From ae0633f0b1e1f4e9ff4b056f5436b55b146db32f Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Wed, 8 Nov 2023 17:47:57 -0500
Subject: [PATCH 01/16] Port from word doc
---
.../network-security/windows-firewall/TOC.yml | 2 +
.../windows-firewall/hyper-v-firewall.md | 96 +++++++++++++++++++
2 files changed, 98 insertions(+)
create mode 100644 windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
index 6057d602da..a216ae58ee 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
+++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
@@ -148,6 +148,8 @@ items:
href: assign-security-group-filters-to-the-gpo.md
- name: Change rules from request to require mode
href: Change-Rules-From-Request-To-Require-Mode.Md
+ - name: Configure Hyper-V firewall
+ href: hyper-v-firewall.md
- name: Configure authentication methods
href: Configure-authentication-methods.md
- name: Configure data protection (Quick Mode) settings
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
new file mode 100644
index 0000000000..71ed4ba1de
--- /dev/null
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -0,0 +1,96 @@
+---
+title: Hyper-V firewall
+description: Learn how
+ms.topic: how-to
+ms.date: 11/08/2023
+---
+
+# Configure Hyper-V firewall rules
+
+Hyper-V Firewall is a new network firewall solution introduced with Windows 11 22H2. This firewall solution enables filtering inbound and outbound traffic to/from containers that are being hosted by Windows, including the Windows Subsystem for Linux (WSL).
+
+## Manage locally from PowerShell
+
+Follow the steps below to manage Hyper-V firewall locally on your machine via the command line.
+
+### Get the VMCreatorId GUID
+
+Hyper-V firewall rules are enabled per VMCreatorId. First you need to obtain this, which you can do by running:
+
+```powershell
+Get-NetFirewallHyperVVMCreator
+```
+
+This will output a VmCreatorId. Please note that these are unique, and so the one shown below is exclusive to WSL.
+
+```powershell
+VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
+FriendlyName : WSL
+```
+
+### Firewall Settings
+
+Hyper-V Firewall has settings that apply in general to a VMCreatorId. To see these you can use the [Get-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervvmsetting?view=windowsserver2022-ps) commandlet. For example, you can get the policies affecting WSL with the command below:
+
+```powershell
+Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
+```
+
+This will output these values:
+
+1. Enabled (True/False) - if Hyper-V Firewall is enabled for WSL VMs
+2. DefaultInboundAction, DefaultOutboundAction - these are default rule policies as applied to packets entering or leaving the WSL container. These are the defaults (which can be configured more specifically later)
+3. LoopbackEnabled - this tracks if loopback traffic between the host and the container is allowed (without requiring any special Hyper-V Firewall rules). WSL enables this by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host
+4. AllowHostPolicyMerge - this setting determines how Windows Host Firewall Enterprise Settings (GP), Hyper-V Firewall Enterprise Settings (MDM), Windows Host Firewall Enterprise Settings (MDM), local Hyper-V Firewall settings, and local Host Firewall settings interact
+
+ a. This setting is detailed with Set-NetFirewallHyperVVMSetting: [Set-NetFirewallHyperVVMSetting (NetSecurity) | Microsoft Learn](https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps)
+
+> [!NOTE]
+> `-PolicyStore ActiveStore` returns the *applied* settings.
+
+You can set specific settings using the [Set-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps) command. For example, the command below sets the default inbound connection to Allow:
+
+```powershell
+Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow
+```
+
+### Firewall Rules
+
+Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules please use the [Get-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervrule?view=windowsserver2022-ps ) commandlet. For example, to view firewall rules that only pertain to WSL you can use the command below:
+
+```powershell
+Get-NetFirewallHyperVRule -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
+```
+
+And to set specific rules you can use the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet.
+
+For example, you can create an inbound rule to allow TCP traffic to the Windows Subsystem for Linux (WSL) on port 80 with this PowerShell command:
+
+```powershell
+New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" -Protocol TCP -LocalPorts 80
+```
+
+### Targeting Hyper-V firewall rules and settings to specific profiles
+
+Hyper-V firewall rules and settings can be targeted to the Firewall profile of the networks that are connected. These are the same Firewall Profiles that the Windows Firewall targets (Public Profile, Private Profile, Domain Profile). This has similar policy options as the above Hyper-V firewall PowerShell commandlets, but are just applied to specific profiles for the connected Windows Host network adapter.
+
+You can view these settings per profile with this command:
+
+```powershell
+Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
+```
+
+> [!NOTE]
+> `-PolicyStore ActiveStore` returns the *applied* settings.
+
+The values here are the same as above, with one additional one:
+
+- AllowLocalFirewallRules: This setting determines how Enterprise (MDM) Hyper-V Firewall Rules interact with locally defined Hyper-V Firewall Rules. If this is set to True, then Windows will apply both the Hyper-V Firewall Rules from Enterprise Policies and the locally defined Hyper-V Firewall Rules. If this is set to False, then the locally defined Hyper-V Firewall rules are not applied, and only the Hyper-V Firewall Rules pushed by the Enterprise Policies are applied.
+
+You can set these settings per profile using the [Set-NetFirewallHyperVProfile]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervprofile?view=windowsserver2022-ps) commandlet.
+
+You can set rules per profile using the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet with the `-Profile` option.
+
+## Manage from Intune
+
+You can also manage these settings online via Intune.
From 15f4b7f836466047ec852f1b7f0bd2a0e6e4b7f3 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 09:37:59 -0500
Subject: [PATCH 02/16] adjust/format content and Acrolinx
---
.../network-security/windows-firewall/TOC.yml | 4 +-
.../windows-firewall/hyper-v-firewall.md | 84 ++++++++++++-------
2 files changed, 54 insertions(+), 34 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
index a216ae58ee..165242f099 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
+++ b/windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
@@ -148,14 +148,14 @@ items:
href: assign-security-group-filters-to-the-gpo.md
- name: Change rules from request to require mode
href: Change-Rules-From-Request-To-Require-Mode.Md
- - name: Configure Hyper-V firewall
- href: hyper-v-firewall.md
- name: Configure authentication methods
href: Configure-authentication-methods.md
- name: Configure data protection (Quick Mode) settings
href: configure-data-protection-quick-mode-settings.md
- name: Configure Group Policy to autoenroll and deploy certificates
href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
+ - name: Configure Hyper-V firewall
+ href: hyper-v-firewall.md
- name: Configure key exchange (main mode) settings
href: configure-key-exchange-main-mode-settings.md
- name: Configure the rules to require encryption
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 71ed4ba1de..045970b469 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -7,48 +7,51 @@ ms.date: 11/08/2023
# Configure Hyper-V firewall rules
-Hyper-V Firewall is a new network firewall solution introduced with Windows 11 22H2. This firewall solution enables filtering inbound and outbound traffic to/from containers that are being hosted by Windows, including the Windows Subsystem for Linux (WSL).
+Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).
-## Manage locally from PowerShell
+## Configure with PowerShell
-Follow the steps below to manage Hyper-V firewall locally on your machine via the command line.
+This section describes the steps to manage Hyper-V firewall using PowerShell.
-### Get the VMCreatorId GUID
+### Obtain the VMCreatorId GUID
-Hyper-V firewall rules are enabled per VMCreatorId. First you need to obtain this, which you can do by running:
+Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet:
```powershell
Get-NetFirewallHyperVVMCreator
```
-This will output a VmCreatorId. Please note that these are unique, and so the one shown below is exclusive to WSL.
+The output contains a VmCreatorId object, which has *unique identifier* (GUID) and *friendly name* properties. For example, the following output shows WSL:
```powershell
+PS C:\> Get-NetFirewallHyperVVMCreator
VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL
```
-### Firewall Settings
+### Verify Hyper-V firewall settings
-Hyper-V Firewall has settings that apply in general to a VMCreatorId. To see these you can use the [Get-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervvmsetting?view=windowsserver2022-ps) commandlet. For example, you can get the policies affecting WSL with the command below:
+Hyper-V firewall has settings that apply in general to a VMCreatorId. Use the [Get-NetFirewallHyperVVMSetting][PS-1] cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command:
```powershell
-Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
+Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
```
-This will output these values:
-
-1. Enabled (True/False) - if Hyper-V Firewall is enabled for WSL VMs
-2. DefaultInboundAction, DefaultOutboundAction - these are default rule policies as applied to packets entering or leaving the WSL container. These are the defaults (which can be configured more specifically later)
-3. LoopbackEnabled - this tracks if loopback traffic between the host and the container is allowed (without requiring any special Hyper-V Firewall rules). WSL enables this by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host
-4. AllowHostPolicyMerge - this setting determines how Windows Host Firewall Enterprise Settings (GP), Hyper-V Firewall Enterprise Settings (MDM), Windows Host Firewall Enterprise Settings (MDM), local Hyper-V Firewall settings, and local Host Firewall settings interact
-
- a. This setting is detailed with Set-NetFirewallHyperVVMSetting: [Set-NetFirewallHyperVVMSetting (NetSecurity) | Microsoft Learn](https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps)
-
> [!NOTE]
> `-PolicyStore ActiveStore` returns the *applied* settings.
-You can set specific settings using the [Set-NetFirewallHyperVVMSetting]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervvmsetting?view=windowsserver2022-ps) command. For example, the command below sets the default inbound connection to Allow:
+The output contains the following values:
+
+| Value | Description |
+|--|--|
+| `Enabled` (True/False) | True if Hyper-V Firewall is enabled for WSL VMs. |
+| `DefaultInboundAction`, `DefaultOutboundAction` | These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article. |
+| `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host. |
+| `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.
This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet. |
+
+### Configure Hyper-V firewall settings
+
+To configure Hyper-V firewall, use the [Set-NetFirewallHyperVVMSetting][PS-2] command. For example, the following command sets the default inbound connection to *Allow*:
```powershell
Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow
@@ -56,25 +59,31 @@ Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -D
### Firewall Rules
-Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules please use the [Get-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/get-netfirewallhypervrule?view=windowsserver2022-ps ) commandlet. For example, to view firewall rules that only pertain to WSL you can use the command below:
+Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules, use the [Get-NetFirewallHyperVRule][PS-3] cmdlet. For example, to view firewall rules that only pertain to WSL, use the following command:
```powershell
-Get-NetFirewallHyperVRule -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}"
+Get-NetFirewallHyperVRule -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
```
-And to set specific rules you can use the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet.
+To configure specific rules, use the [Set-NetFirewallHyperVRule][PS-4] cmdlet.
-For example, you can create an inbound rule to allow TCP traffic to the Windows Subsystem for Linux (WSL) on port 80 with this PowerShell command:
+For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command:
```powershell
-New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId "{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}" -Protocol TCP -LocalPorts 80
+New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80
```
-### Targeting Hyper-V firewall rules and settings to specific profiles
+### Target Hyper-V firewall rules and settings to specific profiles
-Hyper-V firewall rules and settings can be targeted to the Firewall profile of the networks that are connected. These are the same Firewall Profiles that the Windows Firewall targets (Public Profile, Private Profile, Domain Profile). This has similar policy options as the above Hyper-V firewall PowerShell commandlets, but are just applied to specific profiles for the connected Windows Host network adapter.
+Hyper-V firewall rules and settings can be targeted to the *Firewall profiles*, which are based on the type of network the device is connected to:
-You can view these settings per profile with this command:
+- Public profile
+- Private profile
+- Domain profile
+
+The policy options are similar to the ones already described, but are applied to specific profiles for the connected Windows Host network adapter.
+
+To view the settings per profile, use the following command:
```powershell
Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
@@ -83,14 +92,25 @@ Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
> [!NOTE]
> `-PolicyStore ActiveStore` returns the *applied* settings.
-The values here are the same as above, with one additional one:
+The output contains an extra value compared to the ones described in the previous section:
-- AllowLocalFirewallRules: This setting determines how Enterprise (MDM) Hyper-V Firewall Rules interact with locally defined Hyper-V Firewall Rules. If this is set to True, then Windows will apply both the Hyper-V Firewall Rules from Enterprise Policies and the locally defined Hyper-V Firewall Rules. If this is set to False, then the locally defined Hyper-V Firewall rules are not applied, and only the Hyper-V Firewall Rules pushed by the Enterprise Policies are applied.
+| Value | Description |
+|--|--|
+| `AllowLocalFirewallRules` (True/False)| This setting determines how enterprise Hyper-V firewall rules (CSP or GPO) interact with the locally defined Hyper-V firewall rules:
- if the value is *True*, both the enterprise Hyper-V firewall rules and the locally defined rules are applied
- if the value is *False*, the locally defined Hyper-V firewall rules aren't applied, and only enterprise rules are applied. |
-You can set these settings per profile using the [Set-NetFirewallHyperVProfile]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervprofile?view=windowsserver2022-ps) commandlet.
-
-You can set rules per profile using the [Set-NetFirewallHyperVRule]( https://learn.microsoft.com/powershell/module/netsecurity/set-netfirewallhypervrule?view=windowsserver2022-ps) commandlet with the `-Profile` option.
+> [!NOTE]
+> To configure these **settings** per profile, use the [Set-NetFirewallHyperVProfile][PS-5] cmdlet.
+>
+> To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option.
## Manage from Intune
You can also manage these settings online via Intune.
+
+
+
+[PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting
+[PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting
+[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
+[PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule
+[PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile
From 0c7ab1acd7a3fbb7065af449d746f263d92e4912 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 10:19:45 -0500
Subject: [PATCH 03/16] added example with links to CSP - for review
---
.../windows-firewall/hyper-v-firewall.md | 25 +++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 045970b469..33408db506 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -103,9 +103,26 @@ The output contains an extra value compared to the ones described in the previou
>
> To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option.
-## Manage from Intune
+## Configure with Configuration Service Provider (CSP)
-You can also manage these settings online via Intune.
+You can configure Hyper-V firewall using the [Firewall CSP][CSP-1]. For example, with an MDM solution like Microsoft Intune.
+
+Here's a list of settings that can be used to configure Hyper-v firewall:
+
+| | Path |
+|--|--|
+| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/`[AllowHostPolicyMerge]
+| **GPO** | Not available |
+
+| | Path |
+|--|--|
+| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[AllowLocalPolicyMerge]
+| **GPO** | Not available |
+
+| | Path |
+|--|--|
+| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[EnableFirewall]
+| **GPO** | Not available |
@@ -114,3 +131,7 @@ You can also manage these settings online via Intune.
[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
[PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule
[PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile
+[CSP-1]: /windows/client-management/mdm/firewall-csp
+[AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge
+[AllowLocalPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileallowlocalpolicymerge
+[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall
\ No newline at end of file
From a44d7eb72f9ca5462c174d383de64d2a8f0ab3c1 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 11:48:02 -0500
Subject: [PATCH 04/16] porting from second doc
---
.../windows-firewall/hyper-v-firewall.md | 68 +++++++++++++------
1 file changed, 48 insertions(+), 20 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 33408db506..095663bbb9 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -1,19 +1,22 @@
---
title: Hyper-V firewall
-description: Learn how
+description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP).
ms.topic: how-to
ms.date: 11/08/2023
+appliesto:
+- ✅ Windows 11
---
-# Configure Hyper-V firewall rules
+# Configure Hyper-V firewall
-Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).
+Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).\
+This article describes how to configure Hyper-V firewall rules and settings using PowerShell, configuration service provider (CSP), or group policy (GPO).
-## Configure with PowerShell
+## Configure Hyper-V firewall with PowerShell
This section describes the steps to manage Hyper-V firewall using PowerShell.
-### Obtain the VMCreatorId GUID
+### Obtain the WSL GUID
Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId, use the cmdlet:
@@ -21,7 +24,7 @@ Hyper-V firewall rules are enabled per *VMCreatorId*. To obtain the VMCreatorId,
Get-NetFirewallHyperVVMCreator
```
-The output contains a VmCreatorId object, which has *unique identifier* (GUID) and *friendly name* properties. For example, the following output shows WSL:
+The output contains a VmCreator object type, which has unique identifier `VMCreatorId` and `friendly name` properties. For example, the following output shows the properties of WSL:
```powershell
PS C:\> Get-NetFirewallHyperVVMCreator
@@ -29,6 +32,9 @@ VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL
```
+> [!NOTE]
+> The WSL VMCreatorId is `{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}`.
+
### Verify Hyper-V firewall settings
Hyper-V firewall has settings that apply in general to a VMCreatorId. Use the [Get-NetFirewallHyperVVMSetting][PS-1] cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command:
@@ -103,29 +109,51 @@ The output contains an extra value compared to the ones described in the previou
>
> To configure these **rules** per profile using the [Set-NetFirewallHyperVRule][PS-4] cmdlet with the `-Profile` option.
-## Configure with Configuration Service Provider (CSP)
+## Configure Hyper-V firewall with CSP
You can configure Hyper-V firewall using the [Firewall CSP][CSP-1]. For example, with an MDM solution like Microsoft Intune.
Here's a list of settings that can be used to configure Hyper-v firewall:
-| | Path |
-|--|--|
-| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/`[AllowHostPolicyMerge]
-| **GPO** | Not available |
+|Value name|Description|Values|
+|-|-|-|
+|EnableLoopback
`{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\EnableLoopback`|Enables loopback between this guest and another guest or the host.|[True,False]|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`[AllowHostPolicyMerge]|Enables Hyper-V firewall to use applicable host firewall settings and rules.|[True,False]|
-| | Path |
-|--|--|
-| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[AllowLocalPolicyMerge]
-| **GPO** | Not available |
+The following values apply to Hyper-V firewall profile settings: (Public, Private, Domain)
-| | Path |
-|--|--|
-| **CSP** | `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/`[EnableFirewall]
-| **GPO** | Not available |
+|Value name|Description|Values|
+|---|---|---|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[EnableFirewall]|Enables Hyper-V firewall rules for this profile.|[True, False]|
+|DefaultOutboundAction
`{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultOutboundAction`|The default action for outbound traffic that is applied if no rules match the traffic.|0 (allow)
1 (block)|
+|DefaultInboundAction
`{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultInboundAction`|The default action for inbound traffic that is applied if no rules match the traffic.|0 (allow)
1 (block)|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[AllowLocalPolicyMerge]|||
-
+The following values apply to Hyper-V firewall rules:
+|Value name|Description|Values|
+|---|---|---|
+|Name
`HyperVFirewallRules\\Name`|Friendly name of the rule|String|
+|Priority
`HyperVFirewallRules\\Priority`|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.|int|
+|Direction
`HyperVFirewallRules\\Direction`|Comma separated list. The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic.
OUT - the rule applies to outbound traffic.
If not specified the detault is OUT.|String|
+|VMCreatorId
`HyperVFirewallRules\\VMCreatorId`|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.
Can be filled in automatically from earlier profile?|String (GUID)|
+|Protocol
`HyperVFirewallRules\\Protocol`|0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.|Int|
+|LocalAddressRanges
`HyperVFirewallRules\\LocalAddressRanges`|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any local address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|String|
+|LocalPortRanges
`HyperVFirewallRules\\LocalPortRanges`|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|String|
+|RemoteAddressRanges
`HyperVFirewallRules\\RemoteAddressRanges`|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any remote address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|String|
+|RemotePortRanges
`HyperVFirewallRules\\RemotePortRanges`|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|String|
+|Action
`HyperVFirewallRules\\Action`|Specifies the action the rule enforces:
0 - Block
1 - Allow|Int|
+|Enabled
`HyperVFirewallRules\\Enabled`|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.|Boolean|
+|Status
`HyperVFirewallRules\\Status`|Provides information about the specific version of the rule in deployment for monitoring purposes.|String|
+|Profiles
`HyperVFirewallRules\\Profiles`|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.|Int|
+
+### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback
+
+To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use the category **Security and Privacy > Microsoft Defender Firewall and network protection**.
+
+
+
+[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
[PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting
[PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting
[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
From f73601ec2586b994cd7da3fe4be26ddc18d85407 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:09:52 -0500
Subject: [PATCH 05/16] updates
---
.../windows-firewall/hyper-v-firewall.md | 58 +++++++++----------
1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 095663bbb9..142d3c1824 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -111,41 +111,41 @@ The output contains an extra value compared to the ones described in the previou
## Configure Hyper-V firewall with CSP
-You can configure Hyper-V firewall using the [Firewall CSP][CSP-1]. For example, with an MDM solution like Microsoft Intune.
+You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune. To learn how to configure Hyper-V firewall with Microsoft Intune, see [ADD LINK][INT-1].
Here's a list of settings that can be used to configure Hyper-v firewall:
-|Value name|Description|Values|
-|-|-|-|
-|EnableLoopback
`{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\EnableLoopback`|Enables loopback between this guest and another guest or the host.|[True,False]|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`[AllowHostPolicyMerge]|Enables Hyper-V firewall to use applicable host firewall settings and rules.|[True,False]|
+|Value name|Description|
+|-|-|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]**|Enables loopback between this guest and another guest or the host.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|Enables Hyper-V firewall to use applicable host firewall settings and rules.|
-The following values apply to Hyper-V firewall profile settings: (Public, Private, Domain)
+The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`:
-|Value name|Description|Values|
-|---|---|---|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[EnableFirewall]|Enables Hyper-V firewall rules for this profile.|[True, False]|
-|DefaultOutboundAction
`{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultOutboundAction`|The default action for outbound traffic that is applied if no rules match the traffic.|0 (allow)
1 (block)|
-|DefaultInboundAction
`{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}\HyperVVMSettings\\DefaultInboundAction`|The default action for inbound traffic that is applied if no rules match the traffic.|0 (allow)
1 (block)|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/DomainProfile/`[AllowLocalPolicyMerge]|||
+|Value name|Description|
+|---|---|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall]**|Enables Hyper-V firewall rules for this profile.|[True, False]|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction]**|The default action for outbound traffic that is applied if no rules match the traffic.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction]**|The default action for inbound traffic that is applied if no rules match the traffic.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge]**|||
The following values apply to Hyper-V firewall rules:
-|Value name|Description|Values|
-|---|---|---|
-|Name
`HyperVFirewallRules\\Name`|Friendly name of the rule|String|
-|Priority
`HyperVFirewallRules\\Priority`|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.|int|
-|Direction
`HyperVFirewallRules\\Direction`|Comma separated list. The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic.
OUT - the rule applies to outbound traffic.
If not specified the detault is OUT.|String|
-|VMCreatorId
`HyperVFirewallRules\\VMCreatorId`|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.
Can be filled in automatically from earlier profile?|String (GUID)|
-|Protocol
`HyperVFirewallRules\\Protocol`|0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.|Int|
-|LocalAddressRanges
`HyperVFirewallRules\\LocalAddressRanges`|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any local address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|String|
-|LocalPortRanges
`HyperVFirewallRules\\LocalPortRanges`|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|String|
-|RemoteAddressRanges
`HyperVFirewallRules\\RemoteAddressRanges`|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any remote address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|String|
-|RemotePortRanges
`HyperVFirewallRules\\RemotePortRanges`|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|String|
-|Action
`HyperVFirewallRules\\Action`|Specifies the action the rule enforces:
0 - Block
1 - Allow|Int|
-|Enabled
`HyperVFirewallRules\\Enabled`|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.|Boolean|
-|Status
`HyperVFirewallRules\\Status`|Provides information about the specific version of the rule in deployment for monitoring purposes.|String|
-|Profiles
`HyperVFirewallRules\\Profiles`|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.|Int|
+|Value name|Description|
+|---|---|
+|`HyperVFirewallRules\/`**[Name]**|Friendly name of the rule|
+|`HyperVFirewallRules\/`**[Priority]**|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.|
+|`HyperVFirewallRules\/`**[Direction]**|Comma separated list. The rule is enabled based on the traffic direction as following.
`IN` - the rule applies to inbound traffic.
`OUT` - the rule applies to outbound traffic.
If not specified the detault is OUT.|
+|`HyperVFirewallRules\/`**[VMCreatorId]**|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.
Can be filled in automatically from earlier profile?|
+|Protocol
`HyperVFirewallRules\/`**[Protocol]**|0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.|
+|`HyperVFirewallRules\/`**[LocalAddressRanges]**|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any local address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|
+|`HyperVFirewallRules\/`**[LocalPortRanges]**|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|
+|`HyperVFirewallRules\/`**[RemoteAddressRanges]**|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any remote address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|
+|`HyperVFirewallRules\/`**[RemotePortRanges]**|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|
+|`HyperVFirewallRules\/`**[Action]**|Specifies the action the rule enforces:
0 - Block
1 - Allow|
+|`HyperVFirewallRules\/`**[Enabled]**|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.|
+|`HyperVFirewallRules\/`**[Status]**|Provides information about the specific version of the rule in deployment for monitoring purposes.|
+|`HyperVFirewallRules\/`**[Profiles]**|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.|
### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback
@@ -153,7 +153,6 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use
-[CSP-1]: /windows/client-management/mdm/policy-csp-authentication#enablepasswordlessexperience
[PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting
[PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting
[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
@@ -162,4 +161,5 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use
[CSP-1]: /windows/client-management/mdm/firewall-csp
[AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge
[AllowLocalPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileallowlocalpolicymerge
-[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall
\ No newline at end of file
+[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall
+[INT-1]: /windows/client-management/mdm/firewall-csp
From 0901fd0901e616270b6b9ae077781fadc57c1d96 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:44:36 -0500
Subject: [PATCH 06/16] updates
---
.../windows-firewall/hyper-v-firewall.md | 62 +++++++++++--------
1 file changed, 37 insertions(+), 25 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 142d3c1824..3349d03222 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -28,7 +28,7 @@ The output contains a VmCreator object type, which has unique identifier `VMCrea
```powershell
PS C:\> Get-NetFirewallHyperVVMCreator
-VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
+VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL
```
@@ -117,35 +117,39 @@ Here's a list of settings that can be used to configure Hyper-v firewall:
|Value name|Description|
|-|-|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]**|This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles.|
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]**|Enables loopback between this guest and another guest or the host.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|Enables Hyper-V firewall to use applicable host firewall settings and rules.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.|
The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`:
|Value name|Description|
|---|---|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall]**|Enables Hyper-V firewall rules for this profile.|[True, False]|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction]**|The default action for outbound traffic that is applied if no rules match the traffic.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction]**|The default action for inbound traffic that is applied if no rules match the traffic.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge]**|||
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.|[True, False]|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|||
The following values apply to Hyper-V firewall rules:
-|Value name|Description|
-|---|---|
-|`HyperVFirewallRules\/`**[Name]**|Friendly name of the rule|
-|`HyperVFirewallRules\/`**[Priority]**|Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one.|
-|`HyperVFirewallRules\/`**[Direction]**|Comma separated list. The rule is enabled based on the traffic direction as following.
`IN` - the rule applies to inbound traffic.
`OUT` - the rule applies to outbound traffic.
If not specified the detault is OUT.|
-|`HyperVFirewallRules\/`**[VMCreatorId]**|This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.
Can be filled in automatically from earlier profile?|
-|Protocol
`HyperVFirewallRules\/`**[Protocol]**|0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.|
-|`HyperVFirewallRules\/`**[LocalAddressRanges]**|Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any local address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|
-|`HyperVFirewallRules\/`**[LocalPortRanges]**|Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|
-|`HyperVFirewallRules\/`**[RemoteAddressRanges]**|Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any remote address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.|
-|`HyperVFirewallRules\/`**[RemotePortRanges]**|Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, 100-120,200,300-320. If not specified the default is All.|
-|`HyperVFirewallRules\/`**[Action]**|Specifies the action the rule enforces:
0 - Block
1 - Allow|
-|`HyperVFirewallRules\/`**[Enabled]**|Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default.|
-|`HyperVFirewallRules\/`**[Status]**|Provides information about the specific version of the rule in deployment for monitoring purposes.|
-|`HyperVFirewallRules\/`**[Profiles]**|Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All.|
+| Value name | Description |
+|--|--|
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Name][RULE]** | Friendly name of the rule. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Priority][RULE]** | Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Direction][RULE]** | Comma separated list. The rule is enabled based on the traffic direction as following.
- `IN`: the rule applies to inbound traffic.
-`OUT`: the rule applies to outbound traffic.
If not specified the detault is OUT. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[VMCreatorId][RULE]** | This field specifies the VM Creator ID that this rule is applicable to. A `NULL` GUID will result in this rule applying to all VM creators. |
+| Protocol
`./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Protocol][RULE]** | `0-255` number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. `*` is the default value.
Valid tokens include:
`*`: indicates any local address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.
A valid IPv6 address.
An IPv4 address range in the format of *start address - end address* with no spaces included.
An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalPortRanges][RULE]** | Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemoteAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. `*` is the default value.
Valid tokens include:
`*`: indicates any remote address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.
A valid IPv6 address.
An IPv4 address range in the format of *start address - end address* with no spaces included.
An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemotePortRanges][RULE]** | Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Action][RULE]** | Specifies the action the rule enforces:
0 - Block
1 - Allow |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Enabled][RULE]** | Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Status][RULE]** | Provides information about the specific version of the rule in deployment for monitoring purposes. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Profiles][RULE]** | Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All. |
### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback
@@ -153,13 +157,21 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use
+
+[CSP-1]: /windows/client-management/mdm/firewall-csp
+
+[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
+[INT-1]: /windows/client-management/mdm/firewall-csp
[PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting
[PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting
[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
[PS-4]: /powershell/module/netsecurity/set-netfirewallhypervrule
[PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile
-[CSP-1]: /windows/client-management/mdm/firewall-csp
+
+[RULE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervfirewallrules
+[PROFILE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatorid
+[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenablefirewall
+[EnableLoopback]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenableloopback
[AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge
-[AllowLocalPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileallowlocalpolicymerge
-[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddomainprofileenablefirewall
-[INT-1]: /windows/client-management/mdm/firewall-csp
+[DefaultOutboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultoutboundaction
+[DefaultInboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultinboundaction
From 1fdbed091df5f457d473db3c0803e60f26534f6b Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:46:44 -0500
Subject: [PATCH 07/16] updates
---
.../network-security/windows-firewall/hyper-v-firewall.md | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 3349d03222..beef0bc4fe 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -123,11 +123,11 @@ Here's a list of settings that can be used to configure Hyper-v firewall:
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.|
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.|
-The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`:
+The following values apply to Hyper-V firewall profile settings: *Public*, *Private*, *Domain*:
|Value name|Description|
|---|---|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.|[True, False]|
+|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.|
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]|
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.|
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.|
@@ -157,7 +157,6 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use
-
[CSP-1]: /windows/client-management/mdm/firewall-csp
[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
From 3de1df9ac8b9ceee6ba9b2c40956f957f57a2c83 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:46:59 -0500
Subject: [PATCH 08/16] updates
---
.../network-security/windows-firewall/hyper-v-firewall.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index beef0bc4fe..c1e0c81cdf 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -131,7 +131,6 @@ The following values apply to Hyper-V firewall profile settings: *Public*, *Priv
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]|
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.|
|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|||
The following values apply to Hyper-V firewall rules:
From a291793a02bda1d0ffc9572fe367f5f5ef5a75fb Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:48:18 -0500
Subject: [PATCH 09/16] updates
---
.../windows-firewall/hyper-v-firewall.md | 28 +++++++++----------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index c1e0c81cdf..dd4aed1ae8 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -115,26 +115,26 @@ You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example
Here's a list of settings that can be used to configure Hyper-v firewall:
-|Value name|Description|
-|-|-|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]**|This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]**|Enables loopback between this guest and another guest or the host.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]**|This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]**|This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.|
+| CSP path | Description |
+|--|--|
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]** | This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]** | Enables loopback between this guest and another guest or the host. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]** | This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. |
The following values apply to Hyper-V firewall profile settings: *Public*, *Private*, *Domain*:
-|Value name|Description|
-|---|---|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]**|Enables Hyper-V firewall rules for this profile.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]**|This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.|[True, False]|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]**|The default action for outbound traffic that is applied if no rules match the traffic.|
-|`./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]**|The default action for inbound traffic that is applied if no rules match the traffic.|
+| CSP path | Description |
+|--|--|
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]** | Enables Hyper-V firewall rules for this profile. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. | [True, False] |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]** | The default action for outbound traffic that is applied if no rules match the traffic. |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]** | The default action for inbound traffic that is applied if no rules match the traffic. |
The following values apply to Hyper-V firewall rules:
-| Value name | Description |
+| CSP path | Description |
|--|--|
| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Name][RULE]** | Friendly name of the rule. |
| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Priority][RULE]** | Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one. |
From 3a797fe367975f0f1e7bf28e00c46fc450358930 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:51:29 -0500
Subject: [PATCH 10/16] updates
---
.../network-security/windows-firewall/hyper-v-firewall.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index dd4aed1ae8..92d3e26ea4 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -123,7 +123,7 @@ Here's a list of settings that can be used to configure Hyper-v firewall:
| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. |
| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. |
-The following values apply to Hyper-V firewall profile settings: *Public*, *Private*, *Domain*:
+The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`:
| CSP path | Description |
|--|--|
From 6b625b3a1e45893e1dd7b5503d86b6155479a9f1 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:57:20 -0500
Subject: [PATCH 11/16] added disclaimer
---
.../network-security/windows-firewall/hyper-v-firewall.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 92d3e26ea4..52c2fc7fd6 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -10,7 +10,10 @@ appliesto:
# Configure Hyper-V firewall
Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).\
-This article describes how to configure Hyper-V firewall rules and settings using PowerShell, configuration service provider (CSP), or group policy (GPO).
+This article describes how to configure Hyper-V firewall rules and settings using PowerShell or configuration service provider (CSP).
+
+> [!IMPORTANT]
+> The configuration oh Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration.
## Configure Hyper-V firewall with PowerShell
From c8f54ff00987daf7c0ec9f7d77b8d197be5a97df Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:04:46 -0500
Subject: [PATCH 12/16] updates
---
.../network-security/windows-firewall/hyper-v-firewall.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 52c2fc7fd6..a5937ee74c 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -131,7 +131,7 @@ The following values apply to Hyper-V firewall profile settings: `Public`, `Priv
| CSP path | Description |
|--|--|
| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]** | Enables Hyper-V firewall rules for this profile. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. | [True, False] |
+| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. |
| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]** | The default action for outbound traffic that is applied if no rules match the traffic. |
| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]** | The default action for inbound traffic that is applied if no rules match the traffic. |
From 9e4863b0d0301c3fdfc5efef17bb3f833d799183 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 13:05:07 -0500
Subject: [PATCH 13/16] updates
---
.../network-security/windows-firewall/hyper-v-firewall.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index a5937ee74c..fc9f27f4a5 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -13,7 +13,7 @@ Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall sol
This article describes how to configure Hyper-V firewall rules and settings using PowerShell or configuration service provider (CSP).
> [!IMPORTANT]
-> The configuration oh Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration.
+> The configuration of Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration.
## Configure Hyper-V firewall with PowerShell
From 232deb63e9d9dd343bb6fd42d6881a053267ab35 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 14:55:23 -0500
Subject: [PATCH 14/16] updates
---
.../windows-firewall/hyper-v-firewall.md | 49 +++----------------
1 file changed, 7 insertions(+), 42 deletions(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index fc9f27f4a5..d94d736b75 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -114,44 +114,14 @@ The output contains an extra value compared to the ones described in the previou
## Configure Hyper-V firewall with CSP
-You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune. To learn how to configure Hyper-V firewall with Microsoft Intune, see [ADD LINK][INT-1].
+You can configure Hyper-V firewall using the [Firewall CSP][CSP-1], for example with an MDM solution like Microsoft Intune.
-Here's a list of settings that can be used to configure Hyper-v firewall:
+To learn more about the CSP options, follow these links:
-| CSP path | Description |
-|--|--|
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableFirewall]** | This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[EnableLoopback]** | Enables loopback between this guest and another guest or the host. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[AllowHostPolicyMerge]** | This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings are applied to Hyper-V Firewall. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultInboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}/`**[DefaultOutboundAction]** | This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree. |
+- [Configure Hyper-V firewall settings][SETTINGS]: to configure the Hyper-V firewall settings
+- [Configure Hyper-V firewall rules][RULE]: to configure list of rules controlling traffic through the Hyper-V firewall
-The following values apply to Hyper-V firewall profile settings: `Public`, `Private`, `Domain`:
-
-| CSP path | Description |
-|--|--|
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[EnableFirewall][PROFILE]** | Enables Hyper-V firewall rules for this profile. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[AllowLocalPolicyMerge][PROFILE]** | This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultOutboundAction][PROFILE]** | The default action for outbound traffic that is applied if no rules match the traffic. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}//`**[DefaultInboundAction][PROFILE]** | The default action for inbound traffic that is applied if no rules match the traffic. |
-
-The following values apply to Hyper-V firewall rules:
-
-| CSP path | Description |
-|--|--|
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Name][RULE]** | Friendly name of the rule. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Priority][RULE]** | Specifies the ordering of rule enforcement. If not specified, block rules are ordered ahead of allow rules. A lower priority rule is evaluated before a higher priority one. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Direction][RULE]** | Comma separated list. The rule is enabled based on the traffic direction as following.
- `IN`: the rule applies to inbound traffic.
-`OUT`: the rule applies to outbound traffic.
If not specified the detault is OUT. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[VMCreatorId][RULE]** | This field specifies the VM Creator ID that this rule is applicable to. A `NULL` GUID will result in this rule applying to all VM creators. |
-| Protocol
`./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Protocol][RULE]** | `0-255` number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. `*` is the default value.
Valid tokens include:
`*`: indicates any local address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.
A valid IPv6 address.
An IPv4 address range in the format of *start address - end address* with no spaces included.
An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[LocalPortRanges][RULE]** | Comma Separated list of ranges specifying the local port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemoteAddressRanges][RULE]** | Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. `*` is the default value.
Valid tokens include:
`*`: indicates any remote address. If present, this must be the only token included.
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to `255.255.255.255`.
A valid IPv6 address.
An IPv4 address range in the format of *start address - end address* with no spaces included.
An IPv6 address range in the format of *start address - end address* with no spaces included. If not specified the default is All. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[RemotePortRanges][RULE]** | Comma Separated list of ranges specifying the remote port of the traffic covered by this rule. For example, `100-120,200,300-320`. If not specified the default is All. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Action][RULE]** | Specifies the action the rule enforces:
0 - Block
1 - Allow |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Enabled][RULE]** | Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Status][RULE]** | Provides information about the specific version of the rule in deployment for monitoring purposes. |
-| `./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules//`**[Profiles][RULE]** | Specifies the profiles to which the rule belongs: Domain, Private, Public. See [FW_PROFILE_TYPE](/openspecs/windows_protocols/ms-fasp/7704e238-174d-4a5e-b809-5f3787dd8acc) for the bitmasks that are used to identify profile types. If not specified, the default is All. |
+To learn how to configure the firewall with Microsoft Intune, see [Firewall policy for endpoint security][INT-1].
### :::image type="icon" source="../../../images/icons/feedback.svg" border="false"::: Provide feedback
@@ -162,7 +132,7 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use
[CSP-1]: /windows/client-management/mdm/firewall-csp
[FHUB]: feedback-hub://?tabid=2&newFeedback=true&feedbackType=1
-[INT-1]: /windows/client-management/mdm/firewall-csp
+[INT-1]: /mem/intune/protect/endpoint-security-firewall-policy
[PS-1]: /powershell/module/netsecurity/get-netfirewallhypervvmsetting
[PS-2]: /powershell/module/netsecurity/set-netfirewallhypervvmsetting
[PS-3]: /powershell/module/netsecurity/get-netfirewallhypervrule
@@ -170,9 +140,4 @@ To provide feedback for Hyper-V firewall, open [**Feedback Hub**][FHUB] and use
[PS-5]: /powershell/module/netsecurity/set-netfirewallhypervprofile
[RULE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervfirewallrules
-[PROFILE]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatorid
-[EnableFirewall]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenablefirewall
-[EnableLoopback]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridenableloopback
-[AllowHostPolicyMerge]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge
-[DefaultOutboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultoutboundaction
-[DefaultInboundAction]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettingsvmcreatoriddefaultinboundaction
+[SETTINGS]: /windows/client-management/mdm/firewall-csp#mdmstorehypervvmsettings
From f80fbed9af14e264be10e6940b811aca5bb2c669 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 14:57:24 -0500
Subject: [PATCH 15/16] updates
---
.../network-security/windows-firewall/hyper-v-firewall.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index d94d736b75..83bc11858a 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -3,6 +3,9 @@ title: Hyper-V firewall
description: Learn how to configure Hyper-V firewall rules and settings using PowerShell or Configuration Service Provider (CSP).
ms.topic: how-to
ms.date: 11/08/2023
+author: paolomatarazzo
+ms.author: paoloma
+ms.topic: article
appliesto:
- ✅ Windows 11
---
From adc1527abbe9d541ea0e3c6cb1c09027ca6a8526 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 9 Nov 2023 15:01:28 -0500
Subject: [PATCH 16/16] updates
---
.../network-security/windows-firewall/hyper-v-firewall.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
index 83bc11858a..534ffb359d 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
+++ b/windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall.md
@@ -5,7 +5,6 @@ ms.topic: how-to
ms.date: 11/08/2023
author: paolomatarazzo
ms.author: paoloma
-ms.topic: article
appliesto:
- ✅ Windows 11
---