As you know, you can manage and configure Windows Defender Firewall, including its rules, with Intune/Endpoint Configuration Manager.
But what if you had already configured GPOs (Group Policy Objects) to manage and configure Windows Defender Firewall? Until now you had to replicate those rules manually in Intune/Endpoint Configuration Manager.
Well, good news: you can now migrate your Windows Defender Firewall GPOs for use with Intune.
First, download the migration tool (in fact a PowerShell script) from https://aka.ms/EndpointSecurityFWRuleMigrationTool
Once downloaded, extract the PowerShell script (Export-FirewallRules.ps1).
The PowerShell script accepts the following switches:
-IncludeLocalRules: also export locally created rules, not only rules created by GPO
-IncludeDisabledRules: also export rules that are currently disabled
NOTE: enabling these switches may result in many more rules being included.
By default only enabled firewall rules created by GPO are exported; the switches above let you override that default behaviour.
You will also need an account with appropriate permissions in Intune/Endpoint Configuration Manager to create the firewall profile(s), either:
There are a few limitations where settings have no corresponding MDM support, such as:
Once you are ready, run the migration tool/script from an elevated PowerShell prompt (Run as administrator), adding the corresponding switch(es) if you want to override the default behaviour.
If you do not run it with Run as administrator you will get the error message below:
Error: Must run elevated: run as administrator
When run, the script automatically installs the following PowerShell modules from the PowerShell Gallery:
You will then be asked to authenticate against your Intune tenant and to enter a name for the Intune device configuration profile; the profile must not already exist.
If it already exists, you will get this error message asking you to use a different name:
The Profile name you provided already exists. Please enter a unique profile name:
NOTE: if there are more than 250 rules, additional profiles are created with automatic numbering (<profile name>-1, <profile name>-2, ...).
You can choose to send telemetry details to Microsoft if an error occurs (the default is Yes).
During the export you will see a progress bar showing how many rules have been discovered for migration and how many have been processed so far.
Once completed, the migration tool lists the rules that were not migrated automatically. You can then find the resulting firewall profile(s) in the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) under the Endpoint security\Firewall blade and deploy them to your devices.
NOTE: a log file listing which rules have and have not been migrated is written under C:\WINDOWS\system32\logs in Excel format.
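The following PowerShell is an added example, not code from the migration tool or from the original post. It does two things a practitioner wants before running the export: a pre-flight count of the rules the script would pick up under its default behaviour and under each switch (using the built-in NetSecurity cmdlets, where PolicyStoreSourceType distinguishes GPO rules from local ones), together with how many Intune profiles that implies at the 250-rules-per-profile split stated above; and a small wrapper that enforces the same elevation requirement before invoking Export-FirewallRules.ps1 with only the switches you asked for. The script path, the function names and the 250 figure as a parameter are assumptions of this example.

```powershell
# Added example (not part of the migration tool or the original post): pre-flight
# rule counts and an elevation-checked wrapper around Export-FirewallRules.ps1.
# Assumptions: the 250 rules-per-profile split stated in the post, a hypothetical
# script path, and the tool's documented -IncludeLocalRules / -IncludeDisabledRules.

function Test-IsElevated {
    # Same condition the tool enforces: it refuses to run from a non-elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FirewallMigrationSummary {
    param([int]$RulesPerProfile = 250)   # per-profile split described in the post (assumed parameter)

    # Effective rules on this machine, each tagged with the store they came from:
    # PolicyStoreSourceType is GroupPolicy for GPO rules and Local for locally created ones.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -ErrorAction Stop
    $gpo   = @($rules | Where-Object PolicyStoreSourceType -eq 'GroupPolicy')
    $local = @($rules | Where-Object PolicyStoreSourceType -eq 'Local')

    $enabledGpo   = @($gpo   | Where-Object Enabled -eq 'True')
    $enabledLocal = @($local | Where-Object Enabled -eq 'True')

    # What the tool exports in each scenario (default = enabled GPO rules only)
    $counts = [ordered]@{
        'Default (enabled GPO rules only)' = $enabledGpo.Count
        '-IncludeDisabledRules'            = $gpo.Count
        '-IncludeLocalRules'               = $enabledGpo.Count + $enabledLocal.Count
        'Both switches'                    = $gpo.Count + $local.Count
    }

    foreach ($entry in $counts.GetEnumerator()) {
        [pscustomobject]@{
            Scenario         = $entry.Key
            Rules            = $entry.Value
            # Number of Intune profiles the tool would create (<name>, <name>-1, <name>-2, ...)
            ProfilesExpected = [math]::Ceiling($entry.Value / $RulesPerProfile)
        }
    }
}

function Invoke-FirewallRuleExport {
    param(
        [Parameter(Mandatory)] [string]$ScriptPath,   # path to the extracted Export-FirewallRules.ps1
        [switch]$IncludeLocalRules,
        [switch]$IncludeDisabledRules
    )

    if (-not (Test-IsElevated)) {
        # Fail early with the tool's own message instead of letting it install modules first
        throw 'Must run elevated: run as administrator'
    }
    if (-not (Test-Path -LiteralPath $ScriptPath)) {
        throw "Migration script not found: $ScriptPath"
    }

    # Pass only the switches that were requested; the tool's defaults apply otherwise
    $splat = @{}
    if ($IncludeLocalRules)    { $splat['IncludeLocalRules']    = $true }
    if ($IncludeDisabledRules) { $splat['IncludeDisabledRules'] = $true }

    & $ScriptPath @splat
}

# Usage (hypothetical path): review the counts first, then run the export with the switches you want
Get-FirewallMigrationSummary | Format-Table -AutoSize
Invoke-FirewallRuleExport -ScriptPath 'C:\Tools\Export-FirewallRules.ps1' -IncludeDisabledRules
```

Run the summary on a domain-joined machine that has the relevant GPOs applied, since the export reads the rules as they are effective on the machine it runs on; the "Both switches" row is the one that tends to surprise people, because local and default Windows rules quickly push the total past the per-profile limit and into several numbered profiles.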