How to Configure Windows Firewall with Advanced Security by Using an Answer File
Updated: May 31, 2012
Applies To: Windows 8, Windows Server 2012
For unattended installations, you can configure Windows® Firewall with Advanced Security settings in an answer file by using the Networking-MPSSVC-Svc component. In addition to the answer file (Unattend.xml) settings for Windows Firewall with Advanced Security, you can create a RunSynchronous command that runs Netsh advfirewall commands during the auditUser or oobeSystem configuration pass.
Use RunSynchronous commands only to add, modify, or delete rules for Windows Firewall with Advanced Security. To modify rule groups, use the FirewallGroups setting in the Networking-MPSSVC-Svc component. For more information about Windows components and settings that you can add to an answer file, see the Unattended Windows Setup Reference Guide.
On your technician computer, open Windows System Image Manager (Windows SIM). Click Start, type Windows System Image Manager, and then select Windows System Image Manager.
On the Insert menu, click RunSynchronous.
Note: Don't use the RunSynchronous Netsh advfirewall command during the specialize configuration pass.
The Create Synchronous Command dialog box appears.
In the Enter command line box, type the command-line syntax, like Netsh advfirewall firewall. For more information, see the Network Shell (Netsh) Technical Reference.
In the Order box, select the order of the commands that will run, and then click OK.
The command is added to the answer file in the selected configuration pass, as follows:
- Commands that are added to the 6 auditUser configuration pass appear in the setting Microsoft-Windows-Deployment\RunSynchronous.
- Commands that are added to the 7 oobeSystem configuration pass appear in the setting Microsoft-Windows-Shell-Setup\FirstLogonCommands.
In the SynchronousCommand Properties pane, in the Settings section next to Description, enter a description like Enable Windows Messenger.
The command is added to the answer file under the configuration pass that you selected. This example illustrates how an incoming rule for Windows Messenger is configured:
    <RunSynchronous>
        <RunSynchronousCommand wcm:action="add">
            <Path>Netsh advfirewall firewall add rule name="allow messenger" dir=in program="c:\programfiles\messenger\msmsgs.exe" action=allow</Path>
            <Description>Enable Windows Messenger</Description>
            <Order>1</Order>
        </RunSynchronousCommand>
    </RunSynchronous>
Note: The Netsh advfirewall command requires administrator permissions to run. If the RunSynchronous command runs in a configuration pass that runs in user context, that user account must have administrator permissions.
The following example illustrates how to add a new outgoing firewall rule to block a port by using the Netsh advfirewall command-line tool.
At an elevated command prompt, enter syntax that adds a new outgoing firewall rule to block a port. For example:
    Netsh advfirewall firewall add rule name="allow80" protocol=TCP dir=out localport=80 action=block
where the blocked port is TCP port 80.
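As an added example (not from this article, Windows SIM or Netsh itself), the following Python builds the RunSynchronous fragment shown above from a list of rules, so the Order values and the wcm:action="add" attribute are generated rather than hand-typed, and reads the command lines back out of an existing fragment for review. It assumes only the rule fields this page uses (name, dir, program, protocol, localport, action); the wcm namespace URI is the one an Unattend.xml file declares on its root element.

```python
from dataclasses import dataclass
from xml.etree import ElementTree as ET

# Namespace behind the wcm: prefix that Unattend.xml declares on its <unattend> root.
WCM_NS = "http://schemas.microsoft.com/WMIConfig/2002/State"
ET.register_namespace("wcm", WCM_NS)

@dataclass(frozen=True)
class FirewallRule:
    """The 'Netsh advfirewall firewall add rule' fields this page uses."""
    name: str
    direction: str      # "in" or "out"
    action: str         # "allow" or "block"
    program: str = ""   # program path the rule applies to, if any
    protocol: str = ""  # e.g. "TCP"
    localport: int = 0  # 0 means no localport clause

    def netsh(self) -> str:
        """Render the rule as one Netsh command line for a <Path> element."""
        if self.direction not in ("in", "out") or self.action not in ("allow", "block"):
            raise ValueError("dir must be in|out and action must be allow|block")
        if '"' in self.name or '"' in self.program:
            raise ValueError("a double quote inside name or program would break the command")
        parts = [f'Netsh advfirewall firewall add rule name="{self.name}"']
        if self.protocol:
            parts.append(f"protocol={self.protocol}")
        parts.append(f"dir={self.direction}")
        if self.localport:
            parts.append(f"localport={self.localport}")
        if self.program:
            parts.append(f'program="{self.program}"')
        parts.append(f"action={self.action}")
        return " ".join(parts)

def run_synchronous_fragment(rules: list) -> str:
    """Build <RunSynchronous>; rules is a list of (FirewallRule, description) pairs."""
    root = ET.Element("RunSynchronous")
    for order, (rule, description) in enumerate(rules, start=1):
        cmd = ET.SubElement(root, "RunSynchronousCommand", {f"{{{WCM_NS}}}action": "add"})
        ET.SubElement(cmd, "Path").text = rule.netsh()
        ET.SubElement(cmd, "Description").text = description
        ET.SubElement(cmd, "Order").text = str(order)  # Order follows list position
    return ET.tostring(root, encoding="unicode")

def firewall_commands(fragment: str) -> list:
    """Read the Path commands back out of a fragment in <Order> sequence, for review."""
    cmds = ET.fromstring(fragment).findall("RunSynchronousCommand")
    return [c.findtext("Path") for c in sorted(cmds, key=lambda c: int(c.findtext("Order")))]
```

Running an existing fragment through firewall_commands before it goes into the answer file makes visible the exact command lines that will run with administrator permissions during the pass.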
You can convert Netsh commands to Windows PowerShell® commands. For more information, see the Netshell to Powershell Conversion Guide.