
We are deploying a Windows 10 LTSC image to multiple devices. The image configures one admin user and a second non-admin user. The non-admin user is the primary account for day-to-day use of the device. Another part of the configuration is to provide firewall rules for a set of custom applications.

This firewall configuration is currently giving us trouble:

Most of the pre-capture image configuration is driven by PowerShell scripts - including the firewall part - while using the admin account.

The script eventually makes a call from within PowerShell using Invoke-Expression to 'netsh advfirewall ...' using scripted arguments. One example is shown below:

netsh advfirewall firewall add rule name='Custom App Rule' enable=Yes profile=Domain,Private,Public dir=In action=Allow protocol=any localip='Any' remoteip='Any' program="C:\Program Files (x86)\Some Company\Bin\CustomApp.exe" edge=deferapp

Afterwards, we can check via Windows Defender Firewall editor ('wf.msc') that the entry has been created (output from Export List - Text Tab delimited; tabs changed to comma to save space):

Name,Group,Profile,Enabled,Action,Override,Program,Local Address,Remote Address,Protocol,Local Port,Remote Port,Authorized Users,Authorized Computers,Authorized Local Principals,Local User Owner,Application Package  
Custom App Rule,,All,Yes,Allow,No,C:\Program Files (x86)\Some Company\Bin\CustomApp.exe,Any,Any,Any,Any,Any,Any,Any,Any,Any,Any

Or reformatted for visibility:

Name = Custom App Rule
Group
Profile = All
Enabled = Yes
Action = Allow
Override = No
Program = C:\Program Files (x86)\Some Company\Bin\CustomApp.exe
Local Address = Any
Remote Address = Any
Protocol = Any
Local Port = Any
Remote Port = Any
Authorized Users = Any
Authorized Computers = Any
Authorized Local Principals = Any
Local User Owner = Any
Application Package = Any

No error message shows up during the configuration that would imply an issue.

Rebooting the system automatically logs us into the non-admin account (this is by design) and starts our 'customapp.exe', which in turn triggers the unexpected firewall prompt:

Windows Defender Firewall has blocked some features of this app
Your network administrator can unlock this app for you.
...
Path: C:\program files (x86)\some company\bin\customapp.exe
Network location: Public, private networks

And sure enough, when checking the Windows Defender Firewall editor, two new 'block' rules have been created for our 'customapp.exe': one for TCP and one for UDP (both with Profile = Public). The only additional difference seems to be that the path in 'Program' is all small caps. Does capitalization in the path matter when trying to match the application to a rule?

Concerns:

  • Why is the firewall rule we create specifically for our app seemingly ignored?
  • Are we using 'netsh' incorrectly? What would be the correct way?
  • Are there any logs that would provide information like: app A asked for network access to X, checking firewall rule 1 ... n, rule y does not apply because of z? (The pfirewall.log seems to only list IP/ports but not application names - at least by default.)

Thank you for taking the time to read this and any advice on this issue.

taithwork

0 Answers
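An added diagnostic for the situation described in the question (this is example code, not from the original post): it creates the same rule through the NetSecurity cmdlets instead of Invoke-Expression + netsh, lists every inbound rule that references the program path using a case-insensitive comparison (so the lowercase path on the auto-created block rules is matched too), and shows how to get per-application block records from the Security log, since pfirewall.log carries no application names. The program path and rule name are taken from the post; the auditpol step assumes an elevated session.

```powershell
# Path and rule name from the post; everything else is an added example.
$Program = 'C:\Program Files (x86)\Some Company\Bin\CustomApp.exe'

# 1. Same rule as the netsh line, but via the NetSecurity module: no string
#    building, no Invoke-Expression, and errors surface as exceptions.
New-NetFirewallRule -DisplayName 'Custom App Rule' -Direction Inbound `
    -Action Allow -Enabled True -Profile Domain,Private,Public -Protocol Any `
    -Program $Program -EdgeTraversalPolicy DeferToApp | Out-Null

# 2. Every inbound rule (allow or block) whose Program filter equals the path.
#    -ieq is case-insensitive, so 'c:\program files (x86)\...' matches as well.
function Get-RulesForProgram {
    param([string]$Path)
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -ieq $Path } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.DisplayName
                Enabled = $_.Enabled
                Action  = $_.Action
                Profile = $_.Profile
                Program = ($_ | Get-NetFirewallApplicationFilter).Program
            }
        }
}
Get-RulesForProgram -Path $Program | Format-Table -AutoSize

# 3. Enable failure auditing for Filtering Platform Connection (elevated, once).
#    Afterwards, Security events 5031 (app blocked from accepting inbound
#    connections) and 5157 (connection blocked) name the executable involved.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# 4. Pull those events for this executable. Event 5157 records the path in
#    \device\harddiskvolumeN\... form, so match on the file name only.
function Get-BlockedAppEvents {
    param([string]$Path)
    $leaf = Split-Path -Path $Path -Leaf
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5031, 5157 } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*\$leaf*" } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}
Get-BlockedAppEvents -Path $Program | Format-Table -AutoSize
```

Running step 2 after the prompt has appeared should list the allow rule next to the two auto-created block rules, which makes it easy to see whether they differ only in profile and path casing.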