Enable Windows Firewall Rules with Group Policy

How to enable Windows firewall rules with Group Policy

In this post, we will show you how to enable Windows firewall rules with Group Policy. With a Group Policy Object (GPO) configuration, we can either add each firewall rule manually or import the firewall rules from a reference computer.

Following our earlier post on how to enable the WMI firewall rules for client accessibility in MPA Tools, we will demonstrate the option to import the WMI firewall rules from a reference computer.

What is Group Policy?

Group Policy is a feature of Microsoft’s Active Directory infrastructure that allows you to implement managed configurations for users and computers in a Windows environment. Group Policy provides centralized management and configuration of Windows operating systems, applications, and end-user settings. For more information, see Group Policy Overview | Microsoft Learn.

Exporting the firewall rule policy

On a reference Windows 10 or Windows 11 computer, open the Windows Defender Firewall with Advanced Security management console. Right-click the top-level Windows Defender Firewall with Advanced Security node and select Export Policy.

Specify a file name and then save the file in a location that is accessible to the computer where the Group Policy Management console can be used.

This will generate a policy file with a .wfw extension. Click OK.

Creating the Group Policy Object (GPO)

Next, to create the GPO, we will need to determine the relevant OU where the GPO will be assigned. In this example, we will link the GPO to the CLIENT DEVICES Organizational Unit (OU).

In the Group Policy Management console, navigate to the chosen OU, right-click it and select Create a GPO in this domain, and Link it here…

Specify the GPO name and then click OK.

Important: Since this GPO is now actively linked, any changes we make to it at this point will start applying to the devices in the selected OU. So, to be careful, we will disable all settings in the GPO status until the GPO is fully configured. Alternatively, we could have created the GPO first and linked it to the OU later. Both methods are acceptably safe.

Filtering the assignment to a global group

If you would like to assign the GPO to a subset of devices in the OU (for example, test or pilot devices) then create a domain global group that contains only these test or pilot devices. Then under the Scope tab, in the Security Filtering pane, remove Authenticated Users and then add the global group.

Note: Since this GPO will be using the Computer Configuration, the membership of the global group should only contain computers (and not users).

Importing the firewall rule policy

Next, right-click on the new GPO link and then select Edit.

In the Group Policy Management Editor window, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security. Right-click and select Import Policy.

Since we do not have any firewall rules defined in this new GPO yet, we can ignore this message. Click Yes.

Note: If we imported the policy to an existing GPO, then the imported firewall rules would overwrite any existing firewall rules in the GPO.

Navigate to the policy file (.wfw) that was previously exported on the reference device. Select the file and then click Open.

Click OK.

On the left-hand navigation pane, select Inbound Rules. Select all the firewall rules except the rules within the group “Windows Management Instrumentation (WMI)”, right-click and then select Delete.

Click Yes.

This should leave just the 6x inbound WMI firewall rules. Ensure that the firewall rules are enabled; if any are not, select all the rules, right-click and select Enable Rule.

On the left-hand navigation pane, select Outbound Rules. Select all the firewall rules, right-click and then select Delete.

Click Yes.

There should be no outbound firewall rules configured. The Group Policy Management Editor window can now be closed, and the settings will be saved.

Select the GPO link, right-click and select Refresh to refresh the settings.

Then select the Settings tab, scroll through, and confirm that all 6x inbound rules are configured and are enabled.
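
The same confirmation can be scripted before the GPO is re-enabled. The PowerShell below is an added example, not part of the original post: it reads the GPO's own firewall policy store and reports anything other than the six enabled inbound WMI rules. The domain and GPO names are placeholders, and the group name assumes an English-language system.

```powershell
# Added example: audit the firewall rules stored in the GPO before enabling it.
# Assumption: $PolicyStore is a placeholder in the form <domain FQDN>\<GPO name>.
$PolicyStore     = 'corp.example.com\WMI Firewall Rules'      # hypothetical names
$WmiGroup        = 'Windows Management Instrumentation (WMI)' # English display name
$ExpectedInbound = 6                                          # count stated on this page

# Read every rule held in the GPO (not the rules of the local machine).
$rules = @(Get-NetFirewallRule -PolicyStore $PolicyStore)

# Rules the procedure keeps: inbound rules in the WMI group.
$wmiInbound = @($rules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.DisplayGroup -eq $WmiGroup
})
# Everything else is a leftover from the reference computer's exported policy.
$leftover = @($rules | Where-Object {
    -not ($_.Direction -eq 'Inbound' -and $_.DisplayGroup -eq $WmiGroup)
})
$disabled = @($wmiInbound | Where-Object { $_.Enabled -ne 'True' })

$findings = @()
if ($wmiInbound.Count -ne $ExpectedInbound) {
    $findings += "Expected $ExpectedInbound inbound WMI rules, found $($wmiInbound.Count)"
}
foreach ($r in $disabled) { $findings += "Disabled WMI rule: $($r.DisplayName)" }
foreach ($r in $leftover) {
    $findings += "Leftover $($r.Direction) rule: $($r.DisplayName) [$($r.DisplayGroup)]"
}

$wmiInbound | Format-Table DisplayName, Enabled, Profile, Action -AutoSize
if ($findings.Count -eq 0) {
    Write-Output 'GPO contains only the enabled inbound WMI rules.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A leftover rule matters here because the import brings in every rule from the reference computer, and anything not deleted would be pushed to all devices in the linked OU.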

Enabling the GPO

Now we can re-enable the GPO in the GPO status on the Details tab.

Click OK.

Testing the GPO

The GPO should now begin applying to all devices in the linked OU at the next group policy refresh interval. To accelerate the process on a test or pilot device, you can execute the group policy update command in an Administrator CMD window.

gpupdate /force

Then, on the applicable clients, you can confirm in the Windows Defender Firewall with Advanced Security management console that all the firewall rules within the group “Windows Management Instrumentation (WMI)” are enabled and have a green check icon next to them.

Note: This GPO method will cause a duplication of the WMI firewall rules. However, the domain GPO defined firewall rules will override the locally configured ones.
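
To see the duplication and confirm which copies came from the GPO, the active rule set on a client can be listed with its source. This PowerShell is an added example, not part of the original post; it assumes an English-language system and an elevated PowerShell window on the client.

```powershell
# Added example: run on a client after gpupdate to see where each WMI rule came from.
$WmiGroup = 'Windows Management Instrumentation (WMI)'   # English display name
$Expected = 6                                            # inbound rules in the GPO

# ActiveStore is the merged set of rules currently applied on this computer.
$active = @(Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object {
    $_.DisplayGroup -eq $WmiGroup -and $_.Direction -eq 'Inbound'
})

# PolicyStoreSourceType separates GPO-delivered rules from the local copies.
$active | Sort-Object PolicyStoreSourceType, DisplayName |
    Format-Table DisplayName, Profile, Enabled, PolicyStoreSourceType, PolicyStoreSource -AutoSize

$fromGpo    = @($active  | Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' })
$gpoEnabled = @($fromGpo | Where-Object { $_.Enabled -eq 'True' })
$fromLocal  = @($active  | Where-Object { $_.PolicyStoreSourceType -eq 'Local' })

Write-Output ("GPO-delivered WMI rules: {0} ({1} enabled); local copies: {2}" -f `
    $fromGpo.Count, $gpoEnabled.Count, $fromLocal.Count)

if ($gpoEnabled.Count -lt $Expected) {
    # The GPO has not applied (or applied partially): check scope and filtering.
    Write-Warning "Fewer than $Expected enabled GPO rules. Check 'gpresult /r /scope computer'."
}
```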

Finally, MPA Tools should now be able to retrieve all management data from the client: the client fields will be populated with the relevant data, and the status icon for client accessibility should be green.

This concludes the comprehensive series for enabling the WMI firewall rules for client accessibility in MPA Tools. Remember if you encounter any issues, please reach out to us for support.
