We recently upgraded from CB 2010 to 2111 (site version 5.0.9068.1000). After this upgrade, we have noticed that two of the rules we disable by default on all servers, the "Windows Defender Firewall Remote Management" rules (RemoteFwAdmin-RPCSS-In-TCP and RemoteFwAdmin-In-TCP), are being re-enabled automatically by the CM client. We originally thought some patch or Defender update had turned them on for some reason. We disabled the rules on the servers, but the next day the rules were re-enabled.
The Windows Defender Firewall event log shows this process as the modifying application: C:\Windows\System32\wbem\WmiPrvSE.exe. I have used Sysmon to try and track deeper and didn't get anything more useful than this. When I disable the ccmexec service and disable the FW rules again, they do not get re-enabled until I start the ccm service, at which point the rules are enabled again almost immediately.
We have not changed any of our configurations in CM in relation to Defender in years at this point and we have no policies in any of the "Endpoint Protection" areas except "Antimalware Policies". We monitor firewall status with another tool.
I have searched through the release notes for every upgrade and patch from 2010 to 2111 and I can't find anything that mentions "firewall". Perhaps my search wasn't deep enough though.
My questions are: is this expected behavior now? Is there a way to stop this from happening? Will this break some new functionality if these rules are disabled?
When the rules are re-enabled, they are set to remote address "any". I have not tried limiting the remote addresses to see whether they keep the address restriction or not when they get enabled. We never bothered to limit them since we disable the rules at server setup time. I'll do that today to see if I can at least mitigate some of the drift from our security policy.
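The checks described in the post (inspect the two RemoteFwAdmin rules, disable them and scope them to a management subnet instead of "any", and pull the firewall rule-change events that name the modifying application) can be scripted so the same server can be compared before and after restarting ccmexec. The PowerShell below is an added example for that purpose and is not from the original post or from Configuration Manager itself; the only names it takes from the post are the two rule names and the WmiPrvSE.exe path. The management subnet 10.0.0.0/24 is a hypothetical placeholder, and the script assumes an elevated session on a server with the NetSecurity module and the firewall operational log enabled.

```powershell
# Added example, not from the original post. Run elevated on the server under test.
# Assumption (hypothetical): 10.0.0.0/24 stands in for the real management subnet.

$RemoteFwAdminRules = @('RemoteFwAdmin-In-TCP', 'RemoteFwAdmin-RPCSS-In-TCP')
$ManagementSubnet   = '10.0.0.0/24'
$RulePattern        = ($RemoteFwAdminRules | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Current state of each rule: enabled flag, profile and remote address scope.
# -Name matches the rule's internal name (the one shown in the post), not its DisplayName.
function Get-RemoteFwAdminState {
    foreach ($name in $RemoteFwAdminRules) {
        $rule = Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue
        if (-not $rule) { Write-Warning "Rule $name not found"; continue }
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.Name
            Enabled       = $rule.Enabled
            Profile       = $rule.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

# Baseline from the post: rule disabled, and additionally scoped to the management
# subnet so that an unexpected re-enable does not expose the RPC endpoints to "any".
function Set-RemoteFwAdminBaseline {
    foreach ($name in $RemoteFwAdminRules) {
        if (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue) {
            Set-NetFirewallRule -Name $name -RemoteAddress $ManagementSubnet -Enabled False
        }
    }
    Get-RemoteFwAdminState
}

# Rule-change events from the firewall operational log: 2004 = rule added,
# 2005 = rule modified. Keep only events naming our rules and pull the
# "Modifying Application" line out of the message text.
function Get-RemoteFwAdminChangeEvents {
    param([int]$Days = 1)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004, 2005
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RulePattern } |
        ForEach-Object {
            $app = if ($_.Message -match 'Modifying Application:\s*(.+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                Time                 = $_.TimeCreated
                Id                   = $_.Id
                ModifyingApplication = $app
                FromWmiPrvSE         = ($app -like '*\wbem\WmiPrvSE.exe')
                Summary              = ($_.Message -split "`n")[0].Trim()
            }
        }
}

# Typical use: record the state, apply the baseline, restart the CM client, then re-check.
Get-RemoteFwAdminState
Set-RemoteFwAdminBaseline
Restart-Service -Name ccmexec
Start-Sleep -Seconds 120
Get-RemoteFwAdminState
Get-RemoteFwAdminChangeEvents -Days 1 | Format-Table -AutoSize
```

Comparing the two Get-RemoteFwAdminState snapshots shows directly whether the client flips Enabled back to True and whether it also resets RemoteAddress to "Any", which is the question the post leaves open. The event list distinguishes a rule being modified in place (2005) from being deleted and recreated (2004), and the Modifying User field in the same messages (not parsed here) is worth reading alongside the application path when deciding what on the CM side is driving the change.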