Skip to main content

Windows Firewall Policy

Overview

The Windows Firewall Policy configures Windows Defender Firewall profile settings, global settings, dynamic keyword addresses, and custom firewall rules through the Firewall CSP. On each apply, previously deployed rules and keywords are removed, then the configured rules and keywords are added.

Requirements

Supported Platforms

Windows

Minimum System Requirements

Windows 10 version 1709 (10.0.16299) and later

Ownership

Company-owned devices


Policy Configuration

Domain Profile

Firewall settings applied to domain networks.

Field

Description

Type

Default

Enable Firewall

Enable Windows Defender Firewall enforcement for the profile.

Boolean

true

Default Inbound Action

Default action for inbound connections: 0 Allow, 1 Block.

Integer (0 or 1)

1

Default Outbound Action

Default action for outbound connections: 0 Allow, 1 Block.

Integer (0 or 1)

0

Allow Local IPsec Policy Merge

Allow local connection security rules to merge with managed policy.

Boolean

true

Allow Local Policy Merge

Allow locally created firewall rules to merge with managed policy.

Boolean

true

Authorized Apps User Preference Merge

Allow authorized application firewall rules in the local store to merge.

Boolean

true

Disable Inbound Notifications

Suppress user notifications when an app is blocked from listening on a port.

Boolean

false

Disable Stealth Mode

Disable stealth mode for the profile.

Boolean

false

Disable Stealth Mode IPsec Exemption

Control whether IPsec-secured unsolicited traffic is exempt from stealth mode.

Boolean

true

Disable Unicast Responses

Block unicast responses to multicast or broadcast traffic.

Boolean

false

Log Dropped Packets

Log dropped packets.

Boolean

false

Log Ignored Rules

Log events for rules that are not enforced.

Boolean

false

Log Successful Connections

Log successful inbound connections.

Boolean

false

Global Ports User Preference Merge

Allow local global port rules to merge.

Boolean

true

Log File Path

Path for the firewall log file.

String

%systemroot%\system32\LogFiles\Firewall\pfirewall.log

Log Max File Size

Firewall log size in KB.

Integer (0–4294967295)

1024

Shielded

Block all incoming traffic while firewall is enabled.

Boolean

false


Private Profile

Firewall settings applied to private networks.

Field

Description

Type

Default

Enable Firewall

Enable Windows Defender Firewall enforcement for the profile.

Boolean

true

Default Inbound Action

Default action for inbound connections: 0 Allow, 1 Block.

Integer (0 or 1)

1

Default Outbound Action

Default action for outbound connections: 0 Allow, 1 Block.

Integer (0 or 1)

0

Allow Local IPsec Policy Merge

Allow local connection security rules to merge with managed policy.

Boolean

true

Allow Local Policy Merge

Allow locally created firewall rules to merge with managed policy.

Boolean

true

Authorized Apps User Preference Merge

Allow authorized application firewall rules in the local store to merge.

Boolean

true

Disable Inbound Notifications

Suppress user notifications when an app is blocked from listening on a port.

Boolean

false

Disable Stealth Mode

Disable stealth mode for the profile.

Boolean

false

Disable Stealth Mode IPsec Exemption

Control whether IPsec-secured unsolicited traffic is exempt from stealth mode.

Boolean

true

Disable Unicast Responses

Block unicast responses to multicast or broadcast traffic.

Boolean

false

Log Dropped Packets

Log dropped packets.

Boolean

false

Log Ignored Rules

Log events for rules that are not enforced.

Boolean

false

Log Successful Connections

Log successful inbound connections.

Boolean

false

Global Ports User Preference Merge

Allow local global port rules to merge.

Boolean

true

Log File Path

Path for the firewall log file.

String

%systemroot%\system32\LogFiles\Firewall\pfirewall.log

Log Max File Size

Firewall log size in KB.

Integer (0–4294967295)

1024

Shielded

Block all incoming traffic while firewall is enabled.

Boolean

false


Public Profile

Firewall settings applied to public networks.

Field

Description

Type

Default

Enable Firewall

Enable Windows Defender Firewall enforcement for the profile.

Boolean

true

Default Inbound Action

Default action for inbound connections: 0 Allow, 1 Block.

Integer (0 or 1)

1

Default Outbound Action

Default action for outbound connections: 0 Allow, 1 Block.

Integer (0 or 1)

0

Allow Local IPsec Policy Merge

Allow local connection security rules to merge with managed policy.

Boolean

true

Allow Local Policy Merge

Allow locally created firewall rules to merge with managed policy.

Boolean

true

Authorized Apps User Preference Merge

Allow authorized application firewall rules in the local store to merge.

Boolean

true

Disable Inbound Notifications

Suppress user notifications when an app is blocked from listening on a port.

Boolean

false

Disable Stealth Mode

Disable stealth mode for the profile.

Boolean

false

Disable Stealth Mode IPsec Exemption

Control whether IPsec-secured unsolicited traffic is exempt from stealth mode.

Boolean

true

Disable Unicast Responses

Block unicast responses to multicast or broadcast traffic.

Boolean

false

Log Dropped Packets

Log dropped packets.

Boolean

false

Log Ignored Rules

Log events for rules that are not enforced.

Boolean

false

Log Successful Connections

Log successful inbound connections.

Boolean

false

Global Ports User Preference Merge

Allow local global port rules to merge.

Boolean

true

Log File Path

Path for the firewall log file.

String

%systemroot%\system32\LogFiles\Firewall\pfirewall.log

Log Max File Size

Firewall log size in KB.

Integer (0–4294967295)

1024

Shielded

Block all incoming traffic while firewall is enabled.

Boolean

false


Global Settings

Global Windows Defender Firewall settings.

Field

Description

Type

Default

CRL Check

Certificate revocation list checking: 0 Disabled, 1 Attempted, 2 Required.

Integer (0, 1, or 2)

Disable Stateful FTP

Disable stateful FTP filtering.

Boolean

false

Enable Audit Mode

Enable firewall audit mode.

Boolean

false

Enable Packet Queue

Packet queue mode bitmask.

Integer (0–3)

0

IPsec Exempt

IPsec exemption bitmask.

Integer (0–15)

0

Opportunistic Auth Set Match

Allow keying modules to ignore only unsupported authentication suites.

Boolean

Preshared Key Encoding

0 None, 1 UTF-8.

Integer (0 or 1)

1

SA Idle Time

Security association idle time in seconds.

Integer (300–3600)

300


Dynamic Keyword Addresses

Dynamic keyword address objects for use in firewall rule remoteAddressDynamicKeywords.

Field

Description

Type

Required

ID

GUID identifier. Braces are accepted and will be added if omitted.

String

Yes

Addresses

Comma-delimited address tokens. Must be empty when Auto Resolve is true.

String

No

Auto Resolve

Resolve keyword as an FQDN when Microsoft Defender Advanced Threat Protection service is present.

Boolean (default: false)

No

Keyword

Keyword alias or FQDN when Auto Resolve is true.

String

No


Firewall Rules

Custom Windows Defender Firewall rules. Each rule is wrapped in an Atomic block.

Field

Description

Type

Default

Rule Name

Unique firewall rule node name.

String (required)

Friendly Name

Friendly display name for the rule.

String

Description

Description for the rule.

String

Action

0 Block, 1 Allow.

Integer (0 or 1)

1

Direction

Traffic direction: in or out.

String

out

Enabled

Enable the rule.

Boolean

true

Profiles

Profile bitmask: Domain 1, Private 2, Public 4, All 2147483647.

Integer

2147483647

Protocol

IP protocol number. TCP 6, UDP 17, ICMP 1, IPv6-ICMP 58.

Integer (0–255)

Local Port Ranges

Comma-delimited local port ranges. Requires protocol 6 or 17.

String

Remote Port Ranges

Comma-delimited remote port ranges. Requires protocol 6 or 17.

String

Local Address Ranges

Comma-delimited local address tokens.

String

Remote Address Ranges

Comma-delimited remote address tokens.

String

Remote Address Dynamic Keywords

Comma-delimited dynamic keyword GUIDs.

String

ICMP Types And Codes

ICMP type/code list. Requires protocol 1 or 58. Supported on Windows 11 / Server 2022 and later.

String

Interface Types

Comma-delimited values: RemoteAccess, Wireless, Lan, MBB, All.

String

Edge Traversal

Allow edge traversal for inbound traffic.

Boolean

Local User Authorized List

Authorized local users in SDDL format.

String

Policy App ID

App Control tag. Cannot be combined with App > Service Name.

String

App (sub-fields of Firewall Rules)

Application or service match conditions.

Field

Description

Type

File Path

Application executable path.

String

FQBN

Fully qualified binary name.

String

Package Family Name

Microsoft Store app package family name.

String

Service Name

Windows service name. Cannot be combined with Policy App ID.

String


Notes

  • On each policy apply, all previously deployed firewall rules and dynamic keyword addresses are removed, then the currently configured rules and keywords are re-added. This ensures the device always reflects the exact set of rules defined in the policy.

  • The three network profiles (Domain, Private, Public) share the same set of configurable fields but apply independently based on the network type the device is connected to.

  • Dynamic Keyword Addresses allow you to define reusable address objects that can be referenced by GUID in the remoteAddressDynamicKeywords field of firewall rules, enabling centralized address management.

  • When Auto Resolve is enabled on a dynamic keyword address, the Addresses field must be left empty — the system will resolve the FQDN automatically via Microsoft Defender ATP.

  • The Shielded setting blocks all incoming traffic regardless of other rules and should be used with caution (e.g., during active incident response).

Did this answer your question?