Windows Firewall GPO doesn't add registry key on some servers?

    Question

  • Hi,

    We add Windows Firewall settings with GPO - "Windows Firewall with Advanced Security" to our servers.

    But some servers that have Windows Firewall enabled by GPO don't have the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile EnableFirewall registry key set to 1. All FW rules are there if you look in Control Panel\All Control Panel Items\Windows Firewall, and it says that it is managed by your administrator.

    So does anyone know why the registry key was not set by the GPO?


    /SaiTech

    Tuesday, April 25, 2017 3:14 PM

Answers

  • Hi,
    Before we go further, please run the gpresult /h command to view the group policy report and check whether the GPO is applied successfully on the clients.
    If the GPO is not applying, you could check the following article for common reasons to try troubleshooting:
    10 Common Problems Causing Group Policy To Not Apply
    http://social.technet.microsoft.com/wiki/contents/articles/22457.10-common-problems-causing-group-policy-to-not-apply.aspx
    And you could check whether MS16-072 is installed on clients and domain controllers, which might cause user group policy to stop working. If that is the case, please use the Group Policy Management Console (GPMC.MSC) and add the Authenticated Users group with Read permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with Read permission. Please see: https://support.microsoft.com/en-sg/kb/3163622
    In addition, please make sure that there are no other GPOs or scripts modifying the registry.
    Best regards, 
    Wendy


    Thursday, April 27, 2017 5:39 AM
    Moderator

All replies

  • You can check here,

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]


    Saturday, April 29, 2017 9:39 AM
  • Hi,

    I ran gpresult /H, and it looks a bit strange:

    FW Basic Server Rules AD / SYSVOL Version Mismatch
    FW Basic Server Rules
    Link Location intra.Domain.com/Servers
    Extensions Configured Registry
    Enforced No
    Disabled None
     
    Reason Denied Access Denied (Security Filtering)


    /SaiTech

    Tuesday, May 2, 2017 5:35 PM
  • Hi,

    This key is set, I would like to see if it is set by a GPO

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    EnableFirewall = 1


    /SaiTech

    Tuesday, May 2, 2017 5:38 PM
  • Hi Folks,

    I found what was wrong, and it is a bit embarrassing. The GPO was tattooed, so I thought the GPO was hitting. But the thing was that the servers were not in the Security Filtering any more. I added them again and voilà, then it worked again.

    Thanks all for supporting me, sometimes you don't see the forest for all the trees :)


    /SaiTech

    Wednesday, May 3, 2017 7:07 AM
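
The denied-GPO entry from the gpresult report in this thread (Access Denied by security filtering, plus an AD / SYSVOL version mismatch) can also be read from the XML form of the report, which is easier to check across many servers. This is an added example, not part of the thread: the function name is hypothetical, the element names are assumed from the gpresult /x report layout, and the sample report with its version numbers is constructed.

```powershell
# Added example: classify computer-scope GPOs from a gpresult /x report.
# Assumed element names in the report: Name, VersionDirectory, VersionSysvol,
# Enabled, FilterAllowed, AccessDenied (direct children of each GPO element).
function Get-GpoApplyStatus {
    param([Parameter(Mandatory)][xml]$Report)
    # local-name() avoids having to register the report's XML namespaces.
    $query = "//*[local-name()='ComputerResults']/*[local-name()='GPO']"
    foreach ($gpo in $Report.SelectNodes($query)) {
        $f = @{}
        foreach ($n in 'Name', 'VersionDirectory', 'VersionSysvol',
                       'Enabled', 'FilterAllowed', 'AccessDenied') {
            $node = $gpo.SelectSingleNode("*[local-name()='$n']")
            $f[$n] = if ($null -ne $node) { $node.InnerText } else { $null }
        }
        $status = if ($f.AccessDenied -eq 'true') {
            'Denied: Access Denied (Security Filtering)'
        } elseif ($f.FilterAllowed -eq 'false') {
            'Denied: WMI filter'
        } elseif ($f.Enabled -eq 'false') {
            'Denied: GPO disabled'
        } else { 'Applied' }
        [pscustomobject]@{
            GPO             = $f.Name
            Status          = $status
            VersionMismatch = ($f.VersionDirectory -ne $f.VersionSysvol)
        }
    }
}

# Constructed sample report: one applied GPO, one denied by security filtering.
[xml]$sample = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO><Name>Default Domain Policy</Name>
      <VersionDirectory>3</VersionDirectory><VersionSysvol>3</VersionSysvol>
      <Enabled>true</Enabled><FilterAllowed>true</FilterAllowed>
      <AccessDenied>false</AccessDenied></GPO>
    <GPO><Name>FW Basic Server Rules</Name>
      <VersionDirectory>7</VersionDirectory><VersionSysvol>6</VersionSysvol>
      <Enabled>true</Enabled><FilterAllowed>true</FilterAllowed>
      <AccessDenied>true</AccessDenied></GPO>
  </ComputerResults>
</Rsop>
'@
Get-GpoApplyStatus -Report $sample | Format-Table -AutoSize

# On a live server, from an elevated prompt:
#   gpresult /scope computer /x "$env:TEMP\rsop.xml" /f
#   Get-GpoApplyStatus -Report ([xml](Get-Content "$env:TEMP\rsop.xml" -Raw))
```

A GPO that shows as denied here while its firewall settings are still visible on the server matches the situation described in the last post: the settings remain from an earlier application, but the computer is no longer in the GPO's security filtering.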