Key Takeaways:
- Helps identify blocked traffic, troubleshoot connectivity issues
- Windows Firewall Advanced Security Integration
- Offering visibility into denied inbound/outbound traffic
- Ensuring consistent firewall logging across all enrolled devices
Let’s discuss How to Enable Log Dropped Packets in Windows Firewall for Advanced Security using Intune. Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.
Table of Contents
Table of Contents
How to Enable Log Dropped Packets in Windows Firewall for Advanced Security using Intune
Organizations must balance security visibility against system performance and privacy. If an attacker is scanning an endpoint for open ports or attempting a brute-force attack, these attempts will show up as “dropped” packets. Logging them allows security teams to identify the source IP addresses of potential attackers.
- 4 New Intune Windows Firewall Logging Configuration Policies
- Ways to Allow an App through Windows Defender Firewall
- Check Firewall Policy Reports from Intune
How to Start Policy Creation
As an Admin, you can quickly configure this policy on your organisation. To start the Policy Creation, open the Microsoft Intune Admin center. Then go to Devices > Configuration >+ Create > +New Policy.
Profile Creation for Policy
Profile creation is the necessary step that helps you to assign the policy to appropriate platform and Profile. Here I would like to configure the policy to Windows 10 and later platform and settings catalog profile. Then click on the Create button.
Adding the Basic Details
Naming the policy is the primary step that help admins to identify the policy later. This is important and necessary step that allows you to know the purpose of the policy. Here is Name is mandatory and description is optional. After adding this click on the Next button.
Configure Block Office Applications from Creating Executable Content
With Settings Picker, you can use the Configuration Settings Tab. On this tab, you can click on the +Add Settings hyperlink to get the Settings Picker. The settings picker shows huge number of settings. Here, I would like to select the settings by browsing by Category. I choose Firewall\Enable Public Network Firewall: Enable Log Dropped Packets.
Disable Log Dropped Packets
Disable is the default value of this policy. On a busy network, a device might drop hundreds of background packets every minute. Continually writing these events to the disk can consume storage space and, in extreme cases on older hardware, cause slight performance overhead.
Enable Log Dropped Packets
If an attacker is scanning an endpoint for open ports or attempting a brute-force attack, these attempts will show up as “dropped” packets. Logging them allows security teams to identify the source IP addresses of potential attackers. So you can enable this setting.
Scope Tags
With scope tags, you create a restriction to the visibility of the Enable Log Dropped Packets in Windows Defender Firewall. It helps to organise resources as well. Here, I would like to skip this section, because it is not mandatory. Click on the Next button.
Assignments Tab for Selecting Group
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.
Review + Create Tab
Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.
Monitoring Status
The Monitoring Status page shows whether the policy has succeeded or not. To quickly configure the policy and take advantage of the policy sync the assigned device on Company Portal. Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.
Event Viewer Details
Event Viewer helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > Windows Defender > Operational.
| Event Viewer Details |
|---|
| Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration \ToastOrSso Trigger = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\UX Configuration \ToastOrSsoTrigger = 0x0 |
Removing the Assigned Group from How to Block Log Success Connections in Windows Defender Firewall
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete How to Delete Log Success Connections in Windows Defender Firewall
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Windows CSP Details
This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let “on” values win.
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the latest step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community and the WhatsApp channel to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair is a Workplace Technology solution architect with 25+ years of experience. Microsoft Certified Trainer. Microsoft MVP from 2015 onwards for consecutive 11+ years! He is a blogger, Speaker, and Founder of HTMD Community and HTMD Conference. His main focus is on Device Management technologies like Intune, Windows, and Cloud PC. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, and Microsoft Security.