Manage Windows Firewall Rulesets on devices

A Windows Firewall Ruleset contains a collection of Windows Firewall Rules that can be applied to one or more managed devices. These rules allow or block access to the system for items such as applications, services, or IP ranges. You can apply multiple rulesets to a single device.

NOTE: Windows Firewall configuration settings override any settings specified locally on the device. For example, if the configuration forces stealth mode or ignores authorized applications, then once that configuration is applied to the device, stealth mode cannot be changed on the device, and any authorized apps on the device are ignored unless they are part of a Firewall Ruleset deployed to that device.

In some cases there can be a conflict between two or more rules applied to a device. For example, Microsoft Teams can be blocked in one rule and allowed in another. In this case, the following logic applies:

  1. Explicitly defined allow rules take precedence over the default block setting.
  2. Explicit block rules take precedence over any conflicting allow rules.
  3. More specific rules take precedence over less specific rules, except in the case of explicit block rules as described in item 2. For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 takes precedence.
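
The following added example (not part of the product or its documentation) models the three precedence items above so you can check how overlapping rulesets resolve before deploying them. The rule names, the `teams.exe` and `agent.exe` program names, the addresses, and the use of CIDR prefix length as the measure of specificity are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "block"
    program: str   # "*" matches any application
    remote: str    # CIDR; a single host is written as a /32

    def matches(self, program, ip):
        net = ipaddress.ip_network(self.remote)
        return self.program in ("*", program) and ipaddress.ip_address(ip) in net

    def specificity(self):
        # Assumption: a longer prefix (narrower range) is "more specific".
        return ipaddress.ip_network(self.remote).prefixlen


def evaluate(rules, program, ip, default="block"):
    """Return (verdict, name of the deciding rule or None) for one connection."""
    hits = [r for r in rules if r.matches(program, ip)]
    blocks = [r for r in hits if r.action == "block"]
    allows = [r for r in hits if r.action == "allow"]
    if blocks:   # item 2: an explicit block beats any conflicting allow
        return "block", max(blocks, key=Rule.specificity).name
    if allows:   # item 1: an explicit allow beats the default block
        return "allow", max(allows, key=Rule.specificity).name  # item 3
    return default, None


# Constructed sample: rules merged from two rulesets applied to one device.
RULES = [
    Rule("rs1-allow-teams", "allow", "teams.exe", "0.0.0.0/0"),
    Rule("rs2-block-teams", "block", "teams.exe", "0.0.0.0/0"),
    Rule("rs1-allow-range", "allow", "*", "10.0.0.0/24"),
    Rule("rs2-allow-host", "allow", "*", "10.0.0.5/32"),
    Rule("rs1-block-lab", "block", "*", "192.168.50.0/24"),
    Rule("rs2-allow-lab-host", "allow", "*", "192.168.50.10/32"),
]

if __name__ == "__main__":
    for prog, ip in [("teams.exe", "203.0.113.7"), ("agent.exe", "10.0.0.5"),
                     ("agent.exe", "192.168.50.10"), ("agent.exe", "198.51.100.1")]:
        print(prog, ip, evaluate(RULES, prog, ip))
```

The third case is the one that most often surprises administrators: a narrow allow for a single host does not carve an exception out of a broader explicit block.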

Caution: Creating Windows Firewall Rules assumes that you have a good understanding of the Windows Defender Firewall. Some configurations are very complex and require extensive knowledge and experience to complete. While many types of rules and their combinations are possible, not all of them are advisable, as they can cause unexpected results and require a device reset.

For troubleshooting information, see Accidentally blocking access to devices.

For technical details, see Best practices for configuring Windows Defender Firewall.

To apply a Windows Firewall Ruleset to managed devices:

  1. To apply a Windows Firewall Ruleset to one or more Windows devices using the Devices tab:
    1. Select the Devices tab in top navigation.
    2. Select one or more Windows devices in the list.
    3. In the right panel, click Security.
    4. In the Security area that appears, on the right of Windows Firewall Ruleset, click Add Ruleset.
    5. In the Security Configuration Library view that appears, select a Windows Firewall Ruleset, and click Apply to Device.
    6. Add more rulesets to the device, as required.

    For more information about working with devices using the Devices tab, see Managing devices.

  2. To apply a Windows Firewall configuration to one or more devices using policies:
    1. Select the Policies tab in top navigation.
    2. Complete one of the following steps:
      • To create a policy, click Add New.
      • To edit an existing policy, in the policy row, click the Edit button.
    3. In the General section, select one or more labels associated with target devices. For more details about labels, see Using labels to group similar items.
    4. In the policy view that appears, in the left panel, click Security.
    5. In the Security Configurations list, select a Windows Firewall Ruleset.
    6. In the right panel that appears, click Link to Policy.
    7. In the top right corner, click Activate and Push Changes.
    8. Link more Windows Firewall Rulesets to the policy, as required.

    For more information about policies, see Using policies to manage device configurations.