Important
Microsoft Defender for Business is now in preview, and will roll out gradually to customers and IT Partners who sign up here to request it. We will onboard an initial set of customers and partners in the coming weeks and will expand the preview leading up to general availability. Note that the preview will launch with an initial set of scenarios, and we will be adding capabilities regularly.
Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
Microsoft Defender for Business (preview) includes firewall capabilities through Windows Defender Firewall. Firewall protection helps secure devices with rules that determine which network traffic is permitted to enter a device (inbound) and which is permitted to leave it (outbound).
You can use firewall protection to specify whether to allow or block connections on devices in various locations. For example, your firewall settings can allow inbound connections on devices that are connected to your company’s internal network, but prevent those connections when the device is on a network with untrusted devices.
This article describes:
Default firewall settings in Defender for Business (preview)
Firewall settings you can configure in Defender for Business (preview)
Default firewall settings in Defender for Business
Microsoft Defender for Business (preview) includes default firewall policies and settings to help protect your company’s devices from day one. As soon as your company’s devices are onboarded to Microsoft Defender for Business (preview), your default firewall policy works as follows:
Outbound connections from devices are allowed by default, regardless of location.
When devices are connected to your company's network (the domain network profile), all inbound connections are allowed by default.
When devices are connected to a public network or a private network (the public and private network profiles), all inbound connections are blocked by default.
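The following PowerShell script is an added example, not part of the Defender for Business documentation, that audits the three Windows Defender Firewall profiles on an onboarded device against the defaults listed above. It assumes the NetSecurity module that ships with Windows and an elevated session; the expected values are taken from this article rather than from stock Windows, so an unmanaged device (where inbound is blocked on every profile, including Domain) will show up as non-compliant, which is exactly the drift the check is meant to surface.

```powershell
# Added example (not from the Defender for Business documentation): audit the
# Domain, Private and Public firewall profiles against the default inbound and
# outbound behaviour this article describes. Read-only; run elevated.

# Expected defaults as stated in this article. Assumption: these are the
# profile defaults Defender for Business applies, not the stock Windows values.
$Expected = @{
    Domain  = @{ Inbound = 'Allow'; Outbound = 'Allow' }
    Private = @{ Inbound = 'Block'; Outbound = 'Allow' }
    Public  = @{ Inbound = 'Block'; Outbound = 'Allow' }
}

function Resolve-FirewallAction {
    # Get-NetFirewallProfile reports 'NotConfigured' when a profile inherits the
    # built-in Windows default, which is Block for inbound and Allow for outbound.
    param([string]$Action, [string]$Direction)
    if ($Action -eq 'NotConfigured') {
        if ($Direction -eq 'Inbound') { return 'Block' } else { return 'Allow' }
    }
    return $Action
}

function Test-FirewallProfileDefaults {
    $results = foreach ($fwProfile in Get-NetFirewallProfile) {
        $name     = "$($fwProfile.Name)"      # Domain, Private or Public
        $inbound  = Resolve-FirewallAction "$($fwProfile.DefaultInboundAction)"  'Inbound'
        $outbound = Resolve-FirewallAction "$($fwProfile.DefaultOutboundAction)" 'Outbound'
        $enabled  = ("$($fwProfile.Enabled)" -eq 'True')
        [pscustomobject]@{
            Profile          = $name
            Enabled          = $enabled
            Inbound          = $inbound
            ExpectedInbound  = $Expected[$name].Inbound
            Outbound         = $outbound
            ExpectedOutbound = $Expected[$name].Outbound
            # A disabled profile enforces nothing, so it can never be compliant.
            Compliant        = $enabled -and
                               ($inbound  -eq $Expected[$name].Inbound) -and
                               ($outbound -eq $Expected[$name].Outbound)
        }
    }
    return $results
}

Test-FirewallProfileDefaults | Format-Table -AutoSize
```

The script deliberately does not call Set-NetFirewallProfile: on a device onboarded to Defender for Business the profile settings come from policy, and a local change would be overwritten at the next policy refresh. Use the output to confirm that policy has actually landed on the device, and fix drift in the portal rather than on the endpoint.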
In Microsoft Defender for Business (preview), you can define exceptions to block or allow incoming connections. You define these exceptions by creating custom rules. On the public and private network profiles, where inbound connections are blocked by default, an exception is an allow rule; on the domain network profile, where inbound connections are allowed by default, an exception is a block rule. See Manage custom rules for firewall policies.
Firewall settings you can configure in Defender for Business
Microsoft Defender for Business (preview) includes firewall protection through Windows Defender Firewall. The following table lists settings that can be configured for firewall protection in Microsoft Defender for Business (preview).
Table: Firewall settings you can configure in Defender for Business

Domain network: The domain network profile applies to your company's network. Firewall settings for your domain network apply to inbound connections that are initiated by other devices on the same network. By default, incoming connections are set to Allow all.

Public network: The public network profile applies to a network in a public location, such as a coffee shop or an airport. Firewall settings for public networks apply to inbound connections that are initiated by other devices on the same network. Because a public network can include devices that you don't know or don't trust, incoming connections are set to Block all by default.

Private network: The private network profile applies to a network in a private location, such as your home. Firewall settings for private networks apply to inbound connections that are initiated by other devices on the same network. In general, on a private network, it is assumed that the other devices on the same network are trusted. However, by default, incoming connections are set to Block all.

Custom rules: Custom rules allow you to block or allow specific connections. For example, suppose that you want to block all incoming connections on devices that are connected to a private network, except for connections through a specific app on a device. In this case, you would set Private network to block all incoming connections, and then add a custom rule to define the exception.

You can use custom rules to define exceptions for specific files or apps, for a single Internet Protocol (IP) address, or for a range of IP addresses.

Depending on the type of custom rule you are creating, here are some example values you can use:

Application file path: C:\Windows\System32\notepad.exe or %WINDIR%\notepad.exe

IP: A single IPv4 or IPv6 address, such as 192.168.1.10, or a subnet in CIDR notation, such as 192.168.1.0/24

IP: A range of IPv4 or IPv6 addresses, written as the first and last address separated by a hyphen with no spaces, such as 192.168.1.0-192.168.1.9
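The following PowerShell script is an added example, not code from the Defender for Business documentation, that creates the three kinds of custom rule the table describes (an exception by application file path, an exception by IP address range, and a block rule on a profile whose default is Allow) directly in Windows Defender Firewall and then reads back what was stored. The rule names, the Demo-MDB prefix, the port numbers and the 192.168.50.0/24 subnet are made up for the demonstration. It requires an elevated session; on a device managed by Defender for Business, define the rules in the portal so that policy does not overwrite them, and use this only on a lab machine to see how each value maps onto the firewall.

```powershell
# Added example (not from the Defender for Business documentation): create the
# kinds of custom rules described in the table and read them back. Run elevated
# on an unmanaged lab device. Names, ports and addresses are made up.

$RulePrefix = 'Demo-MDB'   # assumption: a prefix so the demo rules are easy to find and remove

# 1. Exception by application file path. The Private profile blocks inbound by
#    default, so an Allow rule scoped to one program is the exception.
New-NetFirewallRule -DisplayName "$RulePrefix Allow inbound to Notepad (Private)" `
    -Direction Inbound -Action Allow -Profile Private `
    -Program '%WINDIR%\notepad.exe' -Enabled True | Out-Null

# 2. Exception by IP address range. Only hosts 192.168.1.0-192.168.1.9 may reach
#    TCP 3389 while the device is on the Private profile. No spaces in the range.
New-NetFirewallRule -DisplayName "$RulePrefix Allow RDP from management range (Private)" `
    -Direction Inbound -Action Allow -Profile Private `
    -Protocol TCP -LocalPort 3389 -RemoteAddress '192.168.1.0-192.168.1.9' | Out-Null

# 3. Exception on a profile whose default is Allow. The Domain profile allows
#    inbound by default, so here the exception is a Block rule for one subnet
#    written in CIDR form. In Windows Defender Firewall a matching Block rule
#    takes precedence over any Allow rule for the same traffic.
New-NetFirewallRule -DisplayName "$RulePrefix Block SMB from guest subnet (Domain)" `
    -Direction Inbound -Action Block -Profile Domain `
    -Protocol TCP -LocalPort 445 -RemoteAddress '192.168.50.0/24' | Out-Null

# Read back what was actually stored. The program, address and port scopes live
# in separate filter objects that hang off the rule, not on the rule itself.
Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = "$($rule.Profile)"
        Direction     = "$($rule.Direction)"
        Action        = "$($rule.Action)"
        Program       = $app.Program
        RemoteAddress = ($addr.RemoteAddress -join ',')
        LocalPort     = ($port.LocalPort -join ',')
    }
} | Format-Table -AutoSize

# Clean-up once you have inspected the result:
# Get-NetFirewallRule -DisplayName "$RulePrefix*" | Remove-NetFirewallRule
```

Two things worth checking in the read-back output: the program path is stored as you typed it, so a rule written with %WINDIR% and one written with C:\Windows are two different rules even though they point at the same file, and an address range or subnet that was typed with a space or a typo is rejected at creation time rather than silently matching nothing.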