Firewall settings

The Firewall settings enforce Windows Defender Firewall rules that block unauthorized access to the network, which reduces the risk of network security threats across all endpoints. This policy supports Windows 10+ version 1709 and later.

What is Windows Defender Firewall?

Windows Defender Firewall is a security application that filters network data transmissions to and from a Windows system and blocks harmful connections and the programs that initiate those connections.

How the firewall works

The firewall evaluates a predefined set of rules for both inbound and outbound network traffic. You can add a program to the list of allowed programs so that it can communicate through the firewall. The policy workflow is as follows:
  1. Enable the Configure firewall settings check box.
  2. Configure Global settings for the firewall policy.
  3. Configure how the firewall behaves when endpoints are connected to a domain, private, or public network.
  4. Configure custom firewall rules for the network that you selected in the policy.

Configuring firewall settings

A firewall configuration is a collection of profiles and rules. Applied on the computer, they determine which inbound and outbound connections are permitted on specific ports. Windows selects a profile according to the network the device is connected to, and uses the following profiles:
  • Domain: The domain profile applies to networks where the host system can authenticate to a domain controller.
  • Private: The private profile is a user-assigned profile that is used to designate private or home networks.
  • Public: The public profile (default profile) is used to designate public networks such as Wi-Fi hotspots at coffee shops, airports, and other locations.

The following table describes the firewall settings that you can configure for Windows 10+ devices.

Table 1. Firewall settings
Each entry below lists the policy setting, its description, and the supported devices.

Configure firewall settings
If enabled, you can configure global settings, network settings, and custom firewall rules on traffic to and from your Windows endpoints.
Supported devices: Windows 10+ Professional, Education, Enterprise
Global settings
Disable file transfer protocol
If enabled, this option sets how the firewall handles FTP traffic. If you select No, the firewall tracks all FTP traffic. If you select Yes, the firewall does not inspect FTP traffic.
Supported devices: Windows 10+ Professional, Education, Enterprise
Security association idle time before deletion
Set the maximum amount of time (in seconds) the device waits before deleting idle security associations. Valid range: 300 to 3600 seconds.

A security association is an agreement between two peers or endpoints that contains all the information required to exchange data securely.
Supported devices: Windows 10+ Professional, Education, Enterprise
Pre-shared key encoding
Select the type of encoding used for the pre-shared key.

A pre-shared key (PSK) is a secret key shared between two devices (for example, a client and a server) that are connected by a secured channel. The server uses the PSK to authenticate the client. A PSK might be used in environments where client certificates cannot be used for mutual authentication.
Supported devices: Windows 10+ Professional, Education, Enterprise
IPsec exemptions
Select the traffic that is exempt from IPsec processing.

IPsec (Internet Protocol Security) is a framework of open standards for private, secure communication over Internet Protocol (IP) networks using cryptographic security services. It provides network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection, and is used to transfer IP packets confidentially across the Internet. IPsec is mandatory for all IPv6 implementations and optional for IPv4.

  • Exempt neighbor discover IPv6 ICMP-type codes
  • Exempt ICMP
  • Exempt router discover IPv6 ICMP-type codes
  • Exempt both IPv4 and IPv6 DHCP traffic
Supported devices: Windows 10+ Professional, Education, Enterprise
Certificate revocation list verification
Select how certificate revocation list (CRL) verification is enforced.
  • Disable CRL verification (default): CRL checking is disabled.
  • Fail CRL verification on revoked certificate only: CRL checking is attempted, and certificate validation fails only if the certificate is revoked. Other failures encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
  • Fail CRL check on any error encountered: CRL checking is required, and certificate validation fails if any error is encountered during CRL processing.
Supported devices: Windows 10+ Professional, Education, Enterprise
Enable opportunistically match authentication set per keying module
Sets how keying modules handle authentication suites they do not support. Enabling this option makes keying modules ignore only the individual authentication suites they do not support. Disabling this option makes keying modules ignore the entire authentication set if they do not support every authentication suite in the set.
Supported devices: Windows 10+ Professional, Education, Enterprise
Packet queuing
Select how packet queuing works on the device. This setting allows you to ensure proper scaling.

This value specifies how receive-side scaling is enabled for both the encrypted receive path and the clear-text forward path in the IPsec tunnel gateway scenario. Using this option also ensures that packet order is preserved. The value is an integer that combines the following flags:

  • Disabled queueing: All queuing is disabled.
  • Queue inbound encrypted packets: Inbound encrypted packets are queued.
  • Queue only after packet encryption: Packets are queued after decryption is performed for forwarding.
Supported devices: Windows 10+ Professional, Education, Enterprise
Configure domain (workplace) network
Configure private (non-discoverable) network
Configure public (discoverable) network
Each of these three settings configures the firewall for one network profile and offers the following options:
  • Enable stealth mode: If this option is enabled, the device is set in stealth mode.

    Stealth mode helps prevent malicious users from gaining information about network devices and services. When enabled, stealth mode blocks outgoing ICMP unreachable and TCP reset messages from ports without an app actively listening on that port.

  • Disable IPsec secured packet exemption with stealth mode: If enabled, this option sets how the firewall handles unsolicited traffic secured by IPsec.

    If this option is not enabled, the firewall allows unsolicited network traffic secured by IPsec.

    This setting applies only when stealth mode is enabled.

  • Enable shielded: If this option is enabled and the firewall is enabled, the device blocks all incoming traffic regardless of other policy settings. The check box is cleared by default.
  • Disable unicast responses to multicast broadcasts: If enabled, this option sets the behavior for responses to multicast or broadcast network traffic.

    If you disable this option, the firewall blocks all responses to multicast or broadcast network traffic.

  • Disable inbound notifications: If enabled, this option sets the notification behavior for the firewall. The firewall might send notifications to the user when it blocks a new app.

    If this option is disabled (check box is clear), the firewall does not send any notifications.

  • Block outbound connections: If enabled, the firewall blocks all outbound traffic unless a rule explicitly allows it.
  • Block inbound connections: If enabled, the firewall blocks all inbound traffic unless a rule explicitly allows it.
  • Enforce authorized application firewall rules from the local store: If you select Yes, authorized application firewall rules in the local store are applied; the firewall recognizes and enforces them.
  • Enforce Defender firewall rules from the local store: If you select Yes, firewall rules in the local store are applied; the firewall recognizes and enforces them.
  • Enforce global port Defender firewall rules from the local store: If you select Yes, global port firewall rules in the local store are applied; the firewall recognizes and enforces them.
  • Enforce IPsec rules from the local store: If you select Yes, connection security rules from the local store are applied, regardless of schema or connection security rule versions.
Supported devices: Windows 10+ Professional, Education, Enterprise
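As an added example (not part of this page or of the product's own documentation), the following PowerShell applies the global settings and the per-profile settings described above directly on a Windows 10+ endpoint with the built-in NetSecurity cmdlets; an MDM policy of the kind this page describes delivers equivalent values to the device. The specific values chosen (idle time, exemptions, CRL level, which profile is shielded) are illustrative assumptions, not recommendations from the page. Run it in an elevated session on a test device first, because the settings land in the local persistent policy store.

```powershell
# Added example: configure Windows Defender Firewall global and profile settings
# with the NetSecurity module. Requires an elevated session on Windows 10+.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- Global settings (page: "Global settings" rows) --------------------------
$globalSettings = @{
    EnableStatefulFtp      = 'True'              # "Disable file transfer protocol" = No (FTP is tracked)
    MaxSAIdleTimeSeconds   = 300                 # "Security association idle time"; page range 300-3600
    KeyEncoding            = 'UTF8'              # "Pre-shared key encoding"
    Exemptions             = @('NeighborDiscovery', 'RouterDiscovery', 'Dhcp')  # "IPsec exemptions"
    CertValidationLevel    = 'AttemptCrlCheck'   # "Fail CRL verification on revoked certificate only"
    RequireFullAuthSupport = 'False'             # 'False' = opportunistically match auth set per keying module
    EnablePacketQueuing    = 'None'              # "Disabled queueing"
}
Set-NetFirewallSetting @globalSettings

# --- Per-profile settings (page: "Configure domain/private/public network") --
$profileSettings = @{
    Name                            = @('Domain', 'Private', 'Public')
    Enabled                         = 'True'
    DefaultInboundAction            = 'Block'    # "Block inbound connections"
    DefaultOutboundAction           = 'Allow'    # "Block outbound connections" left disabled
    AllowInboundRules               = 'True'     # 'False' gives the "Enable shielded" behaviour
    AllowUnicastResponseToMulticast = 'False'    # no unicast replies to multicast/broadcast traffic
    NotifyOnListen                  = 'False'    # "Disable inbound notifications"
    AllowLocalFirewallRules         = 'False'    # do not merge Defender firewall rules from the local store
    AllowLocalIPsecRules            = 'False'    # do not merge IPsec rules from the local store
    AllowUserApps                   = 'False'    # no authorized-application rules from the local store
    AllowUserPorts                  = 'False'    # no global port rules from the local store
    EnableStealthModeForIPsec       = 'True'     # "Disable IPsec secured packet exemption with stealth mode"
}
Set-NetFirewallProfile @profileSettings

# Public networks additionally get the shielded behaviour: all inbound traffic is
# dropped regardless of allow rules (an assumed choice for this example).
Set-NetFirewallProfile -Name 'Public' -AllowInboundRules 'False'

# --- Verify the resulting configuration ---------------------------------------
Get-NetFirewallSetting |
    Select-Object EnableStatefulFtp, MaxSAIdleTimeSeconds, KeyEncoding, Exemptions,
                  CertValidationLevel, RequireFullAuthSupport, EnablePacketQueuing |
    Format-List

Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowInboundRules, AllowLocalFirewallRules, NotifyOnListen |
    Format-Table -AutoSize
```

Stealth mode itself has no Set-NetFirewallProfile parameter: it is on by default and is only turned off by an explicit policy value, so the verification output above reports the IPsec exemption flag but not stealth mode as such. If the device also receives MDM policy, the MDM-delivered values take precedence over what this script writes.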
Configure firewall rules
A list of rules controlling traffic through the Windows Firewall. To add a rule, click the Add (+) icon in the right corner of this section.
  • Rule name: A unique alphanumeric identifier for the rule. The rule name cannot include a forward slash (/).
  • Rule description: A description of the rule.
  • Traffic direction: The direction of traffic to which the rule applies.
    • Outbound (default): The rule applies to outbound traffic.
    • Inbound: The rule applies to inbound traffic.
  • Block traffic: If enabled, the rule blocks traffic in the direction selected in the Traffic direction setting. By default, this option is not enabled and the rule allows the traffic.
  • Network types: The type of network (domain, private, or public) that the rule applies to. If no network type is selected, the rule applies to all network types.
  • Application configurations: The app, program, or service whose connections the rule controls.
    • All (default): The rule applies to all apps, programs, or services.
    • Package family name: The unique name of the Microsoft Store app. For more information on how to obtain the package family name, see Examples of obtaining Windows app IDs manually.
    • File path: The full file path of the app. For example: C:\Windows\System\Notepad.exe
    • Windows service: The service name that is used when a service, not an app, is sending or receiving traffic.
  • IP address configuration - local address: The local IP addresses that apply to the rule:
    • Any address
    • Specific addresses: A comma-separated list of local addresses that are covered by the rule.
      • A valid IPv6 address.
      • An IPv4 address range in the format "start address-end address" with no spaces. For example: 24.194.231.8-24.194.231.12
      • An IPv6 address range in the format "start address-end address" with no spaces. For example: 2001:0DB8:ABCD:0012:0000:0000:0000:0000-2001:0DB8:ABCD:0012:FFFF:FFFF:FFFF:FFF
  • IP address configuration - remote address: The remote IP addresses that apply to the rule:
    • Any address
    • Specific addresses: A comma-separated list of tokens that specify the remote addresses that are covered by the rule.
      • "Defaultgateway"
      • "DHCP"
      • "DNS"
      • "WINS"
      • "Intranet" (This token is supported on Windows 10+ version 1809 and later.)
      • "RmtIntranet" (This token is supported on Windows 10+ version 1809 and later.)
      • "Internet" (This token is supported on Windows 10+ version 1809 and later.)
      • "Ply2Renders" (This token is supported on Windows 10+ version 1809 and later.)
      • "LocalSubnet": Any local address on the local subnet. This token is not case-sensitive.
      • A valid IPv6 address.
      • An IPv4 address range in the format "start address-end address" with no spaces. For example: 24.194.231.8-24.194.231.12
      • An IPv6 address range in the format "start address-end address" with no spaces. For example: 2001:0DB8:ABCD:0012:0000:0000:0000:0000-2001:0DB8:ABCD:0012:FFFF:FFFF:FFFF:FFF
  • Protocols and ports: The local and remote protocols or ports that apply to the rule.
    • Any (default): Any port or protocol applies to the rule.
    • TCP (Transmission Control Protocol): A communication protocol used in the Internet and in any network that follows the Internet Engineering Task Force (IETF) internetwork protocol standards. TCP provides a reliable host-to-host protocol in packet-switched communication networks and in interconnected systems of such networks.
      • All ports
      • Specific ports: A comma-separated list of port ranges.
    • UDP (User Datagram Protocol): An Internet protocol that provides an unreliable, connectionless datagram service. It enables an application or process on one machine to send a datagram to an application or process on another machine.
      • All ports
      • Specific ports: A comma-separated list of port ranges.
    • Custom port: A comma-separated list of port numbers. Valid values are 0 - 255.
  • Interface types: The type of network connection that applies to the rule.
    • Remote access
    • Wireless
    • LAN
  • Authorized users: The list of authorized local users for this rule. The list is a string in the Security Descriptor Definition Language (SDDL) format. For more information on SDDL, see https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format.
Supported devices: Windows 10+ Professional, Education, Enterprise
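As an added example (not code from the page or from the product), the following PowerShell creates two rules that exercise the rule fields listed above (direction, block/allow, network types, file path, remote address token and range, protocol and port ranges, interface type, SDDL-authorized users) with the built-in NetSecurity cmdlets, then reads the rules back through their address, port and application filters to confirm what was applied. The rule names, program paths, address range and ports are constructed for this example; only the Administrators SID in the SDDL string is a well-known value.

```powershell
# Added example: create and verify Windows Defender Firewall rules built from the
# rule fields on this page. Requires an elevated session on Windows 10+.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# The page requires rule names without a forward slash; enforce that before creating.
function Assert-RuleName {
    param([Parameter(Mandatory)][string] $Name)
    if ($Name -match '/') { throw "Rule name '$Name' must not contain '/'" }
    return $Name
}

# Rule 1: allow inbound TCP to a constructed line-of-business app from the local
# subnet only, on wired (LAN) interfaces, and only for members of local Administrators.
$inboundRule = @{
    DisplayName   = Assert-RuleName 'Example-LOB-Inbound-8443'
    Description   = 'Constructed example: LOB app, local subnet, wired only'
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = @('Domain', 'Private')                  # "Network types"
    Program       = 'C:\Program Files\ExampleLOB\lob.exe'   # "File path" (assumed path)
    LocalAddress  = 'Any'
    RemoteAddress = 'LocalSubnet'                           # token listed on the page
    Protocol      = 'TCP'
    LocalPort     = '8443'
    InterfaceType = 'Wired'                                 # page: "LAN"
    LocalUser     = 'D:(A;;CC;;;S-1-5-32-544)'              # SDDL: BUILTIN\Administrators
    Enabled       = 'True'
}

# Rule 2: block outbound TCP from Notepad to a specific remote IPv4 range, using
# the "start address-end address" format from the page (no spaces).
$outboundRule = @{
    DisplayName   = Assert-RuleName 'Example-Block-Notepad-Outbound'
    Description   = 'Constructed example: block outbound to a remote range'
    Direction     = 'Outbound'
    Action        = 'Block'                                 # "Block traffic" checked
    Profile       = 'Any'                                   # no network type selected = all
    Program       = 'C:\Windows\System32\notepad.exe'
    RemoteAddress = '24.194.231.8-24.194.231.12'
    Protocol      = 'TCP'
    RemotePort    = @('80', '443', '8000-8080')             # "Specific ports": list of ranges
    Enabled       = 'True'
}

foreach ($r in @($inboundRule, $outboundRule)) {
    # Remove a stale copy first so the example can be re-run cleanly.
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule @r | Out-Null
}

# Verify: join each rule to its application, address and port filters.
@($inboundRule.DisplayName, $outboundRule.DisplayName) | ForEach-Object {
    $rule = Get-NetFirewallRule -DisplayName $_
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Direction = $rule.Direction
        Action    = $rule.Action
        Profile   = $rule.Profile
        Program   = ($rule | Get-NetFirewallApplicationFilter).Program
        Remote    = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Ports     = "$($port.Protocol) local:$($port.LocalPort -join ',') remote:$($port.RemotePort -join ',')"
    }
} | Format-Table -AutoSize
```

The read-back step matters in practice: a rule that was created with a typo in the program path or a token that the OS version does not support (the page notes that "Intranet", "Internet" and similar tokens need version 1809 or later) is silently ineffective, and the filter objects are the authoritative view of what the firewall will actually match. Microsoft Store apps are targeted with the -Package parameter, which takes the package SID rather than the package family name shown on this page.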