Windows Defender Firewall occasionally becoming enabled despite group policy disabling it

Copper Contributor

Hello,

 

I have some workstations which will occasionally enable the Windows Defender Firewall despite having group policy disable it.

 

This is happening both on Windows 10 1803 and Windows 10 1909.

 

Here's some settings from one workstation in particular that I'm troubleshooting in detail this morning:

 

The group policy is taking effect in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - EnableFirewall = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile - EnableFirewall = 0

 

And I can see the policy in a gpresult:

(copy/pasted from a gpresult /h html file)

Windows Defender Firewall: Protect all network connections          Disabled

 

So as you can see, the firewall is definitely configured to be Disabled.

 

Most of the time, the firewall is indeed disabled and things like RDP work just fine. However sometimes the firewall becomes enabled and the user can't RDP to their PC. I'm guessing when the PC boots up it sometimes ignores the registry setting and the firewall becomes enabled anyways.

 

I've verified that the firewall is running and active/enabled by two different methods:

 

First, a powershell command "Get-NetFirewallProfile -PolicyStore ActiveStore" reports for each of the profiles Domain, Private and Public, that the property "Enabled" is "True".

 

Second, I enabled firewall logging on a workstation using a remote command:

netsh advfirewall set allprofiles logging droppedconnections enable

 

Then I checked the log and found my dropped RDP packets to TCP port 3389:

Get-Content '\\pcname\c$\windows\system32\LogFiles\Firewall\pfirewall.log'

2020-11-12 <time> DROP TCP <source IP> <destination IP> <source port> 3389 52 S 2774183116 0 64240 - - - RECEIVE

 

If the firewall was disabled as intended then it would not be dropping any packets, contrary to what's shown above.

 

When I reboot the PC, it will act normally and disable the firewall... for a while. The user will report it again in a number of days.

 

This is happening on numerous PCs in the domain and intermittently prevents users from working remotely until someone onsite locates and reboots their workstation.

 

Does anyone have any ideas why the Windows Defender Firewall becomes enabled/active despite group policy being configured to disable it? Is it a bug in the firewall code, resulting in it occasionally ignoring the group policy setting?

 

Thanks!

 

2 Replies

I found some potentially interesting information using the "Get-NetFirewallProfile -PolicyStore <store>" powershell cmdlet. On a system where the firewall is active, the ActiveStore's Enabled property is true and on a system where the firewall is inactive, the ActiveStore's Enabled property is false. This store gets its settings from multiple other stores which I will list the results of here:

 

Computer With Firewall Enabled:

Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore   * Enabled: True

Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore   * Enabled: True

Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP   * Enabled: False

Get-NetFirewallProfile -Profile Domain -PolicyStore localhost    * Enabled: False

 

Computer With Firewall Disabled:

Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore   * Enabled: False

Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore   * Enabled: True

Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP   * Enabled: False

Get-NetFirewallProfile -Profile Domain -PolicyStore localhost    * Enabled: False

 

So that shows the group policy's RSOP is evaluating that Enabled setting to be False in both cases. The PersistentStore having the Enabled setting being True in both cases seems to indicate that a local setting or program is trying to set the firewall to enabled. In the first case with the firewall enabled, the PersistentStore seems to be taking precedence over the RSOP (GPO) setting, but in the second case with the firewall disabled it is not taking precedence.

 

I looked for a log file or event log entries to explain why this would behave differently but I came up empty.

@ittech 

Hey,

I have been troubleshooting this exact issue for a while! The problem is the following setting which is part of the recommended configurations in the CIS benchmark for Windows Server.

 

18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' (Automated)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy

 

Registry processing takes too long and the MpsSvc starts with the settings in the PersistentStore.

 

6335 [6] 0834.0DB4::10/18/22-17:41:25.7185403 [lib] fw_gp_cpp68 ReadGPDllNameFromReg() - String value GPExtensionDLL was not found

6336 [6] 0834.0DB4::10/18/22-17:41:25.7185422 [lib] fw_gp_cpp69 ReadGPDllNameFromReg() - Error 0x80070002(ERROR_FILE_NOT_FOUND) generated because

6337 [0] 0834.0DB4::10/18/22-17:41:25.7204562 [lib] fw_gp_cpp99 LoadGPExtensionDll() - Couldn't read extension dll name from registry. Using wfapigp.dll instead.

17:41:36.9470338 svchost.exe 2000 2596 RegDeleteValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS 
17:41:44.6079838 svchost.exe 2100 3508 RegQueryValue HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
  38724 [3] 0834.0DB4::10/18/22-17:41:44.6986418 [windows] dllmain_cpp1227 FwGPLockInternal() - FwGPLockInternal: EnterCriticalPolicySectionExStub returned 0000000000000000
  38725 [3] 0834.0DB4::10/18/22-17:41:44.6986465 [lh] fw_prof_mgr_c2023 FwProfileMgrUpdateCachedPolicy() - Acquiring the GP Lock Failed... GP will not be pushed, until next GP notification (soon to come)
  38726 [3] 0834.0DB4::10/18/22-17:41:44.6986473 [lh] fw_prof_mgr_c2027 FwProfileMgrUpdateCachedPolicy() - updateGroupStore=0
  ...

  98963 [1]0834.0DB4::10/18/22-17:41:47.2591521 [Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose ] The following settings were applied to the Windows Defender Firewall at startup
  98964
  98965     Current Profile:    Public
  98966     IPsec SA Idle time:    300
  98967     IPsec preshared key encoding:    UTF8
  98968     IPsec Exempt:    9
  98969     IPsec CRL Check:    Disabled
  98970     IPsec Through NAT:    Never
  98971     Policy Version Supported:    0x21D
  98972     Policy Version:    0x21D
  98973     Binary Version Supported:    0x21D
  98974     Stateful FTP:    Disabled
  98975     Group Policy Applied:    No
  98976     Remote Machine Authorization List:   
  98977     Remote UserAuthorization List:    

17:41:47.3904028 svchost.exe 2100 3508 Thread Exit  SUCCESS Thread ID: 3508, User Time: 0.5312500, Kernel Time: 3.7968750

17:41:49.3611214 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 1
17:41:50.0146870 svchost.exe 2000 2596 RegSetValue HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall SUCCESS Type: REG_DWORD, Length: 4, Data: 0

 

 

My quick and dirty solution until Microsoft fixes this is just invoking the following on all servers...

 

Invoke-Command -ComputerName $s {Set-NetFirewallProfile -Profile Domain -Enabled False}