Does Windows 7 re-enable Windows Firewall after removing from domain?

4

We have the following GPO's configured for our default domain policies:

  • Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Domain Profile Settings
    • Firewall state -- Off
  • Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
    • Windows Firewall: Protect all network connections -- Disabled
  • Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
    • Windows Firewall: Protect all network connections -- Disabled

Recently, we've had some strange hiccups that required a few machines to be taken off of the domain and be rejoined. However, after being removed and completing its first reboot, the Windows Firewall turns itself back on and blocks our attempts to connect remotely to rejoin it.

Although I'm not aware of this being an issue for us in the past, is this default behavior for when a machine is removed from the domain?

RecursiveGreen

Posted 2014-01-13T15:28:55.933

Reputation: 43

Answers

2

The Windows Advanced Firewall has three profiles: Domain, Public, and Private/Home. Each profile has its own settings. When you leave a domain, the Domain profile gets disabled and the Private profile gets activated. You need to ensure that the Private profile does not activate, using the netsh advfirewall command.

For more info: http://technet.microsoft.com/en-us/library/getting-started-wfas-firewall-profiles-ipsec(v=ws.10).aspx

pepoluan

Posted 2014-01-13T15:28:55.933

Reputation: 962

1 – I had a sneaky suspicion this was the case. Thank you for the info! – RecursiveGreen – 2014-01-13T20:07:18.030
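The profile switch described in this answer can be verified and handled from an elevated PowerShell prompt. The script below is an added example, not part of the original answer; it wraps netsh advfirewall because the NetSecurity cmdlets do not exist on Windows 7, and it assumes an English-locale netsh output (the "Profile Settings:" and "State" lines it parses). Function names are the example's own.

```powershell
# Added example (not from the original answer). Assumes Windows 7 / 2008 R2, an elevated
# prompt, and English-locale output from netsh advfirewall, which is what gets parsed below.

function Get-FirewallProfileState {
    # Parses 'netsh advfirewall show allprofiles state' into a hashtable: profile name -> ON/OFF
    $states  = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $matches[1]
        }
        elseif ($current -and $line -match '^State\s+(ON|OFF)') {
            $states[$current] = $matches[1]
        }
    }
    return $states
}

function Show-ActiveProfile {
    # Lists the profile(s) the firewall is currently applying; after leaving the domain this
    # is expected to be Private (or Public), no longer Domain.
    netsh advfirewall monitor show currentprofile
}

function Set-PrivateProfileForRejoin {
    # Two ways to keep the Private profile from blocking the remote rejoin:
    #   Off      - the answer's approach: turn the Private profile off entirely
    #   AllowRdp - narrower: leave the profile on and enable the built-in Remote Desktop rule group
    param([ValidateSet('Off', 'AllowRdp')][string]$Mode = 'AllowRdp')

    if ($Mode -eq 'Off') {
        netsh advfirewall set privateprofile state off
    }
    else {
        netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
    }

    # Re-read the state so the caller sees what actually took effect
    Get-FirewallProfileState
}

# Usage: inspect first, then apply the chosen remedy before the machine is removed from the domain
Get-FirewallProfileState | Format-Table -AutoSize
Show-ActiveProfile
Set-PrivateProfileForRejoin -Mode AllowRdp
```

The AllowRdp mode is the one a defender would normally prefer: it keeps the Private profile enforcing its default-deny inbound stance and only opens the Remote Desktop rule group that the rejoin actually needs. Substitute the rule group for whatever remote management path you use (for example "remote administration" for WMI and remote registry) if RDP is not how you reconnect.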

1

By default, the Windows Firewall is turned on. If you have a policy to turn off the firewall set by GPOs, there's no way to ensure the policy you want or don't want will be set when it's removed from the domain. Rejoining to the domain should always be followed with manual GP updates using the following from the command prompt.

GPUpdate /force

GPUPDATE

This ensures the system pulls completely up to date policy. The only way to really prevent this is to also disable it at the local policy level.

MDT Guy

Posted 2014-01-13T15:28:55.933

Reputation: 3 683

1 – Your answer is correct, but I think @pepoluan has more relevance to my current situation. Thanks! : ) – RecursiveGreen – 2014-01-13T20:10:00.907
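To see why a GPO-delivered "firewall off" setting stops applying once the machine leaves the domain, and whether a local policy would hold it, it helps to compare the policy-delivered registry values with the machine's own local firewall values. The script below is an added example, not part of this answer; it assumes the standard Windows Firewall registry locations (policy values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall, local values under the SharedAccess FirewallPolicy key) and treats the PrivateProfile/StandardProfile naming split as the usual one, with PrivateProfile written by the WFAS security-settings node and StandardProfile by the legacy administrative template. Function names are the example's own.

```powershell
# Added example (not from the original answer). Assumes an elevated prompt and the standard
# Windows Firewall registry layout named below; values are 1 = firewall on, 0 = off.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-EnableFirewallValue([string]$Path) {
    # Returns 1/0 when an EnableFirewall value exists under $Path, or $null when nothing is set there
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name EnableFirewall -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.EnableFirewall
}

function Get-FirewallSettingSources {
    # For each profile, reports the value delivered by policy (domain GPO or local policy, both
    # land under $policyRoot) and the local value the firewall falls back to when no policy
    # applies, which is what happens after the machine is removed from the domain.
    # Private is checked under both key names the policy side can use (assumption noted above).
    $map = @{
        'Domain'  = @{ Policy = @('DomainProfile');                    Local = 'DomainProfile'   }
        'Private' = @{ Policy = @('PrivateProfile', 'StandardProfile'); Local = 'StandardProfile' }
        'Public'  = @{ Policy = @('PublicProfile');                    Local = 'PublicProfile'   }
    }
    foreach ($name in @('Domain', 'Private', 'Public')) {
        $policy = $null
        foreach ($key in $map[$name].Policy) {
            $v = Get-EnableFirewallValue (Join-Path $policyRoot $key)
            if ($v -ne $null) { $policy = $v; break }
        }
        $local = Get-EnableFirewallValue (Join-Path $localRoot $map[$name].Local)
        New-Object PSObject -Property @{
            Profile   = $name
            Policy    = $policy                                     # $null = no policy at all
            Local     = $local
            Effective = $(if ($policy -ne $null) { $policy } else { $local })
            Source    = $(if ($policy -ne $null) { 'Policy' } else { 'Local' })
        }
    }
}

function Update-PolicyAndAudit {
    # The answer's gpupdate /force step, followed by a fresh look at where each setting comes from
    gpupdate /force | Out-Null
    Get-FirewallSettingSources | Format-Table Profile, Policy, Local, Effective, Source -AutoSize
}

# Usage: run once while domain-joined and again after leaving; the Private row's Source column
# flips from Policy to Local if only a domain GPO was turning the firewall off.
Get-FirewallSettingSources | Format-Table Profile, Policy, Local, Effective, Source -AutoSize
```

If the Private profile shows Source = Local with Effective = 1 after the machine leaves the domain, that is the firewall coming back on exactly as the question describes. A setting made in the local policy editor writes to the same Policies key, so the audit will keep showing Source = Policy after the domain GPO is gone, which is the "disable it at the local policy level" point this answer makes; whether disabling it is preferable to keeping it on with a narrow management rule is a separate choice.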