Windows Server 2016 RDSH - Firewall rules created at every login.

  • Question

  • Hi,

    I have a setup with the following servers running Windows Server 2016

    1x RDGW, RDCB, RDWA, RDLicensing.

    5x RDSH

    I'm using UPD on the collection.

    I have noticed very long login times; after policies etc. are shown on screen it sits at a black screen for between 20 sec and sometimes up to 5 min.

    I have also noticed that the svchost.exe that controls the Windows Firewall is using 25% to 50% CPU when a user logs in and around 1200 MB of memory.

    After I found this I checked the Windows Firewall with Advanced Security and found thousands of Cortana, Work or school account, Your account, Contact Support rules. 

    I found a script in this thread that could delete the rules https://social.technet.microsoft.com/Forums/windows/en-US/9aad7675-d1ba-4900-9d85-0cd117f5514f/new-firewall-rules-created-for-each-user?forum=win10itprosetup

    This made the CPU usage and memory usage go down to normal levels, but after every login a user does it builds up the list of rules again. With many users logging in to the system the rules build up very fast, the login times get high and every server gets slow.

    For example, on our RDSH01 server that has been running in production since 2017-04-13 the script found and deleted 66153 rules with "$Rules = Get-NetFirewallRule -All | Where-Object {$profiles.sid -notcontains $_.owner -and $_.owner }"

    The script also tried to get rules with this command "$rules2 = Get-NetFirewallRule -All -PolicyStore ConfigurableServiceStore | Where-Object { $profiles.sid -notcontains $_.owner -and $_.owner }" but fails with a "not enough space" error

    The script removes the rules from here with the content of $rules "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules"

    and $rules2 was meant to clean up at "HKLM:\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System"

    but doesn't do anything because of the error on the Get-command. If I try to access it with regedit it stops responding; I'm guessing there are too many items in that container for it to handle.

    Anyone know a solution for this problem? 

    Regards Fredrik

    • Moved by Amy Wang_Moderator Tuesday, June 27, 2017 1:45 AM from Windows Server 2016 General forum
    Monday, June 26, 2017 9:03 AM

All replies

  • Hi Fredrik,

    If possible, please try to disable Store Apps for which firewall rules are created to see whether the issue persists.

    Configure access to Microsoft Store

    https://docs.microsoft.com/en-us/windows/configuration/stop-employees-from-using-the-windows-store

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 27, 2017 6:39 AM
    Moderator
  • Microsoft Store is not available on Windows Server 2016 so there are no Store Apps to disable. 

    Cortana, Work or school account, Your account, Contact Support are built in "apps" shipped with the OS.

    Tuesday, June 27, 2017 8:30 AM
  • Hi Fredrik,

    What's the total memory on the RD SH?

    How many remote desktop users are logged on when the issue occurs?

    Please check whether there are any related error messages logged within Event Viewer.

    If Windows Firewall is disabled temporarily, would slow logon issue occur?

    Best Regards,

    Amy



    Wednesday, June 28, 2017 7:52 AM
    Moderator
  • Hi

    Each RDSH server (total of 5 servers) has 4 CPUs, 16 GB memory.

    There are 50 users total logging in, so around 10 on each server. The issue still exists if there are only 1-3 users logged in.

    The Event Viewer logs an error on AppModel-Runtime, event ID 69:

    Error 0x490 occurred when the AppModel Runtime status got modified for package Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy for user CORP\val-kassa23 (status = 0x0, preferred status = 0x20).

    Same error for AAD.BrokerPlugin, Windows.Cortana, ShellExperienceHost and a couple more built-in "apps".

    The error message is translated from Swedish so there might be some translation errors made by me.

    Disabling the Windows Firewall does not solve the slow logins and the service MpsSvc still uses a lot of CPU every time a user logs in.

    Regards

    Fredrik

    Wednesday, June 28, 2017 10:07 AM
  • Hi Fredrik,

    In my tests, 11 firewall rules are added when a new user logs in, and if there are subsequent login attempts from the user, firewall rules are not re-created as they already exist, which would not result in massive system resource usage.

    In addition, if users are accessing RemoteApp session instead of full desktop session, only single firewall outbound rule would be created (Windows Shell Experience), you may use it as a workaround if accessing RemoteApp is enough for users.

    Best Regards,

    Amy



    Monday, July 3, 2017 8:57 AM
    Moderator
  • Hi,

    Did you do the test with User Profile Disk enabled? 

    I installed a new server and added it to the collection and did some logins with the same account and it added new rules for every login.

    (Screenshots: Login 1, Login 2)

    54 rules total added in the default PolicyStore and PolicyStore ConfigurableServiceStore for 1 login. In other words it doesn't seem to understand that it's the same user logging in. I haven't tested this without UPD but my guess is that UPDs have something to do with the problem.

    Using RemoteApp isn't possible for this customer either.

    Regards Fredrik

    • Proposed as answer by whykillme Thursday, March 7, 2019 8:52 AM
    • Unproposed as answer by whykillme Thursday, March 7, 2019 8:52 AM
    Monday, July 3, 2017 4:22 PM
  • Hi Fredrik,

    I have tested with UPD enabled, and I can confirm that in my case each time a user logs on, 11 firewall rules are added, which already exist and are unnecessary as they are duplicates.

    I suggest you open a case with MS to see whether they can get this issue fixed, and if the issue has been proven to be a system flaw, the consulting fee would be refunded.

    Best Regards,

    Amy



    Tuesday, July 4, 2017 2:53 AM
    Moderator
  • Hi Amy,

    Thanks for taking the time to test it. It's always nice to know that it's not only my system that's not working as intended. I will open a case on the issue.

    Regards Fredrik

    Tuesday, July 4, 2017 6:24 AM
  • Hello everyone,

    I've got the same issue on a PROD and TEST RDS environment, both with UPDs on a Server 2016 platform.

    Everything under the C:\Windows\SystemApps will create a rule for every user who logs in to the Session Host, either via RDS Gateway or directly with MSTSC.

    Uninstalling with 'Get-AppxPackage *NaughtyPackageName* | Remove-AppxPackage' fails with an error pertaining to that app being part of the OS. This happens with ALL the packages I tried to remove.

    You can simply move the app folders from that directory which prevents them from running & creating the firewall rules but that also prevents a large chunk of additional functionality that some people might like. On top of that the folders with their apps will apparently re-appear at the next CU. A more granular control would be preferable, I'm toying with the idea of changing the security settings of that registry key mentioned above so the apps can't be written.

    All in all that would just be a work-around for this MS issue, does anyone know if MS are working on an actual fix for this?

    Thanks,

    Stan


    • Edited by Stan Keetley Wednesday, February 21, 2018 3:42 PM
    Wednesday, February 21, 2018 3:35 PM
  • I spoke to MS support and there is a proposed fix for this little-known bug due out in Redstone 5 (that's the arse end of 2018!)

    I implemented a scheduled task in Group Policy to delete the contents of the registry key at every login, and there are a couple of 'gotchas' that I list in the instructions below.

     

    I created a Scheduled Task in the Group Policy under Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks

    GOTCHA #1: I could NOT get this working by simply typing the account name NT AUTHORITY\System!

    NOTE: To get this working I did the following when creating a Scheduled Task:

    1. Under "When running the task, use the following user account:", click "Change User or Group..."
    2. Click "Locations"
    3. Expand the [domain FQDN] and select the "Builtin" container, then click OK
    4. In the box labelled "Enter the object name to select:" type "system", then click OK
    5. You should see "NT AUTHORITY\System" in the box

    I credit this info (with thanks!) to 'Alex_ZZ' (I can't add the web link here because I'm not yet verified).

    The argument string is below (all on one line; it's been truncated in my view):

    delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System /va /f

    GOTCHA #2: I could NOT browse to the executable and add it via the GUI; I had to TYPE the path in MANUALLY! Whenever I 'browsed' to an executable it killed off the MMC session.

    Set the triggers & conditions as you like and you're done!

    I made notes where possible that this is only a temporary fix and an MS Hotfix will be out later.

    It is VERY annoying that these AppX apps create firewall rules at all especially considering these are corporate 'Server 2016' systems.

    I couldn't add the pictures or reference links in here as, once again, I am not verified just yet.

    I hope this helps someone, it sounds like this is a creeping issue that until recently has been mis-identified as system slowdown and only revealed as the main cause of the problem after an exhaustive amount of troubleshooting.

    Stan 

    • Proposed as answer by Stan Keetley Tuesday, March 13, 2018 11:27 AM
    Tuesday, March 13, 2018 10:32 AM
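    Stan's logon-triggered cleanup task, re-created with the ScheduledTasks cmdlets as an added example (this is not from the post): it registers the same reg.exe argument string under the SYSTEM principal, which sidesteps both gotchas. The task name, description and instance settings are my own choices.

```powershell
# Added example, not from the thread: the GPP scheduled task above, built with the
# ScheduledTasks module so it can be scripted, reviewed and pushed by configuration management.
$regKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System'

# Gotcha #2: the executable path is typed, not browsed. The argument string is the one from the post;
# /va deletes every value under the key (the accumulated rules) without deleting the key itself.
$action = New-ScheduledTaskAction -Execute "$env:SystemRoot\System32\reg.exe" `
    -Argument "delete `"$regKey`" /va /f"

# Fire at every interactive logon, whichever user it is.
$trigger = New-ScheduledTaskTrigger -AtLogOn

# Gotcha #1: the principal must resolve to the built-in SYSTEM account. ServiceAccount is the
# logon type for SYSTEM/LOCAL SERVICE/NETWORK SERVICE, so no credential is stored with the task.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Many users log on at once on a session host: don't start a second copy while one is still
# deleting, and cap the run time so a huge key cannot leave the task hanging forever.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# Task name and description are assumptions made for this example.
Register-ScheduledTask -TaskName 'Clear-AppContainerFirewallRules' `
    -Description 'Temporary workaround: clears per-user AppContainer firewall rules at logon.' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force
```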
  • Hi, same problem here. More than 250,000 duplicated firewall rules resulting in a logon time of 5 - 10 minutes. Shutdown takes 10+ minutes. And a lazy RDS server caused by the firewall service, which is using 1.5 GB of memory and a whole processor's capacity to do its job. We're working with 30 users per server (64 GB) and UPD.

    We have also seen this issue on systems of our cloudprovider.

    Any updates on this issue?

    Any fix available?

    I will work around the issue by creating a scheduled task to wipe all automatically created rules by the unused AppX applications.

    Thank you guys for posting this useful topic.

    I have opened a support call for this. Will try to prove the performance degradation to reach a higher priority. Hopefully Microsoft will provide us a fix for this issue.

    Monday, April 9, 2018 4:57 PM
  • To save time for everyone who's experiencing the same issue and is searching for a script to clean up duplicate firewall rules: here is my script to work around the issue. First you have to manually clean up the Inbound and Outbound firewall rules. After that you can periodically launch this PowerShell script to keep your Windows Firewall clean.

    It counts the # of rules and the # of unique rules. If they differ, the delta rules are removed. The script only works with a few thousand rules. With more rules it will take too much time or will run out of storage.

    Cleanup Inbound Rules:

    # Rules with an Owner are the per-user AppContainer rules. A rule is a duplicate when its
    # DisplayName and Owner match a rule already seen; the -Unique sort keeps one per pair.
    $FWInboundRules       = Get-NetFirewallRule -Direction Inbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner
    $FWInboundRulesUnique = Get-NetFirewallRule -Direction Inbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique

    Write-Host "# inbound rules         : " $FWInboundRules.Count
    Write-Host "# inbound rules (Unique): " $FWInboundRulesUnique.Count

    if ($FWInboundRules.Count -ne $FWInboundRulesUnique.Count) {
        # Compare-Object yields the rule objects present in the full list but not in the unique list
        Write-Host "# rules to remove       : " (Compare-Object -ReferenceObject $FWInboundRules -DifferenceObject $FWInboundRulesUnique).Count
        Compare-Object -ReferenceObject $FWInboundRules -DifferenceObject $FWInboundRulesUnique | select -ExpandProperty InputObject | Remove-NetFirewallRule
    }

    Cleanup Outbound Rules:

    $FWOutboundRules       = Get-NetFirewallRule -Direction Outbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner
    $FWOutboundRulesUnique = Get-NetFirewallRule -Direction Outbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique

    Write-Host "# outbound rules         : " $FWOutboundRules.Count
    Write-Host "# outbound rules (Unique): " $FWOutboundRulesUnique.Count

    if ($FWOutboundRules.Count -ne $FWOutboundRulesUnique.Count) {
        Write-Host "# rules to remove        : " (Compare-Object -ReferenceObject $FWOutboundRules -DifferenceObject $FWOutboundRulesUnique).Count
        Compare-Object -ReferenceObject $FWOutboundRules -DifferenceObject $FWOutboundRulesUnique | select -ExpandProperty InputObject | Remove-NetFirewallRule
    }

    Cleanup Configurable Service Rules:

    $FWConfigurableRules       = Get-NetFirewallRule -PolicyStore ConfigurableServiceStore | Where {$_.Owner -ne $Null} | sort Displayname, Owner
    $FWConfigurableRulesUnique = Get-NetFirewallRule -PolicyStore ConfigurableServiceStore | Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique

    Write-Host "# service configurable rules         : " $FWConfigurableRules.Count
    Write-Host "# service configurable rules (Unique): " $FWConfigurableRulesUnique.Count

    # compare the configurable count with its own unique count (not the outbound one)
    if ($FWConfigurableRules.Count -ne $FWConfigurableRulesUnique.Count) {
        Write-Host "# rules to remove                    : " (Compare-Object -ReferenceObject $FWConfigurableRules -DifferenceObject $FWConfigurableRulesUnique).Count
        Compare-Object -ReferenceObject $FWConfigurableRules -DifferenceObject $FWConfigurableRulesUnique | select -ExpandProperty InputObject | Remove-NetFirewallRule
    }

    • Edited by Paul Boerefijn CCS Saturday, April 14, 2018 5:33 PM
    • Proposed as answer by DNG-INC Wednesday, July 11, 2018 5:35 PM
    Thursday, April 12, 2018 3:36 PM
  • We had the same problem, deleting the registry keys fixed our problems.

    Wednesday, May 9, 2018 7:43 AM
  • Over 80k rules to remove: 

    

    Monday, June 18, 2018 1:39 PM
  • Hi all,

    First, thx a lot for this topic because I was really lost with that 2016 RDS server using UPD profiles which started to slowly but surely become unstable.

    I did not have a black screen but strange behavior of user sessions. One day a user couldn't add an attachment in a mail, the system saying that there is not enough space left on the disk... Another day some users couldn't print anything... another day it was the logon to their professional software that had problems... Strange behaviors...

    I found this topic because of the traces of hundreds of entries in Event Viewer related to the firewall...

    So I gave a shot to the cleaning script of the Windows registry, and the cleaning ps1 scripts for the duplicated firewall rules. They did their job, for sure, because thousands of rules were deleted, and yes, it took hours for those scripts to complete.

    So now, after the week-end, just to check what happened, I looked at registry, it refills again, I ran ps1 scripts : more than one hundred duplicated rules deleted.

    I only got 12 users on that server, they are not supposed to work a lot the week-end but, the result is here...

    I'm wondering : anyone had some news from Microsoft about this serious problem??

    Thx

    Monday, August 6, 2018 9:57 AM
  • I have the same issue with several 2016 farms on Citrix with User Profile Management. Apparently it's just another Microsoft issue according to this topic...

    Someone has an idea when it will be fixed ?

    Monday, October 15, 2018 3:53 PM
  • Yeah, any update on a fix for this?
    Thursday, October 18, 2018 12:09 PM
  • The expected fix for the Firewall Rules exploit is the third week of this month. Have taken a support call with Microsoft too, then found this thread.

    If you have a case where the below symptoms are visible in RDS session hosts using UPDs (or a large number of unique standard user profile logons occur), please use the below steps to resolve one or some of the symptoms:

    • Server hang
    • Slow performance
    • Slow logons
    • Black screen when logging in
    • Inability to launch the Start menu or Cortana

    Resolution:

    Workaround 1: Manually delete/clear the firewall rules in the registry

    Manually delete the registry firewall rules from HKLM\System\CCS\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System

    If there are too many entries:

    reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" /va /f

    Thursday, November 8, 2018 2:44 PM
  • Has anyone had word of this fix yet? We're past the 3rd week in November now.

    Sunday, November 25, 2018 10:27 PM
  • Thank you Fredrik, Paul, Holger, and all on this thread,

    Your help and affirming information is much appreciated.

    This is very disappointing.

    Microsoft, please address this, I can only imagine how much time collectively has been spent looking at this issue.


    Sean

    Friday, November 30, 2018 11:58 PM
  • Microsoft We need a fix, this has been going on since Server 2016 was released.

    I have to run a script to clean up the firewall rules on our RDS servers at least once a week or they start to slow down and cause issues for our employees.

    Wednesday, December 5, 2018 4:44 PM
  • Agreed, this is becoming a huge problem for us. We also run a script periodically to clean this mess up. Had well over 150,000 combined (outbound, inbound, service) rules on one server when we first started running it. When you've got 80 users logging into an RDS with UPDs multiple times per day, it adds up quickly.

    Microsoft -- get this fixed!!
    • Edited by RainTech Friday, December 7, 2018 6:22 PM
    Friday, December 7, 2018 6:21 PM
  • Has the fix been released for the RDSH firewall rules?

    thx !

    Wednesday, January 9, 2019 8:17 PM
  • November 27, 2018—KB4467684

    • Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable the changes, add a new registry key “DeleteUserAppContainersOnLogoff” (DWORD) on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” using Regedit, and set it to 1. 

    I'm testing this now to see if this is the fix for this issue. Honestly though if it is, I don't understand why we have to "activate" the fix by setting a registry value. It should just be fixed by simply applying the patch and nothing more. A critical issue/bug should not be present after patching, IMO.

    • Proposed as answer by Jeuwnah Thursday, January 17, 2019 1:08 PM
    Wednesday, January 16, 2019 10:15 PM
  • November 27, 2018—KB4467684

    • Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable the changes, add a new registry key “DeleteUserAppContainersOnLogoff” (DWORD) on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” using Regedit, and set it to 1. 

    I'm testing this now to see if this is the fix for this issue. Honestly though if it is, I don't understand why we have to "activate" the fix by setting a registry value. It should just be fixed by simply applying the patch and nothing more. A critical issue/bug should not be present after patching, IMO.

    this worked for me!
    Thursday, January 17, 2019 1:08 PM
  • November 27, 2018—KB4467684

    • Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable the changes, add a new registry key “DeleteUserAppContainersOnLogoff” (DWORD) on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” using Regedit, and set it to 1. 

    I'm testing this now to see if this is the fix for this issue. Honestly though if it is, I don't understand why we have to "activate" the fix by setting a registry value. It should just be fixed by simply applying the patch and nothing more. A critical issue/bug should not be present after patching, IMO.

    Looks like server 2019 has the same problem, but this patch is only for server 2016.

    Can anybody confirm this, and when can we expect it to get patched?

    Friday, January 25, 2019 11:04 AM
  • Hey,

    I need to refresh this post. I had the same issue at this time.
    But I am not sure if I understood.

    Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

    Left-click FirewallPolicy

    In the right window:
    New, then DWORD (32-bit)
    and add the key, right?

    That does not help me :(

    Please let me not die stupid :)

    Regards

    Thabs


    Thursday, January 31, 2019 10:27 AM
  • Is this working for anyone?

    I am still seeing firewall rules being created at each user logon.

    Fully patched Windows 2016 with XenApp 7.15


    Viklund

    Monday, February 4, 2019 11:05 AM
  • I have Server 2016 with the latest patches and using UPD. I started seeing this issue recently when a customer of mine added many new users to their RDS. They have around 80 concurrent users now. The patch has been installed since November, but I enabled the registry key and rebooted as suggested (see below) but I see NO difference. I still have firewall rules created at every login and performance is poor. Can anyone else comment on what the behavior was after enabling this registry key? I should also mention I use the PowerShell scripts to clean these up every day.

    Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable the changes, add a new registry key “DeleteUserAppContainersOnLogoff” (DWORD) on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” using Regedit, and set it to 1. 


    • Edited by clarkry Wednesday, February 13, 2019 4:43 PM forgot to add some info
    Wednesday, February 13, 2019 4:33 PM
  • IMHO, in case of  Configurable Service Rules you should use

    $FWConfigurableRules       = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner, Direction 
    $FWConfigurableRulesUnique = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner, Direction -Unique 

    instead of 

    $FWConfigurableRules       = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner 
    $FWConfigurableRulesUnique = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique 

    my blog: http://shserg.ru/



    • Edited by s.h.s. _ Thursday, February 14, 2019 2:01 PM
    Thursday, February 14, 2019 2:00 PM
  • IMHO, in case of  Configurable Service Rules you should use

    $FWConfigurableRules       = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner, Direction 
    $FWConfigurableRulesUnique = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner, Direction -Unique 

    instead of 

    $FWConfigurableRules       = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner 
    $FWConfigurableRulesUnique = Get-NetFirewallRule -policystore configurableservicestore |Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique 

    my blog: http://shserg.ru/



    Hello s.h.s,
    What is the difference?
    Friday, March 8, 2019 12:39 PM
  • It is probably better, because there can be rules under ConfigurableServiceStore for a username with different direction: Inbound/Outbound. This way the uniqueness is ensured. However, if you run the deletion of the Key, there's no need to run the script to delete the ConfigurableRules.

    Do this:

    1. reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" /va /f

    2. Be sure to add the registry key (this will prevent duplicated rules in the future and removes existing user rules on logoff): "DeleteUserAppContainersOnLogoff" (DWORD) on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" using Regedit, and set it to 1.

    3. Run the 2 scripts provided by Paul Boerefijn CCS (RemoveInbound, RemoveOutbound) to remove duplicated rules; this will clean up the firewall.

    Now rules are still created for every user login on the servers (3 inbound, 8 outbound), but they are removed on user logoff.

    Cheers!

    • Edited by meloncillo Friday, March 22, 2019 11:01 AM
    • Proposed as answer by meloncillo Friday, March 22, 2019 11:01 AM
    Friday, March 22, 2019 10:33 AM
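    The three steps above (registry clear, the KB4467684 DWORD, duplicate removal) as one PowerShell script that also reports the result per session host. This is an added example, not code from the thread; the function names are mine, while the registry paths, the DeleteUserAppContainersOnLogoff value and KB4467684 are the ones quoted in the posts. Grouping includes Direction, following s.h.s.'s correction, so the same dedupe logic is safe for the configurable service store too.

```powershell
# Added example, not code from the thread: meloncillo's three steps as functions whose return
# values can be checked. Function names are assumptions; paths and the DWORD name are from the thread.
$FwPolicy  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$ConfigKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System'

function Get-AppContainerRuleSummary {
    # Owner is populated only on the per-user AppContainer rules. Two rules are duplicates when
    # DisplayName, Owner and Direction all match; a wide Total/Unique gap is the symptom in this thread.
    $owned  = @(Get-NetFirewallRule | Where-Object { $_.Owner })
    $unique = @($owned | Sort-Object DisplayName, Owner, Direction -Unique)
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Total      = $owned.Count
        Unique     = $unique.Count
        Duplicates = $owned.Count - $unique.Count
    }
}

function Clear-ConfigurableServiceRules {
    # Step 1: the same reg delete as in the thread. Clearing the values takes seconds, whereas
    # Get-NetFirewallRule -PolicyStore ConfigurableServiceStore fails ("not enough space") or runs
    # for hours once the key holds tens of thousands of entries.
    & "$env:SystemRoot\System32\reg.exe" delete $ConfigKey /va /f | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Enable-DeleteUserAppContainersOnLogoff {
    # Step 2: the KB4467684 change stays dormant until this REG_DWORD value exists. The KB text says
    # "key", but it is a value under the existing FirewallPolicy key, not a new subkey.
    if (-not (Get-HotFix -Id 'KB4467684' -ErrorAction SilentlyContinue)) {
        Write-Warning 'KB4467684 not listed by Get-HotFix; the value does nothing without that update (or a later CU containing it).'
    }
    New-ItemProperty -Path $FwPolicy -Name 'DeleteUserAppContainersOnLogoff' -PropertyType DWord -Value 1 -Force | Out-Null
    return ((Get-ItemProperty -Path $FwPolicy).DeleteUserAppContainersOnLogoff -eq 1)
}

function Remove-DuplicateOwnedRules {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Step 3: keep the first rule of every DisplayName/Owner/Direction group and remove the rest.
    # Direction is part of the grouping key so an inbound and an outbound rule with the same name
    # and owner are not mistaken for duplicates of each other.
    $groups = Get-NetFirewallRule | Where-Object { $_.Owner } |
        Group-Object DisplayName, Owner, Direction | Where-Object { $_.Count -gt 1 }
    $removed = 0
    foreach ($g in $groups) {
        $extra = @($g.Group | Select-Object -Skip 1)
        if ($PSCmdlet.ShouldProcess("$($extra.Count) duplicate(s) of '$($g.Name)'", 'Remove-NetFirewallRule')) {
            $extra | Remove-NetFirewallRule
            $removed += $extra.Count
        }
    }
    return $removed
}

# Typical run on one session host, in the order given above. Add -WhatIf to the last step to preview.
Clear-ConfigurableServiceRules         | Out-Null
Enable-DeleteUserAppContainersOnLogoff | Out-Null
$before  = Get-AppContainerRuleSummary
$removed = Remove-DuplicateOwnedRules
'{0}: {1} owned rules, {2} duplicates removed, {3} remain' -f $before.Computer, $before.Total, $removed, ($before.Total - $removed)
```

    On a host that has already accumulated hundreds of thousands of rules the enumeration steps take as long as the thread's scripts, which is why the registry clear runs first. Re-run Get-AppContainerRuleSummary after a logon/logoff cycle to confirm the owned-rule count no longer grows.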
  • Hi meloncillo, 

    If I delete the reg keys via GPO, is #3 still required? I noticed that if the key gets deleted the server does perform better but I can still see the rules in the Advanced Firewall GUI. 

    We are using Citrix PVS, the servers reboot nightly and users tend to not log off so I need a solution that fits. I'm assuming the scripts in #3 are for servers that do not reboot daily and revert to a set image.

    There has been a Mar 19 CU, has anyone tried it to see if things are better?

    Thanks, 

    Xavier 

    Friday, March 22, 2019 12:56 PM
  • Meloncillo, I too am experiencing Start Menu and Taskbar issues with our Server 2016 RDS setup.  However, we're not getting any black screens.  I have implemented the DeleteUserAppContainersOnLogoff regkey following the installation of the Microsoft patch for this issue.  Do I still need to delete all of the entries in the registry under the registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System?  Or will they get deleted eventually anyway following several logins/logoffs with this new DeleteUserAppContainersOnLogoff setting that Microsoft provided?

    I am also finding a lot of entries in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules, but I haven't touched either of these registry locations assuming that the DeleteUserAppContainersOnLogoff entry would resolve things automatically.  Can you confirm or correct my thinking if I'm wrong?

    Thanks.
    Ken

    Friday, March 29, 2019 8:19 PM
  • Thank you so much for this. We have been experiencing issues in recent times with the Windows Shell, task bar and start menu freezing on users. Applying this process has dramatically changed our servers. Not only are they not freezing up now, general login performance has greatly increased. Win 2016 servers are back to taking 10 seconds or so to login; some of our servers had got to over a minute logging on. Our older servers with many logins had tens of thousands of duplicate firewall rules, taking hours to clear. After the tidy up, they run like new machines.

    Confirm we are using User Profile Disks.

    We wrote this PowerShell to loop through a list and remotely connect to servers, delete the key and clean up the rules.  We are applying the systemic fix via GPO so all new servers get it as well.  Unbelievable you have to TURN ON this fix for such an ugly Microsoft bug.

    This script reads a list of servers and reports back inbound rules, unique inbound rules, outbound rules and unique outbound rules. If the numbers are vastly different between unique and non-unique rules, the server has the issue.

    PLEASE NOTE - I provide no warranty on these scripts. Use them in full or in part at your own discretion. Thank you to others in this thread that provided snippets of PowerShell. I have just put them into one script and used PowerShell remoting so I can run the cleanup from one location.

    # servers.txt holds one server name per line; blank lines are skipped so Invoke-Command
    # never gets an empty ComputerName
    $servers = Get-Content E:\dev\servers.txt | Where-Object { $_.Trim() -ne '' }

    foreach ($server in $servers)
    {
        $remoteCommand = {
            $resultObject = New-Object -TypeName psobject

            # Rules with an Owner are the per-user AppContainer rules; the difference between the
            # full count and the DisplayName/Owner-unique count is the number of duplicates
            $FWInboundRules = Get-NetFirewallRule -Direction Inbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner
            $resultObject | Add-Member -MemberType NoteProperty -Name InboundRules -Value $FWInboundRules.Count
            $FWInboundRulesUnique = Get-NetFirewallRule -Direction Inbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique
            $resultObject | Add-Member -MemberType NoteProperty -Name InboundRulesUnique -Value $FWInboundRulesUnique.Count

            $FWOutboundRules = Get-NetFirewallRule -Direction Outbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner
            $resultObject | Add-Member -MemberType NoteProperty -Name OutboundRules -Value $FWOutboundRules.Count
            $FWOutboundRulesUnique = Get-NetFirewallRule -Direction Outbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique
            $resultObject | Add-Member -MemberType NoteProperty -Name OutboundRulesUnique -Value $FWOutboundRulesUnique.Count

            return $resultObject
        }

        $results = Invoke-Command -ComputerName $server -ScriptBlock $remoteCommand

        # one CSV line per server: timestamp, server, inbound, inbound unique, outbound, outbound unique
        $now = (Get-Date)
        $resultsText = "$($now),$($server),$($results.InboundRules),$($results.InboundRulesUnique),$($results.OutboundRules),$($results.OutboundRulesUnique)"
        $resultsText | Out-File "E:\dev\results.csv" -Append
        Write-Host $resultsText
    }

    -------------

    This script connects to the remote server, removes the key and trashes the dupe rules.

    $servers = @()
    $servers += "APP1"
    #$servers += "APP2"

    foreach ($server in $servers)
    {
        # remove registry entries: clears the ConfigurableServiceStore rules in one go,
        # which is far faster than enumerating them with Get-NetFirewallRule
        $regDeleteCommand = {
            reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System" /va /f
        }
        Invoke-Command -ComputerName $server -ScriptBlock $regDeleteCommand

        # remove inbound rules: keep one rule per DisplayName/Owner pair, delete the rest
        $inboundCommand = {
            $FWInboundRules = Get-NetFirewallRule -Direction Inbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner
            $FWInboundRulesUnique = Get-NetFirewallRule -Direction Inbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique
            Write-Host "# inbound rules: " $FWInboundRules.Count
            Write-Host "# inbound rules (Unique): " $FWInboundRulesUnique.Count
            if ($FWInboundRules.Count -ne $FWInboundRulesUnique.Count) {
                Write-Host "# rules to remove: " (Compare-Object -ReferenceObject $FWInboundRules -DifferenceObject $FWInboundRulesUnique).Count
                Compare-Object -ReferenceObject $FWInboundRules -DifferenceObject $FWInboundRulesUnique | select -ExpandProperty InputObject | Remove-NetFirewallRule
            }
        }
        Invoke-Command -ComputerName $server -ScriptBlock $inboundCommand

        # remove outbound rules, same approach
        $outboundCommand = {
            $FWOutboundRules = Get-NetFirewallRule -Direction Outbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner
            $FWOutboundRulesUnique = Get-NetFirewallRule -Direction Outbound | Where {$_.Owner -ne $Null} | sort Displayname, Owner -Unique
            Write-Host "# outbound rules: " $FWOutboundRules.Count
            Write-Host "# outbound rules (Unique): " $FWOutboundRulesUnique.Count
            if ($FWOutboundRules.Count -ne $FWOutboundRulesUnique.Count) {
                Write-Host "# rules to remove: " (Compare-Object -ReferenceObject $FWOutboundRules -DifferenceObject $FWOutboundRulesUnique).Count
                Compare-Object -ReferenceObject $FWOutboundRules -DifferenceObject $FWOutboundRulesUnique | select -ExpandProperty InputObject | Remove-NetFirewallRule
            }
        }
        Invoke-Command -ComputerName $server -ScriptBlock $outboundCommand
    }

    Monday, April 8, 2019 8:31 PM
  • In our experience, YES: delete the key and then run the PS to clean up the dupe rules.
    Monday, April 8, 2019 8:33 PM
  • Everybody owes you a beer or 6 for this catch.
    Wednesday, April 10, 2019 10:58 PM