Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Firewall Status
Environment: Microsoft Defender Firewall
Summary: Huntress reports the status of Windows Defender Firewall.
Huntress’ Firewall status lets you view the status of Microsoft Defender Firewall on protected endpoints. Our system reviews each endpoint's Microsoft Firewall Profiles to ensure they are all enabled.
More information about Microsoft Firewall Profiles here.
Enabling and Managing Microsoft Defender Firewall
Microsoft's Defender Firewall should be enabled by default. If it is not, you'll want to re-enable it, and the best place to start is with these external links from Microsoft (in order of increasing complexity):
- Enable the firewall on a specific endpoint.
- Best practices for configuring Microsoft Defender Firewall.
- Enable the firewall via PowerShell commands. Please note, it's generally not a good idea to run these particular commands programmatically across your entire account as it could accidentally block key services or disrupt server communications. Instead, we recommend running those commands on a case-by-case basis. For reference, those PowerShell commands are:
netsh advfirewall set allprofiles state on
-=OR=-
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
You can then verify the setting has applied with this PowerShell command:
Get-NetFirewallProfile | Select Name, Enabled
Although Huntress is able to view the status of the firewall, support in enabling the firewall is limited. Please reach out to Microsoft support or review the articles above if there are any issues enabling the firewall properly.
Defender Firewall Managed through GPO
When checking an endpoint's Firewall status where the firewall is managed through GPO, we look for the active profiles to be set to enabled at the same level as the GPO. Examples of what that looks like are shown below; the setting must be configured for the active profiles, and at the level at which the GPO is configured.
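A read-only PowerShell check for the condition described above, added here as an example and not Huntress's own detection logic. It lists which profiles are active and compares the local, GPO-applied and effective "Enabled" value for each. It assumes the built-in NetSecurity and NetConnection modules, and it treats a profile as GPO-managed when the RSOP store reports anything other than NotConfigured, which is an assumption of this example.

```powershell
# Added example: read-only audit; it changes no firewall settings.
# Map connection categories (Get-NetConnectionProfile) to firewall profile names.
$categoryToProfile = @{
    'DomainAuthenticated' = 'Domain'
    'Private'             = 'Private'
    'Public'              = 'Public'
}

# Profiles currently in use by at least one connected network.
$activeProfiles = @(Get-NetConnectionProfile |
    ForEach-Object { $categoryToProfile[[string]$_.NetworkCategory] } |
    Sort-Object -Unique)

# Three views of the same setting:
#   PersistentStore = local policy stored on this machine
#   RSOP            = sum of all GPOs applied to this machine (read-only)
#   ActiveStore     = effective policy currently enforced
function Get-ProfileState([string]$Store) {
    $state = @{}
    Get-NetFirewallProfile -PolicyStore $Store -ErrorAction SilentlyContinue |
        ForEach-Object { $state[$_.Name] = [string]$_.Enabled }
    return $state
}
$localState     = Get-ProfileState 'PersistentStore'
$gpoState       = Get-ProfileState 'RSOP'
$effectiveState = Get-ProfileState 'ActiveStore'

$report = foreach ($name in 'Domain', 'Private', 'Public') {
    # Assumption of this example: a GPO manages the profile when RSOP sets a value.
    $gpoManaged = $gpoState.ContainsKey($name) -and $gpoState[$name] -ne 'NotConfigured'
    [pscustomobject]@{
        Profile   = $name
        Active    = $activeProfiles -contains $name
        Local     = $localState[$name]
        GPO       = if ($gpoState.ContainsKey($name)) { $gpoState[$name] } else { 'NotConfigured' }
        Effective = $effectiveState[$name]
        ManagedBy = if ($gpoManaged) { 'GPO' } else { 'Local' }
    }
}
$report | Format-Table -AutoSize

# Flag any active profile whose effective state is not enabled.
$report | Where-Object { $_.Active -and $_.Effective -ne 'True' } | ForEach-Object {
    Write-Warning ("{0} profile is active but not enabled (managed by {1})." -f $_.Profile, $_.ManagedBy)
}
```

A warning for a profile marked ManagedBy = GPO means the fix belongs in the GPO rather than in a local Set-NetFirewallProfile call.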