Windows Firewall Policy Settings
The Windows Firewall policy template lets you create policies that you can use to control incoming and outgoing network traffic. You can configure Windows Firewall settings in policies that you create based on this template and use the policies to deploy these settings to groups of computers. Windows Intune does not let you manage custom exceptions for Windows Firewall and does not affect non-Microsoft firewalls.
Note
If you delete a Windows Firewall settings policy that is deployed to computers, the Windows Firewall settings that the policy configured on those computers are reset to the operating system defaults, not left at the values the policy set.
Profile Settings
You can use these policy settings to configure Windows Firewall for each kind of network profile.
Turn on Windows Firewall
Policy Setting | Description |
---|---|
Domain profile | On computers to which this policy is deployed, this setting controls whether Windows Firewall is turned on while the computers are connected to domain networks, such as at a workplace. Recommended value: Yes |
Private profile | On computers to which this policy is deployed, this setting controls whether Windows Firewall is turned on while the computers are connected to trusted networks, such as a home network. Recommended value: Yes |
Public profile | On computers to which this policy is deployed, this setting controls whether Windows Firewall is turned on while the computers are connected to untrusted networks in public places, such as airports or coffee shops. Recommended value: Yes. Required operating system: Windows Vista® or later versions |
Block all incoming connections, including those in the list of allowed programs
Important
If your environment includes managed computers that are running Windows Vista with no service packs installed, you must either install the update associated with article 971800 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=188405) or disable the Block all incoming connections policy settings in policies deployed to those computers.
Policy Setting | Description |
---|---|
Domain profile | On computers to which this policy is deployed, this setting blocks all incoming connections while the computers are connected to domain networks, such as at a workplace, including connections that the predefined exceptions would otherwise allow. Recommended value: No |
Private profile | On computers to which this policy is deployed, this setting blocks all incoming connections while the computers are connected to trusted networks, such as a home network, including connections that the predefined exceptions would otherwise allow. Recommended value: No |
Public profile | On computers to which this policy is deployed, this setting blocks all incoming connections while the computers are connected to untrusted networks in public places, such as airports or coffee shops, including connections that the predefined exceptions would otherwise allow. Recommended value: No. Required operating system: Windows Vista or later versions |
Notify the user when Windows Firewall blocks a new program
Policy Setting | Description |
---|---|
Domain profile | On computers to which this policy is deployed, this setting lets Windows Firewall notify users when it blocks a new program while the computers are connected to domain networks, such as at a workplace. Recommended value: Yes |
Private profile | On computers to which this policy is deployed, this setting lets Windows Firewall notify users when it blocks a new program while the computers are connected to trusted networks, such as a home network. Recommended value: Yes |
Public profile | On computers to which this policy is deployed, this setting lets Windows Firewall notify users when it blocks a new program while the computers are connected to untrusted networks in public places, such as airports or coffee shops. Recommended value: Yes. Required operating system: Windows Vista or later versions |
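The three profile settings above map directly onto what `netsh advfirewall show allprofiles` reports on a managed computer: `State` (firewall on or off), `Firewall Policy` (`BlockInboundAlways` is how netsh shows "Block all incoming connections"), and `InboundUserNotification`. The following PowerShell script is an added example, not part of the original page or of Windows Intune; it parses that output and reports every profile that departs from the recommended values. The `$SampleOutput` here-string is constructed for offline use; `-UseLiveData` runs netsh on the local computer instead. The `netsh advfirewall` command exists on Windows Vista and later, which is why it is used rather than `Get-NetFirewallProfile` (Windows 8 / Windows Server 2012 and later only).

```powershell
# Added example: audit the per-profile Windows Firewall settings against the
# recommended values in the tables above (Turn on: Yes, Block all incoming: No,
# Notify user: Yes). Not part of the original page or of Windows Intune.
param([switch]$UseLiveData)

$Recommended = @{
    State                   = 'ON'      # Turn on Windows Firewall: Yes
    BlockAllInbound         = $false    # Block all incoming connections: No
    InboundUserNotification = 'Enable'  # Notify the user when a program is blocked: Yes
}

# Constructed sample in the layout "netsh advfirewall show allprofiles" prints
# (non-relevant lines omitted). Private has "block all" on and notifications off;
# Public has the firewall turned off.
$SampleOutput = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
InboundUserNotification               Enable

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInboundAlways,AllowOutbound
InboundUserNotification               Disable

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
InboundUserNotification               Enable
'@

function ConvertFrom-NetshProfiles {
    # Turn the netsh text into @{ Domain = @{ State = 'ON'; ... }; Private = ...; Public = ... }
    param([string[]]$Lines)
    $profiles = @{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = $Matches[1]
            $profiles[$current] = @{}
        }
        elseif ($current -and $line -match '^(State|Firewall Policy|InboundUserNotification)\s+(\S+)') {
            $profiles[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $profiles
}

function Test-ProfileCompliance {
    # Return one finding string per deviation from $Recommended; empty means compliant.
    param([hashtable]$Profiles)
    $findings = @()
    foreach ($name in 'Domain', 'Private', 'Public') {
        $p = $Profiles[$name]
        if (-not $p) { $findings += "$name profile: not present in netsh output"; continue }
        if ($p['State'] -ne $Recommended.State) {
            $findings += "$name profile: firewall is $($p['State']); recommended ON"
        }
        # netsh reports "Block all incoming connections" as BlockInboundAlways
        $blockAll = $p['Firewall Policy'] -like 'BlockInboundAlways*'
        if ($blockAll -ne $Recommended.BlockAllInbound) {
            $findings += "$name profile: block all incoming connections is enabled; recommended No"
        }
        if ($p['InboundUserNotification'] -ne $Recommended.InboundUserNotification) {
            $findings += "$name profile: user notification is $($p['InboundUserNotification']); recommended Enable"
        }
    }
    return $findings
}

$raw = if ($UseLiveData) { netsh advfirewall show allprofiles } else { $SampleOutput -split "`r?`n" }
$findings = Test-ProfileCompliance (ConvertFrom-NetshProfiles $raw)
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'All three profiles match the recommended values.'
```

Against the constructed sample the script emits three warnings (Private: block all incoming enabled; Private: notification Disable; Public: firewall OFF) and exits with code 1, so it can be used as a compliance check from a scheduled task. Note that netsh output is localized on non-English installations, so the field names matched by the regular expressions must be adjusted there.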
Predefined Exceptions
You can use these policy settings to configure Windows Firewall exceptions to enable or disable services for specific network profiles. Some exceptions apply only to certain operating systems. For more information, see the setting tooltip.
Policy Setting | Description |
---|---|
BranchCache - Content Retrieval | Configures whether BranchCache clients can use HTTP to retrieve content from one another in distributed cache mode and from the hosted cache in hosted cache mode. This setting uses HTTP. Recommended value: Disable. Required operating system: Windows® 7 |
BranchCache - Hosted Cache Client | Configures whether BranchCache clients can use a hosted cache. This setting uses HTTPS. Recommended value: Disable. Required operating system: Windows 7 |
BranchCache - Hosted Cache Server | Configures whether the computer can accept incoming connections as a BranchCache hosted cache server. This setting uses HTTPS. Recommended value: Disable. Required operating system: Windows 7 |
BranchCache - Peer Discovery | Configures whether BranchCache clients can use the WS-Discovery protocol to look up content availability on the local subnet. Recommended value: Disable. Required operating system: Windows 7 |
BITS Peercaching | Configures whether Background Intelligent Transfer Service (BITS) clients on the same subnet can find and share files that are stored in the BITS cache. This setting uses WSDAPI and RPC. Recommended value: Disable. Required operating system: Windows Vista |
Connect to a Network Projector | Configures whether users can connect to projectors over wired or wireless networks to project presentations. This setting uses WSDAPI. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Core Networking | Configures the traffic required for reliable IPv4 and IPv6 connectivity. Recommended value: Enable for all profiles. Required operating system: Windows Vista or later versions |
Distributed Transaction Coordinator | Configures whether clients can coordinate transactions that update transaction-protected resources, such as databases, message queues, and file systems. Recommended value: Disable. Required operating system: Windows Vista or later versions |
File and Printer Sharing | Configures sharing of local files and printers with other users on the network. This setting uses NetBIOS, LLMNR, SMB, and RPC. Recommended value: Disable. Required operating system: Windows XP or later versions |
HomeGroup | Configures whether clients can participate in a HomeGroup network. Recommended value: Disable. Required operating system: Windows 7 |
iSCSI Service | Configures whether clients can connect to iSCSI target servers and devices. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Key Management Service | Configures computer counting and license compliance in enterprise environments. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Media Center Extenders | Configures whether Media Center Extenders can communicate with a computer that is running Windows Media Center. This setting uses SSDP and qWave. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Netlogon Service | Configures the secure channel between domain clients and a domain controller that is used to authenticate users and services. This setting uses RPC. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Network Discovery | Configures whether computers can discover other devices and be discovered by other devices on the network. This setting uses Function Discovery Host and Publication Services and the SSDP, NetBIOS, LLMNR, and UPnP™ network protocols. Recommended value: Enable for Private profile only. Required operating system: Windows Vista or later versions |
Performance Logs and Alerts | Configures remote management of the Performance Logs and Alerts service. This setting uses RPC. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Remote Administration | Allows remote administration of the computer. Recommended value: Disable. Required operating system: Windows Vista |
Remote Assistance | Configures whether users of managed computers can request remote assistance from other users on the network. This setting uses the SSDP, PNRP, Teredo, and UPnP network protocols. Recommended value: Enable for Domain and Private profiles. Required operating system: Windows XP or later versions |
Remote Desktop | Configures access to the desktop from a remote computer. Recommended value: Disable. Required operating system: Windows XP or later versions |
Remote Event Log Management | Configures remote viewing and management of the client event log. This setting uses Named Pipes and RPC. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Remote Scheduled Tasks Management | Configures remote management of the task scheduling service. This setting uses RPC. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Remote Service Management | Configures remote management of local services on clients. This setting uses Named Pipes and RPC. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Remote Volume Management | Configures remote software and hardware disk volume management. This setting uses RPC. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Routing and Remote Access | Configures whether clients can accept incoming VPN and remote access connections. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Secure Socket Tunneling Protocol | Configures incoming VPN connections to clients that use the Secure Socket Tunneling Protocol (SSTP). This setting uses HTTPS. Recommended value: Disable. Required operating system: Windows Vista or later versions |
SNMP Trap | Configures whether SNMP Trap service traffic is received by managed computers. Recommended value: Disable. Required operating system: Windows Vista or later versions |
UPnP Framework | Configures the UPnP Framework service on managed computers. Recommended value: Disable. Required operating system: Windows XP |
Windows Collaboration Computer Name Registration Service | Configures whether managed computers can find and communicate with other computers by using the Peer Name Resolution Protocol. This setting uses SSDP and PNRP. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Windows Media Player | Configures whether users can receive streaming media over UDP. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Windows Media Player Network Sharing Service | Configures whether users can share media over a network. This setting uses the SSDP, qWave, and UPnP network protocols. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Windows Media Player Network Sharing Service (Internet) | Configures whether users can share home media over the Internet. Recommended value: Disable. Required operating system: Windows 7 |
Windows Meeting Space | Configures whether clients can collaborate over a network to share documents, programs, or the desktop with other people. This setting uses DFSR and P2P. Recommended value: Disable. Required operating system: Windows Vista |
Windows Peer to Peer Collaboration Foundation | Configures various peer-to-peer programs and technologies. This setting uses SSDP and PNRP. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Windows Remote Management | Configures remote management of the client by using WS-Management, a Web services-based protocol for remote management of operating systems and devices. Recommended value: Disable. Required operating system: Windows Vista or later versions |
Windows Virtual PC | Configures whether one or more virtual machines, each with its own operating system, can run on a single computer and communicate with other computers. Recommended value: Enable for all profiles. Required operating system: Windows 7 |
Wireless Portable Devices | Configures the transfer of media from a network-enabled camera or media device to managed computers by using the Media Transfer Protocol (MTP). This setting uses the SSDP and UPnP network protocols. Recommended value: Disable. Required operating system: Windows Vista or later versions |
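Each predefined exception in the table above is a rule group in Windows Firewall, which `netsh advfirewall firewall show rule name=all` reports in the `Grouping:` field of every rule together with `Enabled:`, `Direction:` and `Profiles:`. The following PowerShell script is an added example, not part of the original page or of Windows Intune; it parses that output and flags every enabled inbound rule whose group is not on the recommended allow list (Core Networking and Windows Virtual PC on all profiles, Network Discovery on Private, Remote Assistance on Domain and Private), and separately lists enabled inbound rules with no group at all, since those are the custom exceptions the page says Windows Intune policy does not manage. The `$SampleRules` here-string is constructed for offline use; `-UseLiveData` runs netsh on the local computer instead.

```powershell
# Added example: find predefined exception groups that are enabled on a profile
# where the table above recommends Disable, plus ungrouped (custom) inbound rules
# that Windows Intune policy would not reset. Not part of the original page.
param([switch]$UseLiveData)

# Groups and profiles the table recommends enabling; everything else is "Disable".
$AllowedGroups = @{
    'Core Networking'    = @('Domain', 'Private', 'Public')
    'Network Discovery'  = @('Private')
    'Remote Assistance'  = @('Domain', 'Private')
    'Windows Virtual PC' = @('Domain', 'Private', 'Public')
}

# Constructed sample in the layout "netsh advfirewall firewall show rule name=all"
# prints (port and address lines omitted).
$SampleRules = @'
Rule Name:                            Core Networking - Destination Unreachable (ICMPv6-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
Action:                               Allow

Rule Name:                            File and Printer Sharing (SMB-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             File and Printer Sharing
Action:                               Allow

Rule Name:                            Network Discovery (NB-Name-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Private
Grouping:                             Network Discovery
Action:                               Allow

Rule Name:                            Windows Remote Management (HTTP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Windows Remote Management
Action:                               Allow

Rule Name:                            Legacy Agent 9000
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Public
Grouping:
Action:                               Allow
'@

function ConvertFrom-NetshRules {
    # Turn the netsh text into an array of hashtables, one per rule.
    param([string[]]$Lines)
    $rules = @()
    $rule = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            if ($rule) { $rules += $rule }
            $rule = @{ Name = $Matches[1]; Grouping = '' }
        }
        elseif ($rule -and $line -match '^(Enabled|Direction|Profiles|Grouping):\s+(.+?)\s*$') {
            $rule[$Matches[1]] = $Matches[2]
        }
    }
    if ($rule) { $rules += $rule }
    return ,$rules
}

function Find-UnexpectedExceptions {
    param([hashtable[]]$Rules, [hashtable]$Allowed)
    $findings = @()
    foreach ($r in $Rules) {
        if ($r.Enabled -ne 'Yes' -or $r.Direction -ne 'In') { continue }
        foreach ($profile in ($r.Profiles -split '\s*,\s*')) {
            if (-not $r.Grouping) {
                $findings += "$profile profile: custom rule '$($r.Name)' is enabled; not managed by this policy"
            }
            elseif ($Allowed[$r.Grouping] -notcontains $profile) {
                $findings += "$profile profile: '$($r.Grouping)' is enabled; recommended Disable"
            }
        }
    }
    return $findings
}

$raw = if ($UseLiveData) { netsh advfirewall firewall show rule name=all } else { $SampleRules -split "`r?`n" }
$findings = Find-UnexpectedExceptions (ConvertFrom-NetshRules $raw) $AllowedGroups
if ($findings) {
    $findings | Sort-Object -Unique | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Only the recommended exception groups are enabled.'
```

Against the constructed sample the script warns about File and Printer Sharing on the Domain and Private profiles and about the ungrouped "Legacy Agent 9000" rule on the Public profile; Core Networking, Network Discovery on Private and the disabled Windows Remote Management rule produce no findings. As with any netsh parsing, field names are localized on non-English installations, and a group that is enabled on only some of its rules still shows up as one finding per enabled rule, which is what you want when deciding whether to deploy the Disable value from the table.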