Manage Windows Defender Firewall with Microsoft Defender ATP and Intune
Published Oct 04 2019 02:57 PM 22.3K Views

Manage Windows Defender Firewall with Microsoft Defender ATP and Intune 

One of the best ways you can improve the security posture of your organization is to use a firewall. Firewalls help prevent unauthorized incoming and outgoing network traffic. Windows Defender Firewall is included in Windows 10 and includes robust capabilities to manage network traffic to and from devices.


We’re excited to announce new capabilities in in Microsoft Defender ATP and Intune to help you manage Windows Defender Firewall controls. New capabilities include:

  • Custom Firewall rules: define your own custom rules for Windows Defender Firewall, helping you block traffic across different profiles
  • Custom Reporting by using Power BI: build your own custom reports that are specific for your needs


Create custom rules for Windows Defender Firewall

You can create custom Windows Defender Firewall rules to allow or block inbound or outbound across three profiles – Domain, Private, Public over:

  • Application: You can specify the file path, Windows service, or Package family name to control connections for an app or program.
  • IP address. You can specify the local or remote addresses to which the rule applies. The IP address can support a single IP address or a range of IP addresses.
  • Port and Protocol. You can specify the local and remote ports and the protocol to which this rule applies
  • Interface types. You can control connections based on the interface types including Remote access, Wireless, and Local area network.
  • Users. You can control from whom the connections are allowed.

Windows Defender Firewall rule authoring capability is available in Microsoft Intune under Endpoint protection > Microsoft Defender Firewall > Firewall rules. For more information, see:  Add custom Firewall rules for Windows 10 devices.

Firewall GA.jpg


Custom Reporting using Power BI

You can view Windows Defender Firewall activities by setting up a custom report using Power BI. By doing so, you can monitor Windows Firewall activities over remote IP, Remote Port, Local Port, Local IP, Computer Name, Process across inbound connections and outbound connections.

First, you must enable Audit Events for Windows Defender Firewall with Advanced Security:

Enable these events by using Group Policy Object Editor, Local Security Policy, or the auditpol.exe command:

After enabling the events, Microsoft Defender ATP will start to monitor the data. You can then download the Custom Reporting script to monitor the Windows Defender Firewall activities. In the reports, you’ll see a summary of:

  • how many inbound/outbound connections blocked in the last 30 days
  • top 10 local ports that were blocked the most in the last 30 days
  • aggregated information about processes linked to blocked inbound/outbound connections
  • information about the computers with blocked inbound/outbound connections
  • remote IPs attempting to connect with multiple local computers
  • top 10 remote IPs with the most connection attempts
  • information of applications linked to inbound/outbound connections

Firewall Report GA.jpg


For more information about Windows Defender Firewall management, see:


Version history
Last update:
‎Oct 04 2019 03:04 PM
Updated by: