Szerkesztés

Megosztás a következőn keresztül:


Firewall CSP

The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network.

Note

Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively.

Atomic blocks are "all or nothing." If a firewall rule or firewall setting in an Atomic block fails to be applied, the entire Atomic block fails to be applied.

If an Atomic block contains a firewall rule or firewall setting that is not supported on a particular Windows OS version, the entire Atomic block fails to be applied on that Windows version. For example, firewall rules with IcmpTypesAndCodes are only supported on Windows 11, applying an Atomic block that contains a rule with IcmpTypesAndCodes on Windows 10 fails.

For detailed information on some of the fields below, see [MS-FASP]: Firewall and Advanced Security Protocol documentation.

The following list shows the Firewall configuration service provider nodes:

MdmStore

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore

Interior node.

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/DomainProfile

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/DomainProfile/AllowLocalIpsecPolicyMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalIpsecPolicyMerge

This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalIpsecPolicyMerge Off.
true (Default) AllowLocalIpsecPolicyMerge On.

MdmStore/DomainProfile/AllowLocalPolicyMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalPolicyMerge

This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalPolicyMerge Off.
true (Default) AllowLocalPolicyMerge On.

MdmStore/DomainProfile/AuthAppsAllowUserPrefMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AuthAppsAllowUserPrefMerge

This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AuthAppsAllowUserPrefMerge Off.
true (Default) AuthAppsAllowUserPrefMerge On.

MdmStore/DomainProfile/DefaultInboundAction

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultInboundAction

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 Allow Inbound By Default.
1 (Default) Block Inbound By Default.

MdmStore/DomainProfile/DefaultOutboundAction

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultOutboundAction

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 (Default) Allow Outbound By Default.
1 Block Outbound By Default.

Example:

<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
    <!-- Block Outbound by default -->
    <Add>
      <CmdID>2010</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultOutboundAction</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>1</Data>
      </Item>
    </Add>
<Final/>
</SyncBody>
</SyncML>

MdmStore/DomainProfile/DisableInboundNotifications

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableInboundNotifications

This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Firewall May Display Notification.
true Firewall Must Not Display Notification.

MdmStore/DomainProfile/DisableStealthMode

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableStealthMode

This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [EnableFirewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Use Stealth Mode.
true Disable Stealth Mode.

MdmStore/DomainProfile/DisableStealthModeIpsecSecuredPacketExemption

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableStealthModeIpsecSecuredPacketExemption

This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false FALSE.
true (Default) TRUE.

MdmStore/DomainProfile/DisableUnicastResponsesToMulticastBroadcast

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableUnicastResponsesToMulticastBroadcast

This value is used as an on/off switch. If it's true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Unicast Responses Not Blocked.
true Unicast Responses Blocked.

MdmStore/DomainProfile/EnableFirewall

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall

This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true

Allowed values:

Value Description
false Disable Firewall.
true (Default) Enable Firewall.

MdmStore/DomainProfile/EnableLogDroppedPackets

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogDroppedPackets

This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Dropped Packets.
true Enable Logging Of Dropped Packets.

MdmStore/DomainProfile/EnableLogIgnoredRules

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogIgnoredRules

This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule isn't enforced for any reason. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Ignored Rules.
true Enable Logging Of Ignored Rules.

MdmStore/DomainProfile/EnableLogSuccessConnections

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableLogSuccessConnections

This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Successful Connections.
true Enable Logging Of Successful Connections.

MdmStore/DomainProfile/GlobalPortsAllowUserPrefMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/GlobalPortsAllowUserPrefMerge

This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false GlobalPortsAllowUserPrefMerge Off.
true (Default) GlobalPortsAllowUserPrefMerge On.

MdmStore/DomainProfile/LogFilePath

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogFilePath

This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured, otherwise the MdmStore value wins if it's configured, otherwise the local store value is used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get, Replace
Default Value %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

MdmStore/DomainProfile/LogMaxFileSize

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/LogMaxFileSize

This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured, otherwise the MdmStore value wins if it's configured, otherwise the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Allowed Values Range: [0-4294967295]
Default Value 1024
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

MdmStore/DomainProfile/Shielded

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/DomainProfile/Shielded

This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Shielding Off.
true Shielding On.

MdmStore/DynamicKeywords

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 20H2 with KB5013942 [10.0.19042.1706] and later
✅ Windows 10, version 21H1 with KB5013942 [10.0.19043.1706] and later
✅ Windows 10, version 21H2 with KB5013942 [10.0.19044.1706] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/DynamicKeywords/Addresses

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 20H2 with KB5013942 [10.0.19042.1706] and later
✅ Windows 10, version 21H1 with KB5013942 [10.0.19043.1706] and later
✅ Windows 10, version 21H2 with KB5013942 [10.0.19044.1706] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses

A list of dynamic keyword addresses for use within firewall rules. Dynamic keyword addresses can either be a simple alias object or fully qualified domain names which will be auto-resolved in the presence of the Microsoft Defender Advanced Threat Protection Service.

Description framework properties:

Property name Property value
Format node
Access Type Get
MdmStore/DynamicKeywords/Addresses/{Id}
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 20H2 with KB5013942 [10.0.19042.1706] and later
✅ Windows 10, version 21H1 with KB5013942 [10.0.19043.1706] and later
✅ Windows 10, version 21H2 with KB5013942 [10.0.19044.1706] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}

A unique GUID string identifier for this dynamic keyword address.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get
Atomic Required True
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Allowed Values Regular Expression: \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}
MdmStore/DynamicKeywords/Addresses/{Id}/Addresses
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 20H2 with KB5013942 [10.0.19042.1706] and later
✅ Windows 10, version 21H1 with KB5013942 [10.0.19043.1706] and later
✅ Windows 10, version 21H2 with KB5013942 [10.0.19044.1706] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/Addresses

Consists of one or more comma-delimited tokens specifying the addresses covered by this keyword. This value shouldn't be set if AutoResolve is true.

Valid tokens include:

A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

A valid IPv6 address.

An IPv4 address range in the format of "start address - end address" with no spaces included.

An IPv6 address range in the format of "start address - end address" with no spaces included.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)
Dependency [AutoResolve False] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/[Id]/AutoResolve
Dependency Allowed Value: false
Dependency Allowed Value Type: ENUM
MdmStore/DynamicKeywords/Addresses/{Id}/AutoResolve
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 20H2 with KB5013942 [10.0.19042.1706] and later
✅ Windows 10, version 21H1 with KB5013942 [10.0.19043.1706] and later
✅ Windows 10, version 21H2 with KB5013942 [10.0.19044.1706] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/AutoResolve

If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a fully qualified domain name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get
Default Value false

Allowed values:

Value Description
false (Default) AutoResolve False.
true AutoResolve True.
MdmStore/DynamicKeywords/Addresses/{Id}/Keyword
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 20H2 with KB5013942 [10.0.19042.1706] and later
✅ Windows 10, version 21H1 with KB5013942 [10.0.19043.1706] and later
✅ Windows 10, version 21H2 with KB5013942 [10.0.19044.1706] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Vendor/MSFT/Firewall/MdmStore/DynamicKeywords/Addresses/{Id}/Keyword

A String representing keyword. If the AutoResolve value is true, this should be a Fully Qualified Domain name (wildcards accepted, for example "contoso.com" or "*.contoso.com"). If the AutoResolve value is false, then this can be any identifier string.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get

MdmStore/FirewallRules

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules

A list of rules controlling traffic through the Windows Firewall. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed.

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/FirewallRules/{FirewallRuleName}

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}

Unique alpha numeric identifier for the rule. The rule name mustn't include a forward slash (/).

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get, Replace
Atomic Required True
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Allowed Values Regular Expression: ^[^|/]*$
MdmStore/FirewallRules/{FirewallRuleName}/Action
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Action

Specifies the action for the rule.

Description framework properties:

Property name Property value
Format node
Access Type Get
MdmStore/FirewallRules/{FirewallRuleName}/Action/Type
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Action/Type

Specifies the action the rule enforces:

0 - Block 1 - Allow.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1

Allowed values:

Value Description
0 Block.
1 (Default) Allow.
MdmStore/FirewallRules/{FirewallRuleName}/App
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App

Rules that control connections for an app, program or service.

Specified based on the intersection of the following nodes.

PackageFamilyName.

FilePath.

FQBN.

ServiceName.

Description framework properties:

Property name Property value
Format node
Access Type Get
MdmStore/FirewallRules/{FirewallRuleName}/App/FilePath
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/FilePath

FilePath - This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
MdmStore/FirewallRules/{FirewallRuleName}/App/Fqbn
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/Fqbn

Fully Qualified Binary Name.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
MdmStore/FirewallRules/{FirewallRuleName}/App/PackageFamilyName
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/PackageFamilyName

PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
MdmStore/FirewallRules/{FirewallRuleName}/App/ServiceName
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/App/ServiceName

This is a service name, and is used in cases when a service, not an application, must be sending or receiving traffic.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
MdmStore/FirewallRules/{FirewallRuleName}/Description
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Description

Specifies the description of the rule.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
MdmStore/FirewallRules/{FirewallRuleName}/Direction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Direction

The rule is enabled based on the traffic direction as following.

IN - the rule applies to inbound traffic.

OUT - the rule applies to outbound traffic.

If not specified the default is OUT.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get, Replace
Default Value OUT

Allowed values:

Value Description
IN The rule applies to inbound traffic.
OUT (Default) The rule applies to outbound traffic.
MdmStore/FirewallRules/{FirewallRuleName}/EdgeTraversal
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/EdgeTraversal

Indicates whether edge traversal is enabled or disabled for this rule.

The EdgeTraversal property indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.

New rules have the EdgeTraversal property disabled by default.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
0 Disabled.
1 Enabled.
MdmStore/FirewallRules/{FirewallRuleName}/Enabled
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Enabled

Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.

If not specified - a new rule is disabled by default.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace

Allowed values:

Value Description
0 Disabled.
1 Enabled.
MdmStore/FirewallRules/{FirewallRuleName}/IcmpTypesAndCodes
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.20348] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/IcmpTypesAndCodes

String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma.

To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code.

The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid.

When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP).

If not specified, the default is All.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)
MdmStore/FirewallRules/{FirewallRuleName}/InterfaceTypes
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/InterfaceTypes

String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MBB", and "All".

If more than one interface type is specified, the strings must be separated by a comma.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Default Value All

Allowed values:

Value Description
RemoteAccess RemoteAccess.
Wireless Wireless.
Lan Lan.
MBB MobileBroadband.
All (Default) All.
MdmStore/FirewallRules/{FirewallRuleName}/LocalAddressRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalAddressRanges

Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.

Valid tokens include:

"*" indicates any local address. If present, this must be the only token included.

A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

A valid IPv6 address.

An IPv4 address range in the format of "start address - end address" with no spaces included.

An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)
MdmStore/FirewallRules/{FirewallRuleName}/LocalPortRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalPortRanges

Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.

When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[0-9,-]+$
MdmStore/FirewallRules/{FirewallRuleName}/LocalUserAuthorizedList
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/LocalUserAuthorizedList

Specifies the list of authorized local users for the app container.

This is a string in Security Descriptor Definition Language (SDDL) format.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values <SDDL>
MdmStore/FirewallRules/{FirewallRuleName}/Name
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Name

Specifies the friendly name of the firewall rule.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 22H2 with KB5025297 [10.0.19045.2913] and later
✅ Windows 11, version 21H2 with KB5025298 [10.0.22000.1880] and later
✅ Windows 11, version 22H2 with KB5025305 [10.0.22621.1635] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/PolicyAppId

Specifies one App Control tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ""., and "_". A PolicyAppId and ServiceName can't be specified in the same rule.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[A-Za-z0-9_.:/]+$
MdmStore/FirewallRules/{FirewallRuleName}/Profiles
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Profiles

Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace

Allowed values:

Flag Description
0x1 FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains.
0x2 FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they're in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD.
0x4 FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator aren't trusted.
0x7FFFFFFF FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets.
0x80000000 FW_PROFILE_TYPE_CURRENT: This value represents the current profiles to which the firewall and advanced security components determine the host is connected at the moment of the call. This value can be specified only in method calls, and it can't be combined with other flags.
MdmStore/FirewallRules/{FirewallRuleName}/Protocol
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Protocol

0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-255]
MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressDynamicKeywords
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 20H2 with KB5013942 [10.0.19042.1706] and later
✅ Windows 10, version 21H1 with KB5013942 [10.0.19043.1706] and later
✅ Windows 10, version 21H2 with KB5013942 [10.0.19044.1706] and later
✅ Windows 11, version 21H2 [10.0.22000] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressDynamicKeywords

Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}
MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemoteAddressRanges

Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

"*" indicates any remote address. If present, this must be the only token included.

"Defaultgateway" "DHCP" "DNS" "WINS" "Intranet" "RemoteCorpNetwork" "Internet" "PlayToRenderers" "LocalSubnet" indicates any local address on the local subnet. This token isn't case-sensitive.

A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

A valid IPv6 address.

An IPv4 address range in the format of "start address - end address" with no spaces included.

An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)
MdmStore/FirewallRules/{FirewallRuleName}/RemotePortRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/RemotePortRanges

Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.

When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP).

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[0-9,-]+$
MdmStore/FirewallRules/{FirewallRuleName}/Status
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/FirewallRules/{FirewallRuleName}/Status

Provides information about the specific version of the rule in deployment for monitoring purposes.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

MdmStore/Global

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/Global/BinaryVersionSupported

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/BinaryVersionSupported

This value contains the binary version of the structures and data types that are supported by the server. This value isn't merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that's supported only on servers that have a schema version of 0x0201.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

MdmStore/Global/CRLcheck

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/CRLcheck

This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace

Allowed values:

Value Description
0 Disables CRL checking.
1 Specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) don't cause certificate validation to fail.
2 Means that checking is required and that certificate validation fails if any error is encountered during CRL processing.

MdmStore/Global/CurrentProfiles

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/CurrentProfiles

Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it isn't merged and has no merge law.

Description framework properties:

Property name Property value
Format int
Access Type Get

MdmStore/Global/DisableStatefulFtp

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/DisableStatefulFtp

This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false

Allowed values:

Value Description
false (Default) Stateful FTP enabled.
true Stateful FTP disabled.

MdmStore/Global/EnablePacketQueue

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/EnablePacketQueue

This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is an integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0x0

Allowed values:

Flag Description
0x0 (Default) Indicates that all queuing is to be disabled.
0x1 Specifies that inbound encrypted packets are to be queued.
0x2 Specifies that packets are to be queued after decryption is performed for forwarding.

MdmStore/Global/IPsecExempt

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/IPsecExempt

This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0x0

Allowed values:

Flag Description
0x0 (Default) FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NONE: No IPsec exemptions.
0x1 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC: Exempt neighbor discover IPv6 ICMP type-codes from IPsec.
0x2 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ICMP: Exempt ICMP from IPsec.
0x4 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_ROUTER_DISC: Exempt router discover IPv6 ICMP type-codes from IPsec.
0x8 FW_GLOBAL_CONFIG_IPSEC_EXEMPT_DHCP: Exempt both IPv4 and IPv6 DHCP traffic from IPsec.

MdmStore/Global/OpportunisticallyMatchAuthSetPerKM

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/OpportunisticallyMatchAuthSetPerKM

This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they don't support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they don't support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace

Allowed values:

Value Description
false FALSE.
true TRUE.

MdmStore/Global/PolicyVersion

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/PolicyVersion

This value contains the policy version of the policy store being managed. This value isn't merged and therefore, has no merge law.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get

MdmStore/Global/PolicyVersionSupported

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/PolicyVersionSupported

Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.

Description framework properties:

Property name Property value
Format int
Access Type Get

MdmStore/Global/PresharedKeyEncoding

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/PresharedKeyEncoding

Specifies the preshared key encoding that's used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1

Allowed values:

Value Description
0 FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_NONE: Preshared key isn't encoded. Instead, it's kept in its wide-character format. This symbolic constant has a value of 0.
1 (Default) FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8: Encode the preshared key using UTF-8. This symbolic constant has a value of 1.

MdmStore/Global/SaIdleTime

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/Global/SaIdleTime

This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Allowed Values Range: [300-3600]
Default Value 300

MdmStore/HyperVFirewallRules

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules

A list of rules controlling traffic through the Windows Firewall for Hyper-V containers. Each Rule ID is ORed. Within each rule ID each Filter type is AND'ed.

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/HyperVFirewallRules/{FirewallRuleName}

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}

Unique alpha numeric identifier for the rule. The rule name mustn't include a forward slash (/).

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get, Replace
Atomic Required True
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Allowed Values Regular Expression: ^[^|/]*$
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action

Specifies the action the rule enforces:

0 - Block 1 - Allow.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1

Allowed values:

Value Description
0 Block.
1 (Default) Allow.
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction

The rule is enabled based on the traffic direction as following.

IN - the rule applies to inbound traffic.

OUT - the rule applies to outbound traffic.

If not specified the default is OUT.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get, Replace
Default Value OUT

Allowed values:

Value Description
IN The rule applies to inbound traffic.
OUT (Default) The rule applies to outbound traffic.
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Enabled
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Enabled

Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.

If not specified - a new rule is disabled by default.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace

Allowed values:

Value Description
0 Disabled.
1 Enabled.
MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalAddressRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalAddressRanges

Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.

Valid tokens include:

"*" indicates any local address. If present, this must be the only token included.

A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

A valid IPv6 address.

An IPv4 address range in the format of "start address - end address" with no spaces included.

An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)
MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalPortRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/LocalPortRanges

Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[0-9,-]+$
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name

Specifies the friendly name of the Hyper-V Firewall rule.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority

This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it's highly recommended to configure the value for ALL rules to ensure expected evaluation of rules.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-65535]
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Profiles
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Profiles

Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace

Allowed values:

Flag Description
0x1 FW_PROFILE_TYPE_DOMAIN: This value represents the profile for networks that are connected to domains.
0x2 FW_PROFILE_TYPE_STANDARD: This value represents the standard profile for networks. These networks are classified as private by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are behind Network Address Translation (NAT) devices, routers, and other edge devices, and they're in a private location, such as a home or an office. AND FW_PROFILE_TYPE_PRIVATE: This value represents the profile for private networks, which is represented by the same value as that used for FW_PROFILE_TYPE_STANDARD.
0x4 FW_PROFILE_TYPE_PUBLIC: This value represents the profile for public networks. These networks are classified as public by the administrators in the server host. The classification happens the first time the host connects to the network. Usually these networks are those at airports, coffee shops, and other public places where the peers in the network or the network administrator aren't trusted.
0x7FFFFFFF FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets.
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Protocol
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Protocol

0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Allowed Values Range: [0-255]
MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemoteAddressRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemoteAddressRanges

Consists of one or more comma-delimited tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:

"*" indicates any remote address. If present, this must be the only token included.

A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.

A valid IPv6 address.

An IPv4 address range in the format of "start address - end address" with no spaces included.

An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)
MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemotePortRanges
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/RemotePortRanges

Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: ^[0-9,-]+$
MdmStore/HyperVFirewallRules/{FirewallRuleName}/Status
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Status

Provides information about the specific version of the rule in deployment for monitoring purposes.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get
MdmStore/HyperVFirewallRules/{FirewallRuleName}/VMCreatorId
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/VMCreatorId

This field specifies the VM Creator ID that this rule is applicable to. A NULL GUID will result in this rule applying to all VM creators.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values Regular Expression: \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}

MdmStore/HyperVVMSettings

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings

Settings for the Windows Firewall for Hyper-V containers. Each setting applies on a per-VM Creator basis.

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/HyperVVMSettings/{VMCreatorId}

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}

VM Creator ID that these settings apply to. Valid format is a GUID.

Description framework properties:

Property name Property value
Format node
Access Type Add, Delete, Get, Replace
Atomic Required True
Dynamic Node Naming ServerGeneratedUniqueIdentifier
Allowed Values Regular Expression: \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}
MdmStore/HyperVVMSettings/{VMCreatorId}/AllowHostPolicyMerge
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/AllowHostPolicyMerge

This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true

Allowed values:

Value Description
false AllowHostPolicyMerge Off.
true (Default) AllowHostPolicyMerge On.
MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultInboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultInboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 Allow Inbound By Default.
1 (Default) Block Inbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultOutboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DefaultOutboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 (Default) Allow Outbound By Default.
1 Block Outbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile

Description framework properties:

Property name Property value
Format node
Access Type Get
MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/AllowLocalPolicyMerge
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/AllowLocalPolicyMerge

This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalPolicyMerge Off.
true (Default) AllowLocalPolicyMerge On.
MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/DefaultInboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/DefaultInboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 Allow Inbound By Default.
1 (Default) Block Inbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/DefaultOutboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/DefaultOutboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/DomainProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 (Default) Allow Outbound By Default.
1 Block Outbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/EnableFirewall
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/DomainProfile/EnableFirewall

This value is an on/off switch for the Hyper-V Firewall enforcement.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true

Allowed values:

Value Description
false Disable Firewall.
true (Default) Enable Firewall.
MdmStore/HyperVVMSettings/{VMCreatorId}/EnableFirewall
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/EnableFirewall

This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It's recommended to instead use the profile setting value under the profile subtree.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true

Allowed values:

Value Description
false Disable Hyper-V Firewall.
true (Default) Enable Hyper-V Firewall.
MdmStore/HyperVVMSettings/{VMCreatorId}/EnableLoopback
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/EnableLoopback

This value is an on/off switch for loopback traffic. This determines if this VM is able to send/receive loopback traffic to other VMs or the host.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value false

Allowed values:

Value Description
false (Default) Disable loopback.
true Enable loopback.
MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile

Description framework properties:

Property name Property value
Format node
Access Type Get
MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/AllowLocalPolicyMerge
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/AllowLocalPolicyMerge

This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalPolicyMerge Off.
true (Default) AllowLocalPolicyMerge On.
MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/DefaultInboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/DefaultInboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 Allow Inbound By Default.
1 (Default) Block Inbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/DefaultOutboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/DefaultOutboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 (Default) Allow Outbound By Default.
1 Block Outbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/EnableFirewall
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PrivateProfile/EnableFirewall

This value is an on/off switch for the Hyper-V Firewall enforcement.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true

Allowed values:

Value Description
false Disable Firewall.
true (Default) Enable Firewall.
MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile

Description framework properties:

Property name Property value
Format node
Access Type Get
MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/AllowLocalPolicyMerge
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/AllowLocalPolicyMerge

This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalPolicyMerge Off.
true (Default) AllowLocalPolicyMerge On.
MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/DefaultInboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/DefaultInboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block].

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 Allow Inbound By Default.
1 (Default) Block Inbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/DefaultOutboundAction
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/DefaultOutboundAction

This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow].

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/[VMCreatorId]/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 (Default) Allow Outbound By Default.
1 Block Outbound By Default.
MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/EnableFirewall
Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ [10.0.25398] and later
✅ Windows 11, version 22H2 [10.0.22621.2352] and later
./Vendor/MSFT/Firewall/MdmStore/HyperVVMSettings/{VMCreatorId}/PublicProfile/EnableFirewall

This value is an on/off switch for the Hyper-V Firewall enforcement.

Description framework properties:

Property name Property value
Format bool
Access Type Replace
Default Value true

Allowed values:

Value Description
false Disable Hyper-V Firewall.
true (Default) Enable Hyper-V Firewall.

MdmStore/PrivateProfile

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/PrivateProfile/AllowLocalIpsecPolicyMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalIpsecPolicyMerge

This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalIpsecPolicyMerge Off.
true (Default) AllowLocalIpsecPolicyMerge On.

MdmStore/PrivateProfile/AllowLocalPolicyMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalPolicyMerge

This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalPolicyMerge Off.
true (Default) AllowLocalPolicyMerge On.

MdmStore/PrivateProfile/AuthAppsAllowUserPrefMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AuthAppsAllowUserPrefMerge

This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AuthAppsAllowUserPrefMerge Off.
true (Default) AuthAppsAllowUserPrefMerge On.

MdmStore/PrivateProfile/DefaultInboundAction

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultInboundAction

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 Allow Inbound By Default.
1 (Default) Block Inbound By Default.

MdmStore/PrivateProfile/DefaultOutboundAction

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultOutboundAction

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 (Default) Allow Outbound By Default.
1 Block Outbound By Default.

Example:

<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
    <!-- Block Outbound by default -->
    <Add>
      <CmdID>2010</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultOutboundAction</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>1</Data>
      </Item>
    </Add>
<Final/>
</SyncBody>
</SyncML>

MdmStore/PrivateProfile/DisableInboundNotifications

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableInboundNotifications

This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Firewall May Display Notification.
true Firewall Must Not Display Notification.

MdmStore/PrivateProfile/DisableStealthMode

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableStealthMode

This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Use Stealth Mode.
true Disable Stealth Mode.

MdmStore/PrivateProfile/DisableStealthModeIpsecSecuredPacketExemption

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableStealthModeIpsecSecuredPacketExemption

This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false FALSE.
true (Default) TRUE.

MdmStore/PrivateProfile/DisableUnicastResponsesToMulticastBroadcast

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableUnicastResponsesToMulticastBroadcast

This value is used as an on/off switch. If it's true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Unicast Responses Not Blocked.
true Unicast Responses Blocked.

MdmStore/PrivateProfile/EnableFirewall

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall

This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Add, Get, Replace
Default Value true

Allowed values:

Value Description
false Disable Firewall.
true (Default) Enable Firewall.

MdmStore/PrivateProfile/EnableLogDroppedPackets

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogDroppedPackets

This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Dropped Packets.
true Enable Logging Of Dropped Packets.

MdmStore/PrivateProfile/EnableLogIgnoredRules

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogIgnoredRules

This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule isn't enforced for any reason. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Ignored Rules.
true Enable Logging Of Ignored Rules.

MdmStore/PrivateProfile/EnableLogSuccessConnections

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableLogSuccessConnections

This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Successful Connections.
true Enable Logging Of Successful Connections.

MdmStore/PrivateProfile/GlobalPortsAllowUserPrefMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/GlobalPortsAllowUserPrefMerge

This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false GlobalPortsAllowUserPrefMerge Off.
true (Default) GlobalPortsAllowUserPrefMerge On.

MdmStore/PrivateProfile/LogFilePath

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogFilePath

This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured, otherwise the MdmStore value wins if it's configured, otherwise the local store value is used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get, Replace
Default Value %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

MdmStore/PrivateProfile/LogMaxFileSize

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/LogMaxFileSize

This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured, otherwise the MdmStore value wins if it's configured, otherwise the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Allowed Values Range: [0-4294967295]
Default Value 1024
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

MdmStore/PrivateProfile/Shielded

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/Shielded

This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Shielding Off.
true Shielding On.

MdmStore/PublicProfile

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile

Description framework properties:

Property name Property value
Format node
Access Type Get

MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalIpsecPolicyMerge

This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalIpsecPolicyMerge Off.
true (Default) AllowLocalIpsecPolicyMerge On.

MdmStore/PublicProfile/AllowLocalPolicyMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge

This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AllowLocalPolicyMerge Off.
true (Default) AllowLocalPolicyMerge On.

MdmStore/PublicProfile/AuthAppsAllowUserPrefMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AuthAppsAllowUserPrefMerge

This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false AuthAppsAllowUserPrefMerge Off.
true (Default) AuthAppsAllowUserPrefMerge On.

MdmStore/PublicProfile/DefaultInboundAction

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultInboundAction

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 1
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 Allow Inbound By Default.
1 (Default) Block Inbound By Default.

MdmStore/PublicProfile/DefaultOutboundAction

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultOutboundAction

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Default Value 0
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
0 (Default) Allow Outbound By Default.
1 Block Outbound By Default.

Example:

<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncBody>
    <!-- Block Outbound by default -->
    <Add>
      <CmdID>2010</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultOutboundAction</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>1</Data>
      </Item>
    </Add>
<Final/>
</SyncBody>
</SyncML>

MdmStore/PublicProfile/DisableInboundNotifications

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableInboundNotifications

This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Firewall May Display Notification.
true Firewall Must Not Display Notification.

MdmStore/PublicProfile/DisableStealthMode

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableStealthMode

This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Use Stealth Mode.
true Disable Stealth Mode.

MdmStore/PublicProfile/DisableStealthModeIpsecSecuredPacketExemption

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableStealthModeIpsecSecuredPacketExemption

This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false FALSE.
true (Default) TRUE.

MdmStore/PublicProfile/DisableUnicastResponsesToMulticastBroadcast

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableUnicastResponsesToMulticastBroadcast

This value is used as an on/off switch. If it's true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Unicast Responses Not Blocked.
true Unicast Responses Blocked.

MdmStore/PublicProfile/EnableFirewall

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall

This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true

Allowed values:

Value Description
false Disable Firewall.
true (Default) Enable Firewall.

MdmStore/PublicProfile/EnableLogDroppedPackets

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogDroppedPackets

This value is used as an on/off switch. If this value is on, the firewall logs all the dropped packets. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Dropped Packets.
true Enable Logging Of Dropped Packets.

MdmStore/PublicProfile/EnableLogIgnoredRules

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogIgnoredRules

This value is used as an on/off switch. The server MAY use this value in an implementation-specific way to control logging of events if a rule isn't enforced for any reason. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Ignored Rules.
true Enable Logging Of Ignored Rules.

MdmStore/PublicProfile/EnableLogSuccessConnections

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableLogSuccessConnections

This value is used as an on/off switch. If this value is on, the firewall logs all successful inbound connections. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Disable Logging Of Successful Connections.
true Enable Logging Of Successful Connections.

MdmStore/PublicProfile/GlobalPortsAllowUserPrefMerge

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/GlobalPortsAllowUserPrefMerge

This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it's set or enumerated in the Group Policy store or if it's enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value true
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false GlobalPortsAllowUserPrefMerge Off.
true (Default) GlobalPortsAllowUserPrefMerge On.

MdmStore/PublicProfile/LogFilePath

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogFilePath

This value is a string that represents a file path to the log where the firewall logs dropped packets and successful connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured, otherwise the MdmStore value wins if it's configured, otherwise the local store value is used.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Get, Replace
Default Value %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

MdmStore/PublicProfile/LogMaxFileSize

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 11, version 22H2 [10.0.22621] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/LogMaxFileSize

This value specifies the size, in kilobytes, of the log file where dropped packets and successful connections are logged. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured, otherwise the MdmStore value wins if it's configured, otherwise the local store value is used.

Description framework properties:

Property name Property value
Format int
Access Type Get, Replace
Allowed Values Range: [0-4294967295]
Default Value 1024
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

MdmStore/PublicProfile/Shielded

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Vendor/MSFT/Firewall/MdmStore/PublicProfile/Shielded

This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

Description framework properties:

Property name Property value
Format bool
Access Type Get, Replace
Default Value false
Dependency [Enable Firewall] Dependency Type: DependsOn
Dependency URI: Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall
Dependency Allowed Value: true
Dependency Allowed Value Type: ENUM

Allowed values:

Value Description
false (Default) Shielding Off.
true Shielding On.

Configuration service provider reference