How to Create Windows Firewall Inbound Rules for SCCM ConfigMgr Client Configuration Manager ConfigMgr. Creating Windows Firewall Rules for SCCM or ConfigMgr clients is pretty straightforward.
I was trying to deploy a client in my lab, and I don’t want to disable Windows Firewall to get SCCM 2012 client to work.
Normally, I used to disable Windows Firewall in the LAB environment to have easy life ;). In this case, the SCCM 2012 client push was not working because Firewall was getting in between.
Create Windows Firewall Inbound Rules
The documentation provided in Technet for creating Windows Firewall Rule Settings is excellent. More details TechNet documentation. However, I felt like this kind of post would be very helpful for newbies.
This will help them create and master Inbound rules in Windows Firewall settings.
I’ve another post which talks “How to Create Windows Firewall Outbound Rules Using PowerShell for SCCM ConfigMgr 2012 Client.”
We’ll learn how to create Inbound Windows Firewall Rules for SCCM (ConfigMgr) clients through this post. SCCM client uses components like WMI, RPC End Point Mapper, Remote Control, ICMP for wakeup lan & File, and Printer Sharing to communicate with SCCM site servers.
These connections/communications are blocked by Windows Firewall (by default), so we need to specifically open the required ports and applications, whichever is needed.
This step-by-step guide (not very specific to SCCM/ConfigMgr) will help anyone create an Inbound Windows Firewall rule(s). We can create windows Firewall inbound Rule with different rule types like Program, Port, Predefined, and custom. I’ll cover the guide to creating Outbound Rules in Windows Firewall in the next post.
How to Create Windows Firewall Inbound Rules for SCCM
In this post, I’m going to cover the following step-by-step guides. I’ve not covered all the Firewall rules required for all the features of SCCM 2012. However, I tried to cover one example each with all scenarios.
- How to Create “WMI” Inbound Windows Firewall Rule for SCCM ConfigMgr 2012 client push?
- How to Create “File and Printer Sharing” Inbound Firewall Rule for SCCM ConfigMgr client?
- How to Configure Windows Firewall to “Allow ICMP or Ping Response”?
- How do we create an inbound “custom port TCP or UDP in Windows Firewall?
How to Create WMI Inbound Windows Firewall Rule for SCCM ConfigMgr 2012 client push?
- Type WF from the command prompt to launch Windows Firewall with Advanced Security
2. On the Windows Firewall with Advanced Security page, Right-click on Inbound Rules and click on the new rule.
3. On the Rule Type page, Select the Predefined Rule Creation option and from the drop-down list, select the Windows Management Instrumentation (WMI) rule and click NEXT
4. On the Predefined Rules page, we need to select all the rules of WMI Inbound connections, which we need to enable for Client push and other SCCM ConfigMgr related activities, then Click NEXT.
Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (WMI-In), Windows Management Instrumentation (DCOM-In), Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (WMI-In), and Windows Management Instrumentation (DCOM-In) are the rules which we’re going to create.
5. On the Action page Select Allow the Connection option in the WMI inbound rule and click FINISH
How to Create File and Printer Sharing Inbound Windows Firewall Rule for SCCM ConfigMgr client?
- On the Windows Firewall with Advanced Security page, Right-click on Inbound Rules and click on the new rule.
2. On the Rule Type page, Select the Predefined Rule Creation option and from the drop-down list, select the File and Printer Sharing rule and click NEXT
3. On the Predefined Rules page, we need to select all the rules of File and Printer Sharing Inbound connections, which we need to enable Client push and other SCCM ConfigMgr related activities, then Click NEXT.
4. On the Action page Select Allow the Connection option inbound rule page and click FINISH.
How to Configure Windows Firewall to Allow ICMP or Ping Response?
Note : When you're running SCCM /ConfigMgr 2012 R2 and above then you don't need to create this inbound Windows Firewall rule for Wakeup Proxy at SCCM Client side.
- On the Windows Firewall and Advanced Security page, Right-click on Inbound Rules and click on the new rule.
2. On the Rule Type page, Select Rule Type as Custom, then click Next.
3. On the PROGRAM page, Select All Programs and click NEXT.
4. On the Protocols and Ports page, click the drop-down for Protocol type, select ICMPv4, and click the Customize button.
5. In the Customize ICMP Settings dialog box, we need to click on Specific ICMP types, select Echo-Request, and click OK.
And on the Inbound Wizard page, click NEXT.
6. On the SCOPE page, we need to select Any IP Address under the session “which local IP addresses does this rule apply to” and Any IP Address under the session “which remote IP addresses does this rule apply to”
7. We need to select Allow the connection and click on the action page.
8. On the Profile page, select all the profiles (Domain, Private and Public); however, to wake up a proxy, you would require only Domain and hit NEXT.
9. On the Name page, Select a suitable name for the Inbound rule and then click FINISH.
How do we create an inbound custom port TCP or UDP in Windows Firewall?
From the ConfigMgr SCCM client perspective, we need to create Inbound rules for the following ports TCP Port 2701 for Remote Control and TCP port 135 for Remote Assistance + Remote Desktop.
- On the Windows Firewall and Advanced Security page, Right-click on Inbound Rules and click on the new rule.
2. On the Rule Type page, Select Rule Type as Port, then click Next.
3. On the Protocol and Ports page, we must specify the protocols and ports to which this rule applies. Select TCP or UDP protocol depending upon your requirements. After that, type in the local ports, then click next.
4. On the Action page Select Allow the connection and click NEXT.
5. On the profile page, select all the required profiles as per your requirements. I’ve selected all the available three profiles and then clicked NEXT.
6. On the Name page, Select a suitable name for the Inbound rule and then click FINISH.
Following are the Name of Inbound rules which I’ve created for SCCM ConfigMgr.
| Name | Group | Profile | Enabled | Action |
|---|---|---|---|---|
| ICMP Wake-up proxy communication | All | Yes | Allow | |
| RPC End Point Mapper | All | Yes | Allow | |
| Configuration Manager remote control | All | Yes | Allow | |
| Windows Management Instrumentation (ASync-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (WMI-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (DCOM-In) | Windows Management Instrumentation (WMI) | Private, Public | Yes | Allow |
| Windows Management Instrumentation (ASync-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| Windows Management Instrumentation (WMI-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| Windows Management Instrumentation (DCOM-In) | Windows Management Instrumentation (WMI) | Domain | Yes | Allow |
| File and Printer Sharing (LLMNR-UDP-In) | File and Printer Sharing | All | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv6-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv4-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC-EPMAP) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Datagram-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Name-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (SMB-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (NB-Session-In) | File and Printer Sharing | Private, Public | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv6-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Echo Request – ICMPv4-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC-EPMAP) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (Spooler Service – RPC) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Datagram-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Name-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (SMB-In) | File and Printer Sharing | Domain | Yes | Allow |
| File and Printer Sharing (NB-Session-In) | File and Printer Sharing | Domain | Yes | Allow |
Resources
SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Hi,
So you are opening WMI, File print and sharing, RDP,…on the Public profile of the firewall, that means your clients are vulnerable when outside the corporate network.
Isn’t it a security risk to allow all these for laptops of roaming users?
Some of the ports are required only when you use client push. If you don’t client push, you don’t need to open those ports file print etc..
There has to be a more minimal set of rules to allow Client Push but disable other unsafe rules.
Excellent site, by the way!
This article should be called “How to ensure that you get hacked”
No one should be exposing all these ports to the public profile, you’re just asking to get compromised.
OK. We also ask MS to remove this information from their docs as well.