This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 21%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMS%3C/text%3E%3C/svg%3E)
We have devices, joined to Entra ID, and Intune. I push the following Security baselines:
They all have a Firewall section, including settings for the three network types
All of these have
I have set these to "False" in all locations above. In theory, this means that the firewall does not use the local store, it uses some other store. My questions:
I had a theory that maybe I could push firewall rules to the device using Intune > Devices > Configuration > New Policy > Windows 10 and later > Templates > Endpoint protection > open Firewall section, and start adding rules, and apply that to a group where the device is included. But, that does not appear to do anything, or I am using the wrong method of detection. I also pushed a remediation to the device, using "Set-NetFirewallRule", but likewise, that does not appear to work.
If I set "Allow Local ipsec policy merge" and "Allow Local Policy Merge" to true, then it appears that at least the remediation script does in fact modify the local firewall policy, and that does what I want it to do on the device.
I guess I could just leave those policy merge settings to true, and leave it at that, but it is using local policy which then leaves it up to the configuration of the local device, which is different for each and every device, with local app installs, and admin users able to change it to something non standard.
Any help in finding where I set the firewall settings that specifically work with "Allow Local ipsec policy merge" and "Allow Local Policy Merge" set to true, and then detecting the actual settings on the device would be much appreciated. If there is some well written documentation on this, I would love to read that if it explains what all of these settings mean, how to implement it for best security, and how to test that it actually is set up in the desired state< I would love to hear about that too.
Thank you
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@Manny Soto Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
Thanks for Pavel yannara Mirochnitchenko to share the blog and video.
You can either use the local store (local policy merge = allow), or not. If not, you should configure all inbound firewall rules needed with Intune (Endpoint Security section). Most recommend method from security perspective is to it just like that - don't allow local store.