I'm setting up an OU GPO for firewall and other settings for CIS SCA recommendations. I've run into a problem with the Firewall Settings. The PCs in the OU are getting all GPO configurations just as you would expect, and everything is working fine. However, after an unknown amount of time, a couple of hours or the next day, on the Domain Controller the OU's GPO settings for "Windows Defender Firewall with Advanced Security Settings" are back to defaults, as if I had changed nothing. All other GPO settings are set as I had them and are staying.
So, the problem is with the domain controller, not the client included in the OU.
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security
Settings: State:
- Turning on all 3 (Domain, Private, Public Firewall)
- Block incoming (default)
- Allow outgoing (default)
Settings:
- Display notification = No
- Rule Merging: Apply local firewall rules = No
- Apply local connection security rules = No
Logging
- %SystemRoot%\System32\logfiles\firewall\domainfw.log (privatefw.log and publicfw.log respectively)
- SizeLimit 16,384
- Log Dropped packets = Yes
- Log successful connections
Note: Firewalls are successfully writing to all 3 files.
- Windows Server 2019, PCs are Dell Wyse ThinClients Windows 10 Enterprise LTSC
- NO other GPOs are there save Default Domain and Default Domain Controllers...
I'm stuck. Has anyone seen this before or have suggestions?
Thank you for your time,
Dell Wyse ThinClients Windows 10 Enterprise LTSC are configured to use Microsoft Unified Write Filter by default; make sure it's not on.
Such an overlay is like Deep Freeze, and will revert any change made to the operating system.
Events related to overlay consumption are sent by UWF kernel mode components and are logged in the Windows Logs\System event log.
Make sure the service is not up and running; deactivate it in the worst case to test it out.
I found the answer. If you configure
1) Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security
then
2) Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Defender Firewall
Step 2) will change step 1).... Silly Microsoft, silly me.
Thanks for all your help, everyone.
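An added example, not part of any post in this thread: a PowerShell check that compares firewall profile settings against the values listed in the question, so a GPO that has fallen back to defaults shows up as drift. The GPO store name `example.local\CIS Firewall` is a placeholder, the function name is hypothetical, and the sample objects are constructed for illustration.

```powershell
# Baseline taken from the settings listed in the question.
$Baseline = [ordered]@{
    Enabled                 = 'True'    # firewall on for the profile
    DefaultInboundAction    = 'Block'
    DefaultOutboundAction   = 'Allow'
    NotifyOnListen          = 'False'   # Display notification = No
    AllowLocalFirewallRules = 'False'   # Apply local firewall rules = No
    AllowLocalIPsecRules    = 'False'   # Apply local connection security rules = No
    LogMaxSizeKilobytes     = '16384'
    LogBlocked              = 'True'    # Log dropped packets = Yes
}
$LogDir = '%SystemRoot%\System32\logfiles\firewall'

# Hypothetical helper: emits one object per setting that differs from the baseline.
function Compare-FirewallBaseline {
    param([Parameter(Mandatory)] [object[]] $Profiles)
    foreach ($p in $Profiles) {
        # Log file is per profile: domainfw.log, privatefw.log, publicfw.log
        $want = [ordered]@{ LogFileName = "$LogDir\$($p.Name.ToLower())fw.log" }
        foreach ($k in $Baseline.Keys) { $want[$k] = $Baseline[$k] }
        foreach ($k in $want.Keys) {
            $actual = "$($p.$k)"            # enum and boolean values compared as text
            if ($actual -ne $want[$k]) {    # -ne is case-insensitive for strings
                [pscustomobject]@{ Profile = $p.Name; Setting = $k
                                   Expected = $want[$k]; Actual = $actual }
            }
        }
    }
}

# Constructed sample input: one compliant profile and one that has reverted.
# Properties omitted from the reverted object read as empty strings.
$sample = @(
    [pscustomobject]@{ Name = 'Domain'; Enabled = 'True'; DefaultInboundAction = 'Block'
        DefaultOutboundAction = 'Allow'; NotifyOnListen = 'False'
        AllowLocalFirewallRules = 'False'; AllowLocalIPsecRules = 'False'
        LogMaxSizeKilobytes = 16384; LogBlocked = 'True'
        LogFileName = "$LogDir\domainfw.log" }
    [pscustomobject]@{ Name = 'Public'; Enabled = 'NotConfigured'
        DefaultInboundAction = 'NotConfigured'; DefaultOutboundAction = 'NotConfigured' }
)
Compare-FirewallBaseline -Profiles $sample | Format-Table -AutoSize

# Live use against the GPO itself (placeholder store name, an assumption):
# Compare-FirewallBaseline -Profiles (Get-NetFirewallProfile -PolicyStore 'example.local\CIS Firewall')
```

Running the live form on a schedule and alerting on any output would show when the GPO's stored values change, which helps narrow down what rewrote them.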