SOLVED

Optimal Windows 10 firewall setting for Teams desktop app?


I'm 95% sure that, at least in our environment, the Teams desktop app isn't setting Windows 10 firewall rules optimally, probably due to locking down the build.

When staff start video in Teams desktop, they see a one-off message that Windows 10 firewall has blocked certain features of the application. I'm assuming this is Teams trying to use UDP on high ports for its preferred protocol(s).

What are the Windows 10 firewall rules needed to optimise performance of the Teams desktop app?

NB I've already followed MSFT guidance on optimizing the network on boundary firewalls etc.

4 Replies
Hi Calum,

Here are the URLs and IP address ranges for Teams:

https://docs.microsoft.com/en-gb/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-...

Hope that helps. Let me know how you get on.

Best, Chris
Best Response confirmed by Calum Steen (Occasional Contributor)
Solution

Hi,

That is described in this article.

https://docs.microsoft.com/en-us/microsoftteams/get-clients
When users initiate a call using the Microsoft Teams client for the first time, they might notice a warning with the Windows firewall settings that asks for users to allow communication. Users might be instructed to ignore this message because the call will work, even when the warning is dismissed. Windows Firewall configuration will be altered even when the prompt is dismissed by selecting “Cancel”. Two inbound rules for teams.exe will be created with Block action for both TCP and UDP protocols.

You should be able to add these block rules with a Group Policy that you deploy to your client computers.

There is also a UserVoice request to remove this warning; go in and vote for it to get some attention from Microsoft.

https://microsoftteams.uservoice.com/forums/555103-public/suggestions/33697582-microsoft-teams-windo...

Thanks for this. I've just posted on UserVoice that it would be really neat if Teams didn't do whatever it's doing to trigger the firewall prompt (https://i.imgur.com/Bt0qpip.png) if the user doesn't have admin rights. I assume one can test if a UAC prompt would be triggered without actually triggering it?

@Linus Cansby How exactly do we create a firewall rule for a user-profile-based exe via GPO? Firewall rules are machine-based; this is a user-based path.
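
One way to pre-create the two inbound teams.exe rules described in the accepted answer when the executable lives under each user's profile (an added example, not part of the original thread and not Microsoft's own script). It assumes the classic per-user install path `AppData\Local\Microsoft\Teams\current\Teams.exe` and an elevated context such as a computer startup script; the rule and group names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: create one inbound TCP rule and one inbound UDP rule for the
# Teams.exe found in every user profile on this machine, so the rules exist
# before a standard user would be asked to create them.
param(
    [ValidateSet('Block', 'Allow')]
    [string]$Action = 'Block',   # 'Block' matches the rules the answer describes
    # Assumed per-user install location, relative to the profile folder.
    [string]$RelativeExe = 'AppData\Local\Microsoft\Teams\current\Teams.exe'
)

$group = 'Teams per-user inbound (example)'   # hypothetical group, eases cleanup

# Real user profiles only; Special is true for SYSTEM and the service accounts.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath }

foreach ($p in $profiles) {
    $exe = Join-Path -Path $p.LocalPath -ChildPath $RelativeExe
    # Skip profiles where Teams has not been installed yet.
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

    $user = Split-Path -Path $p.LocalPath -Leaf
    foreach ($proto in 'TCP', 'UDP') {
        $name = "Teams.exe inbound $proto ($user)"

        # Idempotent: a startup script runs on every boot, so skip existing rules.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            continue
        }

        # Firewall rules are machine-wide, but -Program takes the full
        # per-user path, which is why one pair of rules is needed per profile.
        New-NetFirewallRule -DisplayName $name -Group $group `
            -Direction Inbound -Program $exe -Protocol $proto `
            -Action $Action -Profile Any | Out-Null
        Write-Output "Created: $name -> $Action"
    }
}

# Review what exists after the run.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Action, Enabled
```

Profiles created after the script runs are only covered on its next run. Passing `-Action Allow` opens inbound traffic to teams.exe instead of blocking it, so it should be a deliberate choice.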