SCCM ConfigMgr Client How to Create Windows Firewall Outbound Rules Using PowerShell. Don’t disable Windows Firewall in your SCCM labs.
Is Windows Firewall disabled in your SCCM / ConfigMgr client machine? Is this because you are lazy to configure or create Inbound and Outbound rules for the applications like SCCM?
OK, I’m also becoming lazy these days for some good reasons š We can use PowerShell commands to create and enable firewall rules, and it’s not complex at all.
SCCM ConfigMgr Client How to Create Windows Firewall
In this post, I will give a walk-through to create Outbound Windows Firewall rules for SCCM / ConfigMgr 2012 client using PowerShell commands.
I’ve already blogged about creating Inbound rules in Windows Firewall. More detailsĀ on How to Create Windows Firewall Inbound Rules for SCCM ConfigMgr 2012 Client. Following are the topic that I’m going to cover in this post.
1. Import the Powershell Security module for Windows Firewall
2. Powershell command to list all the noun commands which has “Firewall” word
3. PowerShell command to Edit/Enable the Outbound Predefined rule in Windows Firewall
4. PowerShell command to create a predefined rule in Windows Firewall
5. Powershell command to Create Outbound Firewall rule for TCP Port
6. Powershell command to Create Outbound Firewall rule for UDP Port
7. List of all the noun commands which has “Firewall” word
Each topic is covered with screenshots and respective PowerShell commands. I’m still learning PowerShell (taking baby steps), so there could be other/better ways to achieve this task. All these topics are selected forĀ SCCM 2012 client outbound communication port requirements. SCCM ConfigMgr Client How to Create Windows Firewall Outbound Rules Using PowerShell?
1. Import the Powershell Security module for Windows Firewall.
We need to load the Windows Firewall Module as shown in the command line. Ensure that you run all these following commands with Windows PowerShell ISE as administrator.
PS C:\Windows\system32> Import-Module NetSecurity
2. Powershell command for listing all the noun commands which has “Firewall” word
GCM command will give us a List of all the noun commands which has “Firewall” word. More Detailed Table of available commands at the bottom of the post.
PS C:\Windows\system32> gcm -noun *Firewall*
3. PowerShell command to Edit/Enable the Predefined rule in Windows Firewall
Run the PowerShell command to Edit/Enable the Predefined rule in Windows Firewall for File and Printer Sharing Group.
This is a bit tricky as there are two parts to it. When we already have Windows Firewall rules for the File and Printer sharing group, we can run the following command to enable those rules. The second part is covered in point #4. For SCCM/ConfigMgr 2012 client, we need to allow theĀ Inbound and Outbound Firewall rules for all the predefined ones under File and Printer Sharing group.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Outbound | Set-NetFirewallRule -Enabled True -Direction Outbound
All the Firewall Rules related to File and Printer Sharing are disabled
Run the following Powershell command to LIST and enable already created rules under File and Printer Sharing
LIST Command:- (Get-NetFirewallRule -DisplayGroup “File and Printer Sharing” -Direction Outbound).DisplayName
To Enable:- Get-NetFirewallRule -DisplayGroup “File and Printer Sharing” -Direction Outbound | Set-NetFirewallRule -Enabled True -Direction Outbound
Ā Rules under the File and Printer sharing group has been enabled now
4. PowerShell command to create a predefined rule in Windows Firewall
When there are no Predefined firewall rules present in the Windows Firewall console, then we can’t use the SET-NetFirewallRule PowerShell command. Rather we should use New-NetFirewallRule to create a new predefined rule in Windows Firewall console.
Powershell command:- New-NetFirewallRule -DisplayName “File and Printer Sharing (NB-Datagram-Out)” -group “File and Printer Sharing” -Enabled True -Protocol udp -RemotePort 138 -Direction Outbound
File and Printer Sharing (NB-Datagram-Out) rule has been created. Result screenshot after running the Powershell as mentioned above command.
5. Powershell command to Create Outbound Firewall rule for TCP Port
Run the following Powershell command to create Outbound Firewall rule for TCP Port 80 HTT communicationon
Powershell CMD : – New-NetFirewallRule -direction outbound -InterfaceType Any -Protocol TCP -RemotePort 80 -DisplayName “HTTP Communication”
Run the following command to create Outbound Firewall rule for Client Notification TCP Port 10123
PS C:\Windows\system32> New-NetFirewallRule -direction outbound -InterfaceType Any -Protocol TCP -RemotePort 10123 -DiplayName “Client Notification TCP Port”Name : {42455662-3830-407c-9d1c-ee74b0313a73}
DisplayName : Client Notification TCP Port
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Allow
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus: OK
Status: The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
6. Powershell command to Create Outbound Firewall rule for UDP Port
When you use Network access protection and Wake on Lan then you need to open following UDP ports as well
- Outbound: UDP 67 and UDP 68 for DHCP
- Outbound: TCP 80/443 for IPsec
- Outbound: UDP Port 25536
- Outbound: UDP Port 9
PS C:\Windows\system32> New-NetFirewallRule -direction outbound -InterfaceType Any -Protocol UDP -RemotePort 67,68,25536,9 -DisplayName “aNetwork Access point UDP Ports”
7. List of all the noun commands which has “Firewall” word
| CommandType | Name | ModuleName |
|---|---|---|
| Function | Copy-NetFirewallRule | NetSecurity |
| Function | Disable-NetFirewallRule | NetSecurity |
| Function | Enable-NetFirewallRule | NetSecurity |
| Function | Get-NetFirewallAddressFilter | NetSecurity |
| Function | Get-NetFirewallApplicationFilter | NetSecurity |
| Function | Get-NetFirewallInterfaceFilter | NetSecurity |
| Function | Get-NetFirewallInterfaceTypeFilter | NetSecurity |
| Function | Get-NetFirewallPortFilter | NetSecurity |
| Function | Get-NetFirewallProfile | NetSecurity |
| Function | Get-NetFirewallRule | NetSecurity |
| Function | Get-NetFirewallSecurityFilter | NetSecurity |
| Function | Get-NetFirewallServiceFilter | NetSecurity |
| Function | Get-NetFirewallSetting | NetSecurity |
| Function | New-NetFirewallRule | NetSecurity |
| Function | Remove-NetFirewallRule | NetSecurity |
| Function | Rename-NetFirewallRule | NetSecurity |
| Function | Set-NetFirewallAddressFilter | NetSecurity |
| Function | Set-NetFirewallApplicationFilter | NetSecurity |
| Function | Set-NetFirewallInterfaceFilter | NetSecurity |
| Function | Set-NetFirewallInterfaceTypeFilter | NetSecurity |
| Function | Set-NetFirewallPortFilter | NetSecurity |
| Function | Set-NetFirewallProfile | NetSecurity |
| Function | Set-NetFirewallRule | NetSecurity |
| Function | Set-NetFirewallSecurityFilter | NetSecurity |
| Function | Set-NetFirewallServiceFilter | NetSecurity |
| Function | Set-NetFirewallSetting | NetSecurity |
| Function | Show-NetFirewallRule | NetSecurity |
| Function | Show-NetFirewallRule | NetSecurity |
Author
AnoopĀ isĀ Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…
Nice Post Anoop !
Glad to see more PowerShell creeping into your posts š
Thank you Deepak ! You’re my inspiration in powershell !