SCCM ConfigMgr Client How to Create Windows Firewall Outbound Rules Using PowerShell

Don’t disable Windows Firewall in your SCCM labs. Is Windows Firewall disabled on your SCCM / ConfigMgr client machine? Is this because you are too lazy to configure or create Inbound and Outbound rules for applications like SCCM? Ok, I’m also becoming lazy these days for some good reasons 🙂 We can use PowerShell commands to create and enable firewall rules, and it’s not complex at all.

In this post, I’m going to walk through creating Outbound Windows Firewall rules for the SCCM / ConfigMgr 2012 client using PowerShell commands. I’ve already blogged about creating Inbound rules in Windows Firewall; for more details, see How to Create Windows Firewall Inbound Rules for SCCM ConfigMgr 2012 Client. Following are the topics which I’m going to cover in this post.

1. Import the PowerShell Security module for Windows Firewall

2. PowerShell command to list all the commands which have “Firewall” in the noun

3. PowerShell command to Edit/Enable the Outbound Predefined rule in Windows Firewall

4. PowerShell command to create a predefined rule in Windows Firewall

5. PowerShell command to Create Outbound Firewall rule for TCP Port

6. PowerShell command to Create Outbound Firewall rule for UDP Port

7. List of all the commands which have “Firewall” in the noun

Each topic is covered with screenshots and the respective PowerShell commands. I’m still learning PowerShell (taking baby steps), so there could be other/better ways to achieve this kind of task. All these topics are selected with respect to SCCM 2012 client outbound communication port requirements.

1. Import the Powershell Security module for Windows Firewall.

We need to load the Windows Firewall module as shown in the command line. Ensure that you run all of the following commands in Windows PowerShell ISE as administrator.

PS C:\Windows\system32> Import-Module NetSecurity

2. PowerShell command for listing all the commands which have “Firewall” in the noun

The GCM command will give us a list of all the commands which have “Firewall” in the noun. A more detailed table of available commands is at the bottom of the post.

PS C:\Windows\system32> gcm -noun *Firewall*

3. PowerShell command to Edit/Enable the Predefined rule in Windows Firewall

Run the PowerShell command to Edit/Enable the Predefined rule in Windows Firewall for File and Printer Sharing Group.

This is a bit tricky as there are two parts to it. When Windows Firewall rules for the File and Printer Sharing group already exist, we can run the following command to enable that set of rules. The second part is covered in point #4. For the SCCM/ConfigMgr 2012 client, we need to enable the Inbound and Outbound Firewall rules for all the predefined ones under the File and Printer Sharing group.

Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Outbound | Set-NetFirewallRule -Enabled True -Direction Outbound

All the Firewall Rules related to File and Printer Sharing are disabled 

Run the following PowerShell commands to LIST and enable the already created rules under File and Printer Sharing

LIST Command :- (Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Outbound).DisplayName

To Enable :- Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Outbound | Set-NetFirewallRule -Enabled True -Direction Outbound

Rules under the File and Printer Sharing group have been enabled now

4. PowerShell command to create a predefined rule in Windows Firewall

When there are no predefined firewall rules present in the Windows Firewall console, we can’t use the Set-NetFirewallRule PowerShell command. Rather, we should use New-NetFirewallRule to create a new predefined rule in the Windows Firewall console.

PowerShell command :- New-NetFirewallRule -DisplayName "File and Printer Sharing (NB-Datagram-Out)" -Group "File and Printer Sharing" -Enabled True -Protocol UDP -RemotePort 138 -Direction Outbound

File and Printer Sharing (NB-Datagram-Out) rule has been created. Result screenshot after running the above mentioned Powershell command.

5. PowerShell command to Create Outbound Firewall rule for TCP Port

Run the following PowerShell command to create an Outbound Firewall rule for TCP Port 80 HTTP communication

PowerShell CMD :- New-NetFirewallRule -Direction Outbound -InterfaceType Any -Protocol TCP -RemotePort 80 -DisplayName "HTTP Communication"

Run the following command to create an Outbound Firewall rule for Client Notification TCP Port 10123
PS C:\Windows\system32> New-NetFirewallRule -Direction Outbound -InterfaceType Any -Protocol TCP -RemotePort 10123 -DisplayName "Client Notification TCP Port"
Name : {42455662-3830-407c-9d1c-ee74b0313a73}
DisplayName : Client Notification TCP Port
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local

6. PowerShell command to Create Outbound Firewall rule for UDP Port

When you use Network Access Protection and Wake on LAN, you need to open the following UDP ports as well
  • Outbound: UDP 67 and UDP 68 for DHCP
  • Outbound: TCP 80/443 for IPsec
  • Outbound: UDP Port 25536
  • Outbound: UDP Port 9
PS C:\Windows\system32> New-NetFirewallRule -Direction Outbound -InterfaceType Any -Protocol UDP -RemotePort 67,68,25536,9 -DisplayName "aNetwork Access point UDP Ports"
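
Re-running the New-NetFirewallRule commands from sections 4 to 6 adds another rule with the same display name each time, because each rule's Name is a generated GUID. The script below is an added example, not part of the original post: it creates the post's outbound rules only when they are missing, enables the predefined group if it exists, and reads the result back. The `$rules` table layout and the variable names are assumptions made for the example.

```powershell
#Requires -RunAsAdministrator
Import-Module NetSecurity

# Display names and ports are the ones used in this post; the table layout is illustrative.
$rules = @(
    @{ DisplayName = 'HTTP Communication';              Protocol = 'TCP'; RemotePort = 80 }
    @{ DisplayName = 'Client Notification TCP Port';    Protocol = 'TCP'; RemotePort = 10123 }
    @{ DisplayName = 'aNetwork Access point UDP Ports'; Protocol = 'UDP'; RemotePort = 67, 68, 25536, 9 }
)

foreach ($r in $rules) {
    # Look the rule up by display name, then keep only outbound matches.
    $existing = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Outbound' }
    if ($existing) {
        # Already in the store: enable it instead of adding a duplicate.
        $existing | Set-NetFirewallRule -Enabled True
    }
    else {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Outbound -Action Allow `
            -InterfaceType Any -Protocol $r.Protocol -RemotePort $r.RemotePort | Out-Null
    }
}

# Section 3 versus section 4: the predefined group can only be enabled if its rules exist.
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Outbound `
    -ErrorAction SilentlyContinue
if ($fps) { $fps | Set-NetFirewallRule -Enabled True }
else { Write-Warning 'No outbound File and Printer Sharing rules found; create them as in section 4.' }

# Read the rules back with their port filters to confirm what was stored.
$names = $rules | ForEach-Object { $_.DisplayName }
Get-NetFirewallRule -Direction Outbound -Enabled True |
    Where-Object { $names -contains $_.DisplayName } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Protocol    = $pf.Protocol
            RemotePort  = $pf.RemotePort -join ','
            Action      = $_.Action
        }
    } | Format-Table -AutoSize

# Outbound allow rules only change behaviour on profiles whose default outbound action is Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
```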

7. List of all the commands which have “Firewall” in the noun

CommandType Name ModuleName
Function Copy-NetFirewallRule NetSecurity
Function Disable-NetFirewallRule NetSecurity
Function Enable-NetFirewallRule NetSecurity
Function Get-NetFirewallAddressFilter NetSecurity
Function Get-NetFirewallApplicationFilter NetSecurity
Function Get-NetFirewallInterfaceFilter NetSecurity
Function Get-NetFirewallInterfaceTypeFilter NetSecurity
Function Get-NetFirewallPortFilter NetSecurity
Function Get-NetFirewallProfile NetSecurity
Function Get-NetFirewallRule NetSecurity
Function Get-NetFirewallSecurityFilter NetSecurity
Function Get-NetFirewallServiceFilter NetSecurity
Function Get-NetFirewallSetting NetSecurity
Function New-NetFirewallRule NetSecurity
Function Remove-NetFirewallRule NetSecurity
Function Rename-NetFirewallRule NetSecurity
Function Set-NetFirewallAddressFilter NetSecurity
Function Set-NetFirewallApplicationFilter NetSecurity
Function Set-NetFirewallInterfaceFilter NetSecurity
Function Set-NetFirewallInterfaceTypeFilter NetSecurity
Function Set-NetFirewallPortFilter NetSecurity
Function Set-NetFirewallProfile NetSecurity
Function Set-NetFirewallRule NetSecurity
Function Set-NetFirewallSecurityFilter NetSecurity
Function Set-NetFirewallServiceFilter NetSecurity
Function Set-NetFirewallSetting NetSecurity
Function Show-NetFirewallRule NetSecurity

About Author 

Anoop is a Microsoft MVP and Veeam Vanguard! He is a Solution Architect on enterprise client management with more than 13 years of experience (calculation done on the year 2014) in IT. He is a Blogger, Speaker and Local User Group Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc.

Posted in: ConfigMgr (SCCM), PowerShell, SCCM, SCCM 2012

4 Comments

  1. dexterposh says:

    Nice Post Anoop !
    Glad to see more PowerShell creeping into your posts 😉
