One of the biggest differences between supporting AAD joined Windows devices and on-premises AD joined devices is the Domain firewall profile. When an AD joined device is connected to the domain network it switches to the Domain firewall profile, where we can have management ports open: administrative shares, WinRM, Remote Registry and much more, which is pretty normal. This makes it possible for the ServiceDesk and technicians to remotely troubleshoot errors without disturbing the end-user. Or to quote one customer, “I haven’t talked to an end-user in 2 years, I am not about to start now”, who works in third-line support without any customer interaction today.
AAD joined devices do not have the Domain firewall profile; they only have Public and Private, which leaves us without that option.
For a Zero Trust implementation this works great, but many still have a network that is trusted, for example using 802.1x on Ethernet for desktop devices. Then switching the firewall profile makes sense.
How can we switch to the Private firewall profile on AAD joined Windows devices on connect, then? It requires local admin permissions to switch to a different firewall profile, which makes perfect sense.
I reused a script I wrote that uses a scheduled task triggered by the event that is logged when the computer connects to a specific network: https://ccmexec.com/2020/11/map-drives-when-connecting-to-corporate-network/
The scheduled task uses a custom event trigger based on the network name as shown below. Here you need to change the name of the network. The SwitchFirewall.ps1 script has a section in the beginning where additional checks can/should be made that it actually is the corporate network we are connected to.
The script
The following files are needed and can be downloaded here: https://github.com/Ccmexec/Intune-MEM/tree/master/SwitchFirewall
The Install.ps1 script does the following:
– Copies the SwitchFirewall.ps1 script to %programfiles%\SwitchFirewall
– Creates a scheduled task with the network trigger
– Sets a registry value that can be used for detection by the Win32 app
SwitchFirewall.ps1 script:
# Place additional checks here that the device connected to the correct network.
# Replace "Demiranda.nu" with the name of your corporate network.
Get-NetConnectionProfile -Name "Demiranda.nu" | Set-NetConnectionProfile -NetworkCategory Private
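A network name (SSID or NLA profile name) is easy to reproduce, so the "additional checks" section above matters before the Private profile opens management ports. Here is an extended version of SwitchFirewall.ps1 that I have added as an example (it is not the script in the download); it assumes the profile name "Demiranda.nu" from the post, a connection-specific DNS suffix "corp.example.com" handed out by corporate DHCP, and a domain controller "dc01.corp.example.com" answering on TCP 389, all of which you replace for your environment.

```powershell
# Assumed values for this example; replace with your own network name, DNS suffix and probe host.
$NetworkName       = 'Demiranda.nu'
$ExpectedDnsSuffix = 'corp.example.com'
$ProbeHost         = 'dc01.corp.example.com'
$ProbePort         = 389
$LogPath           = Join-Path $env:ProgramData 'SwitchFirewall\SwitchFirewall.log'

function Write-Log {
    param([string]$Message)
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogPath
}

# 1. The task fired for a network with the expected name; confirm the profile exists
#    and note which interface it belongs to.
$netProfile = Get-NetConnectionProfile -Name $NetworkName -ErrorAction SilentlyContinue
if (-not $netProfile) {
    Write-Log "No connection profile named '$NetworkName' found. Nothing to do."
    return
}

# 2. Require that the interface received the corporate DNS suffix via DHCP,
#    so a look-alike network name alone is not enough.
$dnsClient = Get-DnsClient -InterfaceIndex $netProfile.InterfaceIndex
if ($dnsClient.ConnectionSpecificSuffix -ne $ExpectedDnsSuffix) {
    Write-Log "Interface $($netProfile.InterfaceAlias) has DNS suffix '$($dnsClient.ConnectionSpecificSuffix)', expected '$ExpectedDnsSuffix'. Leaving profile $($netProfile.NetworkCategory)."
    return
}

# 3. Confirm an internal-only resource is actually reachable.
$probe = Test-NetConnection -ComputerName $ProbeHost -Port $ProbePort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Log "Could not reach $ProbeHost on TCP $ProbePort. Leaving profile $($netProfile.NetworkCategory)."
    return
}

# 4. All checks passed: switch the profile so the Private firewall rules apply.
if ($netProfile.NetworkCategory -ne 'Private') {
    $netProfile | Set-NetConnectionProfile -NetworkCategory Private
    Write-Log "Switched '$NetworkName' on $($netProfile.InterfaceAlias) from $($netProfile.NetworkCategory) to Private."
} else {
    Write-Log "'$NetworkName' on $($netProfile.InterfaceAlias) is already Private."
}
```

The log file under %ProgramData% also gives you a record of every switch, which is useful when troubleshooting why a device did or did not end up in the Private profile.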
Implementation
The download contains 4 files: Install.ps1 and Uninstall.ps1 as described above, an .xml file containing the exported scheduled task with the network name in the trigger, and the SwitchFirewall.ps1 script that is executed by the scheduled task.
Two files need to be modified:
– SwitchFirewall.ps1: replace the network name
– SwitchFirewall.xml, the scheduled task to import, also needs the network name changed
Here are the settings needed to deploy the script as a Win32App:
Install Command: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file Install.ps1
Uninstall Command: C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file UnInstall.ps1
Detection rule:
With this solution implemented we can deploy our Firewall settings for the Private profile and start to manage them remotely if we want to.
I hope this is useful.
Hey, thanks for this. It’s really needed and sucks that Microsoft doesn’t provide this out of the box. I have a question: you’re using a Win32App but you don’t show creating and uploading the required .intunewin file. Do you just package the four files the usual way?