This project aims to assist organizations in migrating their existing, in-house firewall rule solutions to Intune.
This project is primarily developed in PowerShell. This has the benefits of being flexible for organizations relying on many other Cmdlets and also serving as a reference point to see how they can implement their own export Cmdlets to automate custom firewall rule migration.
Cmdlet development is done as Script Cmdlets instead of traditional Binary Cmdlets developed in C#.
The project follows a slightly modified project structure pattern that is common in a few PowerShell repositories found online. An example
can be found here. Source code is all under the /src directory.
The project has been developed and tested on Windows 10 1903 and with PowerShell Version 5.1.18362.145.
This project relies on Export-FirewallRules.ps1 Script The script install the other dependencies the project relies on such as theIntune PowerShell SDK for submitting Graph API calls and the ImportExcel Module.
- Download and unzip the file Export-FirewallRules.zip.
- Open a powershell session with administrative priviledge and run the script.
Export-FirewallRule.ps1To run the tool, for each PowerShell session, you need to run the script Export-FirewallRule.ps1. This will download and install any prerequisites and import this project into your current PowerShell session by importing the module psm file:
Export-FirewallRule.ps1The user would be prompted to signin to their MSGraph admin account, asked to provide a unique migration profile name and asked permission to send telemetry to intune in a case where there was an exception thrown.
This project uses Pester, a PowerShell unit-testing and mocking framework shipped natively with Windows 10. While Pester is shipped with Windows 10, it is best to update the package, as there are a few syntax changes found between Pester versions.
To run unit tests for the entire project, you can simply run Invoke-Pester . in the src\Tests directory.
For simple migration purposes for net firewall rules on the host, use this:
Export-FirewallRule.ps1This would by default export and send from Group Policy Object Firewall Rules that are enabled.
Exporting and sending rules from Group Policy Object Firewall Rules that are not enabled:
Export-FirewallRule.ps1 -includeDisabledRulesExporting and sending all of Windows Defender Firewall with Advanced Security rules:
Export-FirewallRule.ps1 -includeDisabledRules -includeLocalRulesBy default, the Export-FirewallRule.ps1 will export and send only Group Policy Object Firewall rules, so the following command also works:
Export-FirewallRule.ps1- If a firewall rule has an attribute that is known to be incompatible with Intune beforehand. The tool will raise an exception, send telemetry data to Intune if permitted and automatically progress . Once the tool has run, a report will be generated with rules that were not successfully migrated. You can view any of these rules by viewing RulesError.xlsx found in .\logs.
The following setting values are not supported for migration:
PlayToDiscovery is not supported as a local or remote port range
LocalSubnet6 is not supported as a local or remote address range LocalSubnet4 is not supported as a local or remote address range PlayToDevice is not supported as a local or remote address range
Telemetry is not enabled by default. However, when the script is run a prompt is displayed asking permission to send telemetry to Intune. When the project encounters a firewall rule that is currently incompatible with Intune, if permission was granted, this error message is sent to the Intune team at Microsoft to help us refine the product.