RuleForge v2.0 and MDE Troubleshooting Mode: Mastering Windows Firewall and Defender for Endpoint + Video

Introduction:

For security administrators, managing Windows Firewall rules across an enterprise can be a tedious, error-prone process, while troubleshooting Microsoft Defender for Endpoint (MDE) often requires delicate maneuvering to avoid disabling critical protections. Nathan Hutchinson’s recent GitHub updates address both pain points directly: RuleForge v2.0 introduces a graphical interface to streamline the creation and migration of firewall rules to Intune, while a new MDE Troubleshooting Mode guide provides a surgical, step-by-step methodology for temporarily disabling Defender components during incident analysis without leaving the environment permanently exposed.

Learning Objectives:

  • Understand how to utilize RuleForge v2.0 to simplify Windows Firewall rule management and prepare policies for Intune deployment.
  • Learn the official, scripted process for entering and exiting MDE Troubleshooting Mode to isolate application or performance issues.
  • Gain practical experience with PowerShell commands for firewall rule manipulation and Defender service control.
  • Identify best practices for transitioning from legacy on-premises firewall policies to cloud-managed Microsoft Intune security baselines.

You Should Know:

1. RuleForge v2.0: Bridging the Gap Between Legacy Firewalls and Intune

Nathan Hutchinson has updated RuleForge to version 2.0, transitioning from a command-line tool to a Windows Presentation Foundation (WPF) GUI. This tool is designed for administrators who need to audit, create, or migrate large sets of Windows Firewall rules. The primary use case is exporting existing rules from a reference machine or building new rule sets graphically, with the ultimate goal of importing them into Microsoft Intune for modern management.

Step‑by‑step guide to using RuleForge v2.0:

  1. Download and Launch: Download the latest release from the RuleForge GitHub repository (https://lnkd.in/eK_rpT7m). Extract the files and run RuleForge.exe.
  2. Audit Existing Rules: Upon launch, the GUI will typically load the current Windows Firewall rules from the local machine. Review the list to identify redundant, deprecated, or overly permissive rules.
  3. Create a New Rule: Click the “New Rule” button (or equivalent). Define the rule properties:

    – Name: `Block_Outbound_SMB`
    – Direction: Outbound
    – Action: Block
    – Protocol: TCP
    – Local/Remote Port: 445
    – Profile: Domain, Private
  4. Export for Intune: Use the export function to save the rule set as a PowerShell script or a JSON configuration file. This file can then be used to create a custom Windows Firewall policy in Intune via the “Endpoint Security” blade.
  5. Manual Rule Deployment (if not using Intune): To apply a rule immediately to the local machine via PowerShell, you could use:

    # Outbound SMB connects to port 445 on the remote host, so the filter is on RemotePort, not LocalPort
    New-NetFirewallRule -DisplayName "Block_SMB_Outbound" -Direction Outbound -RemotePort 445 -Protocol TCP -Action Block -Profile Domain,Private
2. MDE Troubleshooting Mode: Surgical Isolation of Defender Components

The new MDE Troubleshooting Mode workflow on Hutchinson’s GitHub (https://lnkd.in/eZmX_RHH) provides administrators with a controlled method to disable specific Microsoft Defender for Endpoint features. This is crucial when a legacy application conflicts with Defender’s real-time protection or when you need to determine which component is causing a performance degradation.

Step‑by‑step guide to using MDE Troubleshooting Mode:

  1. Access the Scripts: Download the scripts from the provided GitHub link. Review the `README.md` for specific prerequisites (typically administrative rights and the latest MDE client version).
  2. Verify MDE Status: Before making changes, check the current status of Defender services. Open PowerShell as an Administrator and run:
    Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, BehaviorMonitorEnabled
    
  3. Initiate Troubleshooting Mode: Execute the provided script (e.g., Start-MDETroubleshooting.ps1). The script will likely prompt you to specify which component to disable:

    – Option 1: Disable Real-Time Protection.
    – Option 2: Disable Behavior Monitoring.
    – Option 3: Disable Cloud-Delivered Protection.
  4. Confirm Changes: After running the script, verify the changes:
    Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring, DisableBehaviorMonitoring
    
  5. Conduct Testing: With the specific protection disabled, run the problematic application or process. This isolation helps identify the root cause.
  6. Exit Troubleshooting Mode: Once testing is complete, re-enable all protections using the exit script (Exit-MDETroubleshooting.ps1). Afterwards, the signature database can be refreshed and a Windows Defender Offline scan started from PowerShell (note that Start-MpWDOScan restarts the machine into the offline scan environment):

    Update-MpSignature
    Start-MpWDOScan
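
The check a practitioner wants after step 6 is proof that nothing was left disabled. The script below is an added example, not one of the repository’s scripts: run it with `-Mode Capture` before step 3 to snapshot the Defender settings the troubleshooting options touch, then with `-Mode Compare` after the exit script to report any drift. The baseline file path is an assumption.

```powershell
# Added example, not one of the repository's scripts: snapshot the Defender
# settings Troubleshooting Mode touches before you start, then compare after the
# exit script has run so nothing stays disabled by accident. Path is an assumption.
param(
    [ValidateSet('Capture', 'Compare')][string]$Mode = 'Capture',
    [string]$BaselinePath = "$env:ProgramData\MDE-Baseline.json"
)

# Preferences the troubleshooting options map to, plus the live status flags
$watchedPrefs = @(
    'DisableRealtimeMonitoring'
    'DisableBehaviorMonitoring'
    'DisableIOAVProtection'
    'MAPSReporting'
    'CloudBlockLevel'
    'ExclusionPath'
    'ExclusionProcess'
)
$watchedStatus = @('RealTimeProtectionEnabled', 'BehaviorMonitorEnabled', 'AntivirusEnabled')

function Get-DefenderSnapshot {
    $pref = Get-MpPreference
    $status = Get-MpComputerStatus
    $snap = [ordered]@{}
    # Arrays (exclusions) are joined so every value compares as a plain string
    foreach ($p in $watchedPrefs)  { $snap[$p] = [string]($pref.$p -join ';') }
    foreach ($s in $watchedStatus) { $snap[$s] = [string]$status.$s }
    return $snap
}

$current = Get-DefenderSnapshot
if ($Mode -eq 'Capture') {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline saved to $BaselinePath"
    exit 0
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$drift = foreach ($key in $current.Keys) {
    if ([string]$baseline.$key -ne $current[$key]) {
        [pscustomobject]@{ Setting = $key; Baseline = $baseline.$key; Now = $current[$key] }
    }
}
if ($drift) {
    Write-Warning 'Settings differ from the baseline captured before troubleshooting:'
    $drift | Format-Table -AutoSize | Out-String | Write-Host
    exit 1
}
Write-Host 'All watched Defender settings match the baseline'
exit 0
```

A non-zero exit code makes the comparison easy to wire into a ticket or a scheduled check, so a troubleshooting session that was never properly exited becomes visible.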

3. Automating Firewall Rule Audits with PowerShell

While RuleForge provides a GUI, understanding the underlying PowerShell commands is essential for automation. Administrators can use these commands to generate reports or clean up rules before using a tool like RuleForge to migrate them.

Step‑by‑step guide for firewall auditing:

  1. List All Insecure Rules: Run PowerShell as Administrator to find rules that are too permissive (e.g., “Allow All” for an application).
    Get-NetFirewallRule -Direction Inbound -Action Allow | Where-Object { $_.Profile -ne "Domain" }
    
  2. Export Rules to CSV: For documentation or review before using RuleForge.
    Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled, Profile | Export-Csv -Path "C:\Temp\FirewallRules.csv" -NoTypeInformation
    
  3. Remove a Blocked Rule: If a test rule causes issues, remove it.
    Remove-NetFirewallRule -DisplayName "Block_SMB_Outbound"
    
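The one-liners above work on the rule object alone, but whether an inbound Allow rule is actually risky depends on its port, remote-address and program filters, which live in separate objects. The following audit script is an added example (not part of RuleForge) that joins those filters and reports enabled inbound Allow rules exposed on the Public profile to any remote address; the report path is an assumption.

```powershell
# Added example, not part of RuleForge: list enabled inbound Allow rules that are
# reachable on the Public profile from any remote address, together with the
# port and program each one opens. The report path is an assumption.
$reportPath = 'C:\Temp\RiskyInboundRules.csv'

$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -eq 'Any' -or $_.Profile -match 'Public' }

$findings = foreach ($rule in $rules) {
    # Port, address and program details are separate filter objects tied to the rule
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $app  = $rule | Get-NetFirewallApplicationFilter

    # Skip rules that already restrict which remote peers may connect
    if (@($addr.RemoteAddress) -notcontains 'Any') { continue }

    [pscustomobject]@{
        Name        = $rule.Name
        DisplayName = $rule.DisplayName
        Profile     = [string]$rule.Profile
        Protocol    = $port.Protocol
        LocalPort   = (@($port.LocalPort) -join ',')
        Program     = $app.Program
        Group       = $rule.DisplayGroup
    }
}

if ($findings) {
    $findings | Sort-Object Protocol, LocalPort | Format-Table -AutoSize | Out-String | Write-Host
    $findings | Export-Csv -Path $reportPath -NoTypeInformation
}
Write-Host "$(@($findings).Count) rule(s) written to $reportPath"
```

Review the CSV before feeding a rule set into RuleForge so that overly broad rules are tightened or dropped rather than migrated as-is into Intune.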

4. Managing MDE Preferences via PowerShell

Beyond the troubleshooting mode scripts, direct manipulation of MDE preferences is a valuable skill for security engineers who need to enforce or test configurations.

Step‑by‑step guide to modifying MDE preferences:

  1. Check Current Exclusions: Before adding exclusions, verify existing ones.
    Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
    
  2. Add a Temporary Exclusion: To test a potential false positive without fully disabling Defender (as per troubleshooting mode).
    Add-MpPreference -ExclusionPath "C:\TestApplication"
    
  3. Set Cloud Protection Level: Ensure the cloud-delivered protection level is set correctly.
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -CloudBlockLevel High
    

5. Integrating Rules into Intune via Custom Scripts

RuleForge v2.0’s ultimate goal is Intune migration. Once rules are generated, they must be deployed as a PowerShell script or a custom configuration profile in Intune.

Step‑by‑step guide to deploying a firewall rule via Intune:

  1. Prepare the Script: Take the PowerShell command generated or exported by RuleForge and save it as a `.ps1` file (e.g., Deploy-CustomFirewallRules.ps1).
  2. Sign In to Microsoft Endpoint Manager: Navigate to Apps > All Apps > Add > Windows app (Win32).
  3. Upload Script as Win32 App: Package the PowerShell script into an `.intunewin` file using the Microsoft Win32 Content Prep Tool. Upload the package.
  4. Set Installation Command: In the app configuration, set the install command to:

    powershell.exe -ExecutionPolicy Bypass -File "Deploy-CustomFirewallRules.ps1"

  5. Assign the App: Assign the application to the desired Azure AD device group. The script will run in the system context, adding the firewall rules.
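
Because Intune re-runs a Win32 app when its detection rule fails, the deployment script should be safe to execute more than once. The script below is an added example of what Deploy-CustomFirewallRules.ps1 can look like; it is not RuleForge’s exported output. Rules are declared as data, an existing rule with the same Name is updated rather than duplicated, and a marker file (path assumed) is written only on success so it can serve as the app’s detection rule.

```powershell
# Added example of a re-runnable Deploy-CustomFirewallRules.ps1; it is not
# RuleForge's exported output. Rules are kept as data so the same script can be
# run again safely: a rule with the same Name is updated rather than duplicated.
$rules = @(
    @{ Name = 'Block_SMB_Outbound'; Direction = 'Outbound'; Action = 'Block'
       Protocol = 'TCP'; RemotePort = 445; Profile = 'Domain,Private' }
)
# Marker file the Intune Win32 app detection rule can look for (path is an assumption)
$marker = "$env:ProgramData\CustomFirewallRules\v1.txt"
$failures = 0

foreach ($r in $rules) {
    try {
        $existing = Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue
        if ($existing) {
            # Enforce the desired state even if the rule was edited locally
            Set-NetFirewallRule -Name $r.Name -Direction $r.Direction -Action $r.Action `
                -Protocol $r.Protocol -RemotePort $r.RemotePort -Profile $r.Profile -Enabled True
            Write-Host "Updated $($r.Name)"
        }
        else {
            New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Direction $r.Direction `
                -Action $r.Action -Protocol $r.Protocol -RemotePort $r.RemotePort `
                -Profile $r.Profile -Enabled True | Out-Null
            Write-Host "Created $($r.Name)"
        }
    }
    catch {
        Write-Warning "Failed on $($r.Name): $($_.Exception.Message)"
        $failures++
    }
}

# Only write the detection marker when every rule is in place; Intune treats a
# non-zero exit code as a failed install and retries on the next check-in.
if ($failures -eq 0) {
    New-Item -Path (Split-Path $marker) -ItemType Directory -Force | Out-Null
    Set-Content -Path $marker -Value (Get-Date -Format o)
    exit 0
}
exit 1
```

Point the Win32 app’s detection rule at the marker file; bumping the file name (v2.txt) when the rule set changes forces the new version to deploy.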

What Undercode Say:

  • GUI vs. CLI Harmony: Nathan’s update to RuleForge v2.0 acknowledges that while security professionals love the power of the command line, operational teams often need a GUI for rapid adoption and auditing. The tool doesn’t replace knowledge of Get-NetFirewallRule, but it lowers the barrier to entry for complex firewall migrations to Intune.
  • Controlled Chaos in MDE: The MDE Troubleshooting Mode scripts are a perfect example of “secure troubleshooting.” By providing a methodical, scripted way to disable protections, Hutchinson prevents the common practice of admins simply turning Defender off entirely, which leaves a system vulnerable. This approach ensures that the “break glass” procedure is documented, reversible, and traceable.

Prediction:

As Microsoft pushes organizations toward Microsoft 365 E5 and unified security management in Intune, tools like RuleForge will become standard utilities in every security architect’s toolbox. The future of Windows security management lies in automation and cloud-driven policies. We predict that within the next 12 months, Microsoft will either acquire or natively integrate similar rule-conversion capabilities directly into the Intune console, making the migration from on-prem GPOs to cloud policies a seamless, one-click experience rather than a fragmented, script-heavy process. The demand for these bridging tools signals a full-scale migration of endpoint security to the cloud.

Reported By: Natehutchinson Windows – Hackers Feeds