
I am in charge of a group of computers that process highly confidential data. They cannot be connected to the Internet or even the company network, only a network drive. So I wrote a batch file on the network drive and run it on each computer to consistently apply security settings.

The batch file calls netsh exec with the following script:

advfirewall
set store gpo = %COMPUTERNAME%
reset
set store local
reset

The problem is that the environment variable %COMPUTERNAME% fails to resolve to the actual computer name, so the GPO is not reset and there are conflicts between the settings in the two locations. Furthermore, netsh advfirewall reset only resets the local store and set store can only be run from a netsh script (the direct netsh advfirewall set store gpo in the batch file does not work).

How do I get set store to access the GPO for the machine that the batch file is running from? Or is there another way to reset the GPO settings (for Windows Firewall with Advanced Security) from the command line? I understand these settings are not stored in Registry.pol.

KFC

1 Answer

I suspect you're trying to pass %COMPUTERNAME% to netsh directly. It doesn't expand environment variables. Let the shell expand the variable for you, like this:

@echo off
rem Build a temporary netsh script in which cmd.exe has already expanded %COMPUTERNAME%
SET F="%TEMP%\%RANDOM%.txt"

echo advfirewall>%F%
rem Redirection goes first on this line: "echo ... PC1>>file" would make cmd.exe read the
rem trailing 1 as a stream handle and write "PC" instead of "PC1"
>>%F% echo set store gpo = %COMPUTERNAME%
echo reset>>%F%
echo set store local>>%F%
echo reset>>%F%

netsh -f %F%
del %F%

netsh ends up getting a script with the expanded environment variable already in it.

Evan Anderson
  • Thanks so much! But I do not understand why ``echo advfirewall>%F%`` is repeated again in the third last line. Thought that would just overwrite the script file with a single line? – KFC Oct 23 '14 at 03:09
  • @KFC - Oops! You caught a mistake. I fixed it up. – Evan Anderson Oct 23 '14 at 03:47
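As an added example, not part of the original answer, here is a batch file that applies the same idea and adds the check a practitioner would want afterwards: it writes the netsh script with cmd.exe expanding %COMPUTERNAME%, puts the redirection before each echo so a computer name ending in a digit is not truncated, resets both stores, and then dumps both stores so you can see that they no longer conflict. The temp file name, the "show allprofiles" lines and the exit-code handling are my additions.

```batch
@echo off
setlocal
rem Added example, not from the original answer: build the netsh script with
rem cmd.exe doing the %COMPUTERNAME% expansion, apply it, then dump both stores.
rem The temp file name and the "show allprofiles" lines are assumptions of this example.

set "F=%TEMP%\fwreset-%RANDOM%.txt"

rem Put the redirection first on every line. "echo ... PC1>>file" would make
rem cmd.exe read the trailing 1 as a stream handle and write "PC" instead of "PC1".
>"%F%"  echo advfirewall
>>"%F%" echo set store gpo = %COMPUTERNAME%
>>"%F%" echo reset
>>"%F%" echo show allprofiles
>>"%F%" echo set store local
>>"%F%" echo reset
>>"%F%" echo show allprofiles

rem The two "show allprofiles" blocks in the output should now match: with both
rem stores back at defaults there is nothing left to conflict.
netsh -f "%F%"
set "RC=%ERRORLEVEL%"
del "%F%"

if not "%RC%"=="0" echo netsh returned %RC%, check the output above.
endlocal
exit /b %RC%
```

Run it from an elevated prompt, since netsh advfirewall needs administrative rights to write either store. The exit code from netsh is only a coarse signal; the two "show allprofiles" dumps are the real confirmation that the GPO store was reset for this machine.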