diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 863938353d..62f0079893 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md index 61084f5184..85561cf109 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md @@ -32,19 +32,19 @@ netsh.exe advfirewall set allprofiles state on ### Control Windows Firewall behavior The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console. -The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. +The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and disallows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log +Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` # [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) ```cmd netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound -netsh advfirewall set allprofiles settings inboundusernotification enable +netsh advfirewall set allprofiles settings inboundusernotification disable netsh advfirewall set allprofiles settings unicastresponsetomulticast enable netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md index 3daf29314e..64b6580098 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md @@ -30,11 +30,13 @@ When first installed, network applications and services issue a *listen call* sp :::row::: :::column span="2"::: - If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: - - - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic - - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created + If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: + +- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic +- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected +To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console + :::column-end::: :::column span="2"::: :::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false":::