Unable to turn on/change Windows Defender Firewall settings after imaging computers

  • Question

  • Hi,

    I am a new SCCM user, and I got my image from my friend. After imaging desktops or laptops that are joined to the domain, the Windows Defender Firewall settings are off on all the computers. Please see the pictures below. I am unable to turn on or change the Windows Defender Firewall settings even though I have admin rights.

    How can I edit or add a script to enable the Windows Defender Firewall settings in SCCM with a task sequence? I have tried a brand new laptop (not imaged) joined to the domain. Windows Defender Firewall is on after I log into the domain network. So I think the Group Policies don't turn off the Windows Defender Firewall settings. The image/task sequence may have the Windows Defender Firewall settings in the OFF position. Please help me fix it. Thanks.

    Andy  

    Win Firewall 1

    Win firewall -2

    Thursday, July 23, 2020 5:57 AM

Answers

  • Hi,

    Thanks for posting in TechNet.

    1. Could you check whether the group policy has disabled the windows firewall or not?
    We could see the path and an image below:
    Open the group policy management editor->policy->Administrative Templates->Network->Network Connections->Windows Firewall->Domain Profiles.

    Here is a helpful guide to turn on the windows firewall by GPO:
    https://sys-advisor.com/en/2017/07/11/gpo-tutorial-how-it-disable-firewal-windowsl-by-gpo/

    2. To turn on the Windows firewall, it's recommended to add a Run Command Line TS step that runs the command below (with admin permission) to turn on the firewall completely; then please give it a try.

    netsh advfirewall set allprofiles state on

    Please refer to this article:
    https://www.windows-commandline.com/enable-disable-firewall-command-line/

    I hope this could help you. Thanks for your time.

    Best regards,
    Fiona Yan


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, July 24, 2020 3:47 AM
  • > I will try adding a run command line in TS.

    Once again, this is completely useless if a GPO overrides them.

    > If the TS joined the domain and turns on the windows firewalls, then will the GPO change the windows firewall settings again after users logon?

    Yes.

    > Does the laptop finally configure by the Task Sequence or GPO?

    GPOs always override local configuration -- they'd be worthless if they didn't. I strongly suggest you learn some of the fundamentals of Windows management. You're basically asking questions about algebra without knowing how to multiply or add even.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Sunday, July 26, 2020 12:57 AM
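
Added example (not code from the thread or from any poster): a PowerShell check that shows, per firewall profile, whether the effective state comes from Group Policy or from the local store, and that applies the local equivalent of the netsh step only where no GPO manages the profile. The function name Get-FirewallStateSource and the output column names are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Reads the three policy stores exposed by the NetSecurity module:
#   RSOP            = settings resulting from Group Policy
#   PersistentStore = local configuration (what netsh / a TS step changes)
#   ActiveStore     = what is actually being enforced right now

function Get-FirewallStateSource {
    foreach ($name in 'Domain', 'Private', 'Public') {
        $gpo    = Get-NetFirewallProfile -Name $name -PolicyStore RSOP -ErrorAction SilentlyContinue
        $local  = Get-NetFirewallProfile -Name $name -PolicyStore PersistentStore
        $active = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore

        # Enabled is True, False or NotConfigured; compare as strings.
        $gpoState = if ($gpo) { "$($gpo.Enabled)" } else { 'NotConfigured' }

        [pscustomobject]@{
            Profile      = $name
            Effective    = "$($active.Enabled)"
            LocalSetting = "$($local.Enabled)"
            GpoSetting   = $gpoState
            ManagedByGpo = ($gpoState -ne 'NotConfigured')
        }
    }
}

$report = Get-FirewallStateSource
$report | Format-Table -AutoSize

foreach ($row in $report) {
    if ($row.ManagedByGpo) {
        if ($row.GpoSetting -eq 'False') {
            # A local change would be overridden at the next policy refresh.
            Write-Warning "$($row.Profile): turned off by Group Policy; fix the GPO in the domain."
        }
    }
    elseif ($row.Effective -ne 'True') {
        # No GPO manages this profile, so the local setting is what counts.
        Set-NetFirewallProfile -Name $row.Profile -Enabled True
        Write-Output "$($row.Profile): enabled in the local store."
    }
}
```

If a profile is reported as managed by Group Policy, `gpresult /scope computer /h report.html` lists the GPOs applied to the computer so the one carrying the firewall setting can be found.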

All replies

  • > I got my image from my friend

    What does this mean?

    Are these systems domain joined? If so, have you validated that there are no group policies configuring this?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, July 23, 2020 1:34 PM
  • Hi, All the systems have been domain joined by the image. Where can I find the group policies configuring in SCCM for the task sequence? How to change the group policies? Thank you. Andy
    Thursday, July 23, 2020 2:51 PM
  • ConfigMgr doesn't configure group policies; group policies come from the domain. See https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, July 23, 2020 3:29 PM
  • Thank you for your reply. Could you please help me how to turn on Windows Defender Firewall in task sequence? Thanks. Andy
    Thursday, July 23, 2020 3:42 PM
  • A quick search of the web will get you what you need: https://www.bing.com/search?FORM=U523DF&PC=U523&q=netsh+enabled+firewall&FORM=ANNTA9

    It won't matter if it's overridden by a group policy though.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, July 23, 2020 3:53 PM
  • Thank you for your time and helpful information. I will try adding a run command line in TS.

    So how do the Windows Defender Firewall settings actually work? Is the laptop finally configured by the Task Sequence or by GPO?

    If the TS joined the domain and turns on the windows firewalls, then will the GPO change the windows firewall settings again after users logon?

    Thanks,

    Andy 

    Saturday, July 25, 2020 8:57 PM
  • Thanks for your reply. I have one more question:

    How come some companies still disable firewalls on all their computers? Is it common practice? Do they have other ways (firewalls) to protect their PCs and servers? Thanks.

    Andy

    Sunday, July 26, 2020 4:05 AM
  • > How come still some companies disabled firewalls for all their computers? Is it common practice?

    Yes, unfortunately it is common practice, but it is also a terrible practice. Ignorance and lack of will to identify the exceptions needed in the environment are the top reasons IMO.

    > Do they have other ways (firewalls) to protect their PCs and servers? Thanks.

    They think they do, but they're mistaken.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, July 27, 2020 2:44 AM