How do I use DSC to totally disable the Windows Firewall?

This topic contains 4 replies, has 3 voices, and was last updated by  Anthony 2 years, 2 months ago.

  • Author
  • #38809


    How do I use DSC (either cFirewall or xNetworking) to disable the private, public and domain profiles of the Windows firewall? I'm using Windows Server 2012 and WMF 4.

    I want to totally disable the Windows firewall. Must I modify an entry in the registry?

    I tried using cFirewall and xNetworking (downloading files from the Internet). Here is an example of what I tried after I manually disabled the Windows firewall (to try to enable it to prove it can work):

    configuration Add_FirewallRuleToExistingGroup
    {
        param
        (
            [string[]]$NodeName = 'localhost'
        )

        Import-DSCResource -ModuleName xNetworking

        Node $NodeName
        {
            xFirewall Firewall
            {
                Name         = "MyFirewallRule"
                DisplayName  = "My Firewall Rule"
                DisplayGroup = "My Firewall Rule Group"
                Access       = "Allow"
                State        = "Enabled"
                Profile      = "Private"
            }
        }
    }

    # Compile the configuration to a .mof file in the current directory
    Add_FirewallRuleToExistingGroup -OutputPath .

    I had no errors when I ran the script above. I applied the configuration with start-dscconfiguration Add_FirewallRuleToExistingGroup -Wait -Verbose. There were no errors. But the firewall remained disabled. Rebooting didn't help.

    I manually enabled the firewall. I then changed the above configuration script to try to disable the firewall. There were no errors when I compiled it. There were no errors when I tried to apply the .mof file. But the firewall remained enabled. How do I use DSC (not plain PowerShell scripts) to totally disable the Windows Firewall?

  • #38825


    You cannot use the xFirewall resource for disabling the firewall. Here is a script resource to do the job.

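    Script DisableFirewall
    {
        # Result is True when no profile reports Enabled = True
        GetScript = {
            @{
                GetScript  = $GetScript
                SetScript  = $SetScript
                TestScript = $TestScript
                Result     = -not('True' -in (Get-NetFirewallProfile -All).Enabled)
            }
        }
        # Turn off the Domain, Private and Public profiles
        SetScript = {
            Set-NetFirewallProfile -All -Enabled False -Verbose
        }
        # Return True (nothing to do) only when no profile is enabled
        TestScript = {
            $Status = -not('True' -in (Get-NetFirewallProfile -All).Enabled)
            $Status -eq $True
        }
    }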
  • #38960


    That worked!

  • #38964


    Glad it did. I usually find it easier to write resource scripts if the code you want to run is just a one liner. Anything more complicated gets a proper resource.

  • #39033


    I wrote a resource for that. I was surprised that the xFirewall resource didn't allow it.
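
The Script resource from reply #38825, generalized into a complete configuration that can enforce either state on all three profiles and names any profile that has drifted. This is an added example, not code from the thread: the configuration name `FirewallProfileState` and its `Enabled` parameter are hypothetical, and it assumes the `$using:` scope is available to pass the parameter into the Script resource.

```powershell
# Added example, not from the thread. FirewallProfileState and -Enabled are hypothetical names.
configuration FirewallProfileState
{
    param
    (
        [string[]]$NodeName = 'localhost',

        # Desired state applied to the Domain, Private and Public profiles
        [ValidateSet('True', 'False')]
        [string]$Enabled = 'True'
    )

    Node $NodeName
    {
        Script FirewallProfiles
        {
            # Report the current state of each profile, e.g. "Domain=True;Private=False;Public=True"
            GetScript = {
                $state = Get-NetFirewallProfile -All |
                    ForEach-Object { '{0}={1}' -f $_.Name, $_.Enabled }
                @{ Result = $state -join ';' }
            }

            # Any profile whose state differs from the desired one (including NotConfigured) is drift
            TestScript = {
                $drift = Get-NetFirewallProfile -All |
                    Where-Object { "$($_.Enabled)" -ne $using:Enabled }
                foreach ($p in $drift) {
                    Write-Verbose "Profile $($p.Name) is Enabled=$($p.Enabled), expected $using:Enabled"
                }
                -not $drift
            }

            # Bring every profile to the desired state
            SetScript = {
                Set-NetFirewallProfile -All -Enabled $using:Enabled -Verbose
            }
        }
    }
}

# Compile with the state to enforce ('False' gives the result asked for in the thread), then apply
FirewallProfileState -Enabled 'False' -OutputPath .\FirewallProfileState
Start-DscConfiguration -Path .\FirewallProfileState -Wait -Verbose

# Confirm the node matches the configuration and show the state of each profile
Test-DscConfiguration -Verbose
Get-NetFirewallProfile -All | Select-Object Name, Enabled
```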
