Resolving Windows Firewall Pop-up Issues with VPN and Domain Settings

Asked By CuriousCoder42 On

I've been dealing with a strange issue on my Entra AP devices where users report getting a pop-up asking if they want to allow an app through the Windows Firewall. The catch is that the option to allow is greyed out and only the cancel option is available, which leads to the app being blocked. Recently, I discovered that this problem only occurs when the device is connected to the VPN with the domain firewall active. In my testing using Intune, I removed the network list TLS entries in my test policy, which allowed me to control app requests again, but that seems to defeat the purpose of having a programmable domain firewall. My Intune setup mimics my GPO setup for hybrid boxes pretty closely. I've tried various configurations like local merge rules, leaving settings unconfigured, and having a default firewall in place, but nothing sticks. Is there any workaround for this? Can a registry key be adjusted? It seems that none of the Intune firewall settings are making an impact.

1 Answer

Answered By TechSavvyEagle On

One clear fix would be to compile a list of the Firewall ports and rules that users need for the specific apps and set them up through your Intune GPOs. This way, all the necessary access is granted ahead of time.

CuriousCoder42 -

That could work, but I'm really aiming to simplify things for the end users. Plus, I'm baffled as to why enabling the trusted TLS option for the domain is causing the allow button to grey out. It's odd—some of the apps are internal, while others are well-known apps, and they all get blocked on the corporate network. The hybrid users seem fine, so the difference in how GPOs and Intune policies are processed seems to be the issue.
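One way to build the list of apps the answer above suggests pre-authorizing, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on an affected device while connected to the VPN, and it only reports the effective state; it changes no settings.

```powershell
# Added example: report the effective Domain profile settings and list listening
# programs that have no enabled inbound allow rule in the effective policy.

# Which profile each interface is on, and what the effective Domain profile enforces.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile -PolicyStore ActiveStore -Name Domain |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules, NotifyOnListen

# Enabled inbound allow rules that apply to the Domain profile (or to all profiles).
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile.ToString() -match 'Any|Domain' }

# Program paths those rules cover. Rules scoped to "Any" program (port-only rules)
# are skipped, so the report errs on the side of listing too many programs.
$allowedPrograms = $rules | Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -and $_.Program -ne 'Any' } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Program) } |
    Sort-Object -Unique

# Every non-loopback TCP listener and UDP endpoint with its owning process.
$listeners = @(
    Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess, @{ n = 'Protocol'; e = { 'TCP' } }
    Get-NetUDPEndpoint |
        Select-Object LocalAddress, LocalPort, OwningProcess, @{ n = 'Protocol'; e = { 'UDP' } }
) | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' }

# Listeners whose executable is not named in any matching allow rule.
$listeners | ForEach-Object {
    $path = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path
    if ($path -and $allowedPrograms -notcontains $path) {
        [pscustomobject]@{
            Program   = $path
            Protocol  = $_.Protocol
            LocalPort = $_.LocalPort
        }
    }
} | Sort-Object Program, Protocol, LocalPort -Unique | Format-Table -AutoSize
```

Programs in the final table are the candidates for rules deployed ahead of time through Intune, so users never reach the prompt for them.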
