Configure Hyper-V firewall
Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).
This article describes how to configure Hyper-V firewall rules and settings using PowerShell or configuration service provider (CSP).
Important
The configuration of Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration.
Configure Hyper-V firewall with PowerShell
This section describes the steps to manage Hyper-V firewall using PowerShell.
Obtain the WSL GUID
Hyper-V firewall rules are enabled per VMCreatorId. To obtain the VMCreatorId, use the cmdlet:
Get-NetFirewallHyperVVMCreator
The output contains a VmCreator object type, which has unique identifier VMCreatorId and friendly name properties. For example, the following output shows the properties of WSL:
PS C:\> Get-NetFirewallHyperVVMCreator
VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL
Note
The WSL VMCreatorId is {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}.
Verify Hyper-V firewall settings
Hyper-V firewall has settings that apply in general to a VMCreatorId. Use the Get-NetFirewallHyperVVMSetting cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command:
Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
Note
-PolicyStore ActiveStore returns the applied settings.
The output contains the following values:
| Value | Description |
|---|---|
Enabled (True/False) |
True if Hyper-V Firewall is enabled for WSL VMs. |
DefaultInboundAction, DefaultOutboundAction |
These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article. |
LoopbackEnabled |
Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host. |
AllowHostPolicyMerge |
Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact. This setting is detailed with the Set-NetFirewallHyperVVMSetting cmdlet. |
Configure Hyper-V firewall settings
To configure Hyper-V firewall, use the Set-NetFirewallHyperVVMSetting command. For example, the following command sets the default inbound connection to Allow:
Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow
Firewall Rules
Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules, use the Get-NetFirewallHyperVRule cmdlet. For example, to view firewall rules that only pertain to WSL, use the following command:
Get-NetFirewallHyperVRule -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'
To configure specific rules, use the Set-NetFirewallHyperVRule cmdlet.
For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command:
New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80
Target Hyper-V firewall rules and settings to specific profiles
Hyper-V firewall rules and settings can be targeted to the Firewall profiles, which are based on the type of network the device is connected to:
- Public profile
- Private profile
- Domain profile
The policy options are similar to the ones already described, but are applied to specific profiles for the connected Windows Host network adapter.
To view the settings per profile, use the following command:
Get-NetFirewallHyperVProfile -PolicyStore ActiveStore
Note
-PolicyStore ActiveStore returns the applied settings.
The output contains an extra value compared to the ones described in the previous section:
| Value | Description |
|---|---|
AllowLocalFirewallRules (True/False) |
This setting determines how enterprise Hyper-V firewall rules (CSP or GPO) interact with the locally defined Hyper-V firewall rules: - if the value is True, both the enterprise Hyper-V firewall rules and the locally defined rules are applied - if the value is False, the locally defined Hyper-V firewall rules aren't applied, and only enterprise rules are applied. |
Note
To configure these settings per profile, use the Set-NetFirewallHyperVProfile cmdlet.
To configure these rules per profile using the Set-NetFirewallHyperVRule cmdlet with the -Profile option.
Configure Hyper-V firewall with CSP
You can configure Hyper-V firewall using the Firewall CSP, for example with an MDM solution like Microsoft Intune.
To learn more about the CSP options, follow these links:
- Configure Hyper-V firewall settings: to configure the Hyper-V firewall settings
- Configure Hyper-V firewall rules: to configure list of rules controlling traffic through the Hyper-V firewall
To learn how to configure the firewall with Microsoft Intune, see Firewall policy for endpoint security.
Provide feedback
To provide feedback for Hyper-V firewall, open Feedback Hub and use the category Security and Privacy > Microsoft Defender Firewall and network protection.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for