iphase.dk Michael Mardahl, MVP
Managing Microsoft Teams Firewall requirements with Intune
>> The Problem
With over 44 million active users, Microsoft Teams creates a familiar headache: the annoying "Windows Security Alert" from Windows Firewall every time users try to share their screen.
The Teams executable requires an inbound Firewall rule when it detects users on the same domain network. Teams tries to create the rules automatically, but doing so requires admin permissions. Dismissing the prompt actually creates two BLOCKING Firewall rules for Teams.exe.
The complication: Teams.exe is usually installed PER-USER in the user's APPDATA folder (%localappdata%\Microsoft\Teams\current\Teams.exe), making it impossible to create a single rule via the built-in Firewall CSP.
>> The Script Solution
The official Microsoft script is simple but not intelligent. The improved script is specifically designed for Intune:
FETCH IT FROM GITHUB: Update-TeamsFWRules.ps1 (https://github.com/mardahl/MyScripts-iphase.dk/blob/master/Update-TeamsFWRules.ps1)
Improvements over the Microsoft script:
* Designed for Intune PowerShell script deployment assigned to user groups
* Runs once per user and detects who is signed in
* Cleans up existing blocking rules created by dismissed firewall prompts
>> Configuring the PowerShell script in Intune
Navigate to https://endpoint.microsoft.com:
1. Go to DEVICES > WINDOWS > POWERSHELL SCRIPTS
2. Click ADD
3. Name it "Teams firewall prompt fix"
4. Upload the script. LEAVE SCRIPT SETTINGS AS-IS (runs in system context, NOT user context)
5. Assign to a GROUP OF USERS (not devices)
6. Review and click ADD
>> Troubleshooting
The script generates log files:
* System log: %windir%\Temp\log_Update-TeamsFWRules.txt
* User log: %localappdata%\Temp\log_Update-TeamsFWRules.txt
Key reminders:
* Assign to a group of USERS not devices
* DON'T run in the user's own context
* Intune Management Extension is required for PowerShell script execution
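To confirm the result on a device, the following read-only audit (an added example, not part of Update-TeamsFWRules.ps1 or the Microsoft script) walks each user profile, looks for the per-user Teams.exe path given above, and reports which inbound rules target it. It assumes profiles live under C:\Users and that rules store the full literal program path; the Status labels are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of inbound firewall rules for per-user Teams.exe.
# It changes nothing; it only reports what is currently in the local rule store.

# Assumption: user profiles live under the default profile root.
$profileRoot = Join-Path $env:SystemDrive 'Users'

# Read all application filters once, then match them per profile.
$appFilters = Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue

$report = foreach ($userDir in Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue) {
    # Per-user install path: %localappdata%\Microsoft\Teams\current\Teams.exe
    $teamsExe = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Teams\current\Teams.exe'
    if (-not (Test-Path -LiteralPath $teamsExe)) { continue }

    # Enabled inbound rules whose program filter points at this user's Teams.exe
    # (-eq on strings is case-insensitive in PowerShell).
    $rules = @($appFilters |
        Where-Object { $_.Program -eq $teamsExe } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' })

    $block = @($rules | Where-Object { $_.Action -eq 'Block' })
    $allow = @($rules | Where-Object { $_.Action -eq 'Allow' })

    # A dismissed prompt leaves Block rules behind; no rule at all means the
    # user will still get the Windows Security Alert.
    $status = if ($block.Count -gt 0) { 'BlockedByRule' }
              elseif ($allow.Count -gt 0) { 'Allowed' }
              else { 'NoRule' }

    [pscustomobject]@{
        User       = $userDir.Name
        Program    = $teamsExe
        AllowRules = $allow.Count
        BlockRules = $block.Count
        Status     = $status
        BlockNames = ($block.DisplayName -join '; ')
    }
}

$report | Sort-Object Status, User | Format-Table -AutoSize -Wrap
```

Block rules take precedence over allow rules in Windows Firewall, so a profile reported as BlockedByRule stays blocked even when an allow rule also exists; compare the output with the two log files listed above.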
>> Conclusion
We now have a simple way of deploying Firewall rules that target programs installed in user profiles. This approach can be adapted for other per-user applications in the future.