Forum Discussion
Windows Defender Firewall occasionally becoming enabled despite group policy disabling it
Hello,
I have some workstations which will occasionally enable the Windows Defender Firewall despite having group policy disable it.
This is happening both on Windows 10 1803 and Windows 10 1909.
Here's some settings from one workstation in particular that I'm troubleshooting in detail this morning:
The group policy is taking effect in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - EnableFirewall = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile - EnableFirewall = 0
And I can see the policy in a gpresult:
(copy/pasted from a gpresult /h html file)
Windows Defender Firewall: Protect all network connections Disabled
So as you can see, the firewall is definitely configured to be Disabled.
Most of the time, the firewall is indeed disabled and things like RDP work just fine. However sometimes the firewall becomes enabled and the user can't RDP to their PC. I'm guessing when the PC boots up it sometimes ignores the registry setting and the firewall becomes enabled anyways.
I've verified that the firewall is running and active/enabled by two different methods:
First, a powershell command "Get-NetFirewallProfile -PolicyStore ActiveStore" reports for each of the profiles Domain, Private and Public, that the property "Enabled" is "True".
Second, I enabled firewall logging on a workstation using a remote command:
netsh advfirewall set allprofiles logging droppedconnections enable
Then I checked the log and found my dropped RDP packets to TCP port 3389:
Get-Content '\\pcname\c$\windows\system32\LogFiles\Firewall\pfirewall.log'
2020-11-12 <time> DROP TCP <source IP> <destination IP> <source port> 3389 52 S 2774183116 0 64240 - - - RECEIVE
If the firewall was disabled as intended then it would not be dropping any packets, contrary to what's shown above.
When I reboot the PC, it will act normally and disable the firewall... for a while. The user will report it again in a number of days.
This is happening on numerous PCs in the domain and intermittently prevents users from working remotely until someone onsite locates and reboots their workstation.
Does anyone have any ideas why the Windows Defender Firewall becomes enabled/active despite group policy being configured to disable it? Is it a bug in the firewall code, resulting in it occasionally ignoring the group policy setting?
Thanks!
- ittechCopper Contributor
I found some potentially interesting information using the "Get-NetFirewallProfile -PolicyStore <store>" powershell cmdlet. On a system where the firewall is active, the ActiveStore's Enabled property is true and on a system where the firewall is inactive, the ActiveStore's Enabled property is false. This store gets its settings from multiple other stores which I will list the results of here:
Computer With Firewall Enabled:
Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore * Enabled: True
Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore * Enabled: True
Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP * Enabled: False
Get-NetFirewallProfile -Profile Domain -PolicyStore localhost * Enabled: False
Computer With Firewall Disabled:
Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore * Enabled: False
Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore * Enabled: True
Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP * Enabled: False
Get-NetFirewallProfile -Profile Domain -PolicyStore localhost * Enabled: False
So that shows the group policy's RSOP is evaluating that Enabled setting to be False in both cases. The PersistentStore having the Enabled setting being True in both cases seems to indicate that a local setting or program is trying to set the firewall to enabled. In the first case with the firewall enabled, the PersistentStore seems to be taking precedence over the RSOP (GPO) setting, but in the second case with the firewall disabled it is not taking precedence.
I looked for a log file or event log entries to explain why this would behave differently but I came up empty.
- m43ttuCopper Contributor
Hey,
I have been troubleshooting this exact issue for a while! The problem is the following setting which is part of the recommended configurations in the CIS benchmark for Windows Server.
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Automated)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
Registry processing takes too long and the MpsSvc starts with the settings in the PersistentStore.
6335 [6] 0834.0DB4::10/18/22-17:41:25.7185403 [lib] fw_gp_cpp68 ReadGPDllNameFromReg() - String value GPExtensionDLL was not found
6336 [6] 0834.0DB4::10/18/22-17:41:25.7185422 [lib] fw_gp_cpp69 ReadGPDllNameFromReg() - Error 0x80070002(ERROR_FILE_NOT_FOUND) generated because
6337 [0] 0834.0DB4::10/18/22-17:41:25.7204562 [lib] fw_gp_cpp99 LoadGPExtensionDll() - Couldn't read extension dll name from registry. Using wfapigp.dll instead.
17:41:36.9470338 svchost.exe 2000 2596 RegDeleteValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS
17:41:44.6079838 svchost.exe 2100 3508 RegQueryValue HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
38724 [3] 0834.0DB4::10/18/22-17:41:44.6986418 [windows] dllmain_cpp1227 FwGPLockInternal() - FwGPLockInternal: EnterCriticalPolicySectionExStub returned 0000000000000000
38725 [3] 0834.0DB4::10/18/22-17:41:44.6986465 [lh] fw_prof_mgr_c2023 FwProfileMgrUpdateCachedPolicy() - Acquiring the GP Lock Failed... GP will not be pushed, until next GP notification (soon to come)
38726 [3] 0834.0DB4::10/18/22-17:41:44.6986473 [lh] fw_prof_mgr_c2027 FwProfileMgrUpdateCachedPolicy() - updateGroupStore=0
...98963 [1]0834.0DB4::10/18/22-17:41:47.2591521 [Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose ] The following settings were applied to the Windows Defender Firewall at startup
98964
98965 Current Profile: Public
98966 IPsec SA Idle time: 300
98967 IPsec preshared key encoding: UTF8
98968 IPsec Exempt: 9
98969 IPsec CRL Check: Disabled
98970 IPsec Through NAT: Never
98971 Policy Version Supported: 0x21D
98972 Policy Version: 0x21D
98973 Binary Version Supported: 0x21D
98974 Stateful FTP: Disabled
98975 Group Policy Applied: No
98976 Remote Machine Authorization List:
98977 Remote UserAuthorization List:17:41:47.3904028 svchost.exe 2100 3508 Thread Exit SUCCESS Thread ID: 3508, User Time: 0.5312500, Kernel Time: 3.7968750
17:41:49.3611214 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
17:41:50.0146870 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 0My quick and dirty solution until Microsoft fixes this is just invoking the following on all servers...
Invoke-Command -ComputerName $s {Set-NetFirewallProfile -Profile Domain -Enabled False}