Merged PR 2777: Firewall CSP updated

Maricia Alforque
2017-08-21 17:34:32 +00:00
parent 585d6eb43a
commit 82dd21e5b6
4 changed files with 286 additions and 210 deletions

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/18/2017
---
# Firewall CSP
@ -33,35 +33,45 @@ The following diagram shows the Firewall configuration service provider in tree
<a href="" id="global"></a>**MdmStore/Global**
<p style="margin-left: 20px">Interior node.</p>
<p style="margin-left: 20px">Supported operations are Get and Replace. </p>
<p style="margin-left: 20px">Supported operations are Get. </p>
<a href="" id="policyversionsupported"></a>**MdmStore/Global/PolicyVersionSupported**
<p style="margin-left: 20px">DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
<p style="margin-left: 20px">Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
<a href="" id="currentprofiles"></a>**MdmStore/Global/CurrentProfiles**
<p style="margin-left: 20px">DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</p>
<p style="margin-left: 20px">Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</p>
<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
<a href="" id="disablestatefulftp"></a>**MdmStore/Global/DisableStatefulFtp**
<p style="margin-left: 20px">This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace. </p>
<p style="margin-left: 20px">Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Data type is bool. Supported operations are Add, Get, Replace, and Delete. </p>
<a href="" id="saidletime"></a>**MdmStore/Global/SaIdleTime**
<p style="margin-left: 20px">This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Default value is 300.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/TPresharedKeyEncodingBD**
<p style="margin-left: 20px">Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/PresharedKeyEncoding**
<p style="margin-left: 20px">Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](https://msdn.microsoft.com/en-us/library/cc231525.aspx). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Default value is 1.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="ipsecexempt"></a>**MdmStore/Global/IPsecExempt**
<p style="margin-left: 20px">This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](https://msdn.microsoft.com/en-us/library/cc231523.aspx); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Default value is 0.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="crlcheck"></a>**MdmStore/Global/CRLcheck**
<p style="margin-left: 20px">This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:</p>
<ul>
<li>0 disables CRL checking</li>
<li>1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.</li>
<li>2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing</li>
</ul>
<p style="margin-left: 20px">Default value is 0.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="policyversion"></a>**MdmStore/Global/PolicyVersion**
<p style="margin-left: 20px">This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.</p>
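Review bot: The rewritten CRLcheck paragraph ends with "Valid valued:", which should read "Valid values:" as the EnablePacketQueue text does. The same node now documents "Default value is 0" directly under "0 disables CRL checking"; it is worth saying in the default line that revocation checking is off unless the value is set, so a reader does not have to combine the two lines. The MdmStore/Global line "Supported operations are Get." should be singular ("Supported operation is Get."), matching the child nodes.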
@ -72,12 +82,20 @@ The following diagram shows the Firewall configuration service provider in tree
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="opportunisticallymatchauthsetperkm"></a>**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="enablepacketqueue"></a>**MdmStore/Global/EnablePacketQueue**
<p style="margin-left: 20px">This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:</p>
<ul>
<li>0x00 indicates that all queuing is to be disabled</li>
<li>0x01 specifies that inbound encrypted packets are to be queued</li>
<li>0x02 specifies that packets are to be queued after decryption is performed for forwarding</li>
</ul>
<p style="margin-left: 20px">Default value is 0.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="domainprofile"></a>**MdmStore/DomainProfile**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
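Review bot: OpportunisticallyMatchAuthSetPerKM now lists Add and Delete but, unlike the other Global nodes this patch moves to those operations, it gets no "Default value is" line, so the state after a Delete is undocumented. The rewritten sentence also keeps "dont" (should be "don't") and reads "This value is bool used as an on/off switch"; "Boolean value used as an on/off switch" would match the neighbouring nodes. For EnablePacketQueue the text says the value is "a combination of flags", so the new list should state whether 0x03 (both flags) is accepted.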
@ -89,58 +107,79 @@ The following diagram shows the Firewall configuration service provider in tree
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
<a href="" id="enablefirewall"></a>**/EnableFirewall**
<p style="margin-left: 20px">This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="disablestealthmode"></a>**/DisableStealthMode**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="shielded"></a>**/Shielded**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Get and Replace.</p>
<a href="" id="disableunicastresponsestomulticastbroadcast"></a>**/DisableUnicastResponsesToMulticastBroadcast**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="disableinboundnotifications"></a>**/DisableInboundNotifications**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="authappsallowuserprefmerge"></a>**/AuthAppsAllowUserPrefMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="globalportsallowuserprefmerge"></a>**/GlobalPortsAllowUserPrefMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="allowlocalpolicymerge"></a>**/AllowLocalPolicyMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="allowlocalipsecpolicymerge"></a>**/AllowLocalIpsecPolicyMerge**
<p style="margin-left: 20px">This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p style="margin-left: 20px">Default value is 0 (allow).</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get and Replace.</p>
<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p style="margin-left: 20px">Default value is 1 (block).</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get and Replace.</p>
<a href="" id="disablestealthmodeipsecsecuredpacketexemption"></a>**/DisableStealthModeIpsecSecuredPacketExemption**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="firewallrules"></a>**FirewallRules**
<p style="margin-left: 20px">A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.</p>
<a href="" id="firewallrulename"></a>**FirewallRules/_FirewallRuleName_**
<p style="margin-left: 20px">Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="app"></a>**FirewallRules/_FirewallRuleName_/App**
<p style="margin-left: 20px">Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:</p>
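Review bot: The move from on/off to true/false is incomplete in two rewritten paragraphs: Shielded says "If this value is true and EnableFirewall is on", and DisableInboundNotifications says "If this value is on, the firewall MUST NOT display such a notification"; both should say true. Shielded is also the only profile node in this hunk left at "Get and Replace" while its siblings become "Add, Get and Replace"; please confirm that is intended, since it is the setting that blocks all inbound traffic. The new DefaultInboundAction paragraph carries over "GroupPolicyRSoPStore.win" with a stray period, and the two action lists would read better introduced by "Valid values:" as in EnablePacketQueue.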
@ -150,6 +189,7 @@ The following diagram shows the Firewall configuration service provider in tree
<li>FQBN</li>
<li>ServiceName</li>
</ul>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="packagefamilyname"></a>**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
@ -170,14 +210,17 @@ The following diagram shows the Firewall configuration service provider in tree
<a href="" id="protocol"></a>**FirewallRules/_FirewallRuleName_/Protocol**
<p style="margin-left: 20px">0-255 number representing the ip protocol (TCP = 6, UDP = 17)</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localportranges"></a>**FirewallRules/_FirewallRuleName_/LocalPortRanges**
<p style="margin-left: 20px">Comma separated list of ranges. For example, 100-120,200,300-320.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteportranges"></a>**FirewallRules/_FirewallRuleName_/RemotePortRanges**
<p style="margin-left: 20px">Comma separated list of ranges, For example, 100-120,200,300-320.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localaddressranges"></a>**FirewallRules/_FirewallRuleName_/LocalAddressRanges**
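Review bot: Under Protocol, "If not specified, the default is All." sits next to "0-255 number" and "Value type is integer", and "All" is not a value in that range. Say how the unset state is represented when the node is read with Get, or reword to "If not specified, the rule applies to all protocols." The two port-range nodes are strings, so the same wording is less ambiguous there.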
@ -189,6 +232,7 @@ The following diagram shows the Firewall configuration service provider in tree
<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
</ul>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteaddressranges"></a>**FirewallRules/_FirewallRuleName_/RemoteAddressRanges**
@ -209,6 +253,7 @@ The following diagram shows the Firewall configuration service provider in tree
<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
</ul>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
@ -217,13 +262,13 @@ The following diagram shows the Firewall configuration service provider in tree
<a href="" id="enabled"></a>**FirewallRules/_FirewallRuleName_/Enabled**
<p style="margin-left: 20px">Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
<a href="" id="profiles"></a>**FirewallRules_FirewallRuleName_/Profiles**
<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
<p style="margin-left: 20px">Specifies the action for the rule.</p>
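Review bot: In the Enabled node, "If not specified - a new rule is disabled by default." appears both at the end of the first paragraph and as its own new paragraph; if the first copy is unchanged context, the rendered page will show the sentence twice, so drop one. The Profiles heading reads "FirewallRules_FirewallRuleName_/Profiles" with the slash after FirewallRules missing, and the rewritten Profiles paragraph keeps the doubled period in "Public. . See". Both Enabled and Profiles also drop Add and Delete here while still describing an "If not specified" default; a short remark on how the value is first set would help.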
@ -235,7 +280,8 @@ If not specified - a new rule is disabled by default.</p>
<li>0 - Block</li>
<li>1 - Allow</li>
</ul>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">If not specified, the default is allow.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
@ -244,27 +290,24 @@ If not specified - a new rule is disabled by default.</p>
<li>OUT - the rule applies to outbound traffic.</li>
<li>If not specified, the default is IN.</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Get and Replace.</p>
<a href="" id="interfacetypes"></a>**FirewallRules/FirewallRuleName/InterfaceTypes**
<p style="margin-left: 20px">Comma separated list of interface types. Valid values:</p>
<ul>
<li>RemoteAccess</li>
<li>Wireless</li>
<li>Lan</li>
<li>MobileBroadband</li>
<li>All</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
<p style="margin-left: 20px">List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Get and Replace.</p>
<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
<p style="margin-left: 20px">Indicates whether edge traversal is enabled or disabled for this rule.</p>
<p style="margin-left: 20px">The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
<p style="margin-left: 20px">New rules have the EdgeTraversal property disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
<p style="margin-left: 20px">Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.</p>
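Review bot: Supported operations are inconsistent across sibling rule properties in this hunk: Direction and IcmpTypesAndCodes change to "Get and Replace", while InterfaceTypes and the new EdgeTraversal line still read "Add, Get, Replace, and Delete". Please confirm which set is correct and make them agree. Two smaller items: the IcmpTypesAndCodes paragraph ends with a stray "<" before "</p>", and the InterfaceTypes heading omits the italic markers around FirewallRuleName that the other headings use.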
@ -274,10 +317,6 @@ If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="friendlyname"></a>**FirewallRules/_FirewallRuleName_/FriendlyName**
<p style="margin-left: 20px">Specifies the friendly name of the rule. The string must not contain the "|" character.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="name"></a>**FirewallRules/_FirewallRuleName_/Name**
<p style="margin-left: 20px">Name of the rule.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
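Review bot: "verrsion" in the rule version description at the top of this hunk is misspelled. Since the surrounding lines are being edited in this commit, fix it to "version" here as well.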

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/18/2017
---
# Firewall CSP
@ -30,6 +30,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
</AccessType>
<Description>Root node for the Firewall configuration service provider.</Description>
<DFFormat>
<node />
</DFFormat>
@ -67,7 +68,6 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
@ -88,7 +88,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
</AccessType>
<Description>This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</Description>
<Description>Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</Description>
<DFFormat>
<int />
</DFFormat>
@ -109,7 +109,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
</AccessType>
<Description>This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</Description>
<Description>Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</Description>
<DFFormat>
<int />
</DFFormat>
@ -130,8 +130,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</Description>
<DefaultValue>FALSE</DefaultValue>
<Description>This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<bool />
</DFFormat>
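Review bot: The new DisableStatefulFtp description is hard to parse: "FALSE means off; TRUE means on, so the stateful FTP is disabled" does not make clear which value turns filtering off. State the effect of each value directly, for example "FALSE: the firewall performs stateful FTP filtering; TRUE: stateful FTP filtering is disabled", so that the "on values win" merge law can be read unambiguously.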
@ -152,8 +155,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DefaultValue>300</DefaultValue>
<Description>This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
@ -174,8 +180,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DefaultValue>1</DefaultValue>
<Description>Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
@ -196,8 +205,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
@ -218,8 +230,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<Description>This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
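Review bot: CRLcheck gains Add and Delete here but, unlike the neighboring global nodes in this commit, gets no DefaultValue element. Because a value of 0 disables CRL checking entirely, the value that applies after a Delete should be documented, both as a DefaultValue and in the Description.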
@ -282,8 +296,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<Description>This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<bool />
</DFFormat>
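Review bot: The rewritten description introduces "dont" (missing apostrophe) where the old text had "do not"; keep "do not". This node also gains Add and Delete without a DefaultValue, so the behavior after a Delete is undocumented.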
@ -304,8 +320,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</Description>
<DFFormat>
<int />
</DFFormat>
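Review bot: "a integer" in the new description should be "an integer". The text calls the value "a combination of flags" but describes only 0x00, 0x01 and 0x02; say whether 0x03 (both flags set) is valid so the allowed range next to the new DefaultValue of 0 is unambiguous.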
@ -346,10 +365,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
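Review bot: DFFormat changes from int to bool for EnableFirewall, but the new DefaultValue is 1, whereas DisableStatefulFtp in this same file uses FALSE for a bool default. Pick one representation for bool defaults across the DDF. Also, this node gains Add but not Delete, unlike the global nodes; if that is deliberate (so the firewall switch cannot be removed back to an unmanaged state), a sentence in the Description would help.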
@ -368,10 +389,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -391,9 +414,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Get />
<Replace />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
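Review bot: The node is now bool, but the new description still says "If this value is on and EnableFirewall is on", while sibling descriptions in this commit were reworded to true/false. Reword to "true" for consistency. Shielded also does not gain Add, unlike the neighboring profile nodes; confirm that is intended.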
@ -412,10 +436,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -434,10 +460,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
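Review bot: The new description mixes vocabularies: "If this value is false, the firewall MAY display a notification" is followed by "If this value is on, the firewall MUST NOT display such a notification". Use "true" in the second sentence to match the bool format and the first sentence.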
@ -456,10 +484,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -478,10 +508,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
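Review bot: The merge-law sentence in the new description still reads "let the value GroupPolicyRSoPStore win", dropping "of the" that every sibling description uses. Change it to "let the value of the GroupPolicyRSoPStore win" while the line is being rewritten.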
@ -500,10 +532,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -522,10 +556,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -544,8 +580,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -566,8 +604,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
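Review bot: The typo "GroupPolicyRSoPStore.win" is carried over from the old description into the new one; it should read "GroupPolicyRSoPStore win". The addition of "Default value is 1 [Block]" matches the new DefaultValue element and is good to keep.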
@ -588,10 +628,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -630,10 +672,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -652,10 +696,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -675,9 +721,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Get />
<Replace />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -696,10 +743,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -718,10 +767,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -740,10 +791,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -762,10 +815,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -784,10 +839,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -806,10 +863,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -828,8 +887,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -850,8 +911,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
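Review bot: The updated inbound description carries over the typo "GroupPolicyRSoPStore.win" (stray period before "win"). The outbound description in the previous hunk has it right ("GroupPolicyRSoPStore win"), so this line should match.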
@ -872,10 +935,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
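Review bot: The new description mixes two vocabularies for the same bool: "ignored if DisableStealthMode is on" and "when this option is true". Now that the format is `<bool />`, use true/false throughout the sentence so a reader does not have to guess whether "on" and "true" are the same state.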
@ -914,10 +979,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -936,10 +1003,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -959,9 +1028,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Get />
<Replace />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
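Review bot: This node's AccessType stays at Get and Replace, while every neighbouring node converted in this commit also gains `<Add />`. If the omission is intentional, a short note in the description would help; if not, add it for consistency. The description also keeps "on" ("If this value is on and EnableFirewall is on") although the format is now `<bool />` and the sibling descriptions were changed to true/false.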
@ -980,10 +1050,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
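Review bot: The rewritten description has a subject-verb mismatch: "unicast responses to multicast broadcast traffic is blocked" should read "are blocked". As this line is already being edited for the bool change, fix the grammar in the same pass.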
@ -1002,10 +1074,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1024,10 +1098,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1046,10 +1122,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1068,10 +1146,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1090,10 +1170,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1112,8 +1194,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1134,8 +1218,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1156,10 +1242,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1200,6 +1288,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</Description>
<DFFormat>
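Review bot: Missing documentation for the added `<Replace />` on this node. The description only says the node is the "Unique alpha numeric identifier for the rule", so it is unclear what a Replace on the rule-name node does (rename, or replace the whole rule). Please document the intended semantics.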
@ -1349,7 +1438,7 @@ ServiceName</Description>
<Get />
<Replace />
</AccessType>
<Description>0-255 number representing the ip protocol (TCP = 6, UDP = 17)</Description>
<Description>0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.</Description>
<DFFormat>
<int />
</DFFormat>
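Review bot: "If not specified the default is All" does not say how "All" is represented for a node whose format is `<int />` with a documented range of 0-255. Either state that All applies only when the node is absent, or give the integer a client will read back from Get. The same question applies to the Profiles bitmask hunk further down, which also adds "the default is All" to an int node.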
@ -1373,7 +1462,7 @@ ServiceName</Description>
<Get />
<Replace />
</AccessType>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320</Description>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1397,7 +1486,7 @@ ServiceName</Description>
<Get />
<Replace />
</AccessType>
<Description> Comma Separated list of ranges for eg. 100-120,200,300-320</Description>
<Description> Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1428,7 +1517,7 @@ Valid tokens include:
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included.</Description>
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
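Review bot: The added sentence "If not specified the default is All." is appended to the IPv6 address range token line, so it reads as a property of that token rather than of the whole address list. Put it on its own line after the token list. While here, the context line "If neither a subnet mask not a network prefix is specified" should read "nor".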
@ -1466,7 +1555,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included.</Description>
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1509,8 +1598,6 @@ An IPv6 address range in the format of "start address - end address" with no spa
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
@ -1534,12 +1621,10 @@ If not specified - a new rule is disabled by default.</Description>
<NodeName>Profiles</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</Description>
<Description>Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1560,13 +1645,7 @@ If not specified - a new rule is disabled by default.</Description>
<AccessType>
<Get />
</AccessType>
<Description>Specifies the action for the rule.
BLOCK - block the connection.
ALLOW - allow the connection.
If not specified the default action is BLOCK.</Description>
<Description>Specifies the action for the rule.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1584,11 +1663,10 @@ If not specified the default action is BLOCK.</Description>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Specifies the action the rule enforces:
0 - Block
1 - Allow</Description>
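Review bot: The added `<DefaultValue>1</DefaultValue>` on Type means Allow (per "1 - Allow"), while the previous hunk removes the Action text "If not specified the default action is BLOCK." That reverses the documented default for a rule with no explicit action from block to allow. Please confirm this matches the actual behaviour, and if it does, call the change out explicitly in the change history rather than under "Added default values".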
@ -1611,11 +1689,10 @@ If not specified the default action is BLOCK.</Description>
<NodeName>Direction</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>IN</DefaultValue>
<Description>Comma separated list. The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic.
@ -1640,11 +1717,10 @@ If not specified the detault is IN.</Description>
<NodeName>InterfaceTypes</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>All</DefaultValue>
<Description>String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All".
If more than one interface type is specified, the strings must be separated by a comma.</Description>
<DFFormat>
@ -1661,30 +1737,6 @@ If not specified the detault is IN.</Description>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IcmpTypesAndCodes</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EdgeTraversal</NodeName>
<DFProperties>
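Review bot: Removing the IcmpTypesAndCodes node leaves no documented way in this DDF to scope a rule to specific ICMP types and codes; only the Protocol number remains. Please document what happens to existing payloads that target this node and whether ICMP rules now match all types and codes.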
@ -1760,31 +1812,6 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FriendlyName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the friendly name of the rule.
The string must not contain the "|" character.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<DFProperties>

Binary file not shown.

Size before: 95 KiB; after: 93 KiB

View File

@ -1368,6 +1368,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top">Added information to the ADMX-backed policies.
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top">Updated the CSP and DDF topics. Here are the changes:
<ul>
<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.</li>
<li>Changed some data types from integer to bool.</li>
<li>Updated the list of supported operations for some settings.</li>
<li>Added default values.</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
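Review bot: The change-history entry is too unspecific for a firewall CSP: "Changed some data types from integer to bool" and "Updated the list of supported operations for some settings" do not name the nodes. Management servers that send these nodes as int, or that rely on Add or Delete for the per-rule nodes, need the list. Suggest naming the affected nodes, as the first bullet already does for the removed settings.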