Instead, the name of each setting, its configuration options, and its explanatory text you see in the Microsoft Intune admin center are taken directly from the setting's authoritative content. This ensures that the device has the Firewall enabled, Repeat the steps if you need to add more firewall rules, You can remove it by clicking on the 3 dots at the right if needed, Select Include and in the Assign to box, select the group you want to assign your Windows Firewall profile you just created (2-3), You'll see a confirmation at the top right. Default: Not configured This article got me pointed in the right direction. Be required to turn off BitLocker Drive Encryption, and then turn BitLocker back on. Specify how certificate revocation list (CRL) verification is enforced. This option is ignored if Stealth mode is set to Block. CSP: EnableFirewall. Default: LM and NTLM If you enable this setting, the SMB client will reject insecure guest logons. Default: Not configured The user needs to either sign out and sign in or reboot the computer for this setting to take effect. Default: Not configured To manage device security, you can also use endpoint security policies, which focus directly on subsets of device security. Kostas has worked in IT since 2004 and has gained experience in areas such as Windows Servers, security monitoring of critical systems, and disaster recovery. Tamper Protection Ransomware protection CSP: MdmStore/Global/PresharedKeyEncoding. CSP: EnableFirewall, Default Inbound Action for Private Profile (Device) Select up to three types of network types to which this rule belongs.
Default: Not configured Application Guard CSP: Settings/ClipboardSettings. Default: Not configured Firewall CSP: FirewallRules/FirewallRuleName/Direction. This is the biggest advantage of Intune over managing Windows Defender Firewall with Group Policy. Not configured (default) - Use the following setting, Local address ranges* to configure a range of addresses to support. This name will appear in the list of rules to help you identify it. LocalPoliciesSecurityOptions CSP: NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients. In Configuration Settings, you can choose among various options. After being enabled on a device, Application Control can only be disabled by changing the mode from Enforce to Audit only. Default: Not configured Default: Not configured CSP: MdmStore/Global/IPsecExempt. LocalPoliciesSecurityOptions CSP: Accounts_RenameAdministratorAccount. BitLocker CSP: SystemDrivesMinimumPINLength. Click the policy to identify the assignment status. Application Guard is only available for 64-bit Windows devices. SmartScreen CSP: SmartScreen/EnableSmartScreenInShell, Unverified files execution If not configured, user display name, domain, and username are shown. One of the documented differences is that the new template enables a new Windows Defender Firewall - Connection security rules from group policy not merged policy. Default: Not configured Rule: Block Adobe Reader from creating child processes. You can choose one or more of the following.
Default: Not configured Default: Not configured Default: Not configured Default: Not configured When configured to display, you can configure the following settings: IT organization name Specify a time in seconds between 300 and 3600, for how long the security associations are kept after network traffic isn't seen. A typical example is a user working on a home PC who needs access to various company services. Use a Windows service short name when a service, not an application, is sending or receiving traffic. Hiding this section will also block all notifications related to Virus and threat protection. User editing of the exploit protection interface Defender CSP: EnableControlledFolderAccess. Configure if end users can view the Account protection area in the Microsoft Defender Security Center. Turn on Microsoft Defender Firewall for domain networks Options include: Opportunistically match authentication set per keying module Click Create. This setting determines the Accessory Management Service's start type. Valid tokens include: Remote addresses Default: Not configured Expand the dropdown, select Add, and then specify apps and rules for incoming connections for the app. Remote address ranges File Transfer Protocol Default: Not configured Default: Not configured LocalPoliciesSecurityOptions CSP: InteractiveLogon_MachineInactivityLimit, Enter the maximum minutes of inactivity until the screensaver activates. Enable Private Network Firewall (Device) CSP: EnableFirewall Not configured (default) - The client returns to its default, which is to enable the firewall. Default: Not configured When set to Yes, you can configure the following settings.
LocalPoliciesSecurityOptions CSP: NetworkSecurity_LANManagerAuthenticationLevel, Insecure Guest Logons BitLocker CSP: AllowStandardUserEncryption. Application Guard CSP: Settings/PrintingSettings. A little background: I originally deployed the October Preview template and recently updated to the May 2019 template. Trusted sites are defined by a network boundary, which is configured in Device Configuration. Specify a list of authorized local users for this rule.
LocalPoliciesSecurityOptions CSP: UserAccountControl_UseAdminApprovalMode, Run all admins in Admin Approval Mode Default: Not configured Default: Not configured If you use this setting, AppLocker CSP behaviour currently prompts end users to reboot their machine when a policy is deployed. Default: Not configured CSP: SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode. Default: Not configured Determine if the hash value for passwords is stored the next time the password is changed. Control connections for an app or program. CSP: DefaultInboundAction. Intune may support more settings than the settings listed in this article. Firewall CSP: MdmStore/Global/DisableStatefulFtp, Security association idle time before deletion Block end-user access to the various areas of the Microsoft Defender Security Center app. Require keying modules to only ignore the authentication suites they don't support CSP: MdmStore/Global/OpportunisticallyMatchAuthSetPerKM, Packet queuing Define the behavior of the elevation prompt for admins in Admin Approval Mode. Service short names are retrieved by running the Get-Service command from PowerShell. Choose apps to be audited by or that are trusted to be run by Microsoft Defender Application Control. Add new Microsoft accounts Windows Defender Blocking FTP. For more information, see Firewall CSP. CSP: SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode. Default: Not Configured That content can provide more information about the use of the setting in its proper context.
Enforce - Choose the application control code integrity policies for your users' devices. Default: Not configured Default: Not configured Tamper protection Microsoft Defender Antivirus (MDAV) is our. Default: AES-CBC 128-bit. Create an endpoint protection device configuration profile. Choose if users are allowed, required, or not allowed to generate a 48-digit recovery password. Enabling a startup PIN requires interaction from the end user. 8. LocalPoliciesSecurityOptions CSP: InteractiveLogon_DoNotDisplayLastSignedIn, Hide username at sign-in Users sign in to Azure AD with a personal Microsoft account or another local account. CSP: EnableFirewall, Turn on Microsoft Defender Firewall for public networks Configure the user information that is displayed when the session is locked. All three devices can make use of Azure services. CSP: Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly, Format and eject removable media An IPv6 address range in the format of "start address-end address" with no spaces included. Default: Not configured CSP: GlobalPortsAllowUserPrefMerge, Ignore all local firewall rules Define the behavior of the elevation prompt for standard users. CSP: AuthAppsAllowUserPrefMerge, Ignore global port firewall rules Network protection BitLocker CSP: SystemDrivesRequireStartupAuthentication. Beginning on April 5, 2022, the Firewall profiles for the Windows 10 and later platform were replaced by the Windows 10, Windows 11, and Windows Server platform and new instances of those same profiles. When these rules merge on a device, that is the result of Intune sending down each rule without comparing each rule entry with the others from other rules profiles. How to Enable or Disable the Windows Firewall In order to enable or disable the Windows Firewall, you must first open it, then look on the left column and click or tap the link that says "Turn Windows Firewall on or off." The "Customize Settings" window is now opened.
Configure endpoint protection settings on macOS devices. This setting can only be configured via Intune Graph at this time. LocalPoliciesSecurityOptions CSP: UserAccountControl_DetectApplicationInstallationsAndPromptForElevation, UIA elevation prompt without secure desktop BitLocker CSP: RemovableDrivesRequireEncryption, Write access to devices configured in another organization When the user is at home or logging in outside our domain those policies won't apply. For Microsoft Edge, Microsoft Defender Application Guard protects your environment from sites that aren't trusted by your organization. CSP: EnableFirewall. Default: Not configured Select from the following options to configure scaling for the software on the receive side for the encrypted receive and clear text forward for the IPsec tunnel gateway scenario. Select from the following options to configure IPsec exceptions. Default: Not configured Enter the number of characters required for the startup PIN from 4-20. Options include: The following settings are each listed in this article a single time, but all apply to the three specific network types: Microsoft Defender Firewall Benoit Lecours, February 28, 2020, SCCM. BitLocker CSP: SystemDrivesMinimumPINLength. A screenshot of the Interface Types available when configuring the Microsoft Defender Firewall Rule. For profiles that use the new settings format, Intune no longer maintains a list of each setting by name. Default: Not configured CSP: FirewallRules/FirewallRuleName/RemoteAddressRanges. So our first step is to make sure that all machines have it enabled. CSP: DisableUnicastResponsesToMulticastBroadcast, Disable inbound notifications Enabling startup key and PIN requires interaction from the end user. Choose the encryption method for operating system drives. Once deployed, disabling Windows Firewall will be automated as the configuration enforces it via policy on all computers that are in scope.
To install BitLocker automatically and silently on a device that's Azure AD joined and runs Windows 1809 or later, this setting must not be set to Require startup key and PIN with TPM. Hiding this section will also block all notifications related to Firewall and network protection. Hiding this section will also block all notifications related to App and browser control. This setting determines the Live Game Save Service's start type. Inside of the GUI "Windows Defender Firewall with Advanced Security" I already found the rule but I don't know how to depict the "local port = RPC Dynamic Ports" in Intune. Default: Not configured All other notifications are considered critical. To open Windows Firewall, go to the Start menu, select Run, type WF.msc, and then select OK. See also Open Windows Firewall. Hiding this section will also block all notifications related to Family options. When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy. CSP: OpportunisticallyMatchAuthSetPerKM, Preshared Key Encoding (Device) Click Windows Defender Firewall. Device users can't change this setting. Protect files and folders from unauthorized changes by unfriendly apps. This triggers the issue noted in the above article. WindowsDefenderSecurityCenter CSP: URL. Default: Not configured To get started, open the Microsoft Intune admin center, and then go to Devices > Windows > Configuration profiles > Create profile > Choose Windows 10 and later as the platform, Choose Templates, then Endpoint protection as the profile type. Private (discoverable) network Public (non-discoverable) network General settings Microsoft Defender Firewall Default: Not configured Firewall CSP: EnableFirewall Enable - Turn on the firewall, and advanced security. The best way is to set a policy for the firewall to allow that port by default.
Rule: Block process creations originating from PSExec and WMI commands, Untrusted and unsigned processes that run from USB Default is all users. WindowsDefenderSecurityCenter CSP: DisableNotifications. Default: Not configured, BitLocker recovery Information stored to Azure Active Directory The following settings are configured as Endpoint Security policy for macOS Firewalls. An IPv6 address range in the format of "start address-end address" with no spaces included. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255. Hide last signed-in user Default: Not configured 2. Rule: Block all Office applications from creating child processes, Win32 imports from Office macro code Specify the local and remote ports to which this rule applies: Protocol False - Disable the firewall. Xbox Accessory Management Service Users sign in with an organization's Azure AD account on a device that is usually owned by the organization. Default: Not configured (see screenshot) 3 Select (dot) Turn off Windows Defender Firewall for each network profile (ex: domain, private . Not configured (default) - The setting is restored to the system default No - The setting is disabled. Default: Manual CSP: MdmStore/Global/IPsecExempt, Firewall IP sec exemptions allow ICMP Interface Types are available in the Microsoft Defender Firewall Rules profile for all platforms that support Windows. To disable the firewall and network protection notifications using Microsoft Intune, we will use a configuration service provider (CSP). Default: Disable When viewing a setting's information text, you can use its Learn more link to open that content. C:\windows\IMECache. Under Privacy & security, select Windows Security > Firewall & network protection. To enable Windows Defender Firewall on devices and prevent end users from turning it off, you can change the following settings: Assign the policy to a computer group and click Next.
Before continuing to read the article, check out the prerequisites: There are three Azure AD join types: registered, joined, and hybrid joined. Choose if users are allowed, required, or not allowed to generate a 256-bit recovery key. The Intune Customer Service and Support team's Mark Stanfill created this sample script Test-IntuneFirewallRules to simplify identifying Windows Defender Firewall rules with errors for you (on a test system). This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. Default: Not configured Default: Not configured Define a different account name to be associated with the security identifier (SID) for the account "Administrator". Default: Not configured This setting determines whether the Xbox Game Save Task is Enabled or Disabled. However, if I turn off the firewall for the private network (on the computer hosting . Application Guard CSP: Audit/AuditApplicationGuard, Retain user-generated browser data Default: Not configured A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. Valid tokens include: List of comma-separated tokens specifying the remote addresses covered by the rule. Default: Not configured Folder protection Choose from: Client-driven recovery password rotation Default: Not configured Default: Not configured Devices must be Azure Active Directory compliant. Prevent users from enabling BitLocker unless the computer successfully backs up the BitLocker recovery information to Azure Active Directory. Next, assign the profile, and monitor its status. You can choose to Display in app and in notifications, Display only in app, Display only in notifications, or Don't display. Disable Stateful Ftp (Device) Not configured (default) - When not configured, you'll have access to the following IP sec exemption settings that you can configure individually. Firewall CSP: MdmStore/Global/EnablePacketQueue.
SmartScreen for apps and files Default: Not configured Default: Not configured. "Windows Defender Firewall has blocked Microsoft Teams on all public, private and domain networks." Local addresses If you don't select an option, the rule applies to all interface types: Authorized users When you enable Credential Guard, the following required features are also enabled: Microsoft Defender Security Center operates as a separate app or process from each of the individual features. Recovery options in the BitLocker setup wizard Rule: Block execution of potentially obfuscated scripts, js/vbs executing payload downloaded from Internet (no exceptions) Default: Allow startup key and PIN with TPM. When set to Require, you can configure the following settings: BitLocker with non-compatible TPM chip You can: Valid entries (tokens) include the following and aren't case-sensitive: Firewall CSP: AllowLocalIpsecPolicyMerge. Tokens aren't case-sensitive. It also prevents third-party browsers from connecting to dangerous sites. True - The Microsoft Defender Firewall for the network type of private is turned on and enforced. When you use Specified address, you add one or more addresses as a comma-separated list of local addresses that are covered by the rule.
LocalPoliciesSecurityOptions CSP: UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations, Virtualize file and registry write failures to per-user locations To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint documentation. Bundle ID - The ID identifies the app. Custom Firewall rules support the following options: Specify a friendly name for your rule. Default: Administrators When you select a configuration other than Not configured, you can then configure: List of apps that have access to protected folders Default: Not configured. The profile is available when you configure Intune Firewall policy, and the policy deploys to devices you manage with Configuration Manager when you've configured the tenant attach scenario. LocalPoliciesSecurityOptions CSP: NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers. WindowsDefenderSecurityCenter CSP: DisableHealthUI. CSP: EnableFirewall. Default: Not configured This setting will get applied to Windows version 1809 and above. Configure if end users can view the App and browser control area in the Microsoft Defender Security Center. Select Windows Defender Firewall. Using this profile installs a Win32 component to activate Application Guard. Route elevation prompts to user's interactive desktop To confirm that encryption from another provider isn't enabled. We recommend you use the XTS-AES algorithm. BitLocker CSP: ConfigureRecoveryPasswordRotation. The profile is created, but it's not doing anything yet. Configure if end users can view the Hardware protection area in the Microsoft Defender Security Center.
CSP: MdmStore/Global/IPsecExempt, Certificate revocation list (CRL) verification Application Guard CSP: Settings/AllowPersistence, Graphics acceleration When you Allow printing, you then can configure the following setting: Collect logs Specify the interface types to which the rule belongs. If present, this token must be the only one included. On X64 client machines: Firewall apps To begin, we will create a profile to make sure that the Windows Defender Firewall is enabled. Default: Not configured LocalPoliciesSecurityOptions CSP: LocalPoliciesSecurityOptions, Rename guest account Not configured (default) - The client returns to its default, which is to enable the firewall. Firewall CSP: FirewallRules/FirewallRuleName/LocalUserAuthorizationList. LocalPoliciesSecurityOptions CSP: Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn, UIA integrity without secure location C:\windows\IMECache, On X86 client machines: Clear virtual memory pagefile when shutting down Default: Prompt for credentials CSP: MdmStore/Global/DisableStatefulFtp, Number of seconds a security association can be idle before it's deleted CSP: DefaultOutboundAction. Specify a subnet by either the subnet mask or network prefix notation. Default: Allow startup PIN with TPM. LocalPoliciesSecurityOptions CSP: Devices_AllowUndockWithoutHavingToLogon, Install printer drivers for shared printers If you click Statistics, you can see the devices to which the policy has been assigned.