This new year starts with short blog post about another nice configuration addition to Windows. Starting with the latest release of Windows 11, it’s now possible to make the Windows Firewall aware of the location of the device. That maybe sounds a bit more than what it actually is. The idea is that it enables Windows to check if it’s on a domain connected network, based on the accessibility of one or more URLs. When one of the URLs is available, Windows will switch the Windows Firewall profile to domain. When none of the URLs are available, Windows will work how it always worked and in general simply rely on the public profile. That behavior enables IT administrators to configure specific firewall exclusions, only when domain connected. Something that can be useful for specific apps that still have an on-premises presence. This post will start with a short introduction about the new settings that are available for this configuration, followed with the steps to actually configure those settings. This post will end with showing the behavior after applying the configuration.
Note: With the latest December updates to Windows 10 and Windows 11, this functionality should be available for all versions of Windows. This functionality does require the Enterprise edition of Windows.
Introducing the Network List Manager configuration options
The intelligence to make the Windows Firewall aware of the location of the device is available within the NetworkListManager node in the Policy CSP. That node contains the settings to configure URLs of TLS authentication endpoints. When Windows can resolve those URLs over HTTPS, the network will be considered as authenticated. That will make sure that the Windows Firewall profile will switch to the domain profile. The table below provides an overview of the new settings in the Policy CSP and how those settings should be used. The root node for all the mentioned settings is ./Device/Vendor/MSFT/Policy/Config/NetworkListManager/.
Setting
Description
AllowedTlsAuthenticationEndpoints
Value: A string with one or more TLS endpoints.
This policy setting controls the list of URLs to endpoints that are only accessible within the corporate network. Multiple URLs can be separated by using the unicode character 0xF000. When any of the URLs can be resolved over HTTPS, the network will be considered authenticated.
ConfiguredTLSAuthenticationNetworkName
Value: A string with a name.
This policy setting controls the string that is to be used to name the authenticated network. That network is authenticated against one of the endpoints that are listed in AllowedTlsAuthenticationEndpoints setting.
When looking at a bit more details about the TLS authentication endpoint, there are a few important things to keep in mind. The endpoint must not have any authentication checks (no login, or MFA), the endpoint must be an internal address (not accessible outside the corporate network), the client device must trust the server certificate (trusted root certificate), and the certificate shouldn’t be a public certificate.
Note: When the network name setting is used for the trusted network detection in an Always On VPN profile, the name must be the DNS suffix that is configured in the TrustedNetworkDetection attribute.
Configuring the Network List Manager configuration options
When looking at the actual configuration of these new settings in the Policy CSP, and using Microsoft Intune for the configuration, the configuration is actually pretty straight forward. In the future it will probably even become easier. For now, the configuration will still rely on using a custom device configuration profile. The following nine steps walk through the creation of that custom device configuration profile, with the settings to configure the TLS authentication endpoints. That endpoint should only be available within the corporate network, and the certificate should be trusted by the client.
Data type (3): Select String as data type for the configuration of the value of the setting
Value (4): Specify Intern as value to set a name for the internal authenticated network
Figure 1: Overview of the configuration settings
Note: Make sure to adjust the URL to a TLS authentication endpoint that exists on your corporate network.
On the Scope tags page, configure the required scope tags click Next
On the Assignments page, configure the required assignment and click Next
On the Applicability rules page, configure the required applicability rules and click Next
On the Review + create page, verify the configuration and click Create
Note: At some point in time these settings might become directly available within Microsoft Intune.
Experiencing the Windows Firewall profile switch
Once the configuration is applied, it’s actually quite simple to experience the behavior of the Windows Firewall switching the active profile. Simply get a Windows device, turn it on, and connect it to the corporate network. Below in Figure 2 is an overview of a Windows device that can check the availability of the specified URL (see Name and NetworkCategory), and switched the active profile of the Windows Firewall to Domain network.
Figure 2: Overview of the user experience
Note: For the expected behavior it’s important that the certificate used on the TLS authentication endpoint is trusted on the Windows device. That can be achieved by distributing the root certificate, by using Microsoft Intune.
This new year starts with short blog post about another nice configuration addition to Windows. Starting with the latest release of Windows 11, it’s now possible to make the Windows Firewall aware of the location of the device. That maybe sounds a bit more than what it actually is. The idea is that it enables Windows to check if it’s on a domain connected network, based on the accessibility of one or more URLs. When one of the URLs is available, Windows will switch the Windows Firewall profile to domain. When none of the URLs are available, Windows will work how it always worked and in general simply rely on the public profile. That behavior enables IT administrators to configure specific firewall exclusions, only when domain connected. Something that can be useful for specific apps that still have an on-premises presence. This post will start with a short introduction about the new settings that are available for this configuration, followed with the steps to actually configure those settings. This post will end with showing the behavior after applying the configuration.
Note: With the latest December updates to Windows 10 and Windows 11, this functionality should be available for all versions of Windows. This functionality does require the Enterprise edition of Windows.
Introducing the Network List Manager configuration options
The intelligence to make the Windows Firewall aware of the location of the device is available within the NetworkListManager node in the Policy CSP. That node contains the settings to configure URLs of TLS authentication endpoints. When Windows can resolve those URLs over HTTPS, the network will be considered as authenticated. That will make sure that the Windows Firewall profile will switch to the domain profile. The table below provides an overview of the new settings in the Policy CSP and how those settings should be used. The root node for all the mentioned settings is ./Device/Vendor/MSFT/Policy/Config/NetworkListManager/.
Setting
Description
AllowedTlsAuthenticationEndpoints
Value: A string with one or more TLS endpoints.
This policy setting controls the list of URLs to endpoints that are only accessible within the corporate network. Multiple URLs can be separated by using the unicode character 0xF000. When any of the URLs can be resolved over HTTPS, the network will be considered authenticated.
ConfiguredTLSAuthenticationNetworkName
Value: A string with a name.
This policy setting controls the string that is to be used to name the authenticated network. That network is authenticated against one of the endpoints that are listed in AllowedTlsAuthenticationEndpoints setting.
When looking at a bit more details about the TLS authentication endpoint, there are a few important things to keep in mind. The endpoint must not have any authentication checks (no login, or MFA), the endpoint must be an internal address (not accessible outside the corporate network), the client device must trust the server certificate (trusted root certificate), and the certificate shouldn’t be a public certificate.
Note: When the network name setting is used for the trusted network detection in an Always On VPN profile, the name must be the DNS suffix that is configured in the TrustedNetworkDetection attribute.
Configuring the Network List Manager configuration options
When looking at the actual configuration of these new settings in the Policy CSP, and using Microsoft Intune for the configuration, the configuration is actually pretty straight forward. In the future it will probably even become easier. For now, the configuration will still rely on using a custom device configuration profile. The following nine steps walk through the creation of that custom device configuration profile, with the settings to configure the TLS authentication endpoints. That endpoint should only be available within the corporate network, and the certificate should be trusted by the client.
Data type (3): Select String as data type for the configuration of the value of the setting
Value (4): Specify Intern as value to set a name for the internal authenticated network
Figure 1: Overview of the configuration settings
Note: Make sure to adjust the URL to a TLS authentication endpoint that exists on your corporate network.
On the Scope tags page, configure the required scope tags click Next
On the Assignments page, configure the required assignment and click Next
On the Applicability rules page, configure the required applicability rules and click Next
On the Review + create page, verify the configuration and click Create
Note: At some point in time these settings might become directly available within Microsoft Intune.
Experiencing the Windows Firewall profile switch
Once the configuration is applied, it’s actually quite simple to experience the behavior of the Windows Firewall switching the active profile. Simply get a Windows device, turn it on, and connect it to the corporate network. Below in Figure 2 is an overview of a Windows device that can check the availability of the specified URL (see Name and NetworkCategory), and switched the active profile of the Windows Firewall to Domain network.
Figure 2: Overview of the user experience
Note: For the expected behavior it’s important that the certificate used on the TLS authentication endpoint is trusted on the Windows device. That can be achieved by distributing the root certificate, by using Microsoft Intune.
x
Cookie-Zustimmung verwalten
Unser Webseiten Template mit den darin inkludierten Plugins verwendet Cookies. Sie stimmen der Nutzung von Cookies und unseren Datenschutzbestimmungen zu.
Funktional
Immer aktiv
Die technische Speicherung oder der Zugang ist unbedingt erforderlich für den rechtmäßigen Zweck, die Nutzung eines bestimmten Dienstes zu ermöglichen, der vom Teilnehmer oder Nutzer ausdrücklich gewünscht wird, oder für den alleinigen Zweck, die Übertragung einer Nachricht über ein elektronisches Kommunikationsnetz durchzuführen.
Vorlieben
Die technische Speicherung oder der Zugriff ist für den rechtmäßigen Zweck der Speicherung von Präferenzen erforderlich, die nicht vom Abonnenten oder Benutzer angefordert wurden.
Statistiken
Die technische Speicherung oder der Zugriff, der ausschließlich zu statistischen Zwecken erfolgt.Die technische Speicherung oder der Zugriff, der ausschließlich zu anonymen statistischen Zwecken verwendet wird. Ohne eine Vorladung, die freiwillige Zustimmung deines Internetdienstanbieters oder zusätzliche Aufzeichnungen von Dritten können die zu diesem Zweck gespeicherten oder abgerufenen Informationen allein in der Regel nicht dazu verwendet werden, dich zu identifizieren.
Marketing
Die technische Speicherung oder der Zugriff ist erforderlich, um Nutzerprofile zu erstellen, um Werbung zu versenden oder um den Nutzer auf einer Website oder über mehrere Websites hinweg zu ähnlichen Marketingzwecken zu verfolgen.
