
How to disable Windows Firewall for all networked machines using the command line in Windows Server 2016?


I am currently building a Hyper-V lab consisting of a DC and multiple networked VMs, using Windows Server 2016. I'd like to completely disable the Windows Firewall for all existing and newly created VMs.

The best way that I've found to do this so far is via Group Policy for the Domain Profile, then setting "Windows Firewall: Protect all network connections" to disabled. What I would like to do is to have a way of scripting this out (using PowerShell if possible).

I've found that by performing the above steps in the GUI, it creates a few entries in the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\WindowsFirewall\DomainProfile

In each of those entries, there is a property called EnableFirewall which is set to 0. So I tried creating all of this using PowerShell like this:

New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft" -name WindowsFirewall 
New-Item -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall" -name DomainProfile
New-ItemProperty -path "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -name EnableFirewall -value 0 -PropertyType DWord -Force

Unfortunately it doesn't seem to be working, so there must be something else that I'm missing.

Does anybody know how to completely disable the Windows Firewall for all networked machines using the command line in Windows Server 2016?


Solution

  • Setting up the Windows-Firewall for your domain-computers through computer-startup-script is not a great solution in my opinion. You should definitely use Group Policy for this task.

    GP does exactly what I want, I would just like a way of modifying GP using PowerShell. I'm building a lab from scratch, and I'm looking to script as much of it as possible rather than using the GUI.

    I am not completely sure what you are trying to achieve. You have created a lab now and I think you are trying to script a complete automatic built-up for future use. Is this correct?

    If yes, then my solution is maybe what you are looking for:

    1. Create a new GPO in your lab named "Firewall-Settings" for example.
    2. Make all of your needed firewall settings in the new GPO.
    3. In Group Policy Editor open the main node named "Group Policy Objects". (important) Find the newly created GPO, right-click it and select "Backup":

       [Screenshot: GPO Backup]

    4. Save the GPO backup to a folder. (folder must exist)

       [Screenshot: GPO Backup to folder]

    5. The GPO is being saved and named like on the screenshot below (GUID):

       [Screenshot: Saved GPO in File-System]

    That's it for the preparation. Now you may want to script the creation of the GPO with PowerShell for future use and import the backup to obtain its settings in a new environment:

    $PathtoGPOBackup = "C:\GPOBackup" # placeholder: folder that holds the saved GPO backup
    New-GPO -Name "FireWall-Settings" | New-GPLink -Target "DC=mydomain,DC=local" # distinguishedName of Target-OU
    Import-GPO -Path $PathtoGPOBackup -TargetName "FireWall-Settings" -BackupGpoName "FireWall-Settings"

    The script creates a GPO in the new environment with the name "FireWall-Settings" and links it to the target-OU. After that you import the settings of the backup-GPO. All the domain-members in scope of the GPO will get the Windows-Firewall configured automatically.

    Now the process is documented and fully automatic, if this is what you are looking for.

    Kind regards
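
A scripted equivalent of the GUI preparation steps above, as an added example that is not part of the original answer: it writes the EnableFirewall policy value the question observed into the GPO with Set-GPRegistryValue, links the GPO to a lab OU instead of the domain root, and takes the backup with Backup-GPO. The OU distinguishedName and the backup folder are assumed placeholder values.

```powershell
# Added example; run on a machine with the GroupPolicy module (DC or RSAT).
Import-Module GroupPolicy

$GpoName    = 'FireWall-Settings'                # GPO name used in the answer
$TargetOu   = 'OU=LabVMs,DC=mydomain,DC=local'   # assumed lab OU (placeholder)
$BackupPath = 'C:\GPOBackup'                     # assumed backup folder (placeholder)
$PolicyKey  = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lab only: domain-profile firewall off'
}

# Write the same policy value the GUI setting produces (EnableFirewall = 0).
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'EnableFirewall' `
    -Type DWord -Value 0 | Out-Null

# Link to the lab OU only, and skip the link if it is already present.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Scripted replacement for the GUI "Backup" step; the folder must exist.
if (-not (Test-Path $BackupPath)) {
    New-Item -ItemType Directory -Path $BackupPath | Out-Null
}
$backup = Backup-GPO -Name $GpoName -Path $BackupPath
"Backup id: $($backup.Id)"

# Read the value back from the GPO to confirm what was stored.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'EnableFirewall'

# On a member VM, after 'gpupdate /force', check the effective domain profile:
#   Get-NetFirewallProfile -PolicyStore ActiveStore -Name Domain |
#       Select-Object Name, Enabled
```

Because the value lives in the GPO rather than in one machine's local registry, every existing and newly joined VM under the linked OU picks it up at the next policy refresh.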