Key Takeaways:
- Disabling Local IPsec Policy Merge on the Public profile keeps locally created connection security rules from weakening the centrally managed IPsec policy
- The setting is delivered through an Intune Settings Catalog firewall policy
- IPsec connection security rules define how traffic is authenticated and encrypted as it moves across the network
- Leave local merge enabled only where local administrators legitimately need their own connection security rules, such as developer or high-complexity environments
Let's discuss enforcing Local IPsec Policy Merging for global security using Intune. This setting controls whether IPsec (Internet Protocol Security) connection security rules created locally on a device are allowed to combine (merge) with the centrally managed rules pushed from Intune.
Enforcing Local IPsec Policy Merging for Global Security using Intune
This setting controls whether local administrators are allowed to create connection security rules that apply together with the connection security rules delivered by policy (Group Policy or MDM). Users with administrative privileges on the device might create local rules that weaken the IPsec policy and expose the system to remote attack, so the secure value is Disabled.
Example Scenario
For example, an employee connects to public Wi-Fi at a hotel. The organization has a policy that all traffic to the corporate file server must be authenticated and encrypted via IPsec. A local administrator on the laptop (or malware running with administrative rights) creates a local connection security rule that exempts or weakens that traffic. If Allow Local IPsec Policy Merge is Disabled on the Public profile, Windows Firewall ignores that dangerous local rule and keeps enforcing the Intune-delivered rule, so the data stays encrypted. This protects the company from data interception on a public network. Note that the setting is configured per firewall profile; the Public profile setting shown in this post covers the hotel Wi-Fi case, while the Domain and Private profiles have their own Allow Local Ipsec Policy Merge setting.
How to Start Policy Creation
You can quickly configure this policy in your organization. To start the policy creation, open the Microsoft Intune admin center. Then go to Devices > Configuration > + Create > + New Policy.

Profile Creation
Profile creation is the step where you choose the platform and profile type for the policy. Here I select the Windows 10 and later platform and the Settings catalog profile type. Then click on the Create button.

Basic Tab for Name and Description
Naming the policy is the first step and helps admins identify the policy later and know its purpose. Here Name is mandatory and Description is optional. After adding these, click on the Next button.

Configure Local IPsec Policy Merge
On the Configuration settings tab, click on the + Add settings link to open the Settings picker. The settings picker shows a huge number of settings, so here I browse by category. I choose Firewall > Enable Public Network Firewall and select Allow Local Ipsec Policy Merge.

Enable Local Ipsec Policy Merge
When enabled, the device enforces both the connection security rules defined by the admin through Intune and any rules created locally on the machine. By default, this setting is enabled (local merge allowed). Look at the below screenshot.

Disable Local Ipsec Policy Merge
When disabled, the firewall ignores any IPsec connection security rules present in the local store and enforces only the rules defined by your organization's policy. This is the recommended value for the Public profile; keep in mind that any local connection security rule an admin legitimately relies on will stop working on that profile. Look at the below screenshot.

Scope Tags
With scope tags, you restrict which Intune administrators can see and manage the Local Ipsec Policy Merge policy. It also helps to organise resources. Here, I skip this section because it is not mandatory. Click on the Next button.

Assignments Tab for Selecting Group
To assign the policy to specific groups, use the Assignments tab. Here I click + Add groups under Included groups, choose a group from the list, and click on the Select button. Then I click on the Next button to continue.

Review + Create Tab
Before completing the policy creation, review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create button. After creating the policy, you will get a success message.

Monitoring Status
The policy's monitoring page shows whether the policy has succeeded or not on each assigned device. To get the policy applied quickly, sync the assigned device from the Company Portal app. Then open the Intune admin center, go to Devices > Configuration and search for the policy. Here, the policy shows as Succeeded.
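Intune reporting tells you the policy was delivered, not what the firewall is actually doing. The following PowerShell, an added example that is not part of the original post or of Microsoft's documentation, runs in an elevated session on the client after it has synced. It serves both the "Disable Local Ipsec Policy Merge" section above and this monitoring step: it reads the effective per-profile value (the `AllowLocalIPsecRules` property of `Get-NetFirewallProfile` is the same switch the Intune setting controls) and lists the locally created connection security rules that are being ignored on profiles where merge is disabled. The rule name `LAB-local-merge-test` in the optional lab check is a throw-away name I chose for the example.

```powershell
# Added example (not from the original post). Run as Administrator on a managed Windows client.
# Reports, per firewall profile, whether locally created IPsec connection security rules are
# merged with policy, and which local-store rules are ignored when merge is disabled.

function Get-LocalIpsecMergeStatus {
    # ActiveStore is the effective (merged) policy the firewall service is enforcing.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore

    # PersistentStore holds rules created locally (wf.msc, netsh, New-NetIPsecRule),
    # i.e. exactly the rules that Allow Local Ipsec Policy Merge decides the fate of.
    $localRules = @(Get-NetIPsecRule -PolicyStore PersistentStore -ErrorAction SilentlyContinue)

    foreach ($p in $profiles) {
        # A local rule touches this profile if its Profile is 'Any' or lists the profile name.
        $applies = @($localRules | Where-Object {
            $_.Profile -eq 'Any' -or (($_.Profile.ToString() -split ',\s*') -contains $p.Name)
        })

        # AllowLocalIPsecRules is a GpoBoolean: True / False / NotConfigured.
        # False means the Intune setting "Allow Local Ipsec Policy Merge" is Disabled,
        # so every rule in $applies is present on disk but NOT enforced.
        $mergeDisabled = ($p.AllowLocalIPsecRules.ToString() -eq 'False')

        [pscustomobject]@{
            Profile              = $p.Name
            FirewallEnabled      = $p.Enabled
            AllowLocalIPsecRules = $p.AllowLocalIPsecRules
            LocalIpsecRuleCount  = $applies.Count
            IgnoredLocalRules    = if ($mergeDisabled) { $applies.DisplayName -join '; ' } else { '' }
        }
    }
}

Get-LocalIpsecMergeStatus | Format-Table -AutoSize

# Optional lab check: create a throw-away local connection security rule on the Public profile,
# confirm the audit lists it as ignored (when merge is disabled), then remove it.
New-NetIPsecRule -DisplayName 'LAB-local-merge-test' -Profile Public `
    -InboundSecurity Request -OutboundSecurity Request -PolicyStore PersistentStore | Out-Null
Get-LocalIpsecMergeStatus | Where-Object Profile -eq 'Public'
Remove-NetIPsecRule -DisplayName 'LAB-local-merge-test' -PolicyStore PersistentStore
```

If the Public row shows AllowLocalIPsecRules as True after the device has synced, the Intune policy has not reached the device yet, or another policy is overriding it. A local admin running `Set-NetFirewallProfile -Name Public -AllowLocalIPsecRules True` does not change the outcome while the Intune policy is applied, because, as the CSP merge law below states, the value from the policy store always wins.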

Removing the Assigned Group from Local Ipsec Policy Merging Settings
If you want to remove an assigned group from the policy, you can do it from the Intune admin center. Open the policy, edit the Assignments tab, and remove the group. Devices in that group will no longer receive the policy.
To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Delete Local Ipsec Policy Merging
You can easily delete the policy from the Intune admin center. From the Configuration section, select the policy and delete it. The configuration is removed from the assigned client devices at their next sync, and unless another policy sets it, the firewall setting falls back to its default of True (local merge allowed). Verify on a client afterwards if this policy was your only control.
For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Windows CSP Details
The Settings Catalog item maps to the Firewall CSP node ./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge (the DomainProfile and PrivateProfile nodes carry the same setting for the other profiles). This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore, so a value configured locally on the device never overrides the value delivered by policy.
| Value | Description |
|---|---|
| false | AllowLocalPolicyMerge Off. |
| true (Default) | AllowLocalPolicyMerge On. |

Author
Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His primary focus is on device management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.

