Add Endpoint protection settings in Intune

With Intune, you can use device configuration profiles to manage common Endpoint protection security features on devices, including:

  • Firewall
  • BitLocker
  • Allowing and blocking apps
  • Microsoft Defender and encryption

For example, you can create an Endpoint protection profile that only allows macOS users to install apps from the Mac App Store. Or, enable Windows SmartScreen when running apps on Windows 10/11 devices.

Before you create a profile, review the following articles that detail the Endpoint protection settings Intune can manage for each supported platform:

Create a device profile containing Endpoint protection settings

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Configuration > Create.

  3. Enter the following properties:

    • Platform: Choose the platform of your devices. Your options:

      • macOS
      • Windows 10 and later
    • Profile: Select Templates > Endpoint protection.

  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.
    • Description: Enter a description for the policy. This setting is optional, but recommended.

    Select Next.

  6. In Configuration settings, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:

  7. Select Next.

  8. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  9. In Applicability Rules, use the Rule, Property, and Value options to define how this profile applies within assigned groups. Intune applies the profile to devices that meet the rules you enter. For more information about applicability rules, see Applicability rules.

    Select Next.

  10. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Add custom Firewall rules for Windows 10/11 devices

When you configure the Windows Firewall as part of a profile that includes endpoint protection rules for Windows 10/11, you can configure custom rules for Firewalls. Custom rules let you expand on the pre-defined set of Firewall rules supported for Windows devices.

When you plan for profiles with custom Firewall rules, consider the following information, which could affect how you choose to group firewall rules in your profiles:

  • Each profile supports up to 150 firewall rules. When you use more than 150 rules, create additional profiles, each limited to 150 rules.

  • For each profile, if a single rule fails to apply, all rules in that profile are failed and none of the rules are applied to the device.

  • When a rule fails to apply, all rules in the profile are reported as failed. Intune cannot identify which individual rule failed.

The Firewall rules that Intune can manage are detailed in the Windows Firewall configuration service provider (CSP). To review the list of custom firewall settings for Windows devices that Intune supports, see Custom Firewall rules.

To add custom firewall rules to an Endpoint protection profile

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Configuration > Create.

  3. Enter the following properties:

    • Platform: Choose Windows 10 and later.

    • Profile: Select Templates > Endpoint protection.

  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.
    • Description: Enter a description for the policy. This setting is optional, but recommended.

    Select Next.

  6. In Configuration settings, expand Windows Firewall. Next, for Firewall rules, select Add to open the Create Rule page.

  7. Specify settings for the Firewall rule, and then select Save to save it. To review the available custom firewall rule options in documentation, see Custom Firewall rules.

    1. The rule appears on the Windows Firewall page in the list of rules.
    2. To modify a rule, select the rule from the list, to open the Edit Rule page.
    3. To delete a rule from a profile, select the ellipsis (…) for the rule, and then select Delete.
    4. To change the order in which rules display, select the up arrow, down arrow icon at the top of the rule list.

    Select Next.

  8. In Assignments, select the device groups that will receive this profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  9. In Applicability Rules, use the Rule, Property, and Value options to define how this profile applies within assigned groups. Intune applies the profile to devices that meet the rules you enter. For more information about applicability rules, see Applicability rules.

    Select Next.

  10. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Next steps

Monitor the profile status.