Firewall CSP blocks WNS communication

Question

Firewall CSP blocks WNS communication

Doodoogama 0

We deployed a firewall CSP with following config:

DefaultInboundAction,DefaultOutboundAction Block
DisableInboundNotifications, DisableOutboundNotifications False

Once applied, device is unable to receive any WNS notification. WNS comm completely stopped. We have to allowlist WpnService in both inbound and outbound rules.

Have several questions:

OMADMClient and other MDM-related services are by-default allowlisted. (could see them in firewall rules UI), is there any reasons critical service like WNS is not allowlisted by-default?
In order for WNS to perform properly, is it sufficient to just allowlist WpnService? we noticed there's also a user-lvl WNS service (WpnUserService_randomId)
- how OMADMClient interacts with WpnService? (interprocess?)
  - WpnUserService unique id changes every time during user signon. does Firewall CSP take wildcard?

Thanks

1 answer

Your answer

Answer 1

Crystal-MSFT 53,991 Microsoft External Staff

@Doodoogama, Thanks for posting in Q&A.

For WNS Traffic, you can add the list of approved WNS FQDNs or VIPs to their exemption list to allow the WNS traffic to pass through the firewall. Here is a link with more details:

https://learn.microsoft.com/en-us/windows/apps/design/shell/tiles-and-notifications/firewall-allowlist-config

For the reason why the WNS is not allowed by default, this is not mentioned in official article. You can feedback to windows to see if it can be added into the default allow list in the future.

Hope the above information can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Doodoogama 0 Reputation points

2023-07-26T20:18:36.04+00:00

Hi @Crystal-MSFT Thanks for the prompt answer. our scenario is not on network lvl firewall but the windows defender firewall itself, before traffic reaching network.

the windows firewall rules are not based on source or destination but instead based on the clients initiating/receiving traffic.

Please take a look at the firewall CSP we used https://learn.microsoft.com/en-us/windows/client-management/mdm/firewall-csp#mdmstorefirewallrulesfirewallrulenameappservicename

the allowlist is based on servicename. e.g. the screenshot is for default rules on OMA-DM client. however, you could see wpnservice is not in default rules.
Crystal-MSFT 53,991 Reputation points Microsoft External Staff

2023-07-27T06:29:01.64+00:00

@Doodoogama, Thanks for the reply. Yes, the WNS service is not in the allow list. You can feedback in the following to see if we can add it into the default allow list in the future:

https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472

Share via

Firewall CSP blocks WNS communication

1 answer

Your answer