How to Enable Log Success Connections in Windows Defender Firewall via Intune

Configure Windows Defender Firewall through Microsoft Intune to log successful network connections for compliance monitoring and forensic investigations using endpoint security policies.

April 25, 2026 · hardintune · 10 steps · 15 min

Why Enable Success Connection Logging in Windows Defender Firewall?

Windows Defender Firewall traditionally logs only blocked connections and dropped packets, leaving security teams with an incomplete picture of network activity. By enabling success connection logging through Microsoft Intune, you gain visibility into all allowed network connections, creating a comprehensive audit trail for compliance requirements and forensic investigations.

This capability becomes essential for organizations subject to regulatory compliance frameworks like SOX, HIPAA, or PCI DSS, where detailed network activity logging is mandatory. Security teams can analyze successful connections to identify unusual patterns, unauthorized applications, or potential lateral movement during incident response.

What Makes Intune-Based Configuration Superior to Local Management?

Managing firewall logging through Microsoft Intune provides centralized control across your entire Windows 11 fleet, eliminating the need for manual configuration on individual devices. The new Microsoft Defender Firewall profile template introduced in Intune includes dedicated settings for success connection logging, dropped packet logging, and ignored rules logging across all firewall profiles.

Unlike Group Policy or local configuration, Intune provides real-time compliance monitoring, automatic remediation, and detailed reporting on policy deployment status. This approach scales efficiently for organizations with hundreds or thousands of endpoints while maintaining consistent security posture.

How Does This Integration Support Modern Security Operations?

The combination of file-based logging and Windows Security Event integration creates multiple data sources for security information and event management (SIEM) systems. Log files provide detailed connection information suitable for automated parsing and analysis, while Security Event logs integrate seamlessly with Microsoft Sentinel and other SIEM platforms for real-time alerting and correlation with other security events.

Implementation Guide

Full Procedure

01

Access Microsoft Intune Admin Center and Navigate to Firewall Policies

Start by signing into the Microsoft Intune admin center where you'll create the firewall policy. This is where all endpoint security configurations are managed.

Open your web browser and navigate to https://intune.microsoft.com. Sign in with your administrative credentials that have Intune Service Administrator or Global Administrator permissions.

Once logged in, navigate to Endpoint security in the left navigation pane, then click Firewall. You'll see any existing firewall policies listed here.

Click Create policy to start creating a new firewall configuration policy.

Pro tip: Bookmark the Intune admin center URL for quick access. The interface updates frequently, so familiarize yourself with the current navigation structure.

Verification: You should see the "Create a policy" blade open with platform and profile selection options.

02

Select Platform and Profile for Windows Defender Firewall

Choose the correct platform and profile template to ensure compatibility with your target devices. The selection here determines which settings will be available.

In the "Create a policy" blade:

  • Select Platform: Windows 10, Windows 11, and Windows Server
  • Select Profile: Microsoft Defender Firewall
  • Click Create

This profile template provides access to the new logging settings introduced for Windows Defender Firewall management through Intune.

Warning: Do not select "Windows Firewall" profile as it lacks the newer logging configuration options. The "Microsoft Defender Firewall" profile is required for success connection logging.

Verification: The policy creation wizard should advance to the "Basics" configuration page with the correct profile selected.

03

Configure Policy Basics and Naming

Provide clear identification for your firewall policy to make it easily recognizable in your Intune environment. Good naming conventions help with policy management and troubleshooting.

Fill in the following fields:

  • Name: Enable Firewall Success Connection Logging
  • Description: Enables logging of successful network connections across all firewall profiles for compliance monitoring and forensic analysis

The name should clearly indicate the policy's purpose, especially since you may have multiple firewall policies in your environment.

Click Next to proceed to the configuration settings.

Pro tip: Include the date or version in your policy name if you plan to iterate on configurations, like "Enable Firewall Success Logging v2.0 - April 2026".

Verification: You should now see the "Configuration settings" page with expandable sections for Domain profile, Private profile, and Public profile.

04

Configure Domain Profile Logging Settings

Configure logging settings for the Domain profile, which applies when devices are connected to your corporate domain network. This profile typically has the most restrictive settings.

Expand the Domain profile section and configure these settings:

  • Enable log success connections: Yes
  • Log file path: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
  • Enable log dropped packets: Yes (recommended for comprehensive logging)
  • Log max file size (KB): 4096
  • Enable log ignored rules: Yes

These settings ensure that all successful inbound connections, dropped packets, and ignored rules are logged to the specified file path.

Warning: Success connection logging can generate large volumes of data. Monitor disk space usage and consider log rotation policies to prevent storage issues.

Verification: All logging options should show as configured with "Yes" values and the file path should be properly formatted with double backslashes.

05

Configure Private and Public Profile Logging Settings

Apply the same logging configuration to Private and Public profiles to ensure consistent logging across all network environments. These profiles handle home networks and public Wi-Fi connections respectively.

Expand the Private profile section and configure:

  • Enable log success connections: Yes
  • Log file path: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
  • Enable log dropped packets: Yes
  • Log max file size (KB): 4096
  • Enable log ignored rules: Yes

Repeat the same configuration for the Public profile section with identical settings.

Using the same log file path across all profiles consolidates logging into a single file, making analysis easier.

Pro tip: Consider using different log file paths for each profile if you need to analyze traffic patterns by network type separately, such as adding the profile name to the filename.

Verification: All three profiles (Domain, Private, Public) should have identical logging configurations enabled.

06

Configure Scope Tags and Assignments

Define which devices will receive this firewall policy by configuring scope tags and assignments. Proper targeting ensures the policy applies only to intended devices.

Click Next to reach the "Scope tags" page. If you use scope tags for role-based administration, select the appropriate tags. For most environments, you can leave this as default and click Next.

On the "Assignments" page:

  • Click Add groups under "Included groups"
  • Select your target device groups (e.g., "Windows 11 Corporate Devices")
  • Click Select

Avoid assigning to "All devices" initially. Start with a pilot group to test the configuration.

Warning: This policy only works on Windows 11 devices. Windows 10 devices will show "Not applicable" status. Ensure your target groups contain only compatible devices.

Verification: Your selected device groups should appear in the "Included groups" section with the correct member count displayed.

07

Review and Create the Firewall Policy

Review all configuration settings before creating the policy to ensure everything is configured correctly. Once created, the policy will begin deploying to assigned devices.

Click Next to reach the "Review + create" page. Carefully review:

  • Policy name and description
  • All three firewall profiles have logging enabled
  • Correct device groups are assigned
  • Log file paths are properly formatted

If everything looks correct, click Create to deploy the policy.

The policy will appear in your firewall policies list with a status of "Deploying" initially.

Pro tip: Take a screenshot of your configuration settings before creating the policy. This serves as documentation and helps with troubleshooting if issues arise.

Verification: Navigate back to Endpoint security > Firewall and confirm your new policy appears in the list with "Deploying" or "Succeeded" status.

08

Monitor Policy Deployment and Compliance

Track the deployment progress and verify that target devices are receiving and applying the firewall policy correctly. This step is crucial for ensuring the logging configuration is active.

In the Intune admin center, navigate to Endpoint security > Firewall and click on your newly created policy.

Review the deployment status:

  • Device status: Shows how many devices successfully applied the policy
  • User status: Shows user-level deployment results
  • Click on individual devices to see detailed compliance information

Allow 15-30 minutes for initial deployment to complete. Devices check in with Intune at regular intervals.

Pro tip: Use the "Generate report" option to export deployment status for documentation or troubleshooting purposes.

Verification: Device status should show "Succeeded" for target devices. If you see "Error" or "Not applicable" statuses, investigate the specific device details.

09

Verify Logging Configuration on Target Devices

Connect to a target device to confirm that the firewall logging settings have been applied correctly and that log files are being generated as expected.

On a target Windows 11 device, open PowerShell as Administrator and run these verification commands:

# Check current firewall logging settings
netsh advfirewall show allprofiles

# Verify specific logging settings
netsh advfirewall show domainprofile logging
netsh advfirewall show privateprofile logging
netsh advfirewall show publicprofile logging

# Check if log file exists and has recent entries
Get-Item "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -ErrorAction SilentlyContinue
Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Tail 10

The output should show that logging is enabled for successful connections across all profiles, and the log file should contain recent entries.

Warning: If the log file doesn't exist, check that the LogFiles\Firewall directory exists and that the SYSTEM account has write permissions to this location.

Verification: In the netsh output, LogAllowedConnections should read "Enable" for all three profiles, and the pfirewall.log file should contain recent entries.
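The netsh check above has to be read by eye. The following script is an added example, not part of the original guide: it reads the effective profile settings through the NetSecurity module and compares them with the values configured in steps 04 and 05. It assumes a Windows 11 device with the built-in NetSecurity module and an elevated PowerShell session.

```powershell
# Added example (not part of the original guide): read the applied logging settings
# through the NetSecurity module rather than eyeballing netsh output.
# Assumes Windows 11 with the built-in NetSecurity module; run as Administrator.
# Expected values mirror the policy configured in steps 04 and 05.
$expected = @{
    LogAllowed          = 'True'
    LogBlocked          = 'True'
    LogIgnored          = 'True'
    LogMaxSizeKilobytes = 4096
    LogFileName         = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'
}

# ActiveStore returns the effective settings after local, GPO and MDM policy are merged.
$findings = foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    foreach ($key in $expected.Keys) {
        $actual = $fwProfile.$key
        # LogFileName can come back as %systemroot%\... ; expand it before comparing.
        if ($key -eq 'LogFileName') {
            $actual = [Environment]::ExpandEnvironmentVariables("$actual")
        }
        [pscustomobject]@{
            Profile  = $fwProfile.Name
            Setting  = $key
            Expected = $expected[$key]
            Actual   = $actual
            Match    = ("$actual" -eq "$($expected[$key])")
        }
    }
}

$findings | Format-Table -AutoSize

# Confirm the file exists and is still being written to.
$log = Get-Item $expected.LogFileName -ErrorAction SilentlyContinue
if ($log) {
    'Log size: {0:N0} KB, last write: {1}' -f ($log.Length / 1KB), $log.LastWriteTime
} else {
    Write-Warning "Log file not found at $($expected.LogFileName)"
}

# Exit 1 on any mismatch so this can double as an Intune remediation detection script.
if ($findings | Where-Object { -not $_.Match }) { exit 1 } else { exit 0 }
```

Because it exits non-zero on any mismatch, the same script can be deployed as the detection half of an Intune remediation to keep an eye on drift after the initial rollout.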

10

Configure Additional Auditing for Event Logs (Optional)

Enable Windows Security Event logging for firewall connections to complement the file-based logging. This provides additional forensic capabilities through the Windows Event Log system.

On target devices, run these commands as Administrator to enable audit policies:

# Enable auditing for Windows Filtering Platform packet drops and connections.
# Both subcategories live under the "Object Access" category, so they are
# addressed by subcategory name rather than by category.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# Verify audit settings (lists every Object Access subcategory, including the two above)
auditpol /get /category:"Object Access"

You can also deploy these commands via Intune using a PowerShell script policy for automated configuration across all devices.

After enabling auditing, firewall events will appear in the Security event log with Event IDs such as 5152 (the Windows Filtering Platform blocked a packet), 5156 (the Windows Filtering Platform permitted a connection), and 5157 (the Windows Filtering Platform blocked a connection).

Pro tip: Create a custom Event Log view in Event Viewer filtering for Event IDs 5152, 5156, and 5157 to easily monitor firewall activity.

Verification: Open Event Viewer > Windows Logs > Security and look for recent firewall-related events with the IDs mentioned above.
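When the auditpol commands are pushed through an Intune PowerShell script policy, the script should be idempotent and report failure through its exit code. The script below is an added example, not part of the original guide: it enables the two subcategories from this step only where needed, verifies them from auditpol's CSV output, and counts recent 5156 events as a sanity check. It assumes it runs as SYSTEM (the Intune default) on an English-language Windows 11 device.

```powershell
# Added example (not part of the original guide): idempotent audit-policy script for an
# Intune PowerShell script policy. Enables the two WFP subcategories from step 10,
# verifies them through auditpol's CSV output, and counts recent 5156 events.
# Assumes it runs as SYSTEM and that subcategory names are in English.
$subcategories = @('Filtering Platform Packet Drop', 'Filtering Platform Connection')

function Get-AuditSetting([string]$Name) {
    # /r emits CSV; the "Inclusion Setting" column reads e.g. "Success and Failure".
    $row = auditpol /get /subcategory:"$Name" /r | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

$failed = @()
foreach ($sub in $subcategories) {
    if ((Get-AuditSetting $sub) -ne 'Success and Failure') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    $after = Get-AuditSetting $sub
    Write-Output ('{0}: {1}' -f $sub, $after)
    if ($after -ne 'Success and Failure') { $failed += $sub }
}

# Sanity check: how many permitted-connection events (5156) arrived in the last hour?
$recent = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5156
    StartTime = (Get-Date).AddHours(-1)
} -MaxEvents 500 -ErrorAction SilentlyContinue
Write-Output ('5156 events in the last hour (capped at 500): {0}' -f @($recent).Count)

# Intune shows a non-zero exit code as a script failure in the device status view.
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```

On non-English installations the subcategory names are localised, so the names in $subcategories would need to match the local display names.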

Frequently Asked Questions

Why does Windows 10 show 'Not applicable' for success connection logging in Intune?

The new success connection logging settings in Microsoft Intune's Defender Firewall profile are specifically designed for Windows 11 and newer systems. Windows 10 devices will display 'Not applicable' status because these advanced logging features require the updated firewall management capabilities present in Windows 11. Organizations with Windows 10 devices should consider upgrading to Windows 11 or use alternative methods like Group Policy or custom OMA-URI configurations to enable basic firewall logging.

How much disk space does success connection logging consume on Windows devices?

Success connection logging can generate significant amounts of data, especially on busy servers or workstations with many network connections. A typical corporate workstation might generate 10-50 MB of log data per day, while servers can produce several hundred MB daily. The log file size limit setting (default 4096 KB) controls individual log file size, but Windows automatically creates new files when limits are reached. Monitor disk usage closely and implement log rotation or centralized log collection to prevent storage issues.

Can I configure different log file paths for Domain, Private, and Public firewall profiles?

Yes, you can specify different log file paths for each firewall profile in the Intune policy configuration. This allows you to separate logging by network type for easier analysis. For example, use 'C:\Windows\System32\LogFiles\Firewall\domain.log' for Domain profile and 'C:\Windows\System32\LogFiles\Firewall\public.log' for Public profile. However, using a single consolidated log file is often more practical for centralized monitoring and SIEM integration, as it provides a complete timeline of all network activity.

How do I troubleshoot when firewall logs are not being generated after policy deployment?

First, verify the Intune policy deployed successfully by checking device compliance status in the admin center. On the target device, use 'netsh advfirewall show allprofiles' to confirm logging is enabled. Check that the log directory exists and the SYSTEM account has write permissions to 'C:\Windows\System32\LogFiles\Firewall\'. Ensure Windows Firewall service is running and not disabled by other policies. If using Microsoft Security Baselines, they may override custom firewall settings, requiring policy precedence adjustments or baseline modifications.

What's the difference between file-based logging and Windows Security Event logging for firewall activity?

File-based logging through pfirewall.log provides detailed, parseable text records of all firewall activity including timestamps, protocols, ports, and IP addresses in a structured format ideal for automated analysis and SIEM ingestion. Windows Security Event logging (Events 5152, 5156, 5157) integrates with the Windows Event Log system, providing standardized event records that work seamlessly with Microsoft Sentinel, SCCM, and other Microsoft security tools. Both methods complement each other - use file logging for detailed forensic analysis and event logging for real-time monitoring and alerting.
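The "parseable text records" mentioned in the last answer are space-separated lines preceded by a #Fields header naming the columns. The script below is an added example, not part of the original guide: it parses pfirewall.log using that header and summarises the ALLOW entries that success logging adds, grouped by destination port. The log lines embedded in it are constructed sample data, used only when the real file at the default path from step 04 is not present.

```powershell
# Added example (not part of the original guide): parse pfirewall.log using its own
# #Fields header, then summarise the ALLOW entries that success logging adds.
# $LogPath is the default path from step 04; the sample lines below are constructed
# and are used only when that file is not present on the machine running the script.
param([string]$LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log')

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # Column names come from the header, so extra or missing columns are handled.
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '' }
        }
        [pscustomobject]$row
    }
}

$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-25 09:12:01 ALLOW TCP 10.20.0.15 52.96.166.2 51844 443 0 - 0 0 0 - - - SEND
2026-04-25 09:12:03 ALLOW TCP 10.20.0.15 10.20.0.7 51845 445 0 - 0 0 0 - - - SEND
2026-04-25 09:12:05 DROP UDP 10.20.0.99 10.20.0.15 137 137 78 - - - - - - - RECEIVE
2026-04-25 09:12:07 ALLOW TCP 10.20.0.15 10.20.0.8 51846 3389 0 - 0 0 0 - - - SEND
2026-04-25 09:12:09 ALLOW TCP 10.20.0.15 10.20.0.9 51847 3389 0 - 0 0 0 - - - SEND
2026-04-25 09:12:11 ALLOW TCP 10.20.0.33 10.20.0.15 60112 3389 0 - 0 0 0 - - - RECEIVE
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
$entries = ConvertFrom-FirewallLog -Lines $lines

# Outbound allowed connections by destination port: the view used to spot unexpected
# services (SMB, RDP fan-out) when reviewing a host during an investigation.
$entries | Where-Object { $_.action -eq 'ALLOW' -and $_.path -eq 'SEND' } |
    Group-Object 'dst-port' | Sort-Object Count -Descending |
    Select-Object @{n='DstPort'; e={ $_.Name }}, Count,
        @{n='Destinations'; e={ ($_.Group.'dst-ip' | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

With the constructed sample the table lists port 3389 with two destinations, then 443 and 445 with one each; the DROP line and the inbound RECEIVE line are excluded by the filter.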
