Forum Discussion
Windows Defender Firewall occasionally becoming enabled despite group policy disabling it
Hey,
I have been troubleshooting this exact issue for a while! The problem is the following setting which is part of the recommended configurations in the CIS benchmark for Windows Server.
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Automated)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
Registry processing takes too long and the MpsSvc starts with the settings in the PersistentStore.
6335 [6] 0834.0DB4::10/18/22-17:41:25.7185403 [lib] fw_gp_cpp68 ReadGPDllNameFromReg() - String value GPExtensionDLL was not found
6336 [6] 0834.0DB4::10/18/22-17:41:25.7185422 [lib] fw_gp_cpp69 ReadGPDllNameFromReg() - Error 0x80070002(ERROR_FILE_NOT_FOUND) generated because
6337 [0] 0834.0DB4::10/18/22-17:41:25.7204562 [lib] fw_gp_cpp99 LoadGPExtensionDll() - Couldn't read extension dll name from registry. Using wfapigp.dll instead.
17:41:36.9470338 svchost.exe 2000 2596 RegDeleteValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS
17:41:44.6079838 svchost.exe 2100 3508 RegQueryValue HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
38724 [3] 0834.0DB4::10/18/22-17:41:44.6986418 [windows] dllmain_cpp1227 FwGPLockInternal() - FwGPLockInternal: EnterCriticalPolicySectionExStub returned 0000000000000000
38725 [3] 0834.0DB4::10/18/22-17:41:44.6986465 [lh] fw_prof_mgr_c2023 FwProfileMgrUpdateCachedPolicy() - Acquiring the GP Lock Failed... GP will not be pushed, until next GP notification (soon to come)
38726 [3] 0834.0DB4::10/18/22-17:41:44.6986473 [lh] fw_prof_mgr_c2027 FwProfileMgrUpdateCachedPolicy() - updateGroupStore=0
...
98963 [1]0834.0DB4::10/18/22-17:41:47.2591521 [Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose ] The following settings were applied to the Windows Defender Firewall at startup
98964
98965 Current Profile: Public
98966 IPsec SA Idle time: 300
98967 IPsec preshared key encoding: UTF8
98968 IPsec Exempt: 9
98969 IPsec CRL Check: Disabled
98970 IPsec Through NAT: Never
98971 Policy Version Supported: 0x21D
98972 Policy Version: 0x21D
98973 Binary Version Supported: 0x21D
98974 Stateful FTP: Disabled
98975 Group Policy Applied: No
98976 Remote Machine Authorization List:
98977 Remote UserAuthorization List:
17:41:47.3904028 svchost.exe 2100 3508 Thread Exit SUCCESS Thread ID: 3508, User Time: 0.5312500, Kernel Time: 3.7968750
17:41:49.3611214 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
17:41:50.0146870 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 0
My quick and dirty solution until Microsoft fixes this is just invoking the following on all servers...
Invoke-Command -ComputerName $s {Set-NetFirewallProfile -Profile Domain -Enabled False}
Hello ittech
I happened to come across this post and I see you had an issue that we had for a while. Our Windows Servers would reboot and no matter what GPO we had applied to turn off the firewall, the ActiveStore policy would enable the Firewall regardless. I haven't been able to find the website or forum post that explained this. Basically, we had to set a specific registry key to stop the ActiveStore firewall from getting enabled. I only did this for the DomainProfile:
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
EnableFirewall (REG_DWORD)
Data: 0x0
Once I created this registry key, the ActiveStore firewall state no longer automatically enabled for the DomainProfile.
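Both posts above describe the same three places a profile's firewall state can come from: the GPO policy key that the first post shows being deleted and rewritten during policy processing, the PersistentStore key the second post sets, and the ActiveStore that MpsSvc actually enforces. The following script is an added audit example (not code from either poster) that reads all three for the Domain profile, plus the NoBackgroundPolicy value named in the first post, and flags a host whose active state disagrees with what the GPO mandates; the Domain-only scope and the "Drift" naming are assumptions.

```powershell
# Added example: audit where the Domain profile's firewall state is coming from on this host.
# Assumes the Domain profile, as both posts do; the key paths are the ones quoted in the thread.
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$persistentKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'
$gpKey         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'

function Get-RegDword {
    # Returns the DWORD as an int, or $null when the value (or key) does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$gpoValue        = Get-RegDword -Path $policyKey     -Name 'EnableFirewall'   # what the GPO wrote (may be absent mid-refresh)
$persistentValue = Get-RegDword -Path $persistentKey -Name 'EnableFirewall'   # what MpsSvc falls back to at startup
$noBgPolicy      = Get-RegDword -Path $gpKey         -Name 'NoBackgroundPolicy'
$activeEnabled   = [string](Get-NetFirewallProfile -Name Domain -PolicyStore ActiveStore).Enabled -eq 'True'

# Drift: the enforced state does not match the GPO value. A $null GPO value corresponds to the
# RegDeleteValue window seen in the first post's Procmon capture, so it is reported separately.
$gpoMandatesEnabled = if ($null -ne $gpoValue) { $gpoValue -eq 1 } else { $null }
$drift = ($null -ne $gpoMandatesEnabled) -and ($activeEnabled -ne $gpoMandatesEnabled)

$report = [pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    GpoEnableFirewall       = $gpoValue
    PersistentEnableFirewall = $persistentValue
    ActiveStoreEnabled      = $activeEnabled
    NoBackgroundPolicy      = $noBgPolicy
    GpoValueMissing         = ($null -eq $gpoValue)
    Drift                   = $drift
}

if ($report.Drift) {
    Write-Warning "$($report.ComputerName): ActiveStore ($activeEnabled) disagrees with GPO value ($gpoValue); check PersistentStore ($persistentValue)."
}
$report
```

Run it through Invoke-Command against the same server list the first post uses to collect one object per host and filter on Drift or GpoValueMissing.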