How to Enable Private Network Firewall Using Microsoft Intune

Configure Windows Firewall policies for private networks through Microsoft Intune's endpoint security framework to ensure consistent protection across managed devices.

May 7, 2026 15 min

Why Configure Private Network Firewall Through Microsoft Intune?

Managing Windows Firewall settings across hundreds or thousands of corporate devices manually is both time-consuming and error-prone. Microsoft Intune's endpoint security framework provides centralized firewall policy management that ensures consistent security posture across your entire Windows device fleet. When devices connect to private networks—whether in corporate offices, branch locations, or secure remote sites—they need robust firewall protection that blocks unauthorized inbound connections while allowing legitimate business traffic.

What Makes Intune Firewall Management Essential for Enterprise Security?

Traditional Group Policy-based firewall management often falls short in modern hybrid work environments where devices frequently move between networks and may not always connect to domain controllers. Intune's cloud-based approach ensures firewall policies apply regardless of device location, providing consistent protection whether users work from corporate offices, home networks, or public Wi-Fi hotspots. The private network profile specifically targets trusted network environments where devices still need protection against lateral movement attacks and unauthorized access attempts.

How Does Microsoft Intune's 2026 Firewall Framework Improve Security?

Microsoft's 2026 Q2 service release introduced enhanced firewall reporting capabilities and expanded the Settings Catalog with more granular firewall controls. The platform now offers three distinct methods for firewall policy deployment: Settings Catalog for maximum flexibility, Endpoint Security policies for streamlined security management, and traditional Endpoint Protection templates for legacy compatibility. This tutorial focuses on the Settings Catalog approach, which provides the most comprehensive control over Windows Defender Firewall settings while maintaining compatibility with the latest Windows 11 24H2 builds and Windows 10 systems running version 1809 or later.

Implementation Guide

Full Procedure

01

Access Microsoft Endpoint Manager and Create New Policy

Start by navigating to the Microsoft Endpoint Manager admin center and creating a new configuration policy using the Settings Catalog method, which provides the most granular control over firewall settings.

https://endpoint.microsoft.com

Sign in with your Intune Administrator credentials. Once logged in, navigate to Devices > Configuration > Create > New policy. Select Windows 10 and later as the platform and choose Settings catalog as the profile type.

Name your policy something descriptive like "Private Network Firewall - Enable & Block Inbound" to clearly identify its purpose in your policy list.

Pro tip: Use consistent naming conventions for your Intune policies. Include the network profile type and primary action in the name for easy identification.

Verification: Confirm you're on the Settings catalog creation page with the correct platform selected before proceeding to the next step.

02

Configure Private Network Firewall Settings

Now you'll configure the specific firewall settings for the private network profile. Click Add settings and search for "Firewall" in the settings browser. Expand Windows Defender Firewall to access the firewall configuration options.

Configure these three critical settings:

Setting 1: Enable Private Network Firewall

Path: Administrative Templates/Network/Windows Defender Firewall/Private Profile
Setting: Private Network Firewall
Value: Enable

Setting 2: Default Inbound Action

Path: Administrative Templates/Network/Windows Defender Firewall/Private Profile
Setting: Private Network Firewall - Default Inbound Action
Value: Block

Setting 3: Default Outbound Action

Path: Administrative Templates/Network/Windows Defender Firewall/Private Profile
Setting: Private Network Firewall - Default Outbound Action
Value: Allow (Standard) or Block (High security environments)
Warning: Setting the default outbound action to Block will require explicit allow rules for all outbound traffic. Only use this in high-security environments where you can manage all required outbound connections.

Verification: Ensure all three settings show "Configured" status with your selected values before proceeding to assignments.

03

Assign Policy to Target Groups

Navigate to the Assignments tab to specify which devices or users will receive this firewall policy. Click Select groups to include and choose your target device groups or user groups.

For device-based assignment (recommended for firewall policies):

Assignment type: Device groups
Target: All Corporate Devices (or specific security groups)
Filter: None (unless using assignment filters)

For user-based assignment:

Assignment type: User groups
Target: IT Security Team, Remote Workers, etc.
Filter: Platform = Windows

Review your assignments carefully. Firewall policies can impact network connectivity, so start with a pilot group before rolling out to all devices.

Pro tip: Create a pilot group with 5-10 test devices first. Monitor for 24-48 hours before expanding to production groups.

Click Next to proceed to the review screen, then click Review + create to finalize the policy.

Verification: Confirm the policy shows "Created" status and appears in your Configuration policies list under Devices > Configuration.

04

Create Endpoint Security Firewall Policy (Alternative Method)

As an alternative or complementary approach, you can create a dedicated endpoint security firewall policy. Navigate to Endpoint security > Firewall > Create Policy.

Configure the policy with these settings:

Platform: Windows 10, 11, and Windows Server
Profile: Microsoft Defender Firewall
Name: Private Network Security Policy

In the configuration settings, focus on the Private Profile section:

{
  "Enable Private Network Firewall": "Yes",
  "Default inbound action": "Block",
  "Default outbound action": "Allow",
  "Notifications": "Block",
  "Unicast response to multicast": "Block"
}

This method provides a more streamlined interface specifically designed for security policies and integrates better with Intune's security reporting dashboard.

Assign this policy to the same groups as your configuration policy, or use it as a standalone solution if you prefer the endpoint security approach.

Verification: Check that the policy appears under Endpoint security > Firewall and shows the correct assignment count.

05

Force Policy Sync on Target Devices

To expedite policy deployment, force a sync on your target devices. You can do this through the Intune admin center or directly on the devices.

Method 1: Through Intune Admin Center

Navigate to Devices > All devices, select a target device, and click Sync. This triggers an immediate policy refresh.

Method 2: On the Device Directly

Open Settings on the Windows device and navigate to Accounts > Access work or school. Click on your work account and select Sync.

Method 3: PowerShell Command

# Check device registration status
dsregcmd /status

# Force Intune policy sync
Get-ScheduledTask -TaskName "PushLaunch" | Start-ScheduledTask

# Alternative: start the same task through Invoke-Command (runs on the local machine unless -ComputerName is supplied)
Invoke-Command -ScriptBlock {Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask}

Wait 5-10 minutes after forcing the sync before checking policy application status.

Verification: Run dsregcmd /status and look for recent "LastSyncTime" entries to confirm the sync completed successfully.
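Starting the PushLaunch task only queues a check-in; nothing in the commands above tells you whether it actually ran. The following function is an added example (not part of the original article) that locates the task under the enrollment-specific path, starts it, and then waits for the task's last-run timestamp to advance so the result code can be inspected. The task path \Microsoft\Windows\EnterpriseMgmt\<enrollment GUID>\ is the standard location for MDM-enrolled devices; the 120-second timeout is an arbitrary choice.

```powershell
# Added example, not from the original article.
# Finds the Intune "PushLaunch" scheduled task, starts it, and waits until it has
# completed so the LastTaskResult can be checked (0 = the task ran successfully).

function Invoke-IntuneSyncAndWait {
    param([int]$TimeoutSeconds = 120)   # arbitrary upper bound for the wait loop

    # The task is created per enrollment under \Microsoft\Windows\EnterpriseMgmt\<GUID>\
    $task = Get-ScheduledTask -TaskName 'PushLaunch' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
            Select-Object -First 1
    if (-not $task) {
        throw 'PushLaunch task not found: the device does not appear to be MDM-enrolled.'
    }

    $before = ($task | Get-ScheduledTaskInfo).LastRunTime
    $task | Start-ScheduledTask

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        # Re-query so we see the current state rather than the cached object
        $current = Get-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName
        $info    = $current | Get-ScheduledTaskInfo
        $ran     = ($info.LastRunTime -gt $before) -and ($current.State -ne 'Running')
    } until ($ran -or (Get-Date) -gt $deadline)

    [pscustomobject]@{
        TaskPath       = $task.TaskPath
        StartedBefore  = $before
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult   # 0 means the sync task completed
        Completed      = $ran
    }
}

Invoke-IntuneSyncAndWait | Format-List
```

A Completed value of False after the timeout usually means the task is still running or never started; a non-zero LastTaskResult is the cue to look at the DeviceManagement-Enterprise-Diagnostics-Provider event log described in the troubleshooting step.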

06

Verify Firewall Configuration on Target Devices

Once policies have been deployed and synced, verify that the firewall configuration has been applied correctly on your target devices.

PowerShell Verification Commands:

# Check private network firewall profile status
Get-NetFirewallProfile -Profile Private

# Verify specific firewall settings
Get-NetFirewallProfile -Profile Private | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Check Windows Firewall service status
Get-Service -Name "MpsSvc" | Select-Object Name, Status, StartType

Expected output for a properly configured private network firewall:

Name                  : Private
Enabled               : True
DefaultInboundAction  : Block
DefaultOutboundAction : Allow
LogAllowed            : False
LogBlocked            : False

Registry Verification:

# Check MDM firewall policy registry entries
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM\DMMap\AutoEnroll\Extensions\firewall"

# Verify private profile registry settings
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile"

Warning: If the firewall shows as disabled or not configured, check for conflicting Group Policy Objects (GPOs) that might be overriding Intune policies.

Verification: Confirm that Enabled shows as True and DefaultInboundAction shows as Block in the PowerShell output.

07

Monitor Policy Compliance and Reporting

Use Intune's built-in reporting capabilities to monitor firewall policy compliance across your managed devices. Navigate to Reports > Endpoint security > Firewall to access comprehensive firewall reporting.

Key Reports to Monitor:

1. MDM Firewall status - Overall compliance summary
2. Firewall policy compliance - Device-level compliance details
3. Firewall configuration - Applied settings per device
4. Non-compliant devices - Devices requiring attention

Access the firewall reports dashboard:

https://endpoint.microsoft.com/#view/Microsoft_Intune_Reporting/FirewallBlade

Set up automated compliance monitoring by creating custom reports that filter for:

  • Devices with firewall disabled
  • Devices with policy application failures
  • Devices not checking in for policy updates

PowerShell Monitoring Script:

# Create a monitoring script for firewall compliance
$FirewallStatus = Get-NetFirewallProfile -Profile Private
if ($FirewallStatus.Enabled -eq $false) {
    Write-Output "ALERT: Private network firewall is disabled"
    # Add logging or alerting logic here
} else {
    Write-Output "OK: Private network firewall is enabled"
}

Pro tip: Schedule weekly reviews of firewall compliance reports to identify trends and address issues proactively. Export reports to CSV for further analysis in Excel or Power BI.

Verification: Confirm that your target devices appear in the compliance reports with "Compliant" status within 24 hours of policy deployment.
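The verification commands in step 06 and the monitoring snippet above each check a single property by eye. The script below is an added example (not code from the original article) that combines both steps: it compares the private profile against the baseline configured in step 02 (Enabled = True, inbound Block, outbound Allow) plus the MpsSvc service state, returns a result object listing every deviation, and exits 1 when anything drifts. The exit-code convention (0 compliant, 1 non-compliant) is the one Intune's Remediations detection scripts use, so the same file can be deployed there; that use is an assumption about your environment, not something the article describes.

```powershell
# Added example, not from the original article.
# Compares the effective private-profile settings with the tutorial's baseline and
# reports every deviation instead of only checking Enabled.

$Baseline = @{
    Enabled               = $true    # Step 02, Setting 1
    DefaultInboundAction  = 'Block'  # Step 02, Setting 2
    DefaultOutboundAction = 'Allow'  # Step 02, Setting 3 (standard choice)
}

function Test-PrivateFirewallBaseline {
    [CmdletBinding()]
    param([hashtable]$Expected = $Baseline)

    # Get-NetFirewallProfile defaults to the active store, i.e. what is enforced
    $profile = Get-NetFirewallProfile -Profile Private
    $service = Get-Service -Name MpsSvc

    $findings = [System.Collections.Generic.List[string]]::new()

    foreach ($key in $Expected.Keys) {
        # Enabled is a GpoBoolean and the actions are enums; comparing their
        # string forms avoids type-coercion surprises
        $actual = [string]$profile.$key
        $wanted = [string]$Expected[$key]
        if ($actual -ne $wanted) {
            $findings.Add("$key is '$actual', expected '$wanted'")
        }
    }

    if ($service.Status -ne 'Running') {
        $findings.Add("MpsSvc is $($service.Status), expected Running")
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Checked      = (Get-Date).ToString('s')
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

$result = Test-PrivateFirewallBaseline
if ($result.Compliant) {
    Write-Output "OK: private profile matches baseline on $($result.ComputerName)"
    exit 0
}
Write-Output ("ALERT: " + ($result.Findings -join '; '))
exit 1
```

Because the function returns an object rather than only printing, the same check can be collected fleet-wide (for example via Invoke-Command against a pilot group) and exported to CSV alongside the Intune reports.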

08

Troubleshoot Common Policy Application Issues

Address common issues that may prevent proper firewall policy application. Use these troubleshooting steps when devices don't show compliant status or firewall settings aren't applied correctly.

Issue 1: Policy Not Applying

# Check device enrollment status
dsregcmd /status | findstr "AzureAdJoined DomainJoined WorkplaceJoined"

# Verify Intune management extension
Get-Process -Name "Microsoft.Management.Services.IntuneWindowsAgent" -ErrorAction SilentlyContinue

# Check event logs for policy errors
Get-WinEvent -LogName "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin" -MaxEvents 50

Issue 2: Group Policy Conflicts

# Check for conflicting GPO settings
gpresult /r /scope:computer | findstr "Firewall"

# View applied group policies
gpresult /h c:\temp\gpresult.html
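Searching gpresult output for the word "Firewall" shows that a GPO touches the firewall but not which private-profile value it sets or whether it is the one winning on the device. The function below is an added example (not from the original article) that queries the same three settings from the three NetSecurity policy stores: PersistentStore (local configuration), RSOP (the resultant Group Policy settings) and ActiveStore (what is actually enforced), then reads the raw Group Policy registry values. The store names are the standard ones accepted by Get-NetFirewallProfile; a setting whose RSOP value is anything other than NotConfigured is being supplied by Group Policy.

```powershell
# Added example, not from the original article.
# Shows, per setting, what the local store, Group Policy (RSOP) and the active store
# hold for the private profile, so a GPO override is visible at a glance.

function Get-PrivateFirewallPolicySources {
    $stores = 'PersistentStore', 'RSOP', 'ActiveStore'
    $props  = 'Enabled', 'DefaultInboundAction', 'DefaultOutboundAction'

    foreach ($prop in $props) {
        $row = [ordered]@{ Setting = $prop }
        foreach ($store in $stores) {
            try {
                $p = Get-NetFirewallProfile -Profile Private -PolicyStore $store -ErrorAction Stop
                $row[$store] = [string]$p.$prop
            } catch {
                # The RSOP store is unavailable on devices that have never processed Group Policy
                $row[$store] = 'n/a'
            }
        }
        # Group Policy is supplying this setting when RSOP holds a concrete value
        $row['SetByGpo'] = $row['RSOP'] -notin @('NotConfigured', 'n/a')
        [pscustomobject]$row
    }
}

Get-PrivateFirewallPolicySources | Format-Table -AutoSize

# The values gpresult reports come from this registry key; EnableFirewall,
# DefaultInboundAction and DefaultOutboundAction are stored as DWORDs
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
if (Test-Path $gpoKey) {
    Get-ItemProperty -Path $gpoKey |
        Select-Object EnableFirewall, DefaultInboundAction, DefaultOutboundAction
} else {
    Write-Output "No Group Policy firewall values under $gpoKey (GPO is not setting the private profile)."
}
```

A row with SetByGpo = True whose ActiveStore value differs from the Intune policy is the conflict the warning in step 06 refers to, and the GPO (or the MDM-wins-over-GP policy mentioned in the FAQ) is where it has to be resolved.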

Issue 3: Local Administrator Overrides

Prevent local administrators from disabling the firewall by adding this setting to your policy:

Setting: Private Network Firewall - Prevent users from disabling firewall
Value: Enable

Common Resolution Steps:

  1. Force device sync: Get-ScheduledTask -TaskName "PushLaunch" | Start-ScheduledTask
  2. Restart Windows Firewall service: Restart-Service -Name "MpsSvc" -Force
  3. Clear policy cache: Remove-Item "C:\Windows\System32\GroupPolicy\Machine\Registry.pol" -Force
  4. Reboot device if persistent issues occur

Warning: Always test troubleshooting steps on non-production devices first. Clearing policy cache or restarting services can temporarily disrupt network connectivity.

Verification: After troubleshooting, run Get-NetFirewallProfile -Profile Private again to confirm the firewall is properly configured and enabled.

Frequently Asked Questions

What's the difference between Settings Catalog and Endpoint Security firewall policies in Microsoft Intune?
Settings Catalog provides the most granular control over Windows Defender Firewall settings with access to all available Group Policy equivalents, while Endpoint Security policies offer a streamlined interface focused on common security scenarios. Settings Catalog supports up to 150 custom firewall rules per profile and includes advanced options like WDAC integration, whereas Endpoint Security policies are designed for standard corporate firewall configurations with simplified rule management.
How long does it take for Intune firewall policies to apply to Windows devices?
Intune firewall policies typically apply within 8-24 hours during normal sync cycles, but you can force immediate application using device sync commands. The policy application time depends on device check-in frequency, network connectivity, and whether the device is actively connected to the internet. For critical security updates, use the manual sync option in Endpoint Manager or run 'Get-ScheduledTask -TaskName PushLaunch | Start-ScheduledTask' on target devices.
Can Group Policy Objects override Microsoft Intune firewall settings?
Yes, Group Policy Objects can override Intune firewall settings if the device is domain-joined and receives conflicting GPO policies. GPOs typically have higher precedence than MDM policies for firewall settings. To resolve conflicts, either remove conflicting GPO settings, set Intune policies to 'Block' mode for higher priority, or use the 'MDM policy wins over GP' registry setting. Always verify policy precedence using 'gpresult /r' command on affected devices.
What happens if users try to disable Windows Firewall on Intune-managed devices?
When properly configured, Intune firewall policies prevent standard users from disabling Windows Firewall through the Control Panel or Settings app. However, local administrators can still override these settings unless you enable the 'Prevent users from disabling firewall' setting in your Intune policy. For maximum security, combine firewall policies with administrative template policies that restrict local admin rights and implement Windows Defender Application Control (WDAC) to prevent unauthorized firewall modifications.
How do I troubleshoot Intune firewall policies that show as 'Not Configured' in reports?
The 'Not Configured' status typically indicates that the policy hasn't reached the device or conflicts with existing settings. First, verify device enrollment status using 'dsregcmd /status' and check the last sync time. Force a policy sync, then examine the Windows Event Logs under 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' for specific error messages. Common causes include network connectivity issues, certificate problems, or conflicting Group Policy settings that need to be resolved at the domain level.
