Intune – Migrate your Windows Defender Firewall GPO’s rules for use with Intune/Endpoint Configuration Manager

As you know, you can manage and configure your Windows Defender Firewall with Intune/Endpoint Configuration Manager, including rules.

But what about if you already had configured GPO’s (Group Policy Objects) to manage and configure Windows Defender Firewall? Until now you had to manually replicate these rules into Intune/Endpoint Configuration Manager.

Well, good new, you can now migrate your Windows Defender Firewall GPO’s for use with Intune.

First thing you need to download the migration tool (in fact a PowerShell script) available here https://aka.ms/EndpointSecurityFWRuleMigrationTool

Once downloaded, extract the PowerShell script (Export-FirewallRules.ps1).

The PowerShell script accepts the following switches:

  • IncludeLocalRules: will include all locally created/default Windows firewall rules in the export
  • IncludedDisabledRules: will include all enabled and disabled Windows firewall rules in the export

NOTE enabling these switches may result in many included rules

By default only enabled Firewall rules created by GPO will be exported; the use of the above switched allow you to overwrite the default behaviour.

You will need to have appropriate permissions in Intune/Endpoint Configuration Manager to export the firewall rules, either:

  • Endpoint Security Manager
  • Intune Service Administrator
  • Global Administrator
  • or a custom role with Delete, Read, Assign, Create, and Update permissions

Limitations

There are few limitations because of lack of corresponding MDM support for some settings, such as:

  • IPSec related settings (not supported by MDM)
  • Interface Identifier (LUID) which is not manageable
  • Inbound NAT as not exposed by GPO or MDM
  • OS Versioning as not exposed by GPO or MDM
  • Local User Owner SID as not applicable with MDM

Usage of the migration tool/script

Once you are ready, you can run the migration tool/script using a PowerShell prompt (with the Run As Administrator option) with the corresponding switch if you want to overwrite the default behaviour.

If you don’t run it with the Run As Administrator you will get the below error message

Error:  Must run elevated: run as administrator

image_thumb[1]

When running the script, it will install automatically the following PowerShell modules from the PowerShell Gallery:

  • Intune Powershell SDK
  • ImportExcel Module

image_thumb[3]

Then you will be asked to authenticate against your Intune tenant and then an Intune device configuration profile; it is required that the profile does not already exist.

image_thumb[4]

If it already exist, you will get this error message asking your to use a different name

The Profile name you provided already exists. Please enter a unique profile name:

image_thumb[2]

NOTE if there is more than 250 rules additional profiles will be created with an automatic numbering (like <profile name>-1, <profile name>-2…)

You can send telemetry details to Microsoft if an error occurs (default is set to Yes)

image_thumb[5]

During the export process you will see a progress bar telling you how many rules are being processed and how many rules have been discovered for migration

image_thumb[6]

Once completed the migration tool will output the rules that were not automatically migrated and you can access the Intune/Endpoint Configuration Manager firewall profile from the Endpoint Configuration Manager portal (https://endpoint.microsoft.com/) under the Endpoint securityFirewall blade to then deploy the profile(s) to your devices

NOTE you can find the log file in C:WINDOWSsystem32logs to identify which rules have been or not been migrated in Excel format

image_thumb[7]  image_thumb[8]  image_thumb[9]