In this blog I’ll explain how to deploy your Windows firewall baseline policy rules with Intune. Configuring firewall rules on your Windows 10 devices shouldn’t be forgotten. If you remember my blog about securing Windows 10 endpoints, you’ll know I recommended deploying those rules with a PowerShell script.

While I was writing this blog, the Microsoft Defender Firewall rule migration tool was released. Of course I tested it, but it didn’t work out great at the time: trying to change the imported firewall rules afterwards returned some weird errors.

So, I think we should just forget the Microsoft migration tool for now.

Of course, a PowerShell script works! But wouldn’t it be nicer to configure the firewall rules in the Endpoint security section of Intune instead of deploying them to your devices with a PowerShell script? Altering an existing firewall rule through PowerShell afterwards is not ideal.

As you can see in the Endpoint security firewall policy, you can define your own additional firewall rules.

What rules are we going to implement? Look back at my blog about AppLocker, where I mentioned the LOLBAS project:

https://lolbas-project.github.io/

It’s a lot of work if you choose to configure all these LOLBins manually. It takes about 1 or 2 minutes to create just one firewall rule, so blocking all the LOLBins by hand is going to take a lot of time.

Let the automation begin! Download and run the script:

https://call4cloud.nl/wp-content/uploads/2020/07/Windows10_firewall_rules.txt

Now go check if the firewall rules are deployed. When looking at the advanced firewall console, you’ll notice the rules you configured are missing from the Outbound Rules list. It’s weird… but look at the Monitoring > Firewall section: rules delivered through policy are shown there.

You can also open the registry to check if the firewall rules are active!
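As an added example (not the author’s script), the snippet below parses firewall rule strings in the `|`-delimited format Windows stores under the policy registry key and reports which outbound block rules are active. The registry path and the sample rule strings are assumptions constructed for illustration; on a real device you would read the values from the key instead of the sample array.

```powershell
# Assumed location of policy/MDM-delivered firewall rules; verify on your own device.
$RuleRegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

# Turn one rule string (e.g. 'v2.30|Action=Block|Active=TRUE|Dir=Out|App=...|Name=...|')
# into an object with one property per field.
function ConvertFrom-FirewallRuleString {
    param([Parameter(Mandatory)][string]$RuleString)
    $rule = @{}
    foreach ($field in ($RuleString -split '\|')) {
        if ($field -match '^([^=]+)=(.*)$') { $rule[$Matches[1]] = $Matches[2] }
        elseif ($field -match '^v\d')       { $rule['Version'] = $field }
    }
    [pscustomobject]$rule
}

# Keep only rules that actually block outbound traffic and are enabled.
function Get-ActiveOutboundBlockRules {
    param([Parameter(Mandatory)][string[]]$RuleStrings)
    $RuleStrings | ForEach-Object { ConvertFrom-FirewallRuleString $_ } |
        Where-Object { $_.Dir -eq 'Out' -and $_.Action -eq 'Block' -and $_.Active -eq 'TRUE' }
}

# Read every rule string stored under the policy key (returns nothing if the key is absent).
function Get-PolicyFirewallRuleStrings {
    if (-not (Test-Path $RuleRegPath)) { return @() }
    $key = Get-Item -Path $RuleRegPath
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

# Constructed sample input standing in for the registry contents.
$SampleRules = @(
    'v2.30|Action=Block|Active=TRUE|Dir=Out|App=C:\Windows\System32\certutil.exe|Name=Block certutil|',
    'v2.30|Action=Block|Active=FALSE|Dir=Out|App=C:\Windows\System32\mshta.exe|Name=Block mshta|',
    'v2.30|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files\App\app.exe|Name=Allow app|'
)

# Report which expected block rules are present and active; missing ones are flagged.
$ExpectedApps = @('C:\Windows\System32\certutil.exe', 'C:\Windows\System32\mshta.exe')
$active = Get-ActiveOutboundBlockRules -RuleStrings $SampleRules
foreach ($app in $ExpectedApps) {
    $hit = $active | Where-Object { $_.App -eq $app }
    if ($hit) { "ACTIVE  : $($hit.Name)" } else { "MISSING : no active outbound block for $app" }
}
```

With the sample input the certutil rule is reported as active and the mshta rule as missing, because its `Active` field is `FALSE`; swap `$SampleRules` for `Get-PolicyFirewallRuleStrings` to check a real device.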

The only sad thing I can think of is that removing the device assignment won’t remove the firewall rules. Of course, you can change the rule settings to allowed or not configured within the policy and that will be pushed to the Windows 10 client. There were some improvements in the CSP handling behaviour, but not for the Firewall CSP I guess; it still results in a tattooed setting. ☹

Conclusion:

Blocking specific programs for outbound connections is a great idea, but you have to be careful, because blocking a program’s outbound connections can break some stuff. It’s also best practice to block PowerShell outbound. Beware that the rules apply to all users! When you block PowerShell, it’ll be blocked for everyone, so in this script PowerShell is NOT blocked. Hopefully, the migration tool will be fixed at some point so we can make exclusions. For now, you can create your own firewall rule baseline through automation!