MDT 2012: how to disable firewall in unattend.xml

  • Question

  • Hi,

    Please advise how to disable firewall in unattend.xml.

    This is my config (added via WAIK) but it does not work:

    <component name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <FirewallGroups>
            <FirewallGroup wcm:action="add" wcm:keyValue="1">
                <Active>false</Active>
                <Profile>all</Profile>
            </FirewallGroup>
        </FirewallGroups>
    </component>

    J.


    Jan Hoedt

    Monday, September 30, 2013 2:50 PM

Answers

  • I think if you took some time out to learn about the Windows Firewall with Advanced Security, you'd understand our concerns.

    When you say "Disable the firewall" we hear "Open all the ports and make my machines vulnerable".

    The Windows Firewall with Advanced Security uses network location awareness to determine which rules to apply. So when it's in a corporate domain, where you have routers, NAT and hardware-based firewalls, all the ports you need for Domain use are open. When the same machine is moved to a Public area, like a coffee shop, most of the ports are closed (except 80, 443 etc).

    I'm no security expert, but I know this has been configured by people smarter than me.

    As a deployment expert, I can tell you that you don't need to touch the firewall on Windows 7/8. It's optimised for you out of the box. If you need to allow an application, then you can usually enable one of the many built-in rules.

    Have a read here: Introduction to Windows Firewall with Advanced Security

    I really hope this helps.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    • Marked as answer by janhoedt Thursday, October 3, 2013 10:00 AM
    Thursday, October 3, 2013 5:54 AM

All replies

  • The *entire* firewall? Wouldn't you just want to open a single port?

    Keith Garner - keithga.wordpress.com

    Wednesday, October 2, 2013 2:47 AM
    Moderator
  • No, the whole firewall.

    Jan Hoedt

    Wednesday, October 2, 2013 5:12 AM
  • If you must, you can run as a command line...

    netsh advfirewall set allprofiles state off

    Good luck

    • Proposed as answer by Brian Gonzalez Wednesday, October 2, 2013 3:03 PM
    Wednesday, October 2, 2013 1:52 PM
  • Thanks but did not work.

    Jan Hoedt

    Wednesday, October 2, 2013 3:44 PM
  • Again, it's not really good practice to disable the firewall.

    Try the above command elevated.


    Blog: http://scriptimus.wordpress.com

    Wednesday, October 2, 2013 8:18 PM
  • Not really good practice? Why on earth would you enable a firewall on non-laptop PCs in a corporate network with several firewall zones and VLANs?

    Jan Hoedt

    Wednesday, October 2, 2013 8:29 PM
  • Thanks, but please see my post, I'm talking about non-laptop PCs.

    Jan Hoedt

    Thursday, October 3, 2013 7:00 AM
  • Thanks, but please see my post, I'm talking about non-laptop PCs.

    Jan Hoedt

    It looks like you never got an answer to your actual question. You'd disable them by setting the profile_enablefirewall elements to false under Networking-MPSSVC-Svc. Looks kind of like this:

            <component name="Networking-MPSSVC-Svc" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <DomainProfile_EnableFirewall>false</DomainProfile_EnableFirewall>
                <PrivateProfile_EnableFirewall>false</PrivateProfile_EnableFirewall>
                <PublicProfile_EnableFirewall>false</PublicProfile_EnableFirewall>
            </component>

    Though you would probably be better served by enabling specific rules as necessary.

    • Proposed as answer by averymcfall Tuesday, November 17, 2015 3:41 PM
    Tuesday, November 18, 2014 12:46 AM
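
Added example, not part of the thread or of MDT: a Python check that a build pipeline could run over answer files to flag the Networking-MPSSVC-Svc settings discussed above before an image ships with a firewall profile switched off. The sample file and the function names are constructed for illustration; the check also flags a FirewallGroup that has no Group child, as in the question's fragment.

```python
import xml.etree.ElementTree as ET

PROFILE_KEYS = ("DomainProfile_EnableFirewall",
                "PrivateProfile_EnableFirewall",
                "PublicProfile_EnableFirewall")

# Constructed sample answer file (not from the thread).
SAMPLE = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize">
    <component name="Networking-MPSSVC-Svc" processorArchitecture="amd64">
      <DomainProfile_EnableFirewall>false</DomainProfile_EnableFirewall>
      <PrivateProfile_EnableFirewall>false</PrivateProfile_EnableFirewall>
      <PublicProfile_EnableFirewall>true</PublicProfile_EnableFirewall>
      <FirewallGroups>
        <FirewallGroup wcm:action="add" wcm:keyValue="1">
          <Active>false</Active>
          <Profile>all</Profile>
        </FirewallGroup>
      </FirewallGroups>
    </component>
  </settings>
</unattend>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_unattend(xml_text):
    """Return (pass, architecture, finding) tuples for firewall settings."""
    findings = []
    root = ET.fromstring(xml_text)
    for settings in (e for e in root.iter() if local(e.tag) == "settings"):
        for comp in (e for e in settings.iter() if local(e.tag) == "component"):
            if comp.get("name") != "Networking-MPSSVC-Svc":
                continue
            where = (settings.get("pass"), comp.get("processorArchitecture"))
            for el in comp.iter():
                name, value = local(el.tag), (el.text or "").strip().lower()
                if name in PROFILE_KEYS and value == "false":
                    findings.append(where + (f"{name} disabled",))
                # A FirewallGroup toggles a named rule group; flag one that
                # names none, as in the question's fragment.
                elif name == "FirewallGroup" and not any(
                        local(c.tag) == "Group" for c in el):
                    findings.append(where + ("FirewallGroup without Group",))
    return findings
```

Calling audit_unattend(SAMPLE) returns one tuple per finding; an empty list means no profile is disabled in the file.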