Since the 1st of February, we have observed a new behaviour within an On-Prem AD and Windows 10. (After Patch Tuesday 31st Jan).
For any GPO defined with setting:
Computer Configuration/Policies/Windows settings/Security Settings/Windows Defender Firewall with Advanced Security
Regardless of the state of the Windows firewall, these GPO policies will persist.
I.e., even if the firewall is disabled via the GUI, Windows will keep applying any rules defined via GPOs.
Is this a bug or a feature?
Removing any mis-configured rules in this scenario can be difficult.
Any GPO rule can be found using Get-NetFirewallRule; the Name field will be a GUID and the DisplayName will be a user-recognisable string.
They will have PolicyStoreSourceType GroupPolicy.
Remove-NetFirewallRule will not work with these rules.
For example, I created a new policy to block some UDP traffic. The wizard had a target-port input, but somehow lost that value. Thus it started to block all outgoing UDP traffic.
As a result, the AD server could not be reached to refresh the disabled GPO.
Resolution - To remove a Windows firewall rule in this scenario, the "Name" value reported by Get-NetFirewallRule needs to be removed from HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall
I.e.: Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules" -Name "{BC5EF541-FE5D-48C9-B941-1CAFA967471C}"
Then reboot the machine for the change to take effect.
In my situation, I was fortunate enough that I could still open a PS-Session onto the affected machines.
Additionally - In a scenario where an AD server can't be reached, what tools can a sysadmin use to nuke out a policy without talking to the AD?
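The identify-and-remove steps described in the post above (Get-NetFirewallRule to find GroupPolicy-sourced rules, then Remove-ItemProperty on the FirewallRules policy key, then reboot), collected into a script. This is an added example, not code from the original post; it assumes it is run as Administrator on the affected machine (locally or through a PS-Session), the function names are my own, it backs up the policy key with reg.exe before touching it, and it supports -WhatIf so the removal can be previewed. The GUID in the usage line is the one quoted in the post.

```powershell
# Added example (not from the original post): list firewall rules that come from
# Group Policy and remove one of them by GUID from the local policy registry key.
# Assumes: elevated PowerShell on the affected host; function names are hypothetical.

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
$PolicyKeyReg = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'   # reg.exe syntax

function Get-GpoFirewallRule {
    # Rules applied from Group Policy. 'Name' is the GUID that doubles as the
    # registry value name under $PolicyKey; 'DisplayName' is the human-readable name.
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
        Select-Object Name, DisplayName, Enabled, Direction, Action
}

function Remove-GpoFirewallRuleFromRegistry {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$RuleName,                         # e.g. '{BC5EF541-...}'
        [string]$BackupPath = "$env:TEMP\FirewallRules-backup.reg"     # constructed default path
    )

    if (-not (Test-Path $PolicyKey)) {
        throw "Policy key not found: $PolicyKey (no GPO firewall rules applied?)"
    }

    # Confirm the value exists and show its rule string before doing anything.
    $prop = Get-ItemProperty -Path $PolicyKey -Name $RuleName -ErrorAction SilentlyContinue
    if (-not $prop) { throw "No registry value named $RuleName under $PolicyKey" }
    Write-Verbose "Rule data: $($prop.$RuleName)"

    # Back up the whole FirewallRules key so the change can be reverted with reg.exe import.
    reg.exe export $PolicyKeyReg $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $PolicyKeyReg failed; aborting" }

    if ($PSCmdlet.ShouldProcess($RuleName, 'Remove GPO firewall rule registry value')) {
        Remove-ItemProperty -Path $PolicyKey -Name $RuleName
        Write-Warning 'Value removed. Reboot the machine for the firewall to drop the rule.'
    }
}

# Usage (run on the affected machine):
# Get-GpoFirewallRule | Format-Table -AutoSize
# Remove-GpoFirewallRuleFromRegistry -RuleName '{BC5EF541-FE5D-48C9-B941-1CAFA967471C}' -WhatIf
# Remove-GpoFirewallRuleFromRegistry -RuleName '{BC5EF541-FE5D-48C9-B941-1CAFA967471C}' -Verbose
```

Run the listing function first and match the DisplayName to the rule you actually intend to drop, since the GUIDs are not meaningful on their own; the -WhatIf call then shows exactly which value would be deleted without changing anything. Because the removal only edits the local policy cache, the same rule will come back the next time the machine successfully refreshes policy from a DC that still carries the GPO, so the GPO itself still needs to be corrected.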