Overview
The Windows Firewall Policy configures Windows Defender Firewall profile settings, global settings, dynamic keyword addresses, and custom firewall rules through the Firewall CSP. On each apply, previously deployed rules and keywords are removed, then the configured rules and keywords are added.
Requirements
Supported Platforms | Windows |
Minimum System Requirements | Windows 10 version 1709 (10.0.16299) and later |
Ownership | Company-owned devices |
Policy Configuration
Domain Profile
Firewall settings applied to domain networks.
Field | Description | Type | Default |
Enable Firewall | Enable Windows Defender Firewall enforcement for the profile. | Boolean |
|
Default Inbound Action | Default action for inbound connections: 0 Allow, 1 Block. | Integer (0 or 1) |
|
Default Outbound Action | Default action for outbound connections: 0 Allow, 1 Block. | Integer (0 or 1) |
|
Allow Local IPsec Policy Merge | Allow local connection security rules to merge with managed policy. | Boolean |
|
Allow Local Policy Merge | Allow locally created firewall rules to merge with managed policy. | Boolean |
|
Authorized Apps User Preference Merge | Allow authorized application firewall rules in the local store to merge. | Boolean |
|
Disable Inbound Notifications | Suppress user notifications when an app is blocked from listening on a port. | Boolean |
|
Disable Stealth Mode | Disable stealth mode for the profile. | Boolean |
|
Disable Stealth Mode IPsec Exemption | Control whether IPsec-secured unsolicited traffic is exempt from stealth mode. | Boolean |
|
Disable Unicast Responses | Block unicast responses to multicast or broadcast traffic. | Boolean |
|
Log Dropped Packets | Log dropped packets. | Boolean |
|
Log Ignored Rules | Log events for rules that are not enforced. | Boolean |
|
Log Successful Connections | Log successful inbound connections. | Boolean |
|
Global Ports User Preference Merge | Allow local global port rules to merge. | Boolean |
|
Log File Path | Path for the firewall log file. | String |
|
Log Max File Size | Firewall log size in KB. | Integer (0–4294967295) |
|
Shielded | Block all incoming traffic while firewall is enabled. | Boolean |
|
Private Profile
Firewall settings applied to private networks.
Field | Description | Type | Default |
Enable Firewall | Enable Windows Defender Firewall enforcement for the profile. | Boolean |
|
Default Inbound Action | Default action for inbound connections: 0 Allow, 1 Block. | Integer (0 or 1) |
|
Default Outbound Action | Default action for outbound connections: 0 Allow, 1 Block. | Integer (0 or 1) |
|
Allow Local IPsec Policy Merge | Allow local connection security rules to merge with managed policy. | Boolean |
|
Allow Local Policy Merge | Allow locally created firewall rules to merge with managed policy. | Boolean |
|
Authorized Apps User Preference Merge | Allow authorized application firewall rules in the local store to merge. | Boolean |
|
Disable Inbound Notifications | Suppress user notifications when an app is blocked from listening on a port. | Boolean |
|
Disable Stealth Mode | Disable stealth mode for the profile. | Boolean |
|
Disable Stealth Mode IPsec Exemption | Control whether IPsec-secured unsolicited traffic is exempt from stealth mode. | Boolean |
|
Disable Unicast Responses | Block unicast responses to multicast or broadcast traffic. | Boolean |
|
Log Dropped Packets | Log dropped packets. | Boolean |
|
Log Ignored Rules | Log events for rules that are not enforced. | Boolean |
|
Log Successful Connections | Log successful inbound connections. | Boolean |
|
Global Ports User Preference Merge | Allow local global port rules to merge. | Boolean |
|
Log File Path | Path for the firewall log file. | String |
|
Log Max File Size | Firewall log size in KB. | Integer (0–4294967295) |
|
Shielded | Block all incoming traffic while firewall is enabled. | Boolean |
|
Public Profile
Firewall settings applied to public networks.
Field | Description | Type | Default |
Enable Firewall | Enable Windows Defender Firewall enforcement for the profile. | Boolean |
|
Default Inbound Action | Default action for inbound connections: 0 Allow, 1 Block. | Integer (0 or 1) |
|
Default Outbound Action | Default action for outbound connections: 0 Allow, 1 Block. | Integer (0 or 1) |
|
Allow Local IPsec Policy Merge | Allow local connection security rules to merge with managed policy. | Boolean |
|
Allow Local Policy Merge | Allow locally created firewall rules to merge with managed policy. | Boolean |
|
Authorized Apps User Preference Merge | Allow authorized application firewall rules in the local store to merge. | Boolean |
|
Disable Inbound Notifications | Suppress user notifications when an app is blocked from listening on a port. | Boolean |
|
Disable Stealth Mode | Disable stealth mode for the profile. | Boolean |
|
Disable Stealth Mode IPsec Exemption | Control whether IPsec-secured unsolicited traffic is exempt from stealth mode. | Boolean |
|
Disable Unicast Responses | Block unicast responses to multicast or broadcast traffic. | Boolean |
|
Log Dropped Packets | Log dropped packets. | Boolean |
|
Log Ignored Rules | Log events for rules that are not enforced. | Boolean |
|
Log Successful Connections | Log successful inbound connections. | Boolean |
|
Global Ports User Preference Merge | Allow local global port rules to merge. | Boolean |
|
Log File Path | Path for the firewall log file. | String |
|
Log Max File Size | Firewall log size in KB. | Integer (0–4294967295) |
|
Shielded | Block all incoming traffic while firewall is enabled. | Boolean |
|
Global Settings
Global Windows Defender Firewall settings.
Field | Description | Type | Default |
CRL Check | Certificate revocation list checking: 0 Disabled, 1 Attempted, 2 Required. | Integer (0, 1, or 2) | — |
Disable Stateful FTP | Disable stateful FTP filtering. | Boolean |
|
Enable Audit Mode | Enable firewall audit mode. | Boolean |
|
Enable Packet Queue | Packet queue mode bitmask. | Integer (0–3) |
|
IPsec Exempt | IPsec exemption bitmask. | Integer (0–15) |
|
Opportunistic Auth Set Match | Allow keying modules to ignore only unsupported authentication suites. | Boolean | — |
Preshared Key Encoding | 0 None, 1 UTF-8. | Integer (0 or 1) |
|
SA Idle Time | Security association idle time in seconds. | Integer (300–3600) |
|
Dynamic Keyword Addresses
Dynamic keyword address objects for use in firewall rule remoteAddressDynamicKeywords.
Field | Description | Type | Required |
ID | GUID identifier. Braces are accepted and will be added if omitted. | String | Yes |
Addresses | Comma-delimited address tokens. Must be empty when Auto Resolve is true. | String | No |
Auto Resolve | Resolve keyword as an FQDN when Microsoft Defender Advanced Threat Protection service is present. | Boolean (default: | No |
Keyword | Keyword alias or FQDN when Auto Resolve is true. | String | No |
Firewall Rules
Custom Windows Defender Firewall rules. Each rule is wrapped in an Atomic block.
Field | Description | Type | Default |
Rule Name | Unique firewall rule node name. | String (required) | — |
Friendly Name | Friendly display name for the rule. | String | — |
Description | Description for the rule. | String | — |
Action | 0 Block, 1 Allow. | Integer (0 or 1) |
|
Direction | Traffic direction: | String |
|
Enabled | Enable the rule. | Boolean |
|
Profiles | Profile bitmask: Domain 1, Private 2, Public 4, All 2147483647. | Integer |
|
Protocol | IP protocol number. TCP 6, UDP 17, ICMP 1, IPv6-ICMP 58. | Integer (0–255) | — |
Local Port Ranges | Comma-delimited local port ranges. Requires protocol 6 or 17. | String | — |
Remote Port Ranges | Comma-delimited remote port ranges. Requires protocol 6 or 17. | String | — |
Local Address Ranges | Comma-delimited local address tokens. | String | — |
Remote Address Ranges | Comma-delimited remote address tokens. | String | — |
Remote Address Dynamic Keywords | Comma-delimited dynamic keyword GUIDs. | String | — |
ICMP Types And Codes | ICMP type/code list. Requires protocol 1 or 58. Supported on Windows 11 / Server 2022 and later. | String | — |
Interface Types | Comma-delimited values: RemoteAccess, Wireless, Lan, MBB, All. | String | — |
Edge Traversal | Allow edge traversal for inbound traffic. | Boolean | — |
Local User Authorized List | Authorized local users in SDDL format. | String | — |
Policy App ID | App Control tag. Cannot be combined with App > Service Name. | String | — |
App (sub-fields of Firewall Rules)
Application or service match conditions.
Field | Description | Type |
File Path | Application executable path. | String |
FQBN | Fully qualified binary name. | String |
Package Family Name | Microsoft Store app package family name. | String |
Service Name | Windows service name. Cannot be combined with Policy App ID. | String |
Notes
On each policy apply, all previously deployed firewall rules and dynamic keyword addresses are removed, then the currently configured rules and keywords are re-added. This ensures the device always reflects the exact set of rules defined in the policy.
The three network profiles (Domain, Private, Public) share the same set of configurable fields but apply independently based on the network type the device is connected to.
Dynamic Keyword Addresses allow you to define reusable address objects that can be referenced by GUID in the
remoteAddressDynamicKeywordsfield of firewall rules, enabling centralized address management.When Auto Resolve is enabled on a dynamic keyword address, the Addresses field must be left empty — the system will resolve the FQDN automatically via Microsoft Defender ATP.
The Shielded setting blocks all incoming traffic regardless of other rules and should be used with caution (e.g., during active incident response).
