MSEndpointMgr

Use Compliance Settings to determine if Windows Firewall is enabled

Compliance Settings in ConfigMgr 2012 is a great feature that can be used for a variety of things. It’s used to validate the compliance of certain settings on devices against rules that returns the compliant or non-compliant state. One thing you could use Compliance Settings for is to check the compliance state of the Windows Firewall, if it’s enabled or disabled. Even better, check if the connected profile in Windows Firewall is enabled or disabled.
In this blog post I’ll demonstrate how to make use of Compliance Settings to determine a compliant state if the connected profile of Windows Firewall is enabled. If it’s disabled, we’ll treat it as of non-compliant.

Overview

  • Create a Configuration Item
  • Create a Configuration Baseline
  • Deploy the Configuration Baseline
  • Verify that a device has evaluated the Configuration Baseline

Create a Configuration Item

Configuration Item is used to define a configuration and associated validation criteria to be assessed for compliance on devices. We’ll create a single Configuration Item for the purpose of this scenario, and later associate it with a Configuration Baseline. Before we begin, we need to have the main component for the Configuration Item, and that’s the script below. This script is taken from MSDN, and modified slightly in order to work in this scenario.

Option Explicit
Dim CurrentProfiles
Dim LowerBound
Dim UpperBound
Dim iterate
Dim excludedinterfacesarray
Dim strWFStatus
Const NET_FW_PROFILE2_DOMAIN = 1
Const NET_FW_PROFILE2_PRIVATE = 2
Const NET_FW_PROFILE2_PUBLIC = 4
Const NET_FW_ACTION_BLOCK = 0
Const NET_FW_ACTION_ALLOW = 1
Dim fwPolicy2
Set fwPolicy2 = CreateObject("HNetCfg.FwPolicy2")
CurrentProfiles = fwPolicy2.CurrentProfileTypes
strWFStatus = "False"
If ( CurrentProfiles AND NET_FW_PROFILE2_DOMAIN ) Then
   If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_DOMAIN) = TRUE Then
      strWFStatus = "True"
   End If
End If
If ( CurrentProfiles AND NET_FW_PROFILE2_PRIVATE ) Then
   If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PRIVATE) = TRUE Then
      strWFStatus = "True"
   End If
End If
If ( CurrentProfiles AND NET_FW_PROFILE2_PUBLIC ) Then
   If fwPolicy2.FirewallEnabled(NET_FW_PROFILE2_PUBLIC) = TRUE Then
      strWFStatus = "True"
   End If
End If
WScript.Echo(strWFStatus)

1. Open the ConfigMgr console and go to Assets and Compliance.
2. Expand Compliance Settings, right-click on Configuration Items and click Create Configuration Item.
93_1
3. In the Name field, enter a name that suits the purpose of the Configuration Item and click Next.
93_2
4. On the Supported Platforms page, select the operating system platforms that this Configuration Item will be assessed for compliance on and click Next.
5. Click the New button on the Settings page.
6. In the Create Settings window that appears, make the following selections:

  • Name: Windows Firewall Setting
  • Setting type: Script
  • Data type: String

93_3
7. Click on Add Script in the Discovery script section.
8. In the Edit Discovery Script window, select VBScript as the Script language. In the Script field, paste the script from above and click OK.
93_4
9. Back in the Create Setting window, go to the Compliance Rules tab and click on New.
93_5
10. In the Create Rule window, make the following changes:

  • Name: Windows Firewall Rule
  • Rule type: Value
  • The following values: True
  • Noncompliance severity for reports: Warning

93_6
Click on OK.
11. Back in the Create Setting window, click OK.
12. On the Settings page, click Next.
93_7
13. On the Compliance Rules page, click Next (we’ve already create a rule for this Configuration Item).
14. Click Next on the Summary page.
15. And finally on the Completion page, click Close.

Create a Configuration Baseline

The Configuration Baseline can be described as a container for a single or several Configuration Data (Configuration Item, Configuration Baseline and Software Updates) items. All of the Configuration Data items in the baseline needs to be compliant for the Configuration Baseline to be assessed as compliant. For our scenario to assess the compliance of the Windows Firewall, we’ll add our newly created Configuration Item called Check compliance state of Windows Firewall to a new Configuration Baseline.
1. In the Assets and Compliance node, expand Compliance Settings, right-click on Configuration Baseline and click Create Configuration Baseline.
2. In the Create Configuration Baseline window, make the following changes:

  • Name: Windows Firewall Compliance Check
  • Description: If the connected profile of Windows Firewall is enabled, it’s considered compliant

Click on Add and select Configuration Items.
93_8
3. In the Add Configuration Items window, select the Check compliance state of Windows Firewall and click Add.
93_9
4. Click on OK.
5. Back in the Create Configuration Baseline window, click OK.

Deploy the Configuration Baseline

In order for devices to evaluate the compliance state of a Configuration Baseline, the Configuration Baseline needs to be deployed to a collection. The members of that collection will then during the next Machine Policy Refresh Cycle grab the policy containing the information about this Configuration Baseline. Depending on Client Settings, the Configuration Baseline will be evaluated on the device in according to specified schedule. The default schedule is set to every 7 days. You also have the option to specify a schedule for each Configuration Baseline upon when you deploy it. The default value matches the value specified in the Client Settings.
93_10
1. In the Assets and Compliance node, expand Compliance Settings and select Configuration Baselines.
2. Select the Windows Firewall Compliance Check, right-click and click Deploy.
3. In the Deploy Configuration Baselines window, click on Browse and select a collection that you wish the members of should check the compliance state. Click on OK.
93_11

Verify that a device has evaluated the Configuration Baseline

On a Device, go to Control Panel, System and Security and open the Configuration Manager applet. In the Configurations tab you’ll see what Configuration Baselines the client will evaluate at it’s specific schedule. As shown in the picture below, our Configuration Baseline was evaluated to be Compliant.
93_12
That’s all!

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

4 comments

  • Hi
    This does not work on Windows 10, FW disabled on all profiles, yet the script returns True.

  • Great work!!! Can you also point to the table where this information are stored in CM DB. or any other way to pull out the report

  • Thanks for this – really very useful. A couple of things – once completed – can this list be converted into a report/query and how easy is it to then remediate all the failed ones to true?

Sponsors