Windows Defender Firewall occasionally becoming enabled despite group policy disabling it

%3CLINGO-SUB%20id%3D%22lingo-sub-1882381%22%20slang%3D%22en-US%22%3EWindows%20Defender%20Firewall%20occasionally%20becoming%20enabled%20despite%20group%20policy%20disabling%20it%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1882381%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20some%20workstations%20which%20will%20occasionally%20enable%20the%20Windows%20Defender%20Firewall%20despite%20having%20group%20policy%20disable%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20happening%20both%20on%20Windows%2010%201803%20and%20Windows%2010%201909.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere's%20some%20settings%20from%20one%20workstation%20in%20particular%20that%20I'm%20troubleshooting%20in%20detail%20this%20morning%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20group%20policy%20is%20taking%20effect%20in%20the%20registry%3A%3C%2FP%3E%3CP%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindowsFirewall%5CDomainProfile%20-%20EnableFirewall%20%3D%200%3C%2FP%3E%3CP%3EHKEY_LOCAL_MACHINE%5CSOFTWARE%5CPolicies%5CMicrosoft%5CWindowsFirewall%5CStandardProfile%20-%20EnableFirewall%20%3D%200%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnd%20I%20can%20see%20the%20policy%20in%20a%20gpresult%3A%3C%2FP%3E%3CP%3E(copy%2Fpasted%20from%20a%20gpresult%20%2Fh%20html%20file)%3C%2FP%3E%3CP%3EWindows%20Defender%20Firewall%3A%20Protect%20all%20network%20connections%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20%26nbsp%3B%20Disabled%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20as%20you%20can%20see%2C%20the%20firewall%20is%20definitely%20configured%20to%20be%20Disabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMost%20of%20the%20time%2C%20the%20firewall%20is%20indeed%20disabled%20and%20things%20like%20RDP%20work%20just%20fine.%20However%20sometimes%20the%20firewall%20becomes%20enabled%20and%20the%20user%20can't%20RDP%20to%20their%20PC.%20I'm%20guessing%20when%20the%20PC%20boots%20up%20it%20sometimes%20ignores%20the%20registry%20setting%20and%20the%20firewall%20becomes%20enabled%20anyways.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20verified%20that%20the%20firewall%20is%20running%20and%20active%2Fenabled%20by%20two%20different%20methods%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFirst%2C%20a%20powershell%20command%26nbsp%3B%22Get-NetFirewallProfile%20-PolicyStore%20ActiveStore%22%20reports%20for%20each%20of%20the%20profiles%20Domain%2C%20Private%20and%20Public%2C%20that%20the%20property%20%22Enabled%22%20is%20%22True%22.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecond%2C%20I%20enabled%20firewall%20logging%20on%20a%20workstation%20using%20a%20remote%20command%3A%3C%2FP%3E%3CP%3Enetsh%20advfirewall%20set%20allprofiles%20logging%20droppedconnections%20enable%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20I%20checked%20the%20log%20and%20found%20my%20dropped%20RDP%20packets%20to%20TCP%20port%203389%3A%3C%2FP%3E%3CP%3EGet-Content%20'%5C%5Cpcname%5Cc%24%5Cwindows%5Csystem32%5CLogFiles%5CFirewall%5Cpfirewall.log'%3C%2FP%3E%3CP%3E2020-11-12%20%3CTIME%3E%20%3CSTRONG%3EDROP%3C%2FSTRONG%3E%20TCP%20%3CSOURCE%20ip%3D%22%22%3E%20%3CDESTINATION%20ip%3D%22%22%3E%20%3CSOURCE%20port%3D%22%22%3E%20%3CSTRONG%3E3389%3C%2FSTRONG%3E%2052%20S%202774183116%200%2064240%20-%20-%20-%20RECEIVE%3C%2FSOURCE%3E%3C%2FDESTINATION%3E%3C%2FSOURCE%3E%3C%2FTIME%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20the%20firewall%20was%20disabled%20as%20intended%20then%20it%20would%20not%20be%20dropping%20any%20packets%2C%20contrary%20to%20what's%20shown%20above.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhen%20I%20reboot%20the%20PC%2C%20it%20will%20act%20normally%20and%20disable%20the%20firewall...%20for%20a%20while.%20The%20user%20will%20report%20it%20again%20in%20a%20number%20of%20days.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20happening%20on%20numerous%20PCs%20in%20the%20domain%20and%20intermittently%20prevents%20users%20from%20working%20remotely%20until%20someone%20onsite%20locates%20and%20reboots%20their%20workstation.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20have%20any%20ideas%20why%20the%20Windows%20Defender%20Firewall%20becomes%20enabled%2Factive%20despite%20group%20policy%20being%20configured%20to%20disable%20it%3F%20Is%20it%20a%20bug%20in%20the%20firewall%20code%2C%20resulting%20in%20it%20occasionally%20ignoring%20the%20group%20policy%20setting%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Hello,

 

I have some workstations which will occasionally enable the Windows Defender Firewall despite having group policy disable it.

 

This is happening both on Windows 10 1803 and Windows 10 1909.

 

Here's some settings from one workstation in particular that I'm troubleshooting in detail this morning:

 

The group policy is taking effect in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - EnableFirewall = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile - EnableFirewall = 0

 

And I can see the policy in a gpresult:

(copy/pasted from a gpresult /h html file)

Windows Defender Firewall: Protect all network connections          Disabled

 

So as you can see, the firewall is definitely configured to be Disabled.

 

Most of the time, the firewall is indeed disabled and things like RDP work just fine. However sometimes the firewall becomes enabled and the user can't RDP to their PC. I'm guessing when the PC boots up it sometimes ignores the registry setting and the firewall becomes enabled anyways.

 

I've verified that the firewall is running and active/enabled by two different methods:

 

First, a powershell command "Get-NetFirewallProfile -PolicyStore ActiveStore" reports for each of the profiles Domain, Private and Public, that the property "Enabled" is "True".

 

Second, I enabled firewall logging on a workstation using a remote command:

netsh advfirewall set allprofiles logging droppedconnections enable

 

Then I checked the log and found my dropped RDP packets to TCP port 3389:

Get-Content '\\pcname\c$\windows\system32\LogFiles\Firewall\pfirewall.log'

2020-11-12 <time> DROP TCP <source IP> <destination IP> <source port> 3389 52 S 2774183116 0 64240 - - - RECEIVE

 

If the firewall was disabled as intended then it would not be dropping any packets, contrary to what's shown above.

 

When I reboot the PC, it will act normally and disable the firewall... for a while. The user will report it again in a number of days.

 

This is happening on numerous PCs in the domain and intermittently prevents users from working remotely until someone onsite locates and reboots their workstation.

 

Does anyone have any ideas why the Windows Defender Firewall becomes enabled/active despite group policy being configured to disable it? Is it a bug in the firewall code, resulting in it occasionally ignoring the group policy setting?

 

Thanks!

 

1 Reply
Highlighted

I found some potentially interesting information using the "Get-NetFirewallProfile -PolicyStore <store>" powershell cmdlet. On a system where the firewall is active, the ActiveStore's Enabled property is true and on a system where the firewall is inactive, the ActiveStore's Enabled property is false. This store gets its settings from multiple other stores which I will list the results of here:

 

Computer With Firewall Enabled:

Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore   * Enabled: True

Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore   * Enabled: True

Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP   * Enabled: False

Get-NetFirewallProfile -Profile Domain -PolicyStore localhost    * Enabled: False

 

Computer With Firewall Disabled:

Get-NetFirewallProfile -Profile Domain -PolicyStore ActiveStore   * Enabled: False

Get-NetFirewallProfile -Profile Domain -PolicyStore PersistentStore   * Enabled: True

Get-NetFirewallProfile -Profile Domain -PolicyStore RSOP   * Enabled: False

Get-NetFirewallProfile -Profile Domain -PolicyStore localhost    * Enabled: False

 

So that shows the group policy's RSOP is evaluating that Enabled setting to be False in both cases. The PersistentStore having the Enabled setting being True in both cases seems to indicate that a local setting or program is trying to set the firewall to enabled. In the first case with the firewall enabled, the PersistentStore seems to be taking precedence over the RSOP (GPO) setting, but in the second case with the firewall disabled it is not taking precedence.

 

I looked for a log file or event log entries to explain why this would behave differently but I came up empty.