This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 33%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERG%3C/text%3E%3C/svg%3E)
Hello
I want to apply an Intune Firewall policy so that only certain applications connect to the internet and the rest are blocked.
To secure the connection of these computers to Intune, what application/ports do I need to add to the firewall rules so that the computers do not lose connection to Intune and Windows udpate?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Raul Guchinife,Thanks for posting in Q&A.
From your description, I know that you want to allow certain applications connect to the internet and the rest are blocked via Firewall Rule and ensure the connection of computers to Intune and Windows update.
Based on my researching, we can create a firewall rule policy follow the steps below to achieve this.
1.Sign into Intune portal > Click Devices > Click Configuration Profiles.
2.Create a profile for Windows 10 and later as platform type > Under Profile Type, select Templates and then Endpoint Protection and click on Create > In the Configuration settings section, select Windows Firewall > Expand the dropdown and then select Add to specify apps and rules for incoming connections for the app.
3.In Applications settings, select Package family name and enter the Package family name.
4.In Port and protocol settings, select TCP under Protocol, and enter 80 and 443 under Local ports and Remote ports.
5.In Assignment page, assign it to user or device group and click Create.
You can get the Package family name via PowerShell command 'Get-AppxPackage -AllUsers'.
Computers connect with Intune via TCP port 80 and 443.
Computers use TCP port 80 and 443 to communicate with the Windows Update service.
Here is some detailed information about Firewall Rules in the below link you can refer.
Hope above information can help you. If there is any update, feel free to let me know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hello..
In the rule that you have put as a problem I see that if I open for all destination addresses port 80 and 443, users will be able to browse without problems.
The issue is that they cannot browse and that the connection with intune is not interrupted.
@Raul Guchinife,Thanks for your update.
If you want computers connect with Internet, you can configure Direction as Outbound and configure Action as Allow to check if it can work.
Hello, I only want the computers to be connected to windows update and intune. They should not browse the internet.
If I open the ports 443 and 80 the computers as I said before will be able to browse the internet.
@Raul Guchinife,Thanks for your share.
If you want to block computers connect with Internet but allow computers connect with Intune and Windows Updates. You can add two Firewall rules, one set block Inbound, the other one set block Outbound but specify two TCP ports 80 and 443 in the two Firewall rules to connect with Intune and Windows Update.
Hope this can be helpful.
@Raul Guchinife,Hope things going well.
May I know the status from your side? If there is any update, feel free to let me know.