deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 03:43:39 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

adjust/format content and Acrolinx

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-11-09 09:37:59 -05:00
parent ae0633f0b1
commit 15f4b7f836
2 changed files with 54 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
View File

@ -148,14 +148,14 @@ items:
href: assign-security-group-filters-to-the-gpo.md
- name: Change rules from request to require mode
href: Change-Rules-From-Request-To-Require-Mode.Md
- name: Configure Hyper-V firewall
href: hyper-v-firewall.md
- name: Configure authentication methods
href: Configure-authentication-methods.md
- name: Configure data protection (Quick Mode) settings
href: configure-data-protection-quick-mode-settings.md
- name: Configure Group Policy to autoenroll and deploy certificates
href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
- name: Configure Hyper-V firewall
href: hyper-v-firewall.md
- name: Configure key exchange (main mode) settings
href: configure-key-exchange-main-mode-settings.md
- name: Configure the rules to require encryption

84
windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
View File

@ -7,48 +7,51 @@ ms.date: 11/08/2023
# Configure Hyper-V firewall rules
Hyper-V Firewall is a new network firewall solution introduced with Windows 11 22H2. This firewall solution enables filtering inbound and outbound traffic to/from containers that are being hosted by Windows, including the Windows Subsystem for Linux (WSL).
Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).
## Manage locally from PowerShell
## Configure with PowerShell
Follow the steps below to manage Hyper-V firewall locally on your machine via the command line.
This section describes the steps to manage Hyper-V firewall using PowerShell.
### Get the VMCreatorId GUID
### Obtain the VMCreatorId GUID
Hyper-V firewall rules are enabled per VMCreatorId. First you need to obtain this, which you can do by running:
Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet:
```powershell
Get-NetFirewallHyperVVMCreator
```
This will output a VmCreatorId. Please note that these are unique, and so the one shown below is exclusive to WSL.
The output contains a VmCreatorId object, which has *unique identifier* (GUID) and *friendly name* properties. For example, the following output shows WSL:
```powershell
PS C:\> Get-NetFirewallHyperVVMCreator
VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL
```
### Firewall Settings
### Verify Hyper-V firewall settings
Hyper-V Firewall has settings that apply in general to a VMCreatorId. To see these you can use the [Get-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervvmsetting?view=windowsserver2022-ps) commandlet. For example, you can get the policies affecting WSL with the command below:
Hyper-V firewall has settings that apply in general to a VMCreatorId. Use the [Get-NetFirewallHyperVVMSetting][PS-1] cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command:
```powershell
Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
```
This will output these values:
1. Enabled (True/False) - if Hyper-V Firewall is enabled for WSL VMs
2. DefaultInboundAction, DefaultOutboundAction - these are default rule policies as applied to packets entering or leaving the WSL container. These are the defaults (which can be configured more specifically later)
3. LoopbackEnabled - this tracks if loopback traffic between the host and the container is allowed (without requiring any special Hyper-V Firewall rules). WSL enables this by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host
4. AllowHostPolicyMerge - this setting determines how Windows Host Firewall Enterprise Settings (GP), Hyper-V Firewall Enterprise Settings (MDM), Windows Host Firewall Enterprise Settings (MDM), local Hyper-V Firewall settings, and local Host Firewall settings interact
a. This setting is detailed with Set-NetFirewallHyperVVMSetting: [Set-NetFirewallHyperVVMSetting (NetSecurity) | Microsoft Learn](https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps)
> [!NOTE]
> `-PolicyStore ActiveStore` returns the *applied* settings.
You can set specific settings using the [Set-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps) command. For example, the command below sets the default inbound connection to Allow:
The output contains the following values:
| Value | Description |
|--|--|
| `Enabled` (True/False) | True if Hyper-V Firewall is enabled for WSL VMs. |
| `DefaultInboundAction`, `DefaultOutboundAction` | These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article. |
| `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host. |
| `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.<br>This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet. |
### Configure Hyper-V firewall settings
To configure Hyper-V firewall, use the [Set-NetFirewallHyperVVMSetting][PS-2] command. For example, the following command sets the default inbound connection to *Allow*:
```powershell
Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow
@ -56,25 +59,31 @@ Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -D
### Firewall Rules
Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules please use the [Get-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervrule?view=windowsserver2022-ps ) commandlet. For example, to view firewall rules that only pertain to WSL you can use the command below:
Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules, use the [Get-NetFirewallHyperVRule][PS-3] cmdlet. For example, to view firewall rules that only pertain to WSL, use the following command:
```powershell
Get-NetFirewallHyperVRule -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
Get-NetFirewallHyperVRule -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
```
And to set specific rules you can use the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet.
To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet.
For example, you can create an inbound rule to allow TCP traffic to the Windows Subsystem for Linux (WSL) on port 80 with this PowerShell command:
For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command:
```powershell
New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" -Protocol TCP -LocalPorts 80
New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80
```
### Targeting Hyper-V firewall rules and settings to specific profiles
### Target Hyper-V firewall rules and settings to specific profiles
Hyper-V firewall rules and settings can be targeted to the Firewall profile of the networks that are connected. These are the same Firewall Profiles that the Windows Firewall targets (Public Profile, Private Profile, Domain Profile). This has similar policy options as the above Hyper-V firewall PowerShell commandlets, but are just applied to specific profiles for the connected Windows Host network adapter.
Hyper-V firewall rules and settings can be targeted to the *Firewall profiles*, which are based on the type of network the device is connected to:
You can view these settings per profile with this command:
- Public profile
- Private profile
- Domain profile
The policy options are similar to the ones already described, but are applied to specific profiles for the connected Windows Host network adapter.
To view the settings per profile, use the following command:
```powershell
Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
@ -83,14 +92,25 @@ Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
> [!NOTE]
> `-PolicyStore ActiveStore` returns the *applied* settings.
The values here are the same as above, with one additional one:
The output contains an extra value compared to the ones described in the previous section:
- AllowLocalFirewallRules: This setting determines how Enterprise (MDM) Hyper-V Firewall Rules interact with locally defined Hyper-V Firewall Rules. If this is set to True, then Windows will apply both the Hyper-V Firewall Rules from Enterprise Policies and the locally defined Hyper-V Firewall Rules. If this is set to False, then the locally defined Hyper-V Firewall rules are not applied, and only the Hyper-V Firewall Rules pushed by the Enterprise Policies are applied.
| Value | Description |
|--|--|
| `AllowLocalFirewallRules` (True/False)| This setting determines how enterprise Hyper-V firewall rules (CSP or GPO) interact with the locally defined Hyper-V firewall rules:<br>- if the value is *True*, both the enterprise Hyper-V firewall rules and the locally defined rules are applied<br>- if the value is *False*, the locally defined Hyper-V firewall rules aren't applied, and only enterprise rules are applied. |
You can set these settings per profile using the [Set-NetFirewallHyperVProfile]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervprofile?view=windowsserver2022-ps) commandlet.
You can set rules per profile using the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet with the `-Profile` option.
> [!NOTE]
> To configure these **settings** per profile, use the [Set-NetFirewallHyperVProfile][PS-5] cmdlet.
>
> To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option.
## Manage from Intune
You can also manage these settings online via Intune.
<!-- links -->
[PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting
[PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting
[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
[PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule
[PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile