--- title: Firewall DDF file description: View the XML file containing the device description framework (DDF) for the Firewall configuration service provider. ms.date: 01/18/2024 --- # Firewall DDF file The following XML file contains the device description framework (DDF) for the Firewall configuration service provider. ```xml ]> 1.2 Firewall ./Vendor/MSFT Root node for the Firewall configuration service provider. 10.0.16299 1.0 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;0xCF; MdmStore Global PolicyVersionSupported Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build. CurrentProfiles Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law. DisableStatefulFtp false This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win. false Stateful FTP enabled true Stateful FTP disabled SaIdleTime 300 This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. [300-3600] PresharedKeyEncoding 1 Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 0 FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_NONE: Preshared key is not encoded. Instead, it is kept in its wide-character format. This symbolic constant has a value of 0. 1 FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8: Encode the preshared key using UTF-8. This symbolic constant has a value of 1. IPsecExempt 0x0 This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 0x0 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NONE: No IPsec exemptions. 0x1 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC: Exempt neighbor discover IPv6 ICMP type-codes from IPsec. 0x2 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ICMP: Exempt ICMP from IPsec. 0x4 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ROUTER_DISC: Exempt router discover IPv6 ICMP type-codes from IPsec. 0x8 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_DHCP: Exempt both IPv4 and IPv6 DHCP traffic from IPsec. CRLcheck This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. 0 Disables CRL checking 1 Specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. 2 Means that checking is required and that certificate validation fails if any error is encountered during CRL processing PolicyVersion This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law. BinaryVersionSupported This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201. OpportunisticallyMatchAuthSetPerKM This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. false FALSE true TRUE EnablePacketQueue 0x0 This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding. 0x0 Indicates that all queuing is to be disabled 0x1 Specifies that inbound encrypted packets are to be queued 0x2 Specifies that packets are to be queued after decryption is performed for forwarding DomainProfile EnableFirewall true This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Disable Firewall true Enable Firewall DisableStealthMode false This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Use Stealth Mode true Disable Stealth Mode Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall Shielded false This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. false Shielding Off true Shielding On Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall DisableUnicastResponsesToMulticastBroadcast false This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Unicast Responses Not Blocked true Unicast Responses Blocked Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall EnableLogDroppedPackets false This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Dropped Packets true Enable Logging Of Dropped Packets Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall EnableLogSuccessConnections false This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Successful Connections true Enable Logging Of Successful Connections Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall EnableLogIgnoredRules false This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Ignored Rules true Enable Logging Of Ignored Rules Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall LogMaxFileSize 1024 This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 10.0.22621 1.0 [0-4294967295] Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall LogFilePath %systemroot%\system32\LogFiles\Firewall\pfirewall.log This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 10.0.22621 1.0 Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall DisableInboundNotifications false This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Firewall May Display Notification true Firewall Must Not Display Notification Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall AuthAppsAllowUserPrefMerge true This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false AuthAppsAllowUserPrefMerge Off true AuthAppsAllowUserPrefMerge On Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall GlobalPortsAllowUserPrefMerge true This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false GlobalPortsAllowUserPrefMerge Off true GlobalPortsAllowUserPrefMerge On Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall AllowLocalPolicyMerge true This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. false AllowLocalPolicyMerge Off true AllowLocalPolicyMerge On Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall AllowLocalIpsecPolicyMerge true This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. false AllowLocalIpsecPolicyMerge Off true AllowLocalIpsecPolicyMerge On Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall DefaultOutboundAction 0 This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 0 Allow Outbound By Default 1 Block Outbound By Default Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall DefaultInboundAction 1 This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. 0 Allow Inbound By Default 1 Block Inbound By Default Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall DisableStealthModeIpsecSecuredPacketExemption true This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. false FALSE true TRUE Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall true Enable Firewall PrivateProfile EnableFirewall true This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Disable Firewall true Enable Firewall DisableStealthMode false This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Use Stealth Mode true Disable Stealth Mode Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall Shielded false This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. false Shielding Off true Shielding On Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall DisableUnicastResponsesToMulticastBroadcast false This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Unicast Responses Not Blocked true Unicast Responses Blocked Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall EnableLogDroppedPackets false This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Dropped Packets true Enable Logging Of Dropped Packets Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall EnableLogSuccessConnections false This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Successful Connections true Enable Logging Of Successful Connections Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall EnableLogIgnoredRules false This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Ignored Rules true Enable Logging Of Ignored Rules Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall LogMaxFileSize 1024 This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 10.0.22621 1.0 [0-4294967295] Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall LogFilePath %systemroot%\system32\LogFiles\Firewall\pfirewall.log This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 10.0.22621 1.0 Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall DisableInboundNotifications false This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Firewall May Display Notification true Firewall Must Not Display Notification Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall AuthAppsAllowUserPrefMerge true This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false AuthAppsAllowUserPrefMerge Off true AuthAppsAllowUserPrefMerge On Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall GlobalPortsAllowUserPrefMerge true This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false GlobalPortsAllowUserPrefMerge Off true GlobalPortsAllowUserPrefMerge On Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall AllowLocalPolicyMerge true This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. false AllowLocalPolicyMerge Off true AllowLocalPolicyMerge On Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall AllowLocalIpsecPolicyMerge true This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. false AllowLocalIpsecPolicyMerge Off true AllowLocalIpsecPolicyMerge On Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall DefaultOutboundAction 0 This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 0 Allow Outbound By Default 1 Block Outbound By Default Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall DefaultInboundAction 1 This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. 0 Allow Inbound By Default 1 Block Inbound By Default Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall DisableStealthModeIpsecSecuredPacketExemption true This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. false FALSE true TRUE Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall true Enable Firewall PublicProfile EnableFirewall true This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Disable Firewall true Enable Firewall DisableStealthMode false This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Use Stealth Mode true Disable Stealth Mode Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall Shielded false This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. false Shielding Off true Shielding On Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall DisableUnicastResponsesToMulticastBroadcast false This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Unicast Responses Not Blocked true Unicast Responses Blocked Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall EnableLogDroppedPackets false This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Dropped Packets true Enable Logging Of Dropped Packets Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall EnableLogSuccessConnections false This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Successful Connections true Enable Logging Of Successful Connections Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall EnableLogIgnoredRules false This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule is not enforced for any reason. The merge law for this option is to let "on" values win. 10.0.22621 1.0 false Disable Logging Of Ignored Rules true Enable Logging Of Ignored Rules Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall LogMaxFileSize 1024 This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 10.0.22621 1.0 [0-4294967295] Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall LogFilePath %systemroot%\system32\LogFiles\Firewall\pfirewall.log This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured, otherwise the MdmStore value wins if it is configured, otherwise the local store value is used. 10.0.22621 1.0 Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall DisableInboundNotifications false This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false Firewall May Display Notification true Firewall Must Not Display Notification Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall AuthAppsAllowUserPrefMerge true This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false AuthAppsAllowUserPrefMerge Off true AuthAppsAllowUserPrefMerge On Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall GlobalPortsAllowUserPrefMerge true This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. false GlobalPortsAllowUserPrefMerge Off true GlobalPortsAllowUserPrefMerge On Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall AllowLocalPolicyMerge true This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. false AllowLocalPolicyMerge Off true AllowLocalPolicyMerge On Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall AllowLocalIpsecPolicyMerge true This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. false AllowLocalIpsecPolicyMerge Off true AllowLocalIpsecPolicyMerge On Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall DefaultOutboundAction 0 This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. 0 Allow Outbound By Default 1 Block Outbound By Default Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall DefaultInboundAction 1 This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used. 0 Allow Inbound By Default 1 Block Inbound By Default Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall DisableStealthModeIpsecSecuredPacketExemption true This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used. false FALSE true TRUE Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall true Enable Firewall HyperVVMSettings Settings for the Windows Firewall for Hyper-V containers. Each setting applies on a per-VM Creator basis. 10.0.22621 1.0 VM Creator ID that these settings apply to. Valid format is a GUID VMCreatorId \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} EnableFirewall true This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. false Disable Hyper-V Firewall true Enable Hyper-V Firewall DefaultOutboundAction 0 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. 0 Allow Outbound By Default 1 Block Outbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall true Enable Hyper-V Firewall DefaultInboundAction 1 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. 0 Allow Inbound By Default 1 Block Inbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall true Enable Hyper-V Firewall EnableLoopback false This value is an on/off switch for loopback traffic. This determines if this VM is able to send/receive loopback traffic to other VMs or the host. false Disable loopback true Enable loopback AllowHostPolicyMerge true This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. 10.0.25398, 10.0.22621.2352 1.0 false AllowHostPolicyMerge Off true AllowHostPolicyMerge On DomainProfile 10.0.25398, 10.0.22621.2352 1.0 EnableFirewall true This value is an on/off switch for the Hyper-V Firewall enforcement. false Disable Firewall true Enable Firewall DefaultOutboundAction 0 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. 0 Allow Outbound By Default 1 Block Outbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall true Enable Hyper-V Firewall DefaultInboundAction 1 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. 0 Allow Inbound By Default 1 Block Inbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall true Enable Hyper-V Firewall AllowLocalPolicyMerge true This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. false AllowLocalPolicyMerge Off true AllowLocalPolicyMerge On Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall true Enable Hyper-V Firewall PrivateProfile 10.0.25398, 10.0.22621.2352 1.0 EnableFirewall true This value is an on/off switch for the Hyper-V Firewall enforcement. false Disable Firewall true Enable Firewall DefaultOutboundAction 0 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. 0 Allow Outbound By Default 1 Block Outbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall true Enable Hyper-V Firewall DefaultInboundAction 1 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. 0 Allow Inbound By Default 1 Block Inbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall true Enable Hyper-V Firewall AllowLocalPolicyMerge true This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. false AllowLocalPolicyMerge Off true AllowLocalPolicyMerge On Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall true Enable Hyper-V Firewall PublicProfile 10.0.25398, 10.0.22621.2352 1.0 EnableFirewall true This value is an on/off switch for the Hyper-V Firewall enforcement. false Disable Hyper-V Firewall true Enable Hyper-V Firewall DefaultOutboundAction 0 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. 0 Allow Outbound By Default 1 Block Outbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall true Enable Hyper-V Firewall DefaultInboundAction 1 This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. 0 Allow Inbound By Default 1 Block Inbound By Default Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall true Enable Hyper-V Firewall AllowLocalPolicyMerge true This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. false AllowLocalPolicyMerge Off true AllowLocalPolicyMerge On Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall true Enable Hyper-V Firewall FirewallRules A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). FirewallRuleName ^[^|/]*$ App Rules that control connections for an app, program or service. Specified based on the intersection of the following nodes. PackageFamilyName FilePath FQBN ServiceName PackageFamilyName PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application. FilePath FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe. Fqbn Fully Qualified Binary Name ServiceName This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic. Protocol 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. [0-255] LocalPortRanges Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). ^[0-9,-]+$ RemotePortRanges Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). ^[0-9,-]+$ IcmpTypesAndCodes String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP). 10.0.20348 1.0 LocalAddressRanges Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. RemoteAddressRanges Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: "*" indicates any remote address. If present, this must be the only token included. "Defaultgateway" "DHCP" "DNS" "WINS" "Intranet" "RemoteCorpNetwork" "Internet" "PlayToRenderers" "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive. A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. RemoteAddressDynamicKeywords Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule. 10.0.22000, 10.0.19044.1706, 10.0.19043.1706, 10.0.19042.1706 1.0 \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} Description Specifies the description of the rule. Enabled Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. 0 Disabled 1 Enabled Profiles Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. 0x1 FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains. 0x2 FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD. 0x4 FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted. 0x7FFFFFFF FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets. 0x80000000 FW_PROFILE_TYPE_CURRENT: This value represents the current profiles to which the firewall and advanced security components determine the host is connected at the moment of the call. This value can be specified only in method calls, and it cannot be combined with other flags. Action Specifies the action for the rule. Type 1 Specifies the action the rule enforces: 0 - Block 1 - Allow 0 Block 1 Allow Direction OUT The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. If not specified the detault is OUT. IN The rule applies to inbound traffic. OUT The rule applies to outbound traffic. InterfaceTypes All String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MBB", and "All". If more than one interface type is specified, the strings must be separated by a comma. RemoteAccess RemoteAccess Wireless Wireless Lan Lan MBB MobileBroadband All All EdgeTraversal Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. 0 Disabled 1 Enabled LocalUserAuthorizedList Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.. PolicyAppId Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. 10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880 1.1 ^[A-Za-z0-9_.:/]+$ Status Provides information about the specific verrsion of the rule in deployment for monitoring purposes. Name Specifies the friendly name of the firewall rule. HyperVFirewallRules A list of rules controlling traffic through the Windows Firewall for Hyper-V containers. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed. 10.0.22621 1.0 Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). FirewallRuleName ^[^|/]*$ Priority This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. [0-65535] Direction OUT The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. If not specified the detault is OUT. IN The rule applies to inbound traffic. OUT The rule applies to outbound traffic. VMCreatorId This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators. \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} Protocol 0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All. [0-255] LocalAddressRanges Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. LocalPortRanges Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. ^[0-9,-]+$ RemoteAddressRanges Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: "*" indicates any remote address. If present, this must be the only token included. A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All. RemotePortRanges Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. ^[0-9,-]+$ Action 1 Specifies the action the rule enforces: 0 - Block 1 - Allow 0 Block 1 Allow Enabled Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. 0 Disabled 1 Enabled Status Provides information about the specific version of the rule in deployment for monitoring purposes. Profiles Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All. 10.0.25398, 10.0.22621.2352 1.0 0x1 FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains. 0x2 FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they are in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD. 0x4 FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator are not trusted. 0x7FFFFFFF FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets. Name Specifies the friendly name of the Hyper-V Firewall rule. DynamicKeywords 10.0.22000, 10.0.19044.1706, 10.0.19043.1706, 10.0.19042.1706 1.0 Addresses A list of dynamic keyword addresses for use within firewall rules. Dynamic keyword addresses can either be a simple alias object or fully-qualified domain names which will be autoresolved in the presence of the Microsoft Defender Advanced Threat Protection Service. A unique GUID string identifier for this dynamic keyword address. Id \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} Keyword A String reprsenting keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). If the AutoResolve value is false, then this can be any identifier string. Addresses Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value should not be set if AutoResolve is true. Valid tokens include: A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. A valid IPv6 address. An IPv4 address range in the format of "start address - end address" with no spaces included. An IPv6 address range in the format of "start address - end address" with no spaces included. Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/[Id]/AutoResolve false AutoResolve False AutoResolve false If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present. false AutoResolve False true AutoResolve True ``` ## Related articles [Firewall configuration service provider reference](firewall-csp.md)