Endpoint Insights

Compliance Setting- Detect if Firewall is Off

Topics: Endpoint Insights

IT professionals need to troubleshoot all sorts of issues. Oftentimes, while I’m troubleshooting a problem, I’ll turn off the local firewall to ensure that it isn’t causing the problem. If I can’t remember if I’ve turned it back on, how do I detect if the firewall is off? System Center Configuration Manager (SCCM) Compliance Setting to the rescue!

Let’s face it. Turning the firewall off is an easy trouble-shooting measure. If the problem goes away after it’s turned off then you know you must open the network ports. If the problem, however, doesn’t go away, I’ve gotten into the habit of keeping the firewall disabled until the problem is completely solved. I do this partly to ensure that the firewall isn’t causing other problems. At the end of the day, unfortunately, I sometimes forget to turn the firewall back on again. Using SCCM Compliance Setting assures me that all firewalls are enabled.

SCCM Compliance Setting

SCCM Compliance Setting is the feature/node name for Configuration Item (CI)/Configuration Baseline (CB). You can use CI/CB to detect settings, and in SCCM Current Branch you can even remediate settings.

If you ever find yourself in a similar situation to me, simply create a Compliance Setting. It’s a quick way to determine which firewalls are turned off. If you like, you can also enable them as part of the CI or, in older versions of SCCM, you can enable the firewalls by using a deployment.

How to Detect If the Firewall Is Off

In this post I will show you how to create a CI in SCCM Current Branch in order to detect if the firewall is off.

Detect If the Firewall Is Off - Windows Defender Firewall

In the above screenshot, you can see three firewall policies. One firewall is enabled and two are not.

How can you determine if the firewall is disabled for the Domain profile? You need to look in the registry. The firewall policies are stored under:
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicy

Detect If the Firewall Is Off - Registry Editor

After locating the policies, review the registry keys. All three policy nodes (purple arrows) are listed under the FirewallPolicy registry key.

Domain Networks = DomainProfile registry node.

Private Networks = StandardProfile registry node.

Guest or Public Networks = PublicProfile registry node.

Additionally, you can see that the DomainProfile registry node is expanded and there are two registry keys listed. The two registry keys are DisableNotifications and EnableFirewall. Based on the registry key name it is clear that EnableFirewall (red arrows) shows the firewall state using a Boolean value.

This makes detecting whether or not the firewall is off easy. All I need to do is check the registry key value to see if the value is True or False (1 or 0).

Create a New Configuration Item

Detect If the Firewall Is Off - Create Configuration Item

Start by opening the SCCM console, select the Assets and Compliance node and then expand Overview | Compliance Settings | Configuration Items. Click on the Create Configuration Item button.

Detect If the Firewall Is Off - CI Name

Give the Configuration Item a name. Click Next.

Detect If the Firewall Is Off - Supported Platforms

Select all supported operating systems. Click Next.

Detect If the Firewall Is Off - Settings

Click New…

Detect If the Firewall Is Off - Create Setting

Enter a name and then click Browse…

Detect If the Firewall Is Off - Browse Registry

Navigate the registry to:
HKEY_Local_MachineSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfile

Select the value EnableFirewall.

Select the checkbox for This registry value must satisfy the following rule if present:

In the text box, enter the number 1.

Click OK.

Detect If the Firewall Is Off - Compliance Rules Tab

Choose the Compliance Rules tab.

Detect If the Firewall Is Off - EnableFirewall Equals 1

Select EnableFirewall Equals 1 and then click on Edit…

Detect If the Firewall Is Off - Edit Rule

Set Noncompliance severity for reports to Critical. Click OK. Notice that I’m NOT remediating the registry key. Why? There will be times when I want the firewall disabled for longer periods of time and I don’t want it enabled without my knowledge.

Detect If the Firewall Is Off - Compliance Rules - OK

Click OK.

Detect If the Firewall Is Off - Compliance Rules - Next

Click Next.

Detect If the Firewall Is Off - Summary

Click Next.

Detect If the Firewall Is Off - Completion

Click Close.

Next, I’ll create the Configuration Baseline.

Create the Configuration Baseline

Detect If the Firewall Is Off - Create Configuration Baseline

Start by opening the SCCM console. Select the Assets and Compliance node, and then expand Overview | Compliance Settings | Configuration Baselines. Click on the Create Configuration Baseline button.

Detect If the Firewall Is Off - Add

Give the Configuration Baseline a name. Click Add and then select Configuration Items.

Detect If the Firewall Is Off - Add Configuration Items

Add the Configuration Item that was previously created. Click OK.

Detect If the Firewall Is Off - OK

Click OK.

Now that the baseline is created, it can be deployed to client systems.

Deploying the Configuration Baseline

Detect If the Firewall Is Off - Deploy

In the SCCM console, select the Assets and Compliance node. Next, expand Overview | Compliance Settings | Configuration Baselines. Select the newly created baseline and then click on Deploy from the ribbon.

Detect If the Firewall Is Off - Deploy Configuration Baselines

Select the collection. I would recommend deploying this baseline to the All Desktop and Server Clients collection.

Set a simple schedule for 1 Days. Click OK.

Now that the baseline is deployed, you can start reporting on the results.

Reporting on Firewall Status

After the baseline is evaluated on a system, you can check the status of the baseline by using the built-in SSRS compliance reports.

The compliance reports can be found within the Compliance and Settings Management reporting category.

Detect If the Firewall Is Off - Compliance Report

Above is the report, Compliance history of a configuration baseline. Here I can see that I have a mix of compliant and non-compliant computers.

If you have any questions about how to create a compliance setting in order to detect if the firewall is off, please feel free to contact me @GarthMJ.

Back to Top