Let’s discuss How to Enable Enterprise IP Range Policy to Lock Down Windows 11 Corporate Apps using Intune. Enterprise IP Range setting within the Network Boundary policies for Windows Network Isolation. This setting is crucial for defining the trusted network perimeter of your organization on an endpoint device.
This policy defines This setting is crucial for defining the trusted network perimeter of your organization on an endpoint device. The main purpose of this policy is to explicitly tell the Windows operating system which IP addresses represent the secure, internal network of the organization.
The App access for this policy is only Windows Store (Universal Windows Platform – UWP) apps that have declared the “Home/Work Networking” capability in their manifest can access resources on these defined IP ranges. This is a security feature to restrict which applications can interact with the protected corporate network.
Organizations can configure this policy for different benefits. Admins can enable this policy for Improved Data protection. This policy ensures that only apps specifically authorized for “Home/Work Networking” can communicate with the internal corporate environment, which limits the attack surface.
Table of Contents
How to Enable Enterprise IP Range Policy to Lock Down Windows 11 Corporate Apps using Intune
Enterprise IP Range policy is applicable for different scenarios. Let me explain with an example. An admin configuring this policy in an enterprise for Protecting Data in a Hybrid Work Model. By configuring this policy, admins goal is to Ensure corporate data can only be accessed by corporate applications when the user is on the company network (or a trusted VPN).
- How to Manage Legacy Network Discovery in Windows using Intune Policy
- How to Continue Syncing on Metered Networks on OneDrive using Intune Policy
- How to Restrict OneDrive Sync Speed in a Fixed Rate via Intune Policy
How to Configure Policy from Intune Portal
By enabling this policy, admins have full control over Universal Windows Platform/UWP apps with the “Home/Work Networking” capability. They can ensure that, only approved, validated apps can communicate with sensitive servers, restricting lateral movement by potential threats.
- Sign in to Microsoft Intune admin center.
- Then go to Devices > Configuration > +Create >+ New Policy.
Profile Creation for Policy
The next step is Profile Creation for Policy that allows admins to choose specific platform and profile type. This is very essential to apply the policy to appropriate Platform and Profile Type. Here I would like to configure the policy to Windows 10 and later platform and settings catalog profile. Then click on the Create button.
Basics Tab for Beginning Policy
As per the heading, basic tab is the begging stage that helps you to add basic details like name and description for the policy. Here is Name is mandatory and description is optional. After adding this click on the Next button.
Configuration Settings for Selecting Settings
Next is the the configuration settings tab that helps you to access settings picker to select specific settings for policy creation. To get the Settings Picker, click on the +Add settings hyperlink. Here, I would like to select the settings by browsing by Category. I choose Network Isolation. Then, I choose Enterprise IP Range Policy settings.
Adding Value
If you enable this policy setting, it ensures that apps with the Home/Work Networking capability have appropriate access to your corporate network. These addresses are only accessible to apps if and only if the app has declared the Home/Work Networking capability.
- 3efe:1092::/96,18.1.1.1/10
Selecting Scope Tags
Scope Tags sections help you add restrictions to the visibility of the Policy. But it is not a mandatory step, so you can skip this step. Here, I don’t add scope tags for Enterprise IP Range Policy. Click on the Next button.
Selecting Group from the Assignment Tab
To assign the policy to specific groups, you can use the Assignment Tab. Here I click, +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.
Review + Create Tab
Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.
Monitoring Status
The Monitoring Status page shows whether the policy has succeeded or not. To quickly configure the policy and take advantage of the policy sync, the device on the Company Portal, Open the Intune Portal. Go to Devices > Configuration > Search for the Policy. Here, the policy shows as successful.
Event Viewer
It helps you check the client side and verify the policy status. Open the Client device and open the Event Viewer. Go to Start > Event Viewer. Navigate to Logs: In the left pane, go to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
Removing the Assigned Group from Enterprise IP Range Policy Settings
If you want to remove the Assigned group from the policy, it is possible from the Intune Portal. To do this, open the Policy on Intune Portal and edit the Assignments tab and the Remove Policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.
How to Delete Enterprise IP Range Policy
You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.
Windows CSP Details
Windows Network Isolation attempts to automatically discover private network hosts. By default, the addresses configured with this policy setting are merged with the hosts that are declared as private through automatic discovery. To ensure that these addresses are the only addresses ever classified as private, enable the “Subnet definitions are authoritative” policy setting.
./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRange
| Name | Value |
|---|---|
| Name | WF_NetIsolation_PrivateSubnet |
| Friendly Name | Private network ranges for apps |
| Element Name | Private subnets. |
| Location | Computer Configuration |
| Path | Network > Network Isolation |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation |
| ADMX File Name | NetworkIsolation.admx |
Need Further Assistance or Have Technical Questions?
Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, Join the WhatsApp Community to get the latest news on Microsoft Technologies. We are there on Reddit as well.
Author
Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Windows, Entra, Microsoft Security, Career, etc