Starting with Windows 10 Fall Creators Update (1709), many people have found some unusual behaviour with the new Windows Defender Security Center (WDSC), and most of these issues appear to be related to firewall policies. The WDSC was introduced in Windows 10 Creators Update (1703), however it appears that changes in more recent versions of may not like legacy Windows Defender Firewall policies. Long story short, if you haven’t upgraded your Windows Defender Firewall policies to based on the “Windows Defender Firewall with Advanced Security” GPO settings, then you appear to be in for a bad time once you hit Windows 10 (1709) or newer.
Starting with our Windows 10 Fall Creators Update (1709) pilot process, we found that the new WDSC was reporting that the firewall was “turned off” on devices, even though it was actually turned on and being correctly configured by existing Domain-profile Group Policy Objects (GPOs). Frustratingly, these policies worked perfectly on all previous versions of Windows, including 1703, so and clicking “Turn On” within the settings didn’t actually fix the issue. During our testing, we also found that the “File and Printer Sharing” option was also listed as turned off in the Network and Sharing Center. Something was clearly making Windows unhappy.
Initially we thought these issues were just UI bugs – because we could see our rules applied correctly in Windows Firewall, GPRESULT, and they worked previously – but then we started to notice certain app and management exceptions weren’t actually working. Then our pilot group started to complain about Internet connectivity issues and other anomalies. But the most unusual symptom we found, and this been confirmed across several other sites, is that GPO-deployed Wi-Fi configurations would randomly stop reconnecting after waking from sleep, and sometimes after reboots – and when they did, we had a very good chance of seeing “limited or no connectivity” messages. Super-weird stuff.
Here’s what I’ve found so far:
- Any GPOs using “legacy” Administrative Templates for Windows Firewall no longer appear to work reliably.
- You need to recreate your GPOs using the Windows Firewall with Advanced Security to make things work reliably from WIndows 10 (1709) and newer.
- You need to allow all the “Windows default” exceptions to get rid of the “turned off” message in WDSC.
- Even with File and Printer Sharing exceptions configured, this will still show as turned off until you add:
- LLMNR-UDP-In
- Echo Request – ICMPv4-In
- NB-Datagram-In
- NB-Name-In
- SMB-In
- NB-Session-In
- And Remote Administration (RPC Endpoint Mapper)
Strangely, the legacy policy setting for “Protect all networks” looks to partly work, as do a few others, but I think we can now call all of those settings deprecated. At this point, I can only recommend that you seriously consider creating new protection states and exceptions via the Advanced Security settings, and save yourself a lot of pain.
Updating to the new policies is probably a smart thing to consider anyway, as the legacy policies do date back to Windows XP and aren’t really supported any longer. Annoyingly, that does mean you have to sacrifice some simplicity: There are some configurations that can be handled by a single “Windows Defender Firewall” setting – i.e. “Protect all network connections”, “Allow inbound remote administration exception” and “Allow inbound file and printer sharing exception”, to name a few – that now take several “Windows Defender Firewall with Advanced Security” rules to accomplish as the replacement… and that’s a pain. In fact, in the case of “remote administration”, you can’t quite accomplish all the same things as the single legacy setting can, even after adding a heap of rules in its place. That is why, even in our site where we were almost entirely using newer firewall policies, we did continue to have couple of legacy rules applied where it made sense… but that was enough for the weirdness to happen at our site, so I don’t recommend these going forward.
To make File and Printer Sharing work with 1709+, you appear to need to scrap any legacy policy settings including domain-profile exceptions or scoping, and replace them with the 7 new inbound rules in an Advanced Security policy. Without this, the Setting/Control-Panel option for “File and Printer Sharing” is actually displayed as “Off”, and some things don’t work the way they should. Similarly, to protect all the network types by default, and help remove the Windows Defender Security Center warning about the firewall being off, we had to replace a single legacy setting with “Domain Profile”, “Private Profile” and “Public Profile” settings where we enable the firewall, etc.
I’ve had a couple of other Schools reach out to me for help, with most asking some form of “have you seen weird stuff with Wi-Fi not reconnecting on 1709?”, but also with questions regarding remote management and app/port exception failures. To date, changing the WDF configuration to use the newer Advanced Security policy settings has been very successful, however some additional tweaking to web filters may also be required (see my other post on that). While weird, it really does appears that recreating existing firewall policies, using the newer policy settings, has the ability to flip on/off settings in the firewall, and appears to make Wi-Fi connectivity more reliable. I just wanted to put this out there, see if others have experienced the same issue, hopefully help some people that are bashing their head against this wall.
Webber Zone 