Forum Discussion
Windows Defender Firewall occasionally becoming enabled despite group policy disabling it
I found some potentially interesting information using the "Get-NetFirewallProfile -PolicyStore <store>" PowerShell cmdlet. On a system where the firewall is active, the ActiveStore's Enabled property is true, and on a system where the firewall is inactive, the ActiveStore's Enabled property is false. This store gets its settings from multiple other stores, and I will list the results from each of them here:
Computer With Firewall Enabled:
Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore      ->  Enabled: True
Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore  ->  Enabled: True
Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP             ->  Enabled: False
Get-NetFirewallProfile -Profile Domain -PolicyStore localhost        ->  Enabled: False

Computer With Firewall Disabled:
Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore      ->  Enabled: False
Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore  ->  Enabled: True
Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP             ->  Enabled: False
Get-NetFirewallProfile -Profile Domain -PolicyStore localhost        ->  Enabled: False
So that shows the group policy's RSOP is evaluating that Enabled setting to False in both cases. The PersistentStore having Enabled set to True in both cases seems to indicate that a local setting or program is trying to set the firewall to enabled. In the first case, with the firewall enabled, the PersistentStore seems to be taking precedence over the RSOP (GPO) setting, but in the second case, with the firewall disabled, it is not taking precedence.
I looked for a log file or event log entries to explain why this would behave differently but I came up empty.
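The comparison described in the post, as an added example that is not part of the original post: it runs the same Get-NetFirewallProfile query across the three profiles and the four stores named above and flags the condition the post is chasing, where the effective (ActiveStore) value differs from what Group Policy (RSOP) evaluates. The `$servers` variable in the commented fan-out line is an assumption. Run it in an elevated PowerShell session on the server being examined.

```powershell
# Added example, not code from the original post.
# Reports the Enabled state of each firewall profile in each policy store and
# flags rows where the effective state (ActiveStore) differs from the
# Group Policy result (RSOP).
function Get-FirewallStoreState {
    [CmdletBinding()]
    param(
        [string[]]$Profile = @('Domain', 'Private', 'Public'),
        # ActiveStore     = the state the firewall is actually running with
        # PersistentStore = the locally persisted configuration
        # RSOP            = resultant set of Group Policy
        # localhost       = the local computer store
        [string[]]$PolicyStore = @('ActiveStore', 'PersistentStore', 'RSOP', 'localhost')
    )

    foreach ($p in $Profile) {
        $row = [ordered]@{ ComputerName = $env:COMPUTERNAME; Profile = $p }
        foreach ($s in $PolicyStore) {
            try {
                $fp = Get-NetFirewallProfile -Profile $p -PolicyStore $s -ErrorAction Stop
                # Enabled is a GpoBoolean: True, False or NotConfigured.
                $row[$s] = [string]$fp.Enabled
            } catch {
                $row[$s] = 'ERROR: ' + $_.Exception.Message
            }
        }
        # The discrepancy from the post: GPO evaluates one value, the running
        # firewall uses another. A NotConfigured RSOP value is also flagged.
        $row['ActiveDiffersFromRSOP'] = ($row['ActiveStore'] -ne $row['RSOP'])
        [pscustomobject]$row
    }
}

# Local run on the current machine:
Get-FirewallStoreState | Format-Table -AutoSize

# Same check fanned out to a list of servers ($servers is an assumed variable);
# passing the function body as the script block ships the definition to the
# remote session:
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Get-FirewallStoreState} |
#     Where-Object ActiveDiffersFromRSOP |
#     Format-Table ComputerName, Profile, ActiveStore, PersistentStore, RSOP -AutoSize
```

A row with ActiveDiffersFromRSOP set to True and RSOP reading False is the state described in the first table above. Because the function captures the machine name in each row, the remote variant gives a fleet-wide list of servers where the running firewall state does not match the GPO result.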
- m43ttu, Oct 25, 2022, Copper Contributor
Hey,
I have been troubleshooting this exact issue for a while! The problem is the following setting which is part of the recommended configurations in the CIS benchmark for Windows Server.
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Automated)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
Registry processing takes too long and the MpsSvc starts with the settings in the PersistentStore.
6335 [6] 0834.0DB4::10/18/22-17:41:25.7185403 [lib] fw_gp_cpp68 ReadGPDllNameFromReg() - String value GPExtensionDLL was not found
6336 [6] 0834.0DB4::10/18/22-17:41:25.7185422 [lib] fw_gp_cpp69 ReadGPDllNameFromReg() - Error 0x80070002(ERROR_FILE_NOT_FOUND) generated because
6337 [0] 0834.0DB4::10/18/22-17:41:25.7204562 [lib] fw_gp_cpp99 LoadGPExtensionDll() - Couldn't read extension dll name from registry. Using wfapigp.dll instead.

17:41:36.9470338 svchost.exe 2000 2596 RegDeleteValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS
17:41:44.6079838 svchost.exe 2100 3508 RegQueryValue HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1

38724 [3] 0834.0DB4::10/18/22-17:41:44.6986418 [windows] dllmain_cpp1227 FwGPLockInternal() - FwGPLockInternal: EnterCriticalPolicySectionExStub returned 0000000000000000
38725 [3] 0834.0DB4::10/18/22-17:41:44.6986465 [lh] fw_prof_mgr_c2023 FwProfileMgrUpdateCachedPolicy() - Acquiring the GP Lock Failed... GP will not be pushed, until next GP notification (soon to come)
38726 [3] 0834.0DB4::10/18/22-17:41:44.6986473 [lh] fw_prof_mgr_c2027 FwProfileMgrUpdateCachedPolicy() - updateGroupStore=0
...
98963 [1] 0834.0DB4::10/18/22-17:41:47.2591521 [Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose ] The following settings were applied to the Windows Defender Firewall at startup
98964
98965 Current Profile: Public
98966 IPsec SA Idle time: 300
98967 IPsec preshared key encoding: UTF8
98968 IPsec Exempt: 9
98969 IPsec CRL Check: Disabled
98970 IPsec Through NAT: Never
98971 Policy Version Supported: 0x21D
98972 Policy Version: 0x21D
98973 Binary Version Supported: 0x21D
98974 Stateful FTP: Disabled
98975 Group Policy Applied: No
98976 Remote Machine Authorization List:
98977 Remote UserAuthorization List:

17:41:47.3904028 svchost.exe 2100 3508 Thread Exit SUCCESS Thread ID: 3508, User Time: 0.5312500, Kernel Time: 3.7968750
17:41:49.3611214 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
17:41:50.0146870 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 0

My quick and dirty solution until Microsoft fixes this is just invoking the following on all servers...
Invoke-Command -ComputerName $s {Set-NetFirewallProfile -Profile Domain -Enabled False}
- rmoat, Feb 05, 2025, Brass Contributor
Hello ittech
I happened to come across this post and I see you had an issue that we had for a while. Our Windows Servers would reboot and no matter what GPO we had applied to turn off the firewall, the ActiveStore policy would enable the Firewall regardless. I haven't been able to find the website or forum post that explained this. Basically, we had to set a specific registry key to stop the ActiveStore firewall from getting enabled. I only did this for the DomainProfile:
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
EnableFirewall (REG_DWORD)
Data: 0x0

Once I created this registry key, the ActiveStore firewall state no longer automatically enabled for the DomainProfile.
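An added example, not code from either reply, that pulls the three registry values the two replies discuss (the Group Policy NoBackgroundPolicy value from the CIS item, the EnableFirewall value under the WindowsFirewall policy key that the ProcMon lines show being rewritten, and the EnableFirewall value under the SharedAccess service key that rmoat set to 0) next to the Domain profile's ActiveStore and RSOP state, so a server's condition can be read from one object. The -ApplyWorkaround switch writes the value rmoat's reply used and honours -WhatIf; the function and parameter names are my own. Run it elevated.

```powershell
# Added example, not from the thread. Audits the registry values discussed in
# the replies alongside the effective Domain profile state, and optionally
# applies rmoat's registry workaround (EnableFirewall = 0 under the
# SharedAccess service key for the Domain profile).
function Test-DomainFirewallPolicyState {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$ApplyWorkaround)

    # Group Policy registry-CSE setting named in the CIS item (m43ttu's reply).
    $gpKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
    # Value the firewall GPO writes (deleted and re-set in the ProcMon lines).
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    # Local service setting that rmoat's reply set to 0.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'

    # Returns the DWORD value, or $null when the key or value does not exist.
    function Read-Dword([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $state = [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        NoBackgroundPolicy  = Read-Dword $gpKey  'NoBackgroundPolicy'   # 0 = CIS-recommended value
        GpoEnableFirewall   = Read-Dword $polKey 'EnableFirewall'       # written by the GPO
        LocalEnableFirewall = Read-Dword $svcKey 'EnableFirewall'       # rmoat's workaround sets 0
        ActiveStoreEnabled  = [string](Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore).Enabled
        RsopEnabled         = [string](Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP).Enabled
    }

    # Apply the workaround only when the value is missing or not already 0.
    if ($ApplyWorkaround -and $state.LocalEnableFirewall -ne 0) {
        if ($PSCmdlet.ShouldProcess("$svcKey\EnableFirewall", 'Set REG_DWORD to 0')) {
            New-ItemProperty -LiteralPath $svcKey -Name 'EnableFirewall' `
                -PropertyType DWord -Value 0 -Force | Out-Null
            $state.LocalEnableFirewall = Read-Dword $svcKey 'EnableFirewall'
        }
    }
    $state
}

# Report only:
Test-DomainFirewallPolicyState

# Preview the registry change without writing it:
# Test-DomainFirewallPolicyState -ApplyWorkaround -WhatIf
```

A result with RsopEnabled False, ActiveStoreEnabled True and NoBackgroundPolicy 0 matches the combination the two replies describe. The function reports NoBackgroundPolicy but does not change it, since the thread offers no fix on that side beyond m43ttu's Set-NetFirewallProfile command; writing the SharedAccess value is a local-store change outside Group Policy, so record it wherever such exceptions are tracked.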