
Introduction
Host firewalls aren’t optional—they’re a core control in any modern endpoint security blueprint. Misconfigured or weakly governed rules can be abused to blind your EDR by silently blocking outbound telemetry, letting attacks unfold undetected. This post lays out a practical, platform-wide approach to get your firewall house in order and keep it that way.
We’ll cover a rollout strategy that ensures consistent, enforceable settings across Windows 11/Windows Server and macOS. You’ll see how to stage deployment in rings, handle exceptions safely, and continuously verify that policies are active on every device. To close the loop, we’ll also show how to monitor firewall changes and alert on tampering, so attempts to disable or silence protections are caught.
Roll-out Strategy (Windows)
If you already use Microsoft Defender for Endpoint (MDE), manage the Windows firewall from one control plane with Intune's security settings management for Microsoft Defender for Endpoint. This lets you push and enforce firewall policies to any MDE-onboarded device, even if it isn't MDM-enrolled, so you get consistent settings and centralized reporting. See: Learn about using Intune to manage Microsoft Defender settings on devices that aren't enrolled with Intune (Microsoft Learn). Unfortunately Azure Virtual Desktop (AVD) is not supported by this path, so for AVD you need to create a GPO (see the AVD section below).

Use these baseline settings to standardize your firewall. Note: when you deploy this policy via Intune, it becomes the source of truth and overrides existing local firewall settings on targeted devices. That’s intentional—you gain centralized, auditable control and prevent silent local changes.
| Setting | Value |
|---|---|
| Enable Domain Network Firewall | True |
| Default Inbound Action (Domain) | Block |
| Default Outbound Action (Domain) | Allow |
| Disable Inbound Notifications (Domain) | True |
| Enable Logging Of Dropped Packets (Domain) | Configured |
| Enable Logging Of Successful Connections (Domain) | Configured |
| Log Max File Size (Domain) | 16384 (KB) |
| Enable Private Network Firewall | True |
| Default Inbound Action (Private) | Block |
| Default Outbound Action (Private) | Allow |
| Disable Inbound Notifications (Private) | True |
| Enable Logging Of Dropped Packets (Private) | Configured |
| Enable Logging Of Successful Connections (Private) | Configured |
| Log Max File Size (Private) | 16384 (KB) |
| Enable Public Network Firewall | True |
| Default Inbound Action (Public) | Block |
| Default Outbound Action (Public) | Allow |
| Disable Inbound Notifications (Public) | True |
| Allow Local Policy Merge (Public) | False |
| Allow Local IPsec Policy Merge (Public) | False |
| Enable Logging Of Dropped Packets (Public) | Configured |
| Enable Logging Of Successful Connections (Public) | Configured |
| Log Max File Size (Public) | 16384 (KB) |
The Allow Local Policy Merge setting controls whether device-local rules are combined with your centrally managed policy. With it set to False, neither local admins, scripts, nor malware can slip in rules that mute EDR telemetry or open unsolicited ports: only the Intune/GPO-delivered rules apply, which gives you a tamper-resistant baseline. Two caveats: the baseline above only sets it for the Public profile, so apply the same value to Domain and Private if you want that guarantee on corporate networks as well; and any inbound rule an installer writes locally is silently ignored, so every legitimate exception has to be delivered through the same central policy.
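To close the "verify that policies are active on every device" loop from the introduction, here is an added PowerShell example (not code from the original post) that compares a device's effective firewall profiles against the baseline table and reports drift. It also lists the two things the merge decision makes you care about: local-only rules that are now ignored, and enabled outbound Block rules that could silence an EDR sensor. It assumes an elevated session on Windows 11 or Windows Server; the expected values are taken from the table, and the list of profiles where merge must be off mirrors the table (Public only).

```powershell
# Added example, not from the original post: check a device's effective firewall
# state against the baseline table and report drift, then list local-only rules
# (ignored when merge is off) and enabled outbound Block rules (possible EDR silencing).
# Assumptions: elevated PowerShell on Windows 11 / Windows Server; values mirror the table.

$Baseline = [ordered]@{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    NotifyOnListen        = 'False'   # table: Disable Inbound Notifications = True
    LogAllowed            = 'True'    # table: Enable Logging Of Successful Connections
    LogBlocked            = 'True'    # table: Enable Logging Of Dropped Packets
    LogMaxSizeKilobytes   = '16384'   # table: Log Max File Size (KB)
}
# The table only forces merge off for Public; extend this list if you apply it everywhere.
$NoMergeProfiles = @('Public')

function Test-FirewallBaseline {
    # ActiveStore = the effective configuration after GPO/Intune and local settings combine.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        foreach ($name in $Baseline.Keys) {
            $actual = [string]$p.$name
            if ($actual -ne $Baseline[$name]) {
                [pscustomobject]@{ Profile = $p.Name; Setting = $name; Expected = $Baseline[$name]; Actual = $actual }
            }
        }
        if ($NoMergeProfiles -contains $p.Name -and [string]$p.AllowLocalFirewallRules -ne 'False') {
            [pscustomobject]@{ Profile = $p.Name; Setting = 'AllowLocalFirewallRules'; Expected = 'False'; Actual = [string]$p.AllowLocalFirewallRules }
        }
    }
}

function Get-LocalOnlyFirewallRules {
    # Rules that exist only in the local persistent store. With merge disabled these are
    # ignored, so anything an installer created here needs a central rule instead.
    Get-NetFirewallRule -PolicyStore PersistentStore -Enabled True |
        Select-Object DisplayName, Direction, Action, Profile
}

function Get-OutboundBlockRules {
    # Enabled outbound Block rules from any store, with the program they target.
    # One of these pointing at your EDR sensor binary is exactly the tampering this post is about.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Source      = $_.PolicyStoreSource
            Program     = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
}

$drift = @(Test-FirewallBaseline)
if ($drift.Count -eq 0) { 'Firewall profiles match the baseline.' } else { $drift | Format-Table -AutoSize }
Get-LocalOnlyFirewallRules | Format-Table -AutoSize
Get-OutboundBlockRules     | Format-Table -AutoSize
```

Run it from a scheduled task or your RMM and forward the drift objects, rather than the formatted text, if you want to aggregate results across the fleet.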
Auditing
- For the Microsoft Defender portal to start receiving host firewall data, you must enable audit events for Windows Defender Firewall with Advanced Security, specifically the Object Access subcategories Audit Filtering Platform Packet Drop and Audit Filtering Platform Connection. See Microsoft's documentation on host firewall reporting in Microsoft Defender for Endpoint.
Roll-out Strategy (AVD)
For AVD you can use PowerShell or a GPO. The settings are the same as for Windows Server/Windows 11; you only need to configure them in a group policy (or script them), because Defender for Endpoint security settings management doesn't cover AVD session hosts.
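For the PowerShell route, this added example (not code from the original post) applies the same baseline as the Windows table to a session host. It assumes an elevated session; these cmdlets write to the local persistent store, so a GPO that sets the same values takes precedence, which is fine since the two agree.

```powershell
# Added example, not from the original post: apply the Windows baseline table to an
# AVD session host with PowerShell. Assumptions: elevated session; values mirror the
# table (16384 is in KB); a GPO setting the same values will override the local store.

$AllProfiles = 'Domain', 'Private', 'Public'

# Profile-wide settings: firewall on, inbound blocked by default, outbound allowed,
# no per-app inbound pop-ups, allowed and dropped connections both logged.
$profileSettings = @{
    Profile               = $AllProfiles
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    NotifyOnListen        = 'False'
    LogAllowed            = 'True'
    LogBlocked            = 'True'
    LogMaxSizeKilobytes   = 16384
}
Set-NetFirewallProfile @profileSettings

# The table only disables local rule and IPsec policy merge for Public. A domain-joined
# session host sits on the Domain profile, so extend this to $AllProfiles if you want the
# tamper-resistant behaviour there too.
Set-NetFirewallProfile -Profile Public -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# Read back the effective state so the result is visible in the same session.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  NotifyOnListen, LogAllowed, LogBlocked, LogMaxSizeKilobytes,
                  AllowLocalFirewallRules, AllowLocalIPsecRules |
    Format-Table -AutoSize
```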
Roll-out Strategy (Mac)
For Mac, deploy the settings below with an Intune configuration profile; the Defender for Endpoint security settings management path used for Windows isn't an option here.
| Settings | Value |
|---|---|
| Enable Firewall | Yes |
| Block all incoming connections | Yes |
| Enable stealth mode | Yes |
Detecting Firewall-Based Tampering
Anyone with admin rights can create firewall rules that block EDR communication, and Windows Defender Firewall enforces them like any other rule. The key point is that this works against any EDR, and if nobody is monitoring for it, the sensor's network communication is simply cut off.
To detect changes to firewall rules, for instance when someone gets around the policy merge setting, or simply to have some degree of auditing and control over the rule set, you need to enable registry auditing and change the SACL on the key that stores the rules.
Create a GPO or an Intune configuration policy to enable the auditing below:
| Setting | Value |
|---|---|
| Object Access > Audit Registry | Success |
Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Add Everyone to the System Access Control List (SACL) of the FirewallRules key (right-click the key > Permissions > Advanced > Auditing).

Audit Set Value and Delete (Success) to record that a value under this key was created, changed or removed. Query Value only records reads: the firewall service reads this key constantly, so auditing it floods the Security log without telling you anything changed, and is best left out.

With that SACL in place, every create, modify or delete of a rule value is written to the Security log as Event ID 4657 (A registry value was modified; the Operation Type field says which of the three it was), and deleting the key itself appears as 4663 (An attempt was made to access an object) with DELETE access. A complementary source that needs no SACL is Policy Change > Audit MPSSVC Rule-Level Policy Change, which logs 4946, 4947 and 4948 when a rule is added, modified or deleted through the firewall API.

Now you can use your SIEM to alert on these event IDs, scoped to the FirewallRules path and with your own management tooling's account excluded.
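The same procedure scripted end to end, as an added PowerShell example that is not code from the original post: it enables the Audit Registry subcategory, places the SACL on the FirewallRules key (without Query Value, to avoid the read noise), verifies it, and pulls the resulting events. It assumes an elevated session and that no GPO or Intune policy overrides the local audit policy; if one does, set Audit Registry there instead of with auditpol.

```powershell
# Added example, not from the original post: enable registry auditing, put the SACL on the
# firewall rule store with PowerShell instead of the regedit UI, and read back the events.
# Assumptions: elevated session; no central audit policy overriding the local auditpol change.

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

# 1. Object Access > Audit Registry (Success). The MPSSVC subcategory is a complement:
#    it yields 4946/4947/4948 for rules added/modified/deleted through the firewall API.
auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null
auditpol.exe /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable | Out-Null

# 2. SACL: audit Everyone for write-type access only. Query Value is left out on purpose;
#    the firewall service reads this key constantly and auditing reads would flood the
#    Security log with 4663 events without telling you that anything changed.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions'
$rule   = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $RulesKey -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $RulesKey -AclObject $acl

# 3. Verify the SACL landed.
(Get-Acl -Path $RulesKey -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags, AuditFlags -AutoSize

# 4. Recent events: 4657 = rule value created/modified/deleted, 4663 = access to the key
#    itself (e.g. DELETE), 4946-4948 = rule add/modify/delete via the firewall API.
$filter = @{ LogName = 'Security'; Id = 4657, 4663, 4946, 4947, 4948 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ge 4946 -or $_.Message -like '*FirewallPolicy\FirewallRules*' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

To test the detection, add a throwaway rule with New-NetFirewallRule, remove it again, and confirm a 4657 (and a 4946/4948 pair) shows up before you wire the alert into the SIEM.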
Compliance
In Intune you can also create a compliance policy to make sure every device has the firewall enabled. Go to Intune > Devices > Compliance > select the platform > Device Security (Windows) or System Security (macOS).
Here you can mark a device as non-compliant when the firewall has been turned off.
Windows: under Device Security, set Firewall to Require.
Mac: under System Security, set Firewall to Require; the same section can also require incoming connections to be blocked and stealth mode to be enabled, matching the Mac configuration above.
Conclusion
Hopefully this helps Security Engineers to start building a robust Windows Firewall strategy.