One of the configuration options for Windows Firewall is called Local Policy Merge. The same option exists in other settings as well; for example, it appears in several places within Microsoft Defender. It is generally recommended to disable Local Policy Merge, because with it enabled the local configuration is applied in addition to the centrally defined rules, which is usually undesirable.

How to disable Local Policy Merge on Windows via Microsoft Intune

Disabling Local Policy Merge for Windows Firewall is possible through Microsoft Intune. Go to Microsoft Intune Admin Center – Endpoint Security – Firewall and create a new policy. Select Windows 10, Windows 11, and Windows Server as the Platform and select Windows Firewall as the Profile.

Name the new profile however you like on the first page.

On the next page, the actual Windows Firewall configuration is created. To disable Local Policy Merge, you need to configure it separately for each firewall profile (Domain / Private / Public) where you want it disabled. We demonstrate this with the Domain Network Firewall section; the remaining firewall profiles are configured in the same way.

With that setting applied, Local Policy Merge is disabled for the domain profile of Windows Firewall.

Watch out for the side effect

With Windows Firewall, you need to be well aware of the consequences. Windows Firewall ships with a number of built-in default rules, and once Local Policy Merge is disabled these rules are no longer applied, so a lot of things may stop working.

If you have a normal configuration that allows all outgoing and blocks all incoming traffic, nothing is likely to happen at first sight. But over time you may find that something doesn't work. It can be something as elementary as the device no longer responding to an ICMP echo request (ping), which it does by default, or wireless screen sharing not working properly, and so on.

Most likely, it will also break IPv6 completely. Router Advertisements (RAs), which are normally required for IPv6 to function, will no longer work; in fact, the device will ignore them. Since the RAs are ignored, domain name resolution over IPv6 can stop working and, as a result, the computer drops its IPv6 default gateway configuration after a few minutes.

Disabling Local Policy Merge on Windows Firewall will break IPv6 functionality unless you manually create the necessary inbound rules.

Also keep in mind that you will still see the default rules in the firewall settings. These rules do not disappear; they just no longer apply. If you want to see the rules that are actually active and applied, open Monitoring – Firewall in Windows Defender Firewall with Advanced Security on the computer. The list will probably be empty unless you have created some rules in Microsoft Intune.
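To check the effective state of all of this from the device itself (the merge setting per profile, the rules that are actually applied as shown under Monitoring – Firewall, and whether the inbound ICMPv6 messages IPv6 depends on are still allowed), here is an added PowerShell audit script; it is not from the original post. It uses the standard NetSecurity module cmdlets; the list of ICMPv6 types it checks is my selection.

```powershell
# Added example (not from the original post): audit the effective Windows Firewall state
# after disabling Local Policy Merge and report which of the inbound ICMPv6 messages that
# IPv6 depends on are still allowed. Run in an elevated PowerShell session on the device.

# 1. Effective per-profile settings. AllowLocalFirewallRules = False means Local Policy
#    Merge is disabled for that profile, so locally defined rules (including the built-in
#    defaults) are ignored and only centrally deployed rules apply.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowLocalFirewallRules, AllowLocalIPsecRules |
    Format-Table -AutoSize

# 2. Rules that are actually applied: the same list the GUI shows under Monitoring - Firewall.
$active = Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object { $_.Enabled -eq 'True' }
Write-Host "Active rules: $($active.Count)"

# 3. ICMPv6 message types IPv6 needs inbound (Neighbor Discovery, RFC 4861) plus ping.
$needed = [ordered]@{
    128 = 'Echo Request (ping)'
    134 = 'Router Advertisement (default gateway, SLAAC, RDNSS)'
    135 = 'Neighbor Solicitation'
    136 = 'Neighbor Advertisement'
}

# Collect the ICMPv6 types permitted by active inbound allow rules ("134:*", "134" or "Any").
$allowedTypes = foreach ($rule in $active) {
    if ($rule.Direction -ne 'Inbound' -or $rule.Action -ne 'Allow') { continue }
    $filter = $rule | Get-NetFirewallPortFilter
    if ($filter.Protocol -eq 'ICMPv6') {
        foreach ($t in @($filter.IcmpType)) { ($t -split ':')[0] }
    }
}

foreach ($type in $needed.Keys) {
    $ok = ($allowedTypes -contains 'Any') -or ($allowedTypes -contains "$type")
    $state = if ($ok) { 'allowed' } else { 'BLOCKED' }
    Write-Host ("ICMPv6 type {0,3} {1,-55} {2}" -f $type, $needed[$type], $state)
}
# Anything reported as BLOCKED must be allowed by a rule deployed centrally (e.g. from
# Intune); a rule created locally with New-NetFirewallRule is ignored once merge is off.
```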

You can find a detailed video showing all the settings with spoken commentary describing each configuration option in detail on my Patreon. By subscribing you also support my work. Thank you!