsec Policy Merge (Device)
CSP: AllowLocalIpsecPolicyMerge
- Not configured (default)
- True
- False - Connection security rules from the local store are ignored and not enforced.
Allow Local Policy Merge (Device)
CSP: AllowLocalPolicyMerge
- Not configured (default)
- True
- False - Firewall rules from the local store are ignored and not enforced.
Auth Apps Allow User Pref Merge (Device)
CSP: AuthAppsAllowUserPrefMerge
- Not configured (default)
- True
- False
Default Inbound Action for Domain Profile (Device)
CSP: DefaultInboundAction
- Not configured (default)
- Allow
- Block
Default Outbound Action (Device)
CSP: DefaultOutboundAction
- Allow
- Block
Disable Inbound Notifications (Device)
CSP: DisableInboundNotifications
- Not configured (default)
- True - The firewall won't display a notification to the user when an application is blocked from listening on a port.
- False - The firewall might display a notification to the user when an application is blocked from listening on a port.
Disable Stealth Mode (Device)
CSP: DisableStealthMode
- Not configured (default)
- True
- False - The server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific.
Disable Unicast Responses To Multicast Broadcast (Device)
CSP: DisableUnicastResponsesToMulticastBroadcast
- Not configured (default)
- True - Unicast response to multicast broadcast traffic is blocked.
- False
Global Ports Allow User Pref Merge (Device)
CSP: GlobalPortsAllowUserPrefMerge
- Not configured (default)
- True
- False - Global port firewall rules in the local store are ignored and not enforced.
Shielded (Device)
CSP: Shielded
- Not configured (default)
- True - The server blocks all incoming traffic regardless of other policy settings.
- False
Private Profile
Enable Private Network Firewall (Device)
CSP: EnableFirewall
- Not configured (default) - The client returns to its default, which is to enable the firewall.
- True - The Windows Firewall for the network type of private is turned on and enforced.
- False - Disable the firewall.
When set to True, you can then configure the following settings for this firewall profile type:
Allow Local Ipsec Policy Merge (Device)
CSP: AllowLocalIpsecPolicyMerge
- Not configured (default)
- True
- False - Connection security rules from the local store are ignored and not enforced.
Allow Local Policy Merge (Device)
CSP: AllowLocalPolicyMerge
- Not configured (default)
- True
- False - Firewall rules from the local store are ignored and not enforced.
Auth Apps Allow User Pref Merge (Device)
CSP: AuthAppsAllowUserPrefMerge
- Not configured (default)
- True
- False
Default Inbound Action for Private Profile (Device)
CSP: DefaultInboundAction
- Not configured (default)
- Allow
- Block
Default Outbound Action (Device)
CSP: DefaultOutboundAction
- Allow
- Block
Disable Inbound Notifications (Device)
CSP: DisableInboundNotifications
- Not configured (default)
- True - The firewall won't display a notification to the user when an application is blocked from listening on a port.
- False - The firewall might display a notification to the user when an application is blocked from listening on a port.
Disable Stealth Mode (Device)
CSP: DisableStealthMode
- Not configured (default)
- True
- False - The server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific.
Disable Unicast Responses To Multicast Broadcast (Device)
CSP: DisableUnicastResponsesToMulticastBroadcast
- Not configured (default)
- True - Unicast response to multicast broadcast traffic is blocked.
- False
Global Ports Allow User Pref Merge (Device)
CSP: GlobalPortsAllowUserPrefMerge
- Not configured (default)
- True
- False - Global port firewall rules in the local store are ignored and not enforced.
Shielded (Device)
CSP: Shielded
- Not configured (default)
- True - The server blocks all incoming traffic regardless of other policy settings.
- False
Public Profile
Enable Public Network Firewall (Device)
CSP: EnableFirewall
- Not configured (default) - The client returns to its default, which is to enable the firewall.
- True - The Windows Firewall for the network type of public is turned on and enforced.
- False - Disable the firewall.
When set to True, you can then configure the following settings for this firewall profile type:
Allow Local Ipsec Policy Merge (Device)
CSP: AllowLocalIpsecPolicyMerge
- Not configured (default)
- True
- False - Connection security rules from the local store are ignored and not enforced.
Allow Local Policy Merge (Device)
CSP: AllowLocalPolicyMerge
- Not configured (default)
- True
- False - Firewall rules from the local store are ignored and not enforced.
Auth Apps Allow User Pref Merge (Device)
CSP: AuthAppsAllowUserPrefMerge
- Not configured (default)
- True
- False
Default Inbound Action for Public Profile (Device)
CSP: DefaultInboundAction
- Not configured (default)
- Allow
- Block
Default Outbound Action (Device)
CSP: DefaultOutboundAction
- Allow
- Block
Disable Inbound Notifications (Device)
CSP: DisableInboundNotifications
- Not configured (default)
- True - The firewall won't display a notification to the user when an application is blocked from listening on a port.
- False - The firewall might display a notification to the user when an application is blocked from listening on a port.
Disable Stealth Mode (Device)
CSP: DisableStealthMode
- Not configured (default)
- True
- False - The server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific.
Disable Unicast Responses To Multicast Broadcast (Device)
CSP: DisableUnicastResponsesToMulticastBroadcast
- Not configured (default)
- True - Unicast response to multicast broadcast traffic is blocked.
- False
Global Ports Allow User Pref Merge (Device)
CSP: GlobalPortsAllowUserPrefMerge
- Not configured (default)
- True
- False - Global port firewall rules in the local store are ignored and not enforced.
Shielded (Device)
CSP: Shielded
- Not configured (default)
- True - The server blocks all incoming traffic regardless of other policy settings.
- False
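As an added example, not from this page or from Intune's own tooling, the following PowerShell audit reads the effective state of the Domain, Private and Public profiles on a device with Get-NetFirewallProfile and reports every value that differs from a baseline mirroring the profile settings above. The values in $Expected are an assumed hardened baseline, not values this page prescribes; adjust them to your own policy.

```powershell
# Added audit example: compare each Windows Firewall profile's effective state
# against an assumed baseline that mirrors the Intune profile settings above.
# Property names are those exposed by Get-NetFirewallProfile (NetSecurity module).
# Values come back as True/False/NotConfigured or Allow/Block/NotConfigured.
$Expected = @{
    Enabled                         = 'True'   # Enable <Profile> Network Firewall = True
    DefaultInboundAction            = 'Block'  # Default Inbound Action = Block
    DefaultOutboundAction           = 'Allow'  # Default Outbound Action = Allow
    AllowLocalFirewallRules         = 'False'  # Allow Local Policy Merge = False
    AllowLocalIPsecRules            = 'False'  # Allow Local Ipsec Policy Merge = False
    AllowUnicastResponseToMulticast = 'False'  # Disable Unicast Responses To Multicast Broadcast = True
    NotifyOnListen                  = 'False'  # Disable Inbound Notifications = True
    EnableStealthModeForIPsec       = 'True'   # Disable Stealth Mode = False
}

$findings = foreach ($profile in Get-NetFirewallProfile -Profile Domain, Private, Public) {
    foreach ($setting in $Expected.Keys) {
        $actual = [string]$profile.$setting
        if ($actual -ne $Expected[$setting]) {
            # 'NotConfigured' means no policy reached this setting: the client
            # default applies, which for Enabled is "on" but is still unmanaged.
            [pscustomobject]@{
                Profile  = $profile.Name
                Setting  = $setting
                Expected = $Expected[$setting]
                Actual   = $actual
                Managed  = ($actual -ne 'NotConfigured')
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Profile, Setting | Format-Table -AutoSize
} else {
    'All three profiles match the baseline.'
}
```

Run it in an elevated session on a tenant-attached device after the policy has been applied; a row with Managed = False means Intune never delivered that setting, even if the client default happens to match.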