How to Configure Default Inbound Action for Public Profile in Windows Defender

Configure Windows Defender Firewall public profile settings through Microsoft Intune to block unsolicited inbound traffic on public networks, enhancing security for remote and mobile devices.

April 28, 2026 15 min
hardintune 10 steps 15 min

Why Configure Windows Defender Firewall Public Profile Settings?

When employees work remotely or travel with company devices, they frequently connect to untrusted public networks in coffee shops, airports, hotels, and coworking spaces. These networks pose significant security risks because other users on the same network can potentially access your devices through unsolicited inbound connections.

Microsoft Intune's Windows Defender Firewall configuration provides centralized control over how managed devices handle network traffic for each network location profile. Windows applies the public profile whenever it categorizes the connected network as Public, which is the default for any network that is not domain-authenticated and has not been explicitly marked Private, so the most restrictive settings take effect automatically in exactly the places you cannot trust.

What Does Default Inbound Action Control?

The Default Inbound Action setting determines how Windows handles incoming network connections that don't match any specific firewall rules. When set to "Block" for public profiles, it creates a default-deny security posture where all unsolicited inbound traffic is rejected unless explicitly allowed by a firewall rule.

This setting matters most for mobile and remote devices. With a default-deny posture, services listening on the device (SMB, RDP, management agents, local development servers) are not reachable from other hosts on the same network, which removes most of the attack surface that port scanning, lateral movement and exploitation of a vulnerable listener rely on. It does not make the device invisible; it means no unsolicited connection is accepted unless an explicit rule allows it. Combined with Intune's centralized management, the same policy applies consistently across the fleet regardless of where employees connect.

How Does This Integrate with Modern Zero Trust Architecture?

Configuring restrictive firewall policies through Intune aligns with Zero Trust security principles by treating all networks as untrusted by default. This approach complements other Intune security features like Conditional Access, device compliance policies, and Microsoft Defender for Endpoint integration to create comprehensive endpoint protection.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Firewall Configuration

Open your browser and navigate to the Microsoft Intune admin center. Sign in with your administrator credentials that have Endpoint Security permissions.

Navigate to Endpoint security in the left navigation pane, then select Firewall. You'll see the Firewall summary page showing existing policies and their deployment status.

Click on Summary to view the current firewall policy overview. This page displays all active firewall policies, their assignment status, and device compliance metrics.

Pro tip: Bookmark the Endpoint security > Firewall page for quick access during policy management tasks.

Verification: Confirm you can see the Firewall policies dashboard with options to create new policies and view existing ones.

02

Create a New Microsoft Defender Firewall Policy

From the Firewall summary page, click Create policy to start the policy creation wizard.

In the policy creation dialog, select the following options:

  • Platform: Windows 10, Windows 11, and Windows Server
  • Profile: Microsoft Defender Firewall

Click Create to proceed to the policy configuration wizard.

On the Basics tab, provide the following information:

Name: Public Network Firewall - Block Inbound
Description: Blocks unsolicited inbound connections on public networks for enhanced security
Platform: Windows 10, Windows 11, and Windows Server

Click Next to proceed to the configuration settings.

Verification: Ensure the policy name appears in the wizard header and the platform shows as "Windows 10, Windows 11, and Windows Server".

03

Configure Public Profile Firewall Settings

In the Configuration settings tab, locate the Public Profile section. This section controls firewall behavior when devices connect to public networks like coffee shops, airports, or hotels.

Configure the following critical settings:

Enable Public Network Firewall (Device): True
Default Inbound Action for Public Profile (Device): Block
Default Outbound Action (Device): Allow
Shielded: Not configured

Here's what each setting does:

  • Enable Public Network Firewall: Turns the firewall on for the public profile
  • Default Inbound Action - Block: Denies any unsolicited inbound connection that no rule explicitly allows (recommended)
  • Default Outbound Action - Allow: Permits outbound traffic so applications keep working; outbound filtering is a separate project with its own allow-list
  • Shielded: Puts the profile into shielded mode, which blocks ALL inbound connections, including those permitted by allow rules (the equivalent of "Block all incoming connections, including those in the list of allowed apps" in the Windows Firewall UI). Leave it Not configured unless you really want no inbound exceptions at all; the exception rules in step 10 would otherwise never take effect. Settings delivered by Intune are enforced regardless of this value and appear as managed in the Windows Security app.
Warning: Setting Default Inbound Action to "Allow" on public networks creates significant security risks. Always use "Block" for public profiles.

Verification: Double-check that "Block" is selected for Default Inbound Action, "True" for Enable Public Network Firewall, and that Shielded is Not configured (or False).

04

Configure Domain and Private Profile Settings

For comprehensive protection, configure the Domain and Private profiles as well. Scroll to the Domain Profile section and set:

Enable Domain Network Firewall (Device): True
Default Inbound Action for Domain Profile (Device): Allow
Default Outbound Action (Device): Allow
Shielded: Not configured
Note: This guide keeps the Domain Profile inbound action at "Allow" so that on-premises management tooling that connects to the device (Remote Desktop, WinRM/PowerShell remoting, Configuration Manager client push, remote WMI and event log queries) keeps working without per-tool rules. Intune itself is not affected by this choice: device check-in, policy delivery and remote actions are initiated outbound by the device over HTTPS and never rely on inbound connections. Be aware that "Allow" is weaker than the Windows default (Block on every profile) and than the Microsoft security baseline for Windows; the stronger option is "Block" on the domain profile as well, with explicit inbound allow rules for the management tools you actually use.

Next, configure the Private Profile section:

Enable Private Network Firewall (Device): True
Default Inbound Action for Private Profile (Device): Block
Default Outbound Action (Device): Allow
Shielded: Not configured

Private networks are home and small-office networks that a user has marked Private. The device trusts them more than public networks, but the organization does not control them, so keep the default-deny posture and add explicit rules where needed.

Pro tip: Document your firewall profile strategy. Public = Block all inbound, Private = Block with exceptions, Domain = Allow for management (or Block plus explicit management rules if you follow the baseline).

Verification: Confirm Domain profile has "Allow" for inbound action while Private and Public profiles have "Block" selected, and that Shielded is Not configured on all three.

05

Enable Firewall Auditing and Logging

Scroll to the Auditing section to enable comprehensive logging for troubleshooting and security monitoring.

Configure the two Filtering Platform audit settings:

Audit Filtering Platform Packet Drop: Failure (Success + Failure is harmless; drops are only ever reported as failures)
Audit Filtering Platform Connection: Success + Failure

These settings log allowed and blocked connections individually. Note where they go: Filtering Platform audits are Security log events, not firewall channel events, so look in Windows Event Viewer under:

Windows Logs > Security, event IDs 5152 (packet dropped), 5156 (connection allowed) and 5157 (connection blocked)

The channel Applications and Services Logs > Microsoft > Windows > Windows Firewall With Advanced Security > Firewall records profile and rule changes (useful for confirming that the Intune policy landed on the device), not individual packets.

Logging helps with:

  • Identifying blocked legitimate applications
  • Detecting potential security threats
  • Troubleshooting connectivity issues
  • Compliance reporting
Caveat: connection auditing on a busy device can generate thousands of Security events per hour and roll the Security log quickly. Size the log accordingly or forward it to a collector, and consider enabling it only on pilot devices or for the duration of a troubleshooting session.

Verification: Ensure Audit Filtering Platform Connection shows "Success + Failure" and Audit Filtering Platform Packet Drop shows "Failure" (or "Success + Failure") in the dropdown selections.
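The local PowerShell equivalent of the profile and audit settings from steps 03 to 05, added here as an example for piloting on a lab machine before the Intune policy is assigned; it is not code from the original article or from Microsoft. It assumes an elevated session on Windows 10/11 with the built-in NetSecurity module and en-US audit subcategory names. The domain-profile value follows the article's choice of Allow; Block is the Windows default and the stronger setting.

```powershell
# Added example, not from the original article: local equivalent of the Intune
# firewall profile settings (steps 03 and 04) and auditing (step 05) for a pilot
# device. Run in an elevated PowerShell session.
#
# Intune setting                      NetSecurity parameter
# Enable <profile> Network Firewall   -Enabled True
# Default Inbound Action              -DefaultInboundAction Allow|Block
# Default Outbound Action             -DefaultOutboundAction Allow|Block
# Shielded                            -AllowInboundRules False (shield mode: ignores allow rules)

$Desired = @{
    # Domain = Allow follows the article; Block (the Windows default) is stronger.
    Domain  = @{ Inbound = 'Allow'; Outbound = 'Allow' }
    Private = @{ Inbound = 'Block'; Outbound = 'Allow' }
    Public  = @{ Inbound = 'Block'; Outbound = 'Allow' }
}

foreach ($name in $Desired.Keys) {
    $p = $Desired[$name]
    Set-NetFirewallProfile -Name $name `
        -Enabled True `
        -DefaultInboundAction $p.Inbound `
        -DefaultOutboundAction $p.Outbound `
        -AllowInboundRules True
    # -AllowInboundRules True keeps shield mode OFF so explicit allow rules still apply;
    # False would drop every inbound connection, including RDP and other exceptions.
}

# Step 05 equivalent: Filtering Platform auditing. These write to the Security log
# (event 5152 = packet dropped, 5156 = connection allowed, 5157 = connection blocked),
# not to the Firewall operational channel. Packet-drop auditing is failure-only by nature.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection"  /success:enable  /failure:enable

# Read the result back; these are the same values netsh reports as State and Firewall Policy
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowInboundRules
```

Once the Intune policy is assigned, values pushed by MDM take precedence over anything set locally, so this script is for lab validation only and will be overwritten at the next sync.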

06

Configure Scope Tags and Assignments

Click Next to proceed to the Scope tags section. If your organization uses scope tags for role-based access control, select the appropriate tags. For most deployments, you can leave this as default and click Next.

On the Assignments tab, click Add groups to specify which device groups will receive this firewall policy.

Select Include and choose your target groups. Common group selections include:

  • All Windows devices
  • Remote workers group
  • Mobile device users
  • Specific department groups

Example assignment configuration:

Assignment Type: Include
Selected Groups: 
  - All Windows 10/11 Devices
  - Remote Workers
  - Executive Mobile Devices
Warning: Test firewall policies on a small pilot group before deploying to all devices. Incorrect settings can block legitimate network traffic.

Verification: Confirm your selected groups appear in the "Included groups" section with the correct member count displayed.

07

Review and Deploy the Firewall Policy

Click Next to reach the Review + create tab. Carefully review all configured settings:

Policy Summary:
✓ Public Profile: Block inbound, Allow outbound
✓ Domain Profile: Allow inbound, Allow outbound
✓ Private Profile: Block inbound, Allow outbound
✓ Auditing: Filtering Platform Connection (Success + Failure) and Packet Drop (Failure)
✓ Shielded: Not configured on all profiles (shielded mode would override your allow rules)
✓ Target Groups: [Your selected groups]

Verify the policy configuration matches your security requirements. Pay special attention to:

  • Public profile has "Block" for inbound action
  • Domain profile has the inbound action you decided on in step 04 ("Allow" in this guide)
  • Correct device groups are assigned
  • Shielded is Not configured; a stray "True" here blocks every inbound connection on that profile, exceptions included

Click Create to save and assign the policy. Each assigned device receives it at its next Intune check-in, so do not expect every device to change at once.

Verification: After creation, you'll see the new policy in the Firewall policies list with deployment status "Deploying" or "Succeeded".

08

Monitor Policy Deployment and Compliance

Navigate back to Endpoint security > Firewall to monitor your policy deployment. Click on your newly created policy to view detailed deployment status.

The policy overview shows:

Deployment Status:
- Succeeded: [number] devices
- In progress: [number] devices  
- Failed: [number] devices
- Not applicable: [number] devices

Click Device status to see per-device deployment results. Look for devices showing "Not applicable" - these may be using Security Management for Microsoft Defender for Endpoint, which is expected behavior.

Common deployment statuses:

  • Succeeded: Policy applied successfully
  • In progress: Policy deployment underway
  • Failed: Check device connectivity and permissions
  • Not applicable: Device doesn't support the setting or uses alternative management
Pro tip: Set up automated reports to monitor firewall policy compliance across your device fleet using Intune's reporting capabilities.

Verification: Confirm at least 80% of target devices show "Succeeded" status within 24 hours of policy deployment.

09

Test and Validate Firewall Configuration

Connect a test device to a public network (coffee shop, mobile hotspot, or guest network) to validate the firewall policy is working correctly.

On the test device, open Command Prompt or PowerShell as administrator and run:

netsh advfirewall show allprofiles

(The shorter form with a trailing "state" prints only the State line and omits the Firewall Policy line you need.) The relevant lines of the expected output, in the order netsh prints the profiles:

Domain Profile Settings:
State: ON
Firewall Policy: AllowInbound,AllowOutbound

Private Profile Settings:
State: ON
Firewall Policy: BlockInbound,AllowOutbound

Public Profile Settings:
State: ON
Firewall Policy: BlockInbound,AllowOutbound

If any profile shows BlockInboundAlways, shielded mode is on for that profile and every inbound connection is being dropped, including the ones your exception rules allow; go back to the policy and set Shielded to Not configured.

Test inbound blocking from a second machine on the same public network: attempt to reach a port that is actually listening on the test device (SMB on TCP 445, or RDP on TCP 3389 if it is enabled) and send a ping. Both should time out rather than be refused, because the default-deny profile silently drops the traffic.

Verify outbound connectivity works by browsing websites or accessing cloud services.

Check the event logs:

eventvwr.msc

Navigate to Windows Logs > Security and filter for event IDs 5157 (connection blocked) and 5152 (packet dropped). These are the events produced by the Filtering Platform auditing enabled in step 05; each one records the direction, source address, destination port and the application that owned the socket. Applications and Services Logs > Microsoft > Windows > Windows Firewall With Advanced Security > Firewall is still worth a look, but for a different reason: it records the profile and rule changes made when the Intune policy applied, which confirms that the device actually received it.

Verification: Confirm the connection attempts from the second machine appear as 5157 events with Direction Inbound and the expected source address, and that legitimate outbound traffic flows normally.
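As an added example for the validation in this step (not code from the original article), the following PowerShell compares the running profile state with the policy from steps 03 and 04 and summarises the inbound connections the firewall blocked in the last hour, using the Security log events enabled in step 05. It assumes an elevated session (the Security log is administrator-only), an applied Intune policy, and the article's expected values; the one-hour window is an arbitrary choice.

```powershell
# Added example, not from the original article. Run elevated on the pilot device
# while it is attached to a network that Windows categorises as Public.

$Expected = @{
    Domain  = @{ Inbound = 'Allow'; Outbound = 'Allow' }
    Private = @{ Inbound = 'Block'; Outbound = 'Allow' }
    Public  = @{ Inbound = 'Block'; Outbound = 'Allow' }
}

function Test-FirewallProfilePolicy {
    param([hashtable]$Expected)
    foreach ($name in 'Domain', 'Private', 'Public') {
        $p = Get-NetFirewallProfile -Name $name
        $e = $Expected[$name]
        [pscustomobject]@{
            Profile   = $name
            Enabled   = [string]$p.Enabled
            Inbound   = [string]$p.DefaultInboundAction
            Outbound  = [string]$p.DefaultOutboundAction
            # AllowInboundRules False is shield mode (netsh shows BlockInboundAlways)
            Shielded  = ([string]$p.AllowInboundRules -eq 'False')
            Compliant = ([string]$p.Enabled -eq 'True') -and
                        ([string]$p.DefaultInboundAction -eq $e.Inbound) -and
                        ([string]$p.DefaultOutboundAction -eq $e.Outbound) -and
                        ([string]$p.AllowInboundRules -ne 'False')
        }
    }
}

# Which profile is in force right now for each connected network
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

Test-FirewallProfilePolicy -Expected $Expected | Format-Table -AutoSize

# Inbound connections blocked in the last hour: event 5157 from
# "Audit Filtering Platform Connection" (failure). Direction %%14592 = inbound,
# %%14593 = outbound. Protocol is the IP protocol number (6 = TCP, 17 = UDP).
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Direction = $data['Direction']
            Source    = $data['SourceAddress']
            DestPort  = $data['DestPort']
            Protocol  = $data['Protocol']
            App       = $data['Application']
        }
    } |
    Where-Object { $_.Direction -eq '%%14592' } |
    Group-Object DestPort, Protocol |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The grouped output is the quickest way to see which listener the blocked traffic was aimed at: a burst of hits on 445 or 3389 from one source on a hotel network is what the policy is there to absorb, while repeated drops to a port used by a business application are the input for the exception rules in step 10.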

10

Create Exception Rules for Required Applications

After deploying the restrictive firewall policy, you'll likely need to create exception rules for legitimate applications that require inbound connections.

Return to Endpoint security > Firewall and click Create policy. Select:

  • Platform: Windows 10, Windows 11, and Windows Server
  • Profile: Microsoft Defender Firewall Rules

Configure application-specific rules:

Rule Name: Allow Remote Desktop - Public Networks
Action: Allow
Direction: Inbound
Protocol: TCP
Local Port: 3389
Profile: Public
Program Path: %SystemRoot%\system32\svchost.exe
Service Name: TermService

Common applications requiring inbound exceptions:

  • Remote Desktop (TCP 3389)
  • File sharing (TCP 445, 139)
  • Business applications with peer-to-peer or local-discovery features
  • Remote management (WinRM on TCP 5985/5986) where administrators need to reach the device directly

VPN clients do not normally belong on this list: they initiate the tunnel outbound, so the public profile's Allow outbound default already covers them.

Warning: Only create inbound exceptions for absolutely necessary applications. Each exception reduces security posture on public networks, and Remote Desktop is the riskiest example of all: an RDP listener reachable from a hotel or airport network is exactly the exposure the Block default exists to prevent. If you must allow it, restrict the rule's remote address scope to your management range rather than Any, require Network Level Authentication, and prefer reaching devices over a VPN or through Intune's Remote Help instead of opening 3389 on the public profile.

Assign the exception rules to the same device groups as your main firewall policy.

Verification: Test that the specific application works on public networks while other inbound traffic remains blocked.
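The local PowerShell equivalent of the step 10 exception rule, added as an example for lab testing before the rule is published through an Intune "Microsoft Defender Firewall Rules" policy; it is not code from the original article. It assumes an elevated session, and the 10.20.0.0/24 management subnet is a placeholder of my own that you should replace with your real range.

```powershell
# Added example, not from the original article: local equivalent of the step 10 RDP
# exception for lab testing. Run elevated. 10.20.0.0/24 is an assumed placeholder
# for a management subnet; substitute your own.

$RuleName = 'Allow Remote Desktop - Public Networks'

# Make the script repeatable: drop any earlier copy of the rule
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Same shape as the Intune rule: inbound TCP 3389 to svchost.exe hosting TermService,
# Public profile only. -RemoteAddress narrows it; leaving it at Any on a public
# profile re-exposes RDP to everyone on the coffee-shop network.
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'RDP on the Public profile, management subnet only (placeholder range)' `
    -Direction Inbound `
    -Action Allow `
    -Profile Public `
    -Protocol TCP `
    -LocalPort 3389 `
    -Program '%SystemRoot%\system32\svchost.exe' `
    -Service TermService `
    -RemoteAddress '10.20.0.0/24'

# Read back every filter attached to the rule so it can be compared field by field
# with the Intune rule form before the policy is assigned
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Select-Object DisplayName, Enabled, Profile, Direction, Action
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
$rule | Get-NetFirewallServiceFilter     | Select-Object Service
$rule | Get-NetFirewallAddressFilter     | Select-Object RemoteAddress

# Confirm the default-deny still holds for everything else on the Public profile and
# that shield mode is off (AllowInboundRules True), otherwise this rule is ignored
Get-NetFirewallProfile -Name Public | Select-Object DefaultInboundAction, AllowInboundRules
```

Test it from a host inside the placeholder range and from one outside it: the first should complete the RDP handshake, the second should time out exactly as before the rule existed. If both time out, check the last line of output; shield mode on the profile silently overrides every allow rule.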

Frequently Asked Questions

What happens if I set Default Inbound Action to Block for Domain Profile in Intune?+
Intune management keeps working: device check-in, policy delivery and remote actions from the Intune admin center are all initiated by the device as outbound HTTPS connections, so a Block default on the domain profile does not interfere with them. What does break is anything that connects inbound to the device over the corporate network without an explicit allow rule, such as Remote Desktop, WinRM/PowerShell remoting, Configuration Manager client push and remote WMI or event log queries. Block on all three profiles is the Windows default and what the Microsoft security baseline applies; this guide uses Allow on the domain profile only as a convenience for such tooling. If you choose Block, add inbound rules for the management tools you actually rely on and test them on a pilot group first.
How long does it take for Windows Defender Firewall policies to deploy through Intune?+
Firewall policies typically deploy within 15-30 minutes to online devices, but can take up to 8 hours for devices that check in less frequently. The deployment speed depends on device connectivity, Intune service load, and whether devices are actively checking for policy updates. You can force immediate policy refresh using the Sync action in the Intune portal.
Can users override Windows Defender Firewall settings configured through Intune?+
No. Any setting delivered by an Intune firewall policy is enforced by the MDM client and shown as managed in the Windows Security app, where the affected controls are greyed out with a notice that some settings are managed by your organization. A local administrator may be able to change the value with netsh or PowerShell, but the policy reapplies at the next sync. This has nothing to do with the Shielded setting, which instead turns on shielded mode (block all inbound connections, including those your allow rules permit) and should normally stay Not configured.
Why do some devices show 'Not Applicable' status for firewall policies in Intune?+
Devices showing 'Not Applicable' status are typically using Security Management for Microsoft Defender for Endpoint attach solution, which manages firewall settings through a different mechanism. This is expected behavior and doesn't indicate a problem. These devices receive firewall configuration through Defender for Endpoint instead of standard Intune policies.
How do I troubleshoot applications blocked by Windows Defender Firewall public profile settings?+
Enable Filtering Platform auditing in your Intune policy so that allowed and blocked connections are logged individually, then open Windows Event Viewer, go to Windows Logs > Security and filter on event IDs 5157 (connection blocked) and 5152 (packet dropped). Each event names the application, direction, protocol, local port and remote address, which tells you exactly which inbound rule is missing. Create a specific inbound allow rule for that application (program path, service, protocol and port, with a remote address scope where possible) rather than a broad exception that weakens security on public networks. The Windows Firewall With Advanced Security > Firewall channel under Applications and Services Logs shows rule and profile changes, which is useful for confirming that the policy and your new rule actually reached the device.
