MEM CB 2111 is turning on "Windows Defender Firewall Remote Management" rules

Marc Goff 1 Reputation point
2022-01-28T12:50:24.04+00:00

We recently upgraded from CB 2010 to 2111 (site version 5.0.9068.1000). After this upgrade, we have noticed that two of the rules we disable by default on all servers, the "Windows Defender Firewall Remote Management" rules (RemoteFwAdmin-RPCSS-In-TCP and RemoteFwAdmin-In-TCP), are being re-enabled automatically by the CM client. We originally thought some patch or defender update had turned it on for some reason. We disabled the rules on the servers, but the next day the rules were re-enabled.

The Windows Defender firewall event log shows this process as the modifying Application: C:\Windows\System32\wbem\WmiPrvSE.exe. I have used sysmon to try and track deeper and didn't get anything more useful than this. When I disable the ccmexec service and disable the FW rules again, they do not get re-enabled until I start the ccm service and almost immediately the rules are enabled again.

We have not changed any of our configurations in CM in relation to Defender in years at this point and we have no policies in any of the "Endpoint Protection" areas except "Antimalware Policies". We monitor firewall status with another tool.

I have searched through the release notes for every upgrade and patch from 2010 to 2111 and I can't find anything that mentions "firewall". Perhaps my search wasn't deep enough though.

My questions are, is this expected behavior now? Is there a way to stop this from happening? Will this break some new functionality if these rules are disabled?

When the rules are re-enabled, they are set to remote address "any". I have not tried limiting the remote addresses to see if, when they get enabled, they keep the address restriction or not. We never bothered to limit them since we disable the rules at server setup time. I'll do that today to see if I can at least mitigate some of the drift from our security policy.

Microsoft Configuration Manager

4 answers

  1. AllenLiu-MSFT 41,691 Reputation points Microsoft Vendor
    2022-01-31T06:21:25.36+00:00

    Hi, @Marc Goff

    Thank you for posting in Microsoft Q&A forum.

    I'm using SCCM 2107 and I checked my clients; the two rules are not enabled automatically.
    And I'm trying to upgrade my SCCM to the version 2111 to see if it will be enabled.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Marc Goff 1 Reputation point
    2022-02-04T14:48:18.893+00:00

    It seems another symptom of installing the latest CM client is that the Windows event log sizes are also being reset back to defaults of 32MB. We had seen a number of servers that we had increased various event log sizes be reset and we had a hunch it was the CM client install. Today we had a machine that was managed by CM, but still had an older client. As soon as we upgraded the client, the event log was set back to 32MB. This seems to be a one time thing, not something that keeps getting reset like the Defender firewall management rules.

    Anyone have any leads/thoughts on this issue?


  3. Marc Goff 1 Reputation point
    2022-02-04T21:32:31.307+00:00

    Thanks Jason. We don't have a support contract, but that is a great idea to submit feedback.

    Digging into the timing a bit more, the event ID 2005 in the "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" that shows the rule being re-enabled happened at 2/4/2022 12:25:00 PM. Looking at the CCM logs, I see the following entries that match that time exactly and do mention the "firewall provider". I examined the c:\windows\ccm\EPAMPolicy.xml as well and didn't see any references to firewalls.

    Sending message for schedule 'Machine/{00000000-0000-0000-0000-000000000221}' (Target: 'direct:EndpointProtectionAgent', Name: '')  Scheduler   2/4/2022 12:25:00 PM    8984 (0x2318)
    Sending message for schedule 'Machine/{00000000-0000-0000-0000-000000000222}' (Target: 'direct:EndpointProtectionAgent', Name: '')  Scheduler   2/4/2022 12:25:00 PM    9112 (0x2398)
    SMSTrigger '0181194000100400' for scheduler 'Machine/{00000000-0000-0000-0000-000000000221}' will fire at 02/04/2022 05:27:00 PM with randomization.    Scheduler   2/4/2022 12:25:00 PM    8984 (0x2318)
    Endpoint is triggered by message.   EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Endpoint is triggered by message.   EndpointProtectionAgent 2/4/2022 12:25:00 PM    8984 (0x2318)
    This machine is not a workstation, returning false for MDMIsExternallyManaged.  EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Not a workstation, this device is SCCM managed. EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy. EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Defender detected   EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Check and enforce EP Deployment state.  EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    This machine is not a workstation, returning false for MDMIsExternallyManaged.  EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Not a workstation, this device is SCCM managed. EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Endpoint protection workload is NOT migrated to Intune. SCCM will apply policy. EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    EP Client is already installed, will NOT trigger reinstallation.    EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Sending message to external event agent to test and enable notification EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Sending message to endpoint ExternalEventAgent  EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    SMSTrigger '0181194000100008' for scheduler 'Machine/{00000000-0000-0000-0000-000000000222}' will fire at 02/05/2022 01:27:00 PM with randomization.    Scheduler   2/4/2022 12:25:00 PM    9112 (0x2398)
    CExternalEventEndpoint::HandleMessage.  ExternalEventAgent  2/4/2022 12:25:00 PM    5304 (0x14B8)
    Start to execute action for hint TestAndEnableEndpointNotification  ExternalEventAgent  2/4/2022 12:25:00 PM    5304 (0x14B8)
    Start to test and renew notification for group: EndpointProtection  ExternalEventAgent  2/4/2022 12:25:00 PM    5304 (0x14B8)
    Already registered, skip renew. ExternalEventAgent  2/4/2022 12:25:00 PM    5304 (0x14B8)
    CExternalEventEndpoint::HandleMessage finished. ExternalEventAgent  2/4/2022 12:25:00 PM    5304 (0x14B8)
    EP Policy Default Client Antimalware Policy
    UMS Servers Default Endpoint Protection Policy is already applied.  EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Firewall provider is installed. EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Installed firewall provider meet the requirements.  EndpointProtectionAgent 2/4/2022 12:25:00 PM    7368 (0x1CC8)
    Termination event received for process 5948 mtrmgr  2/4/2022 12:25:00 PM    3808 (0x0EE0)
    Sending message for schedule 'Machine/{00000000-0000-0000-0000-000000000022}' (Target: 'direct:PolicyAgent_PolicyEvaluator', Name: '')  Scheduler   2/4/2022 12:25:01 PM    5304 (0x14B8)
    Schedule 'Machine/{00000000-0000-0000-0000-000000000022}' with simple interval trigger (every 15 minutes) next fire will be after 15 minutes (with 0 random delay). Scheduler   2/4/2022 12:25:01 PM    5304 (0x14B8)
    

    Additionally, we are seeing all our 2012R2 servers set the RemoteAddress property to "127.0.0.1" and wiping out the addresses we have set. Other OSes are keeping the addresses we specified.

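An added example, not code from the thread or from Configuration Manager: a PowerShell audit that reports the current state and remote-address scope of the two rules named in the question, and pulls the event ID 2005 entries from the firewall log named in the reply above so the modifying application (WmiPrvSE.exe in the poster's case) can be seen per change. It assumes the built-in NetSecurity cmdlets and the event data field names RuleName, RemoteAddresses, ModifyingUser and ModifyingApplication; the -Remediate switch re-applies the poster's baseline of leaving both rules disabled.

```powershell
# Added example (not from the thread): audit the "Windows Defender Firewall Remote Management"
# rules and list firewall-log events that modified them. Assumes the NetSecurity module.
param(
    [int]$HoursBack = 24,
    [switch]$Remediate   # when set, disable the rules again (the poster's baseline)
)

$RuleNames = 'RemoteFwAdmin-In-TCP', 'RemoteFwAdmin-RPCSS-In-TCP'
$LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# 1. Current state of the rules, including remote-address scope ("Any" counts as drift).
foreach ($rule in Get-NetFirewallRule -Name $RuleNames -ErrorAction SilentlyContinue) {
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    [pscustomobject]@{
        Rule          = $rule.Name
        Enabled       = $rule.Enabled
        RemoteAddress = $addr
        Drift         = ($rule.Enabled -eq 'True') -or ($addr -eq 'Any')
    }
    if ($Remediate -and $rule.Enabled -eq 'True') {
        Set-NetFirewallRule -Name $rule.Name -Enabled False
    }
}

# 2. Who changed them: event 2005 is "a rule has been modified". The event XML is parsed so
#    fields are looked up by name (assumed names: RuleName, ModifyingApplication, ...).
$filter = @{ LogName = $LogName; Id = 2005; StartTime = (Get-Date).AddHours(-$HoursBack) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    # Match on the display name shared by both rules (RPC and RPC-EPMAP variants).
    if ($d.RuleName -match 'Windows Defender Firewall Remote Management') {
        [pscustomobject]@{
            Time                 = $_.TimeCreated
            Rule                 = $d.RuleName
            RemoteAddresses      = $d.RemoteAddresses
            ModifyingUser        = $d.ModifyingUser
            ModifyingApplication = $d.ModifyingApplication
        }
    }
}
```

Running it on a schedule and diffing the Drift column against the previous run shows how often the client re-enables the rules, and the Time column can be lined up with the EndpointProtectionAgent entries in the CCM logs as the poster did.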

  4. Marc Goff 1 Reputation point
    2022-05-17T18:51:26.043+00:00

    I did send in feedback about this issue, but never heard back from anyone.

    Between this sort of thing and the Cortana, "Your Account" and various other client OS type rules they add on servers automatically, it's super frustrating how much Microsoft changes firewall rules in a direction that makes us more insecure with no explanations or ability to control. There should be an easy way to tell a server OS, don't add any new inbound rules. Would be happy to hear that there is and I just missed it all these years.
