Configures Windows Defender Firewall profile settings, global settings, dynamic keyword addresses, and custom firewall rules through the Firewall CSP. FirewallRules and DynamicKeywords are emitted inside SyncML Atomic blocks as required by Microsoft.

Prerequisites

Requirement	Details
Supported platforms	Windows
Minimum OS version	Windows 10 version 1709 (build 10.0.16299) and later

Policy Structure

The Windows Firewall Policy is organized into six sections:

Section	Type	Description
Domain Profile	Dictionary	Firewall settings applied to domain networks
Private Profile	Dictionary	Firewall settings applied to private networks
Public Profile	Dictionary	Firewall settings applied to public networks
Global Settings	Dictionary	Global Windows Defender Firewall settings
Dynamic Keyword Addresses	Array of dictionaries	Reusable address objects for firewall rules
Firewall Rules	Array of dictionaries	Custom Windows Defender Firewall rules

Network Profile Settings

The Domain Profile, Private Profile, and Public Profile sections share the same set of fields. Configure each independently to control firewall behavior per network type.

Firewall State

Field	Display Name	Type	Default	Description
`enableFirewall`	Enable Firewall	Boolean	`true`	Enable Windows Defender Firewall enforcement for the profile
`defaultInboundAction`	Default Inbound Action	Integer	`1`	Default action for inbound connections: 0 Allow, 1 Block
`defaultOutboundAction`	Default Outbound Action	Integer	`0`	Default action for outbound connections: 0 Allow, 1 Block
`shielded`	Shielded	Boolean	`false`	Block all incoming traffic while firewall is enabled

Stealth & Notifications

Field	Display Name	Type	Default	Description
`disableStealthMode`	Disable Stealth Mode	Boolean	`false`	Disable stealth mode for the profile
`disableStealthModeIpsecSecuredPacketExemption`	Disable Stealth Mode IPsec Exemption	Boolean	`true`	Control whether IPsec-secured unsolicited traffic is exempt from stealth mode
`disableInboundNotifications`	Disable Inbound Notifications	Boolean	`false`	Suppress user notifications when an app is blocked from listening on a port
`disableUnicastResponsesToMulticastBroadcast`	Disable Unicast Responses	Boolean	`false`	Block unicast responses to multicast or broadcast traffic

Logging

Field	Display Name	Type	Default	Description
`enableLogDroppedPackets`	Log Dropped Packets	Boolean	`false`	Log dropped packets
`enableLogIgnoredRules`	Log Ignored Rules	Boolean	`false`	Log events for rules that are not enforced
`enableLogSuccessConnections`	Log Successful Connections	Boolean	`false`	Log successful inbound connections
`logFilePath`	Log File Path	String	`%systemroot%\system32\LogFiles\Firewall\pfirewall.log`	Path for the firewall log file
`logMaxFileSize`	Log Max File Size	Integer	`1024`	Firewall log size in KB (0–4,294,967,295)

Policy Merge

Field	Display Name	Type	Default	Description
`allowLocalPolicyMerge`	Allow Local Policy Merge	Boolean	`true`	Allow locally created firewall rules to merge with managed policy
`allowLocalIpsecPolicyMerge`	Allow Local IPsec Policy Merge	Boolean	`true`	Allow local connection security rules to merge with managed policy
`authAppsAllowUserPrefMerge`	Authorized Apps User Preference Merge	Boolean	`true`	Allow authorized application firewall rules in the local store to merge
`globalPortsAllowUserPrefMerge`	Global Ports User Preference Merge	Boolean	`true`	Allow local global port rules to merge

Global Settings

Global settings apply across all network profiles.

Field	Display Name	Type	Default	Description
`crlCheck`	CRL Check	Integer	—	Certificate revocation list checking: 0 Disabled, 1 Attempted, 2 Required
`disableStatefulFtp`	Disable Stateful FTP	Boolean	`false`	Disable stateful FTP filtering
`enableAuditMode`	Enable Audit Mode	Boolean	`false`	Enable firewall audit mode
`enablePacketQueue`	Enable Packet Queue	Integer	`0`	Packet queue mode bitmask (0–3)
`ipsecExempt`	IPsec Exempt	Integer	`0`	IPsec exemption bitmask (0–15)
`opportunisticallyMatchAuthSetPerKM`	Opportunistic Auth Set Match	Boolean	—	Allow keying modules to ignore only unsupported authentication suites
`presharedKeyEncoding`	Preshared Key Encoding	Integer	`1`	0 None, 1 UTF-8
`saIdleTime`	SA Idle Time	Integer	`300`	Security association idle time in seconds (300–3600)

Dynamic Keyword Addresses

Define reusable address objects that can be referenced by firewall rules via the remoteAddressDynamicKeywords field.

Field	Display Name	Type	Required	Default	Description
`id`	ID	String	Yes	—	GUID identifier. Braces are accepted and will be added if omitted
`operation`	Operation	String	No	`Add`	SyncML node operation: Add or Delete
`addresses`	Addresses	String	No	—	Comma-delimited address tokens. Must be empty when `autoResolve` is `true`
`autoResolve`	Auto Resolve	Boolean	No	`false`	Resolve keyword as an FQDN when Microsoft Defender ATP service is present
`keyword`	Keyword	String	No	—	Keyword alias or FQDN when `autoResolve` is `true`

Firewall Rules

Define custom Windows Defender Firewall rules. Each rule is wrapped in an SyncML Atomic block.

Rule Identity & State

Field	Display Name	Type	Required	Default	Description
`ruleName`	Rule Name	String	Yes	—	Unique firewall rule node name
`operation`	Operation	String	No	`Add`	SyncML node operation: Add (new rules), Replace (existing rules), Delete (remove a rule)
`name`	Friendly Name	String	No	—	Friendly display name for the rule
`description`	Description	String	No	—	Description for the rule
`enabled`	Enabled	Boolean	No	`true`	Enable the rule

Traffic Matching

Field	Display Name	Type	Default	Description
`actionType`	Action	Integer	`1`	0 Block, 1 Allow
`direction`	Direction	String	`OUT`	Traffic direction: IN or OUT
`profiles`	Profiles	Integer	`2147483647`	Profile bitmask: Domain 1, Private 2, Public 4, All 2147483647
`protocol`	Protocol	Integer	—	IP protocol number (0–255). Common: TCP 6, UDP 17, ICMP 1, IPv6-ICMP 58

Ports & Addresses

Field	Display Name	Type	Description
`localPortRanges`	Local Port Ranges	String	Comma-delimited local port ranges. Requires protocol 6 or 17
`remotePortRanges`	Remote Port Ranges	String	Comma-delimited remote port ranges. Requires protocol 6 or 17
`localAddressRanges`	Local Address Ranges	String	Comma-delimited local address tokens
`remoteAddressRanges`	Remote Address Ranges	String	Comma-delimited remote address tokens
`remoteAddressDynamicKeywords`	Remote Address Dynamic Keywords	String	Comma-delimited dynamic keyword GUIDs

Advanced Options

Field	Display Name	Type	Description
`icmpTypesAndCodes`	ICMP Types And Codes	String	ICMP type/code list. Requires protocol 1 or 58. Windows 11 / Server 2022+ only
`interfaceTypes`	Interface Types	String	Comma-delimited values: RemoteAccess, Wireless, Lan, MBB, All
`edgeTraversal`	Edge Traversal	Boolean	Allow edge traversal for inbound traffic
`localUserAuthorizedList`	Local User Authorized List	String	Authorized local users in SDDL format
`policyAppId`	Policy App ID	String	App Control tag. Cannot be combined with `app.serviceName`

Application Matching (`app`)

Field	Display Name	Type	Description
`app.filePath`	File Path	String	Application executable path
`app.fqbn`	FQBN	String	Fully qualified binary name
`app.packageFamilyName`	Package Family Name	String	Microsoft Store app package family name
`app.serviceName`	Service Name	String	Windows service name. Cannot be combined with `policyAppId`

Deployment Behavior

Atomic blocks — FirewallRules and DynamicKeywords are emitted inside SyncML Atomic blocks. Atomic blocks are all-or-nothing: if any setting within the block is unsupported on the target OS version, the entire block fails.
OS version gating — Some fields (e.g., icmpTypesAndCodes) are only supported on Windows 11 / Server 2022 and later. Rules containing unsupported fields should be isolated into separate Atomic blocks to prevent them from causing unrelated rules to fail.
Failure isolation — To maximize deployment reliability, group rules with newer-OS-only fields separately so that a failure does not block deployment of other valid rules.