Add endpoint protection settings in Intune
With Intune, you can use device configuration profiles to manage common endpoint protection security features on devices, including:
- Allowing and blocking apps
- Windows Defender and encryption
For example, you can create an endpoint protection profile that only allows macOS users to install apps from the Mac App Store. Or, enable Windows SmartScreen when running apps on Windows 10 devices.
Before you create a profile, review the following articles that detail the endpoint protection settings Intune can manage for each supported platform:
Create a device profile containing endpoint protection settings
Sign in to Intune.
Select Device configuration > Profiles > Create profile.
Enter a Name and Description for the endpoint protection profile.
From the Platform drop-down list, select the device platform to which you want to apply custom settings. Currently, you can choose one of the following platforms for device restriction settings:
- Windows 10 and later
From the Profile type drop-down list, choose Endpoint protection.
Depending on the platform you chose, the settings you can configure are different. See:
After you configure applicable settings, select Create on the Create profile page.
The profile is created and appears on the profiles list page. To assign this profile to groups, see assign device profiles.
Add custom Firewall rules for Windows 10 devices
Custom firewall rules are in Public Preview.
When you configure the Windows Defender Firewall as part of a profile that includes endpoint protection rules for Windows 10, you can configure custom rules for Firewalls. Custom rules let you expand on the pre-defined set of Firewall rules supported for Windows 10.
When you plan for profiles with custom Firewall rules, consider the following information, which could affect how you choose to group firewall rules in your profiles:
- Each profile supports up to 150 firewall rules. When you use more than 150 rules, create additional profiles, each limited to 150 rules.
- For each profile, if a single rule fails to apply, all rules in that profile are failed and none of the rules are applied to the device.
- When a rule fails to apply, all rules in the profile are reported as failed. Intune cannot identify which individual rule failed.
The Firewall rules that Intune can manage are detailed in the Windows Firewall configuration service provider (CSP). To review the list of custom firewall settings for Windows 10 devices that Intune supports, see Custom Firewall rules.
To add custom firewall rules to an Endpoint protection profile
In Intune, go to Device configuration > Profiles > Create Profile.
For Platform, select Windows 10 and later, and then for Profile type select Endpoint protection.
Select Windows Defender Firewall to open the configuration page, and then for Firewall rules select Add to open the Create Rule page.
Specify settings for the Firewall rule, and then select OK to save it. To review the available custom firewall rule options in documentation, see Custom Firewall rules.
After you save the rule, it appears on the Windows Defender Firewall page in the list of rules.
To modify a rule, select the rule from the list, to open the Edit Rule page.
To delete a rule from a profile, select the ellipsis (…) for the rule, and then select Delete.
To change the order in which rules display, select the up arrow, down arrow icon at the top of the rule list.
To assign a profile to groups, see assign device profiles.