From 78e45e6be2ec66eb81a51a0782d4d36f09df79de Mon Sep 17 00:00:00 2001 From: Lee Yan Date: Mon, 2 Dec 2024 16:29:55 -0800 Subject: [PATCH 1/8] Update policy-csp-controlpolicyconflict.md --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 863938353d..62f0079893 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). As a result, it is recommended that the same settings should not be configured in both GPO and MDM policies unless the settings are under the control of MDMWinsOverGP. Otherwise, there will be a race condition and no guarantee which one wins. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. From d36c9e8cb867bedd1bee39a886cfbe896d4a6647 Mon Sep 17 00:00:00 2001 
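Review bot: the sentence added to the note in the `@@ -37,7 +37,7 @@` hunk hedges twice ("it is recommended that the same settings should not be configured") where the rest of this doc set uses direct, contracted phrasing (compare "It doesn't matter what option is selected" later in this series); state the guidance plainly, for example: "Don't configure the same setting in both Group Policy and MDM unless MDMWinsOverGP controls it; otherwise there's no guarantee which one wins." "Race condition" also says more than the surrounding text supports, which is only that the winner is undefined, so "the result isn't deterministic" is closer to the claim being made. The addition also lengthens an already long single-line `> [!NOTE]`; putting the recommendation on its own `> ` line would keep the note readable.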
From: Markus Sarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 4 Dec 2024 09:38:18 +0100 Subject: [PATCH 2/8] Learn Editor: Update configure-with-command-line.md --- .../windows-firewall/configure-with-command-line.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md index 61084f5184..85561cf109 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line.md 
@@ -32,19 +32,19 @@ netsh.exe advfirewall set allprofiles state on ### Control Windows Firewall behavior The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall console. -The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. +The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and disallows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting. # [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell) ```powershell -Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log +Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen False -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` # [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd) ```cmd netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound -netsh advfirewall set allprofiles settings inboundusernotification enable +netsh advfirewall set allprofiles settings inboundusernotification disable netsh advfirewall set allprofiles settings unicastresponsetomulticast enable netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` 
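Review bot: the prose line in the `@@ -32,19 +32,19 @@` hunk carries over a subject-verb mismatch ("scriptlets set ..., specifies ..., and disallows ...") and "disallows notifications to be displayed" is awkward; suggest "set the default inbound and outbound actions, specify protected network connections, and suppress the notification shown to the user when a program is blocked from receiving inbound connections". More importantly, the hunk flips the sample from `-NotifyOnListen True` / `inboundusernotification enable` to `False` / `disable` without saying why; the reason is given in rules.md in this same series (a prompt shown to a non-admin user creates block rules no matter what option is selected), so add one sentence here stating that, or link to the rules page, so readers don't read it as an arbitrary change to the sample. It's also worth saying that once the notification is off, the log file configured on the last line of each scriptlet is where an admin will see that a program's inbound traffic was blocked, since nothing is shown to the user any more.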
From 732a9871f6f0269ff49d683b1318051e7d262beb Mon Sep 17 00:00:00 2001 From: Markus Sarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 4 Dec 2024 09:55:19 +0100 Subject: [PATCH 4/8] Learn Editor: Update rules.md --- .../network-security/windows-firewall/rules.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md index 3daf29314e..2d6c97aa0d 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md 
@@ -30,19 +30,21 @@ When first installed, network applications and services issue a *listen call* sp :::row::: :::column span="2"::: - If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: + If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: + +- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic +- If the user isn't a local admin and they are prompted, block rules are created, no matter what option they chose. - - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic - - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created +To avoid this, **disable** the notification prompt. This can be done using [PowerShell or command prompt](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or in the Windows Firewall with Advanced Security console on the 'Customize Settings' tab of each profile. + In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked. + :::column-end::: :::column span="2"::: :::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." 
border="false"::: :::column-end::: :::row-end::: -In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked. - > [!NOTE] > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from non-Microsoft software should be determined by trusted app developers, the user, or the admin on behalf of the user. From 5b958c6c0b8e0a6288d1d5bb81db7702a24e9857 Mon Sep 17 00:00:00 2001 From: Markus Sarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 4 Dec 2024 10:09:15 +0100 Subject: [PATCH 6/8] Update rules.md Correcting the description for non-admin users and adding information how to avoid the block rules being created. --- .../network-security/windows-firewall/rules.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md index 2d6c97aa0d..97ae8e2f47 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md 
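Review bot: in the `@@ -30,19 +30,21 @@` hunk the rewritten bullets are moved to column 0 while still sitting inside the `:::column span="2":::` block, whereas the neighbouring lines of that column (the intro sentence and the "To avoid this" paragraph) keep the column's leading indentation; check that the renderer still treats the unindented list as part of the column, or indent the bullets like the removed `  - If the user ...` lines. In the second bullet, "no matter what option they chose" mixes present tense with past; use "choose" or "regardless of the option selected". "This can be done using ..." is passive; "You can disable it with ..." reads better. Finally, the sentence "In either of these scenarios, once the rules are added, they must be deleted ..." is moved from after `:::row-end:::` into the left column, but it applies to both bullets and to the row as a whole, so it reads better after the row, where it was.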
@@ -36,8 +36,6 @@ When first installed, network applications and services issue a *listen call* sp - If the user isn't a local admin and they are prompted, block rules are created, no matter what option they chose. To avoid this, **disable** the notification prompt. This can be done using [PowerShell or command prompt](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or in the Windows Firewall with Advanced Security console on the 'Customize Settings' tab of each profile. - - In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked. :::column-end::: :::column span="2"::: @@ -45,6 +43,8 @@ To avoid this, **disable** the notification prompt. This can be done using [Powe :::column-end::: :::row-end::: +In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked. + > [!NOTE] > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from non-Microsoft software should be determined by trusted app developers, the user, or the admin on behalf of the user. From ed9d46c9fb1d059ed927c06e9540267fa8ac091c Mon Sep 17 00:00:00 2001 From: Markus Sarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 4 Dec 2024 13:35:12 +0100 Subject: [PATCH 7/8] Update windows/security/operating-system-security/network-security/windows-firewall/rules.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../network-security/windows-firewall/rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
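Review bot: the commit message ("Correcting the description for non-admin users and adding information how to avoid the block rules being created") doesn't describe this diff, which only moves the "In either of these scenarios ..." sentence out of the `:::column:::` block to after `:::row-end:::` (the `@@ -36,8 +36,6 @@` and `@@ -45,6 +43,8 @@` hunks); the description change and the avoidance guidance landed in PATCH 4. Reword the message to what the diff does, for example "Move the 'delete the rules to get the prompt again' sentence after the row so it applies to both bullets", so the history stays searchable. The move itself looks right, and the blank line it restores before `> [!NOTE]` keeps the note block separated from the paragraph.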
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md index 97ae8e2f47..c8d1b08b14 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md @@ -33,7 +33,7 @@ When first installed, network applications and services issue a *listen call* sp If there's no active application or administrator-defined allow rule(s), a dialog box prompts the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network: - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic -- If the user isn't a local admin and they are prompted, block rules are created, no matter what option they chose. +- If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected To avoid this, **disable** the notification prompt. This can be done using [PowerShell or command prompt](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or in the Windows Firewall with Advanced Security console on the 'Customize Settings' tab of each profile. From 89c95ececa7f7ab08f81b141288344ed6510b0cd Mon Sep 17 00:00:00 2001 From: Markus Sarcletti <56821677+msarcletti@users.noreply.github.com> Date: Wed, 4 Dec 2024 13:35:37 +0100 Subject: [PATCH 8/8] Update windows/security/operating-system-security/network-security/windows-firewall/rules.md Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> --- .../network-security/windows-firewall/rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
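Review bot: the rewritten bullet in the `@@ -33,7 +33,7 @@` hunk fixes the tense, but "and they are prompted" is now redundant with the intro sentence directly above it ("a dialog box prompts the user ..."); suggest "If the user isn't a local admin, block rules are created regardless of the option selected". More substantively, this series replaces the statement removed in PATCH 4 ("If the user isn't a local admin, they won't be prompted. In most cases, block rules are created") with "they are prompted ... block rules are created"; the two say opposite things about whether non-admin users see the dialog, so please confirm the current behaviour with a source before merging, because the "disable the prompt" recommendation that follows rests on it.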
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/rules.md b/windows/security/operating-system-security/network-security/windows-firewall/rules.md index c8d1b08b14..64b6580098 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/rules.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/rules.md @@ -35,7 +35,7 @@ When first installed, network applications and services issue a *listen call* sp - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic - If the user isn't a local admin and they are prompted, block rules are created. It doesn't matter what option is selected -To avoid this, **disable** the notification prompt. This can be done using [PowerShell or command prompt](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or in the Windows Firewall with Advanced Security console on the 'Customize Settings' tab of each profile. +To disable the notification prompt, you can use the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or the **Windows Firewall with Advanced Security** console :::column-end::: :::column span="2":::
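Review bot: the replacement line in the `@@ -35,7 +35,7 @@` hunk drops two useful specifics from the line it replaces: the lead-in "To avoid this", which tied the recommendation to the block-rule bullets above it, and the console location ("on the 'Customize Settings' tab of each profile"), which tells an admin where the setting lives. Suggest keeping both, for example: "To avoid this, disable the notification prompt from the [command line](/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line) or on the **Customize Settings** tab of each profile in the **Windows Firewall with Advanced Security** console." The new line also ends without a period, unlike the surrounding paragraphs.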