How to enable the WMI entry in the firewall configuration using GPO on Win7

    Question

  • How could I enable the "Windows Management Instrumentation (WMI)" entry in the Windows 7 firewall using a group policy?

    I'm able to add custom ports and programs for inbound access but it seems not to be possible to activate the predefined entries using group policies.

    Best regards, Nils.
    Tuesday, March 16, 2010 9:51 AM

Answers

  • Hi, Nils.

    Make sure you are editing your group policy object from a Windows 7 or Server 2008 R2 machine to ensure you are editing the policy with the same client-side extension present.

    1. Edit the group policy object you wish to put these settings into.
    2. Expand the Computer Config > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules node.
    3. Right-click in the working area and choose New Rule...
    4. Choose the Predefined option, and select Windows Management Instrumentation (WMI) from the drop-down list, Next.
    5. There are a number of options here, but I tend to just select one: the (WMI-In) option with the Domain profile value. If you aren't sure what you need, then just remember you can come back and add the others later. Next button.
    6. Allow the connection > Finish.

    That's all that is required.

    Cheers,
    Lain
    Tuesday, March 16, 2010 12:36 PM
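
    To check on a client that the rule from the steps above arrived by policy and is limited to the Domain profile, the PowerShell below reads the policy-delivered firewall rules from the registry. It is an added example, not part of the original answer; the registry key, the pipe-delimited rule format and the fallback sample strings (constructed) are assumptions, labelled in the comments.

```powershell
# Added example: audit GPO-delivered inbound allow rules for the WMI service.
# Assumption: policy rules are stored as pipe-delimited strings under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

# Constructed sample data, used only when the key is absent (for example on a lab machine).
$Sample = @{
    'WMI-In-Domain' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|Name=WMI-In (constructed)|'
    'WMI-In-Any'    = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=%SystemRoot%\system32\svchost.exe|Svc=winmgmt|Name=WMI-In all profiles (constructed)|'
}

function ConvertFrom-FwRuleString {
    param([string]$Id, [string]$Text)
    $fields = @{}; $profiles = @()
    foreach ($part in ($Text -split '\|')) {
        if ($part -notmatch '^([^=]+)=(.*)$') { continue }           # skips the version token and the empty tail
        if ($Matches[1] -eq 'Profile') { $profiles += $Matches[2] }  # Profile may appear more than once
        else { $fields[$Matches[1]] = $Matches[2] }
    }
    if ($profiles.Count -eq 0) { $profiles = @('All') }  # assumption: no Profile field means every profile
    New-Object PSObject -Property @{
        Id = $Id; Name = $fields['Name']; Action = $fields['Action']
        Active = $fields['Active']; Dir = $fields['Dir']; Service = $fields['Svc']
        Profiles = ($profiles -join ',')
        DomainOnly = ($profiles.Count -eq 1 -and $profiles[0] -eq 'Domain')
    }
}

function Get-PolicyFwRule {
    if (Test-Path $PolicyKey) {
        $key = Get-Item $PolicyKey
        foreach ($n in $key.GetValueNames()) { ConvertFrom-FwRuleString $n ($key.GetValue($n)) }
    } else {
        foreach ($n in $Sample.Keys) { ConvertFrom-FwRuleString $n $Sample[$n] }
    }
}

# Active inbound allow rules for the WMI service; DomainOnly = False deserves a second look.
Get-PolicyFwRule |
    Where-Object { $_.Dir -eq 'In' -and $_.Action -eq 'Allow' -and $_.Active -eq 'TRUE' -and $_.Service -eq 'winmgmt' } |
    Select-Object Id, Name, Profiles, DomainOnly | Format-Table -AutoSize
```

    Run it after a policy refresh on the client; a rule listed with Profiles = All is also open on the Private and Public profiles, which is wider than the Domain-only choice described in step 5.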

All replies

  • Hi Lain,

    thank you. This is exactly the step I was looking for.

    I just haven't found that I have to create a new rule with the appropriate settings.

    Best regards, Nils.
    Thursday, March 18, 2010 7:23 AM
  • How could I do this for an XP/2003 environment?
    Thursday, June 21, 2012 7:06 AM
  • For XP/2003, give these command lines a try in a file (.cmd or .bat):

    call netsh firewall set service RemoteAdmin enable
    call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135
    call netsh firewall add allowedprogram program=%windir%\system32\wbem\unsecapp.exe name=WMI
    call netsh firewall add allowedprogram program=%windir%\system32\dllhost.exe name=Dllhost


    Barry Mohamed

    Thursday, June 28, 2012 4:09 PM
  • Thanks a lot for this

    Saved me a lot of time

    Monday, July 30, 2012 10:49 PM
  • Hi Lain-

    Do you know if once the GPO is created, whether or not a reboot is required by the machine once it syncs w/ the domain controller?

    -Ken

    Friday, January 03, 2014 4:42 PM
  • Hi Ken,

    Nope, a reboot is not required. Firewall rules are applied dynamically while the operating system is running.

    Cheers,
    Lain

    Saturday, January 04, 2014 2:20 AM
  • Hi Barry,

    this definitely rocks!

    Thanks a lot.

    fp

    Wednesday, March 05, 2014 12:32 PM