Windows Firewall Policy Settings

The Windows Firewall policy template lets you create policies that you can use to control incoming and outgoing network traffic. You can configure Windows Firewall settings in policies that you create based on this template and use the policies to deploy these settings to groups of computers. Windows Intune does not let you manage custom exceptions for Windows Firewall and does not affect non-Microsoft firewalls.

Note

If you delete a Windows Firewall settings policy that is deployed to computers, the values of the Windows Firewall settings configured by that policy on those computers are reset to the values that exist in the default state of the operating system.

Profile Settings

You can use these policy settings to configure Windows Firewall for each kind of network profile.

Turn on Windows Firewall

Policy Setting Description

Domain profile

On computers to which this policy is deployed, this policy setting controls Windows Firewall while the computers are connected to domain networks, such as at a workplace.

  • Yes enables Windows Firewall on managed computers while they are connected to domain networks.

  • No disables Windows Firewall on managed computers while they are connected to domain networks.

Recommended value: Yes

Private profile

On computers to which this policy is deployed, this policy setting controls Windows Firewall while the computers are connected to trusted networks, such as a home network.

  • Yes enables Windows Firewall on managed computers while they are connected to trusted networks.

  • No disables Windows Firewall on managed computers while they are connected to trusted networks.

Recommended value: Yes

Public profile

On computers to which this policy is deployed, this policy setting controls Windows Firewall while the computers are connected to untrusted networks at public places, such as at airports or coffee shops.

  • Yes enables Windows Firewall on managed computers while they are connected to untrusted networks.

  • No disables Windows Firewall on managed computers while they are connected to untrusted networks.

Recommended value: Yes

Required operating system: Windows Vista® or later versions

Block all incoming connections, including those in the list of allowed programs

Important

If your environment includes managed computers that are running Windows Vista with no service packs installed, you must either install the update associated with article 971800 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=188405) or else disable the Block all incoming connections policy settings in policies deployed to those computers.

Policy Setting Description

Domain profile

On computers to which this policy is deployed, this policy setting lets you block all incoming connections while the computers are connected to domain networks, such as at a workplace. This includes those connections in the list of exceptions.

  • Yes blocks all incoming connections on managed computers while they are connected to domain networks. This includes those connections in the list of exceptions.

  • No blocks all incoming connections that are not in the list of exceptions on managed computers while they are connected to domain networks.

Recommended value: No

Private profile

On computers to which this policy is deployed, this policy setting lets you block all incoming connections while the computers are connected to trusted networks, such as a home network. This includes those connections in the list of exceptions.

  • Yes blocks all incoming connections on managed computers while they are connected to trusted networks. This includes those connections in the list of exceptions.

  • No blocks all incoming connections that are not in the list of exceptions on managed computers while they are connected to trusted networks.

Recommended value: No

Public profile

On computers to which this policy is deployed, this policy setting lets you block all incoming connections while the computers are connected to untrusted networks at public places, such as at airports or coffee shops. This includes those connections in the list of exceptions.

  • Yes blocks all incoming connections on managed computers while they are connected to untrusted networks. This includes those connections in the list of exceptions.

  • No blocks all incoming connections that are not in the list of exceptions on managed computers while they are connected to untrusted networks.

Recommended value: No

Required operating system: Windows Vista or later versions

Notify the user when Windows Firewall blocks a new program

Policy Setting Description

Domain profile

On computers to which this policy is deployed, this policy setting lets Windows Firewall notify users when it blocks a new program while the computers are connected to domain networks, such as at a workplace.

  • Yes notifies the user when Windows Firewall blocks a new program while the computer is connected to a domain network.

  • No does not notify the user when Windows Firewall blocks a new program while the computer is connected to a domain network.

Recommended value: Yes

Private profile

On computers to which this policy is deployed, this policy setting lets Windows Firewall notify users when it blocks a new program while the computers are connected to trusted networks, such as a home network.

  • Yes notifies the user when Windows Firewall blocks a new program while the computer is connected to a trusted network.

  • No does not notify the user when Windows Firewall blocks a new program while the computer is connected to a trusted network.

Recommended value: Yes

Public profile

On computers to which this policy is deployed, this policy setting lets Windows Firewall notify users when it blocks a new program while the computers are connected to untrusted networks at public places, such as at airports or coffee shops.

  • Yes notifies the user when Windows Firewall blocks a new program while the computer is connected to an untrusted network.

  • No does not notify the user when Windows Firewall blocks a new program while the computer is connected to an untrusted network.

Recommended value: Yes

Required operating system: Windows Vista or later versions
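The three profile settings above map onto per-profile properties of the host firewall, so a practitioner can check that a deployed policy actually took effect on a managed computer. The following script is an added example and is not part of the Windows Intune documentation or product. It assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 or later; on Windows Vista and Windows 7 the same values are exposed through netsh advfirewall), and the mapping of each page setting to a profile property (Enabled, AllowInboundRules, NotifyOnListen) is my assumption, stated in the comments.

```powershell
# Added example (not from the Windows Intune documentation): audit the three
# per-profile settings against the page's recommended values and optionally
# remediate. Assumed mapping of page setting -> profile property:
#   Turn on Windows Firewall                      -> Enabled           (Yes  = True)
#   Block all incoming connections, incl. allowed -> AllowInboundRules (No   = True, i.e. rules honoured)
#   Notify the user when a new program is blocked -> NotifyOnListen    (Yes  = True)

$ProfileRecommended = [ordered]@{
    Enabled           = 'True'
    AllowInboundRules = 'True'
    NotifyOnListen    = 'True'
}

function Get-FirewallProfileDrift {
    [CmdletBinding()]
    param(
        # ActiveStore reports the effective values: the deployed policy merged
        # with local settings, which is what the page's policy actually controls.
        [string]$PolicyStore = 'ActiveStore'
    )
    foreach ($p in Get-NetFirewallProfile -Name Domain, Private, Public -PolicyStore $PolicyStore) {
        foreach ($setting in $ProfileRecommended.Keys) {
            $actual = "$($p.$setting)"   # GpoBoolean renders as True, False or NotConfigured
            if ($actual -ne $ProfileRecommended[$setting]) {
                [pscustomobject]@{
                    Profile  = $p.Name
                    Setting  = $setting
                    Expected = $ProfileRecommended[$setting]
                    Actual   = $actual
                }
            }
        }
    }
}

function Repair-FirewallProfileDrift {
    # Writes the recommended value for every drifted setting; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($d in Get-FirewallProfileDrift) {
        if ($PSCmdlet.ShouldProcess("$($d.Profile) profile", "Set $($d.Setting) to $($d.Expected)")) {
            $params = @{ Name = $d.Profile }
            $params[$d.Setting] = $d.Expected
            Set-NetFirewallProfile @params
        }
    }
}

# Report drift, then dry-run the fix before applying it.
Get-FirewallProfileDrift | Format-Table -AutoSize
Repair-FirewallProfileDrift -WhatIf
```

Note that a value forced by a deployed policy (Intune or Group Policy) wins over the local store, so Repair-FirewallProfileDrift can only correct settings the policy left unconfigured; a row that keeps reappearing after repair points at the policy itself, which matches the page's note that deleting the policy resets the values to the operating system defaults.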

Predefined Exceptions

You can use these policy settings to configure Windows Firewall exceptions to enable or disable services for specific network profiles. Some exceptions apply only to certain operating systems. For more information, see the setting tooltip.

Policy Setting Description

BranchCache - Content Retrieval

This policy setting configures whether BranchCache clients can use HTTP to retrieve content from one another in distributed mode and from the hosted cache in hosted cache mode. This setting uses HTTP.

  • Enable opens the HTTP port (port 80) for the client to provide encrypted data to requesting clients.

  • Disable does not open the HTTP port (port 80).

Recommended value: Disable

Required operating system: Windows® 7

BranchCache - Hosted Cache Client

This policy setting configures whether BranchCache clients can use a hosted cache. This setting uses HTTPS.

  • Enable opens ports on the hosted cache to let the client communicate with the hosted cache.

  • Disable does not open ports on the hosted cache.

Recommended value: Disable

Required operating system: Windows 7

BranchCache - Hosted Cache Server

This policy setting configures whether BranchCache clients can use a hosted cache. This setting uses HTTPS.

  • Enable lets the hosted cache communicate with other clients.

  • Disable does not let the hosted cache communicate with other clients.

Recommended value: Disable

Required operating system: Windows 7

BranchCache - Peer Discovery

This policy setting configures whether BranchCache clients can use the WS Discovery protocol to look up content availability on the local subnet.

  • Enable opens the port for WS Discovery so that the client can watch for these incoming requests and respond to them.

  • Disable does not open the port for WS Discovery.

Recommended value: Disable

Required operating system: Windows 7

BITS Peercaching

This policy setting configures whether Background Intelligent Transfer Service (BITS) clients that are in the same subnet can find and share files that are stored in the BITS cache. This setting uses WSDAPI and RPC.

  • Enable lets clients that are in the same subnet find and share files that are stored in the BITS cache.

  • Disable does not let clients that are in the same subnet find and share files that are stored in the BITS cache.

Recommended value: Disable

Required operating system: Windows Vista

Connect to a Network Projector

This policy setting configures whether users can connect to projectors over wired or wireless networks to project presentations. This setting uses WSDAPI.

  • Enable lets clients connect to projectors over the network.

  • Disable does not let clients connect to projectors over the network.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Core Networking

This policy setting configures reliable IPv4 and IPv6 connectivity.

  • Enable lets clients connect by using IPv4 and IPv6.

  • Disable does not let clients connect by using IPv4 and IPv6.

Recommended value: Enable for all profiles

Required operating system: Windows Vista or later versions

Distributed Transaction Coordinator

This policy setting configures whether clients can coordinate transactions that update transaction-protected resources, such as databases, message queues, and file systems.

  • Enable lets clients participate in distributed transactions.

  • Disable does not let clients participate in distributed transactions.

Recommended value: Disable

Required operating system: Windows Vista or later versions

File and Printer Sharing

This policy setting configures sharing of local files and printers with other users on the network. This setting uses NetBIOS, LLMNR, SMB, and RPC.

  • Enable lets users share local files and printers with other users.

  • Disable does not let users share local files and printers.

Recommended value: Disable

Required operating system: Windows XP or later versions

HomeGroup

This policy setting configures whether clients can participate in a HomeGroup network.

  • Enable lets clients participate in a HomeGroup network.

  • Disable does not let clients participate in a HomeGroup network.

Recommended value: Disable

Required operating system: Windows 7

iSCSI Service

This policy setting configures whether clients can connect to iSCSI target servers and devices.

  • Enable lets clients connect to iSCSI target servers and devices.

  • Disable does not let clients connect to iSCSI target servers and devices.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Key Management Service

This policy setting configures computer counting and license compliance in enterprise environments.

  • Enable lets clients be counted for license compliance.

  • Disable does not let clients be counted.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Media Center Extenders

This policy setting configures whether Media Center Extenders can communicate with a computer that is running Windows Media Center. This setting uses SSDP and qWave.

  • Enable lets Media Center Extenders communicate with a computer that is running Windows Media Center.

  • Disable does not let Media Center Extenders communicate.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Netlogon Service

This policy setting configures a secure channel between domain clients and a domain controller for authenticating users and services. This setting uses RPC.

  • Enable configures a secure channel between domain clients and a domain controller.

  • Disable does not configure a secure channel.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Network Discovery

This policy setting configures whether computers can discover other devices and be discovered by other devices on the network. This setting uses Function Discovery Host and Publication Services and SSDP, NetBIOS, LLMNR, and UPnP™ network protocols.

  • Enable lets computers discover and be discovered.

  • Disable does not let computers discover and be discovered.

Recommended value: Enable for Private profile

Required operating system: Windows Vista or later versions

Performance Logs and Alerts

This policy setting configures remote management of the Performance Logs and Alerts service. This setting uses RPC.

  • Enable lets the Performance Logs and Alerts service be managed remotely.

  • Disable does not let the service be managed remotely.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Remote Administration

This policy setting allows remote administration of the computer.

  • Enable lets the computer be administered remotely.

  • Disable does not let the computer be administered remotely.

Recommended value: Disable

Required operating system: Windows Vista

Remote Assistance

This policy setting configures whether users of managed computers can request remote assistance from other users on the network. This setting uses SSDP, PNRP, Teredo, and UPnP network protocols.

  • Enable lets users request remote assistance.

  • Disable does not let users request remote assistance.

Recommended value: Enable for Domain and Private profiles

Required operating system: Windows XP or later versions

Remote Desktop

This policy setting configures access to the desktop from a remote computer.

  • Enable lets the desktop be accessed remotely.

  • Disable does not let the desktop be accessed remotely.

Recommended value: Disable

Required operating system: Windows XP or later versions

Remote Event Log Management

This policy setting configures remote viewing and management of the client event log. This setting uses Named Pipes and RPC.

  • Enable lets the client event log be viewed and managed remotely.

  • Disable does not let the client event log be viewed and managed remotely.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Remote Scheduled Tasks Management

This policy setting configures remote management of the task scheduling service. This setting uses RPC.

  • Enable lets the task scheduling service be managed remotely.

  • Disable does not let the task scheduling service be managed remotely.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Remote Service Management

This policy setting configures remote management of local services on clients. This setting uses Named Pipes and RPC.

  • Enable lets local services be managed remotely.

  • Disable does not let local services be managed remotely.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Remote Volume Management

This policy setting configures remote software and hardware disk volume management. This setting uses RPC.

  • Enable lets disk volumes be managed remotely.

  • Disable does not let disk volumes be managed remotely.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Routing and Remote Access

This policy setting configures whether clients can have incoming VPN and remote access connections.

  • Enable lets clients have incoming VPN and remote access connections.

  • Disable does not let clients have incoming VPN and remote access connections.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Secure Socket Tunneling Protocol

This policy setting configures incoming VPN connections to clients by using Secure Socket Tunneling Protocol (SSTP). This setting uses HTTPS.

  • Enable configures incoming VPN connections to use SSTP.

  • Disable does not configure incoming VPN connections to use SSTP.

Recommended value: Disable

Required operating system: Windows Vista or later versions

SNMP Trap

This policy setting configures whether SNMP Trap service traffic is received by managed computers.

  • Enable lets clients receive SNMP Trap service traffic.

  • Disable does not let clients receive SNMP Trap service traffic.

Recommended value: Disable

Required operating system: Windows Vista or later versions

UPnP Framework

This policy setting configures the UPnP Framework service on managed computers.

  • Enable lets clients discover and use UPnP certified devices.

  • Disable does not let clients discover or use UPnP certified devices.

Recommended value: Disable

Required operating system: Windows XP

Windows Collaboration Computer Name Registration Service

This policy setting configures whether managed computers can find and communicate with other computers by using the Peer Name Resolution Protocol. This setting uses SSDP and PNRP.

  • Enable lets clients use Peer Name Resolution Service.

  • Disable does not let clients use Peer Name Resolution Service.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Windows Media Player

This policy setting configures whether users can receive streaming media over UDP.

  • Enable lets users receive streaming media over UDP.

  • Disable does not let users receive streaming media over UDP.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Windows Media Player Network Sharing Service

This policy setting configures whether users can share media over a network. This setting uses SSDP, qWave, and UPnP network protocols.

  • Enable lets users share media over a network.

  • Disable does not let users share media over a network.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Windows Media Player Network Sharing Service (Internet)

This policy setting configures whether users can share home media over the Internet.

  • Enable lets users share media over the Internet.

  • Disable does not let users share media over the Internet.

Recommended value: Disable

Required operating system: Windows 7

Windows Meeting Space

This policy setting configures whether clients can collaborate over a network to share documents, programs, or the desktop with other people. This setting uses DFSR and P2P.

  • Enable lets clients collaborate.

  • Disable does not let clients collaborate.

Recommended value: Disable

Required operating system: Windows Vista

Windows Peer to Peer Collaboration Foundation

This policy setting configures various peer-to-peer programs and technologies. This setting uses SSDP and PNRP.

  • Enable lets peer-to-peer programs and technologies connect.

  • Disable does not let peer-to-peer programs and technologies connect.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Windows Remote Management

This policy setting configures remote management of the client by using WS-Management, a Web services-based protocol for remote management of operating systems and devices.

  • Enable lets the client be managed remotely.

  • Disable does not let the client be managed remotely.

Recommended value: Disable

Required operating system: Windows Vista or later versions

Windows Virtual PC

This policy setting configures whether one or more virtual machines, each with its own operating system, can be run and communicate with other computers from a single computer.

  • Enable lets virtual machines communicate with other computers.

  • Disable does not let virtual machines communicate with other computers.

Recommended value: Enable for all profiles

Required operating system: Windows 7

Wireless Portable Devices

This policy setting configures the transfer of media from a network-enabled camera or media device to managed computers by using the Media Transfer Protocol (MTP). This setting uses SSDP and UPnP network protocols.

  • Enable lets media be transferred by using MTP.

  • Disable does not let media be transferred by using MTP.

Recommended value: Disable

Required operating system: Windows Vista or later versions
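Each predefined exception above corresponds to a group of inbound rules in the host firewall, and the recommended values say in which profiles, if any, each group may be enabled. The following audit script is an added example and is not part of the Windows Intune documentation or product. It assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 or later) and uses the display group names as printed on the page for a subset of the exceptions; on a given Windows version or display language some of those names differ (the BranchCache groups, for example, carry a protocol suffix) or are absent, and the script reports such groups as not present instead of failing.

```powershell
# Added example (not from the Windows Intune documentation): audit predefined
# exception groups against the page's recommended values. Display group names
# are copied from the page and are an assumption about the local rule set.

# Profiles in which each group may have enabled inbound rules; empty = Disable.
$ExceptionRecommended = [ordered]@{
    'Core Networking'                     = @('Domain', 'Private', 'Public')
    'Network Discovery'                   = @('Private')
    'Remote Assistance'                   = @('Domain', 'Private')
    'Windows Virtual PC'                  = @('Domain', 'Private', 'Public')
    'File and Printer Sharing'            = @()
    'Remote Desktop'                      = @()
    'Remote Administration'               = @()
    'Windows Remote Management'           = @()
    'Remote Event Log Management'         = @()
    'Remote Service Management'           = @()
    'Remote Scheduled Tasks Management'   = @()
    'Remote Volume Management'            = @()
    'Routing and Remote Access'           = @()
    'SNMP Trap'                           = @()
    'iSCSI Service'                       = @()
    'Netlogon Service'                    = @()
    'Distributed Transaction Coordinator' = @()
}

function Get-ExceptionProfiles {
    # Returns the profiles in which any enabled inbound rule of the group applies,
    # an empty array if the group exists but is fully disabled, $null if absent.
    param([string]$DisplayGroup)
    $rules = Get-NetFirewallRule -DisplayGroup $DisplayGroup -Direction Inbound -ErrorAction SilentlyContinue
    if (-not $rules) { return $null }
    $enabled = $rules | Where-Object { "$($_.Enabled)" -eq 'True' }
    $profiles = foreach ($r in $enabled) {
        # A rule's Profile renders as "Any" or a comma-separated list such as "Domain, Private".
        if ("$($r.Profile)" -eq 'Any') { 'Domain', 'Private', 'Public' }
        else { "$($r.Profile)" -split ',\s*' }
    }
    return ,@($profiles | Sort-Object -Unique)
}

function Get-ExceptionDrift {
    foreach ($group in $ExceptionRecommended.Keys) {
        $expected = $ExceptionRecommended[$group]
        $actual   = Get-ExceptionProfiles -DisplayGroup $group
        if ($null -eq $actual) {
            [pscustomobject]@{ Group = $group; Status = 'not present'; Expected = ($expected -join ','); Actual = '' }
            continue
        }
        $unexpected = @($actual | Where-Object { $_ -notin $expected })
        if ($unexpected.Count -gt 0) {
            [pscustomobject]@{ Group = $group; Status = 'enabled outside recommendation'; Expected = ($expected -join ','); Actual = ($actual -join ',') }
        }
    }
}

Get-ExceptionDrift | Format-Table -AutoSize

# Remediation for a group the page recommends disabling, dry run first:
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -WhatIf
```

DisplayGroup values are localized strings, so for a fleet with mixed display languages key the table on the group's stable identifier instead (the Group property of each rule, an @FirewallAPI.dll resource reference) and query with -Group. A group that the page recommends enabling for one profile only, such as Network Discovery for Private, is restricted rather than disabled, for example with Set-NetFirewallRule -DisplayGroup 'Network Discovery' -Profile Private.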
