9

When I run Get-NetFirewallProfile I see that the Domain profile Enabled is set to True. However, when I go to Control Panel > Windows Firewall the Domain profile is turned off by the GPO. Also, in Windows Firewall with Advanced Settings, the Firewall state is "Off".

I'm not sure why the PowerShell output is different than the GUI. Please help!

Thanks, aB

AlexB
  • Could you please supply some more information? What network profile is associated with active network connection? Which network profiles does the GPO touch. What is the output of `Get-NetFirewallProfile | select Name, Enabled`? – Jan Chrbolka Jun 26 '15 at 01:47
  • 1
    Just tested it here at W2012 server with GPO, confirmed. Probably a bug. `Enabled` is true, control panel says GPO-disabled. – Vesper Jun 26 '15 at 07:36
  • Did a tad of research, it says there's an [`Open-NetGPO`](https://technet.microsoft.com/en-us/library/jj554879%28v=wps.620%29.aspx) cmdlet that you can use to retrieve GPOs, including the resultant policy set, but I can't make it work in my environment. Maybe there are more requirements than just having a WS2012 to run the cmdlet. If you will be able to retrieve the RSOP object, feed it to `Get-NetFirewallProfile -GPOsession $rsop` and check results. – Vesper Jun 26 '15 at 08:01
  • 3
    In newer PowerShell versions (tested on v5.1+) you can specify the store; i.e.: `Get-NetfirewallProfile -PolicyStore ActiveStore` will show you the current, active, merged info, as shown in the GUI. – techie007 Jul 16 '19 at 13:28
  • 1
    @techie007 Nice find! You would think "ActiveStore" would be the default. I spent over an hour trying to figure out why these did not match. Also, the fact that -PolicyStore isn't an enumeration, so you can't TAB through possible values, is infuriating. – Brain2000 Sep 25 '20 at 06:27

1 Answer

2

According to this article: https://social.technet.microsoft.com/Forums/windowsserver/en-US/4d8678e2-5653-4fd2-b275-62e0e7008ff9/conflicting-display-of-windows-firewall-setting-from-gui-and-netsh-advfirewall?forum=winserverGP

There are 2 stores for this setting, a local and a Group Policy store. A resulting firewall state is calculated based on these 2.

The answer from Elytis Cheng:

Windows Firewall has multiple configuration stores. One is for Group Policy and one is for local. The policy that is actually applied is a result of a merge of these stores (how they are merged depends on what options are set in Group Policy). In Group Policy, the firewall was enabled for the domain profile. However, in the local store, the firewall was disabled for the domain profile. The merge result meant that the firewall was on. This is shown correctly by the Control Panel (which shows the active policy, not policy from a specific store). At the time, the Windows Firewall with Advanced Security snap-in connected to the local computer was showing the local store.

The final piece is netsh. `netsh firewall show allprofiles` shows the configuration in the local store.

Erik Oppedijk
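
To see the store mismatch described in the question and answer on a given host, the following added example (not part of the original posts) reads each profile's `Enabled` value from the local store, the Group Policy result, and the merged active policy side by side. The function name `Get-FirewallProfileStoreComparison` is hypothetical; `ActiveStore` comes from the comment above, while `PersistentStore` and `RSOP` are other documented `-PolicyStore` values not mentioned on this page.

```powershell
# Added example: compare firewall profile state across policy stores.
#   PersistentStore = local configuration (what Get-NetFirewallProfile reads by default)
#   RSOP            = read-only sum of the Group Policy objects applied to this computer
#   ActiveStore     = merged, effective policy (what the Control Panel shows)
function Get-FirewallProfileStoreComparison {
    [CmdletBinding()]
    param(
        # Profiles to inspect; defaults to all three.
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]]$ProfileName = @('Domain', 'Private', 'Public')
    )

    $stores = 'PersistentStore', 'RSOP', 'ActiveStore'

    foreach ($name in $ProfileName) {
        $row = [ordered]@{ Profile = $name }

        foreach ($store in $stores) {
            try {
                $p = Get-NetFirewallProfile -Name $name -PolicyStore $store -ErrorAction Stop
                # Enabled is an enum (True / False / NotConfigured); keep it as text.
                $row[$store] = [string]$p.Enabled
            }
            catch {
                # The store could not be read on this host (for example, insufficient rights).
                $row[$store] = 'Unavailable'
            }
        }

        # False here is the situation from the question: the local store says one
        # thing while the effective policy, after the Group Policy merge, says another.
        $row['LocalMatchesActive'] = ($row['PersistentStore'] -eq $row['ActiveStore'])

        [pscustomobject]$row
    }
}

Get-FirewallProfileStoreComparison | Format-Table -AutoSize
```

For auditing, treat the `ActiveStore` column as the state that is actually enforced; a row with `LocalMatchesActive` set to `False` means the default `Get-NetFirewallProfile` output does not reflect the host's real firewall state.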