diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md index fc9f27f4a5..d94d736b75 100644 --- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md +++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md 
@@ -114,44 +114,14 @@ The output contains an extra value compared to the ones described in the previou ## Configure Hyper-V firewall with CSP -You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune. To learn how to configure Hyper-V firewall with Microsoft Intune, see [ADD LINK][INT-1]. +You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune. -Here's a list of settings that can be used to configure Hyper-v firewall: +To learn more about the CSP options, follow these links: -| CSP path | Description | -|--|--| -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]** | This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]** | Enables loopback between this guest and another guest or the host. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]** | This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. 
This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. | +- [Configure Hyper-V firewall settings][SETTINGS]: to configure the Hyper-V firewall settings +- [Configure Hyper-V firewall rules][RULE]: to configure list of rules controlling traffic through the Hyper-V firewall -The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`: - -| CSP path | Description | -|--|--| -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]** | Enables Hyper-V firewall rules for this profile. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]** | The default action for outbound traffic that is applied if no rules match the traffic. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]** | The default action for inbound traffic that is applied if no rules match the traffic. | - -The following values apply to Hyper-V firewall rules: - -| CSP path | Description | -|--|--| -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Name][RULE]** | Friendly name of the rule. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Priority][RULE]** | Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Direction][RULE]** | Comma separated list. 
The rule is enabled based on the traffic direction as following.

- `IN`: the rule applies to inbound traffic.

-`OUT`: the rule applies to outbound traffic.

If not specified the detault is OUT. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[VMCreatorId][RULE]** | This field specifies the VM Creator ID that this rule is applicable to. A `NULL` GUID will result in this rule applying to all VM creators. | -| Protocol

`./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Protocol][RULE]** | `0-255` number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. `*` is the default value.

Valid tokens include:

`*`: indicates any local address. If present, this must be the only token included.

A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.

A valid IPv6 address.

An IPv4 address range in the format of *start address - end address* with no spaces included.

An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalPortRanges][RULE]** | Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemoteAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. `*` is the default value.

Valid tokens include:

`*`: indicates any remote address. If present, this must be the only token included.

A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.

A valid IPv6 address.

An IPv4 address range in the format of *start address - end address* with no spaces included.

An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemotePortRanges][RULE]** | Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Action][RULE]** | Specifies the action the rule enforces:

0 - Block

1 - Allow | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Enabled][RULE]** | Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Status][RULE]** | Provides information about the specific version of the rule in deployment for monitoring purposes. | -| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Profiles][RULE]** | Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All. | +To learn how to configure the firewall with Microsoft Intune, see [Firewall policy for endpoint security][INT-1]. ### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback @@ -162,7 +132,7 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use [CSP-1]: /windows/client-management/mdm/firewall-csp [FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1 -[INT-1]: /windows/client-management/mdm/firewall-csp +[INT-1]: /mem/intune/protect/endpoint-security-firewall-policy [PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting [PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting [PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule 
@@ -170,9 +140,4 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use [PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile [RULE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervfirewallrules -[PROFILE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatorid -[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenablefirewall -[EnableLoopback]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenableloopback -[AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge -[DefaultOutboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultoutboundaction -[DefaultInboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultinboundaction +[SETTINGS]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettings
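Review bot: in the first hunk the new bullet list drops the article and reads awkwardly: "to configure list of rules controlling traffic through the Hyper-V firewall" should be "to configure the list of rules controlling traffic through the Hyper-V firewall". The first bullet also just repeats its link text ("Configure Hyper-V firewall settings: to configure the Hyper-V firewall settings"); since the removed tables were the only place that told the reader what those settings are, consider a description that names them, for example "the global on/off switch, loopback, host policy merge, the default inbound/outbound actions, and the per-profile (Domain, Private, Public) settings", so the reader knows what the linked CSP section covers before leaving the page.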
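Review bot: the last hunk removes the [PROFILE] anchor (#mdmstorehypervvmsettingsvmcreatorid) along with the per-setting anchors, but the only replacement, [SETTINGS], points at the parent node #mdmstorehypervvmsettings. The per-profile settings (Domain, Private, Public) that the removed second table documented are now reachable only by scrolling within that parent section; if the settings bullet in the first hunk is meant to cover both the VM-wide and the per-profile settings, keep a profile-level anchor or mention the profile subtree in the bullet text. Removing the five per-setting definitions is consistent, since nothing in the new text references them, and [RULE] remains defined and is still used by the second bullet.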