How to Configure Windows Firewall via Group Policy
Deploy and manage Windows Firewall settings across multiple PCs using Group Policy. Create inbound/outbound rules, configure profiles, and enforce settings domain-wide.
Group Policy lets you configure Windows Firewall identically across all PCs in a domain — or locally via gpedit.msc on a single machine. No manual configuration on each PC.
Open Firewall GPO Settings
Domain: Group Policy Management Console → create or edit a GPO → Computer Configuration → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security
Local: gpedit.msc → same path
Configure Firewall Profiles via GPO
Right-click Windows Defender Firewall with Advanced Security → Properties
Three profile tabs — Domain, Private, Public:
- Firewall state: On (recommended)
- Inbound connections: Block (default)
- Outbound connections: Allow (default)
- Display a notification: No (reduces user interruptions)
# Verify firewall profile settings via PowerShell
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Create an Inbound Rule via GPO
Inbound Rules → right-click → New Rule
Example rule (allow RDP from the management subnet only):
- Rule Type: Custom
- Program: All programs
- Protocol: TCP, Local port: 3389
- Scope: Remote IP → add 192.168.1.0/24
- Action: Allow
- Profile: Domain
- Name: "Allow RDP from Management"
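The same scoped RDP rule as a PowerShell equivalent that writes straight into the GPO's policy store, added here as an example that is not from the original page. The domain name contoso.example and the GPO name "Workstation Firewall" are assumed placeholders; the subnet is the one from the steps above. Requires the NetSecurity and GroupPolicy (RSAT) modules and rights to edit the GPO.

```powershell
# Added example: create "Allow RDP from Management" directly in a domain GPO and verify it.
# Assumed placeholders: domain contoso.example, GPO "Workstation Firewall".
$PolicyStore = 'contoso.example\Workstation Firewall'   # format: "<domain>\<GPO display name>"
$RuleName    = 'Allow RDP from Management'
$MgmtSubnet  = '192.168.1.0/24'                         # management subnet from the steps above

# Open a GPO session so all edits are batched and written once by Save-NetGPO.
$gpo = Open-NetGPO -PolicyStore $PolicyStore

# Keep the GPO idempotent: if the rule already exists there, remove it before recreating.
if (Get-NetFirewallRule -GPOSession $gpo -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -GPOSession $gpo -DisplayName $RuleName
}

# Same settings as the GUI steps: TCP 3389 inbound, Domain profile only,
# scoped so that only the management subnet can reach RDP.
New-NetFirewallRule -GPOSession $gpo `
    -DisplayName   $RuleName `
    -Direction     Inbound `
    -Protocol      TCP `
    -LocalPort     3389 `
    -RemoteAddress $MgmtSubnet `
    -Profile       Domain `
    -Action        Allow `
    -Enabled       True | Out-Null

# Commit the batched changes to the GPO (nothing is written before this call).
Save-NetGPO -GPOSession $gpo

# Verify by reading the rule back from the GPO store and showing its scope and port filters.
$rule = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $RuleName
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
```

Clients pick the rule up at the next policy refresh; run gpupdate /force on a test machine and confirm with Get-NetFirewallRule -PolicyStoreSourceType GroupPolicy.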
Create Rules via PowerShell and Deploy
# Create rule locally (can also be scripted via GPO startup script)
New-NetFirewallRule -DisplayName "Allow HTTPS Outbound" `
-Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow `
-Profile Domain,Private
# Block an application via GPO startup script
New-NetFirewallRule -DisplayName "Block Torrent App" `
-Direction Outbound `
-Program "C:\Program Files\uTorrent\uTorrent.exe" `
-Action Block -Profile Any
# Export rules for import via GPO
netsh advfirewall export "C:\NETLOGON\firewall-policy.wfw"
Import Firewall Policy via GPO Startup Script
- Place firewall-policy.wfw in the SYSVOL or NETLOGON share
- GPO → Computer Configuration → Windows Settings → Scripts (Startup)
- Add script:
netsh advfirewall import "\\domain\NETLOGON\firewall-policy.wfw"
Block All Inbound Except Specified (Lockdown Mode)
# Set all profiles to block inbound
Set-NetFirewallProfile -Profile Domain,Private,Public `
-DefaultInboundAction Block -Enabled True
# Then add only the allow rules the host's role actually needs (the DNS rule below belongs only on a DNS server)
New-NetFirewallRule -DisplayName "Allow DNS" `
-Direction Inbound -Protocol UDP -LocalPort 53 -Action Allow
New-NetFirewallRule -DisplayName "Allow ICMP" `
-Direction Inbound -Protocol ICMPv4 -Action Allow
Audit Firewall Events via GPO
Enable auditing of dropped packets through GPO (events are written to the Security log, separate from the firewall's pfirewall.log file):
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit Filtering Platform Packet Drop → Success and Failure
# View blocked connection events (Event ID 5152 = Windows Filtering Platform blocked a packet; can be high-volume)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5152} -MaxEvents 20 |
Select-Object TimeCreated, Message
Verify GPO Firewall Rules Applied
# Check which rules came from GPO
Get-NetFirewallRule | Where-Object {$_.PolicyStoreSourceType -eq 'GroupPolicy'} |
Select-Object DisplayName, Direction, Action, Enabled
# Force GPO refresh
gpupdate /force
Summary
Use the Windows Defender Firewall with Advanced Security node of a GPO to deploy rules domain-wide. Set profiles to block inbound by default and add explicit allow rules for needed services. Use startup scripts to import complex rule sets via netsh advfirewall import. Verify applied rules with Get-NetFirewallRule | Where-Object {$_.PolicyStoreSourceType -eq 'GroupPolicy'}.