
How to Configure Windows Firewall Rules via Intune

Published 20 March 2026

Windows Firewall is built into every managed Windows device, but in most environments it is either left at defaults or completely disabled by group policy from years ago. Deploying firewall rules via Intune means you can enforce a consistent baseline across every enrolled device without touching a single machine manually.

Intune manages Windows Firewall through two profile types: the Firewall profile (which controls the firewall state and general settings) and Firewall Rules profiles (which define specific inbound and outbound rules). You typically need both.

Create the Firewall Profile

📋 Profile Setup
  • Platform: Windows 10, Windows 11, and Windows Server
  • Profile: Microsoft Defender Firewall

Configure Firewall Settings

⚙️ Configuration

Microsoft Defender Firewall - Core Settings (applied per network profile: Domain, Private, Public)

  • Firewall (Domain profile) - applies when connected to a corporate domain network. Set to: Enabled
  • Firewall (Private profile) - applies when connected to a trusted private network at home or a branch office. Set to: Enabled
  • Firewall (Public profile) - applies on untrusted networks like coffee shops and airports. Apply the strictest rules here. Set to: Enabled
  • Inbound connections (Public profile) - block all unsolicited inbound on public networks. Set to: Block (default)
  • Outbound connections - allow by default across all profiles. Block individual outbound traffic with explicit rules if needed. Set to: Allow (default)
  • Disable stealth mode - keep stealth mode on so the device does not respond to ICMP probes on public networks. Set to: False (stealth on)
  • Disable firewall - never. Block local admins from disabling the firewall. Set to: False
  • Apply local firewall rules - allows apps to add their own rules via the local firewall. Set to Yes to avoid breaking applications that add their own rules on install. Set to: Yes

Create Firewall Rules

🔥 Rules Profile

Firewall rules are managed in a separate profile type. Create a second policy:

  • Platform: Windows 10, Windows 11, and Windows Server
  • Profile: Microsoft Defender Firewall Rules

Each rule has the following configurable fields:

  • Name - descriptive label shown in Windows Firewall Advanced settings
  • Direction - Inbound or Outbound
  • Action - Allow or Block
  • Protocol - TCP, UDP, Any, ICMP, etc.
  • Local and remote ports
  • Profile - Domain, Private, Public, or any combination
  • Application - restrict the rule to a specific executable path

Common Rules to Deploy

📋 Recommended Rules

Recommended Baseline Firewall Rules - add each as an individual rule within the Firewall Rules profile:

  • Block inbound RDP (Public profile only) - Direction: Inbound, Protocol: TCP, Port: 3389, Profile: Public, Action: Block. Prevents RDP exposure on untrusted networks.
  • Block inbound SMB (Public profile only) - Direction: Inbound, Protocol: TCP, Port: 445, Profile: Public, Action: Block. Prevents lateral movement attempts on public Wi-Fi.
  • Allow Intune Management Extension - Direction: Outbound, App: %ProgramFiles%\Microsoft Intune Management Extension\AgentExecutor.exe, Action: Allow. Keeps remediation scripts functioning.
  • Block outbound Telnet - Direction: Outbound, Protocol: TCP, Port: 23, Action: Block. Telnet sends credentials in plaintext.

⚠️ Test inbound blocks carefully
Blocking inbound ports can break legitimate software - RMM agents, VoIP clients, and file sync tools often need inbound connections. Deploy rule changes in report-only or to a test group first. Check the Windows Firewall event log (Event ID 5152 for blocked connections) to identify anything broken before rolling out widely.

Verify on Device

✅ Verification

After policy sync, confirm the rules are applied on a device. Open an elevated PowerShell prompt and run:

Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction
Get-NetFirewallRule | Where-Object {$_.DisplayGroup -like "*Intune*"}

The first command shows the state of each network profile. The second lists any firewall rules deployed by Intune. You can also open Windows Defender Firewall with Advanced Security from the Start menu and check rules manually under Inbound Rules and Outbound Rules.
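If you want more than a visual check, the script below (an added example, not part of the original guide) compares a device's effective firewall state against the baseline described above: all three profiles enabled, Public not defaulting to Allow inbound, and the three Block rules present and enabled. It assumes the rule labels are descriptive only, and that the Telnet rule is matched on the remote port since it is outbound.

```powershell
# Added baseline check (not from the original guide). Run from an elevated prompt.
$findings = @()

# Profile state: every profile enabled, Public must not default to allowing inbound.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings += "Profile $($p.Name): firewall is not enabled ($($p.Enabled))"
    }
    if ($p.Name -eq 'Public' -and $p.DefaultInboundAction -eq 'Allow') {
        $findings += "Profile Public: default inbound action is Allow, expected Block"
    }
}

# Rules expected from the Firewall Rules profile. Port is matched on LocalPort for
# inbound rules and RemotePort for outbound rules (an assumption for the Telnet rule).
$expectedRules = @(
    @{ Label = 'Block inbound RDP (Public)'; Direction = 'Inbound';  Protocol = 'TCP'; Port = '3389'; Profile = 'Public' },
    @{ Label = 'Block inbound SMB (Public)'; Direction = 'Inbound';  Protocol = 'TCP'; Port = '445';  Profile = 'Public' },
    @{ Label = 'Block outbound Telnet';      Direction = 'Outbound'; Protocol = 'TCP'; Port = '23';   Profile = 'Any' }
)

# Only enabled Block rules are candidates; the port filter is fetched per candidate.
$blockRules = Get-NetFirewallRule -Enabled True -Action Block

foreach ($e in $expectedRules) {
    $hit = $blockRules | Where-Object {
        $_.Direction -eq $e.Direction -and
        ($e.Profile -eq 'Any' -or "$($_.Profile)" -eq 'Any' -or
         ("$($_.Profile)" -split ',\s*') -contains $e.Profile)
    } | Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $port = if ($e.Direction -eq 'Inbound') { $pf.LocalPort } else { $pf.RemotePort }
        # Exact port match only; a rule covering a port range would not be counted.
        $pf.Protocol -eq $e.Protocol -and ($port -contains $e.Port)
    } | Select-Object -First 1
    if (-not $hit) { $findings += "Rule missing or disabled: $($e.Label)" }
}

if ($findings.Count -eq 0) {
    'Firewall baseline OK'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it on a pilot device after the first sync, then on a sample of production devices; a FINDING line for a rule usually means the Firewall Rules profile has not applied yet or was assigned to a different group than the Firewall profile.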

Use Intune's built-in firewall report
Navigate to Endpoint Security › Firewall › MDM Devices running Windows 10 or later with firewall off. This report shows any managed devices where the firewall has been switched off - useful for identifying non-compliance at scale without checking devices individually.