Forum Discussion

ittech
Copper Contributor
Nov 12, 2020

Windows Defender Firewall occasionally becoming enabled despite group policy disabling it

Hello,

 

I have some workstations which will occasionally enable the Windows Defender Firewall despite having group policy disable it.

 

This is happening both on Windows 10 1803 and Windows 10 1909.

 

Here are some settings from one workstation in particular that I'm troubleshooting in detail this morning:

 

The group policy is taking effect in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - EnableFirewall = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile - EnableFirewall = 0

 

And I can see the policy in a gpresult:

(copy/pasted from a gpresult /h html file)

Windows Defender Firewall: Protect all network connections          Disabled

 

So as you can see, the firewall is definitely configured to be Disabled.

 

Most of the time, the firewall is indeed disabled and things like RDP work just fine. However sometimes the firewall becomes enabled and the user can't RDP to their PC. I'm guessing when the PC boots up it sometimes ignores the registry setting and the firewall becomes enabled anyways.

 

I've verified that the firewall is running and active/enabled by two different methods:

 

First, a powershell command "Get-NetFirewallProfile -PolicyStore ActiveStore" reports for each of the profiles Domain, Private and Public, that the property "Enabled" is "True".

 

Second, I enabled firewall logging on a workstation using a remote command:

netsh advfirewall set allprofiles logging droppedconnections enable

 

Then I checked the log and found my dropped RDP packets to TCP port 3389:

Get-Content '\\pcname\c$\windows\system32\LogFiles\Firewall\pfirewall.log'

2020-11-12 <time> DROP TCP <source IP> <destination IP> <source port> 3389 52 S 2774183116 0 64240 - - - RECEIVE

 

If the firewall was disabled as intended then it would not be dropping any packets, contrary to what's shown above.

 

When I reboot the PC, it will act normally and disable the firewall... for a while. The user will report it again in a number of days.

 

This is happening on numerous PCs in the domain and intermittently prevents users from working remotely until someone onsite locates and reboots their workstation.

 

Does anyone have any ideas why the Windows Defender Firewall becomes enabled/active despite group policy being configured to disable it? Is it a bug in the firewall code, resulting in it occasionally ignoring the group policy setting?

 

Thanks!

 

  • ittech
    Copper Contributor

    I found some potentially interesting information using the "Get-NetFirewallProfile -PolicyStore <store>" powershell cmdlet. On a system where the firewall is active, the ActiveStore's Enabled property is true and on a system where the firewall is inactive, the ActiveStore's Enabled property is false. This store gets its settings from multiple other stores which I will list the results of here:

     

    Computer With Firewall Enabled:

    Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore   * Enabled: True

    Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore   * Enabled: True

    Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP   * Enabled: False

    Get-NetFirewallProfile -Profile Domain -PolicyStore localhost    * Enabled: False

     

    Computer With Firewall Disabled:

    Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore   * Enabled: False

    Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore   * Enabled: True

    Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP   * Enabled: False

    Get-NetFirewallProfile -Profile Domain -PolicyStore localhost    * Enabled: False

     

    So that shows the group policy's RSOP is evaluating that Enabled setting to be False in both cases. The PersistentStore having the Enabled setting being True in both cases seems to indicate that a local setting or program is trying to set the firewall to enabled. In the first case with the firewall enabled, the PersistentStore seems to be taking precedence over the RSOP (GPO) setting, but in the second case with the firewall disabled it is not taking precedence.

     

    I looked for a log file or event log entries to explain why this would behave differently but I came up empty.

    • m43ttu
      Copper Contributor

      ittech 

      Hey,

      I have been troubleshooting this exact issue for a while! The problem is the following setting which is part of the recommended configurations in the CIS benchmark for Windows Server.

       

      18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Automated)

      HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy

       

      Registry processing takes too long and the MpsSvc starts with the settings in the PersistentStore.

       

      6335 [6] 0834.0DB4::10/18/22-17:41:25.7185403 [lib] fw_gp_cpp68 ReadGPDllNameFromReg() - String value GPExtensionDLL was not found
      6336 [6] 0834.0DB4::10/18/22-17:41:25.7185422 [lib] fw_gp_cpp69 ReadGPDllNameFromReg() - Error 0x80070002(ERROR_FILE_NOT_FOUND) generated because
      6337 [0] 0834.0DB4::10/18/22-17:41:25.7204562 [lib] fw_gp_cpp99 LoadGPExtensionDll() - Couldn't read extension dll name from registry. Using wfapigp.dll instead.

      17:41:36.9470338 svchost.exe 2000 2596 RegDeleteValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS
      17:41:44.6079838 svchost.exe 2100 3508 RegQueryValue HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1

      38724 [3] 0834.0DB4::10/18/22-17:41:44.6986418 [windows] dllmain_cpp1227 FwGPLockInternal() - FwGPLockInternal: EnterCriticalPolicySectionExStub returned 0000000000000000
      38725 [3] 0834.0DB4::10/18/22-17:41:44.6986465 [lh] fw_prof_mgr_c2023 FwProfileMgrUpdateCachedPolicy() - Acquiring the GP Lock Failed... GP will not be pushed, until next GP notification (soon to come)
      38726 [3] 0834.0DB4::10/18/22-17:41:44.6986473 [lh] fw_prof_mgr_c2027 FwProfileMgrUpdateCachedPolicy() - updateGroupStore=0
      ...

      98963 [1]0834.0DB4::10/18/22-17:41:47.2591521 [Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose ] The following settings were applied to the Windows Defender Firewall at startup
      98964
      98965     Current Profile:    Public
      98966     IPsec SA Idle time:    300
      98967     IPsec preshared key encoding:    UTF8
      98968     IPsec Exempt:    9
      98969     IPsec CRL Check:    Disabled
      98970     IPsec Through NAT:    Never
      98971     Policy Version Supported:    0x21D
      98972     Policy Version:    0x21D
      98973     Binary Version Supported:    0x21D
      98974     Stateful FTP:    Disabled
      98975     Group Policy Applied:    No
      98976     Remote Machine Authorization List:
      98977     Remote UserAuthorization List:

      17:41:47.3904028 svchost.exe 2100 3508 Thread Exit  SUCCESS Thread ID: 3508, User Time: 0.5312500, Kernel Time: 3.7968750

      17:41:49.3611214 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
      17:41:50.0146870 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 0

       

       

      My quick and dirty solution until Microsoft fixes this is just invoking the following on all servers...

       

      Invoke-Command -ComputerName $s {Set-NetFirewallProfile -Profile Domain -Enabled False}
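The store comparison ittech posted above (ActiveStore vs. PersistentStore vs. RSOP) and the NoBackgroundPolicy finding in m43ttu's reply can be combined into one fleet-wide check. The script below is an added example, not code from either poster or from Microsoft: it reports, per host and per profile, what group policy resolves to (RSOP and the policy registry value), what the firewall service is actually enforcing (ActiveStore), and whether the CIS "NoBackgroundPolicy" value is present, so drifted hosts can be found before users report failed RDP. It assumes WinRM is reachable, that the caller has local admin rights on the targets, and that a forced `gpupdate` is an acceptable way to trigger the GP notification the trace says the firewall waits for; the `-Remediate` switch and the `Get-FirewallPolicyDrift` name are this example's own.

```powershell
# Added example (not from the thread). Reports drift between the group-policy-intended
# firewall state and the state the firewall service is actually enforcing.
function Get-FirewallPolicyDrift {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $Remediate   # assumption: re-apply computer policy on drifted hosts
    )

    $check = {
        param([bool] $DoRemediate)

        # CIS 18.8.21.2 value named in the thread; 1 means registry policy is skipped
        # during background refresh, which is what m43ttu tied to the symptom.
        $gpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
        $noBg  = (Get-ItemProperty -Path $gpKey -Name NoBackgroundPolicy -ErrorAction SilentlyContinue).NoBackgroundPolicy

        # Profile name -> registry key name under the WindowsFirewall policy key.
        # (Private is stored as StandardProfile, as in the OP's gpresult.)
        $regNames = @{ Domain = 'DomainProfile'; Private = 'StandardProfile'; Public = 'PublicProfile' }

        $rows = foreach ($profile in 'Domain', 'Private', 'Public') {
            $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$($regNames[$profile])"
            # 0 = GPO disables the firewall, 1 = GPO enables it, $null = not configured by GPO
            $regVal = (Get-ItemProperty -Path $polKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall

            $active     = (Get-NetFirewallProfile -Profile $profile -PolicyStore ActiveStore).Enabled
            $persistent = (Get-NetFirewallProfile -Profile $profile -PolicyStore PersistentStore).Enabled
            $rsop       = (Get-NetFirewallProfile -Profile $profile -PolicyStore RSOP).Enabled

            [pscustomobject]@{
                Computer           = $env:COMPUTERNAME
                Profile            = $profile
                GpoRegistryValue   = $regVal
                RsopEnabled        = [string]$rsop
                PersistentEnabled  = [string]$persistent
                ActiveEnabled      = [string]$active
                NoBackgroundPolicy = $noBg
                # Drift: GPO configures the setting, but the running firewall does not match RSOP.
                # This is exactly the "Firewall Enabled" column in ittech's comparison.
                Drift              = ($null -ne $regVal) -and ([string]$active -ne [string]$rsop)
            }
        }

        if ($DoRemediate -and ($rows | Where-Object Drift)) {
            # Forces a computer-policy refresh; the firewall trace in the thread shows the
            # service re-reads policy on the next GP notification (assumption: this suffices).
            & gpupdate.exe /target:computer /force | Out-Null
        }
        $rows
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $check -ArgumentList $Remediate.IsPresent |
        Select-Object Computer, Profile, GpoRegistryValue, RsopEnabled, PersistentEnabled,
                      ActiveEnabled, NoBackgroundPolicy, Drift
}

# Usage (hostnames are placeholders):
# Get-FirewallPolicyDrift -ComputerName 'PC01', 'PC02' | Where-Object Drift | Format-Table -AutoSize
# Get-FirewallPolicyDrift -ComputerName 'PC01' -Remediate
```

Run without `-Remediate` first and keep the output: a host whose ActiveEnabled disagrees with RsopEnabled while PersistentEnabled is True is the pattern ittech observed, and a NoBackgroundPolicy value of 1 on the same host supports m43ttu's explanation. The report is also a reasonable thing to schedule, since the drift only shows up after a reboot and a GPO refresh race, not on demand.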
