I’m currently experiencing an issue where I have machines with their Windows Firewall disabled with Group Policy (and the firewall is thus disabled) yet BigFix is reporting the firewall to be enabled for that particular network profile.
The inspector appears to correctly report if an end user disables the firewall but if the firewall is disabled using Group Policy the inspector doesn’t seem to notice and reports the state of the firewall IF group policy was not being applied.
(type of it, firewall enabled of it) of profiles of local policy of firewall
Luckily there are only three firewall profiles so I currently am using the following instead as a temporary workaround:
("Domain", firewall enabled of domain profile of local policy of firewall and not exists (value "EnableFirewall" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" of native registry as string | "-1") whose (it = "0"));
("Public", firewall enabled of public profile of local policy of firewall and not exists (value "EnableFirewall" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" of native registry as string | "-1") whose (it = "0"));
("Private", firewall enabled of private profile of local policy of firewall and not exists (value "EnableFirewall" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" of native registry as string | "-1") whose (it = "0"))
Seems like this could work to check all of the GPO options:
not exists values "EnableFirewall" whose(it = "0") of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall" of (x64 registries; x32 registries)
Seems like this would handle the normal case:
not exists firewalls enabled whose(FALSE=it) of profiles of local policies of firewalls
I have a tendency to use “current profile of local policy of firewall” to look at only the currently-active profile.
Current Firewall Profile: (“Domain”, “Public”, “Private”, “Standard”)
type of current profile of local policy of firewall as string
Firewall Enabled - Local Policy (True/False)
exists firewall whose (firewall enabled of current profile of local policy of firewall)
Firewall Enabled - Group Policy (True/False)
exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry
Firewall Configuration - Group Policy (returns “Enabled”, “Disabled”, or “Not Configured”)
(if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then "Enabled" else "Disabled" else "Not Configured") of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry
Firewall Enabled - Active Configuration (True/False) - A couple of different ways of getting at it. I’m still playing with these.
(if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then True else False else firewall enabled of current profile of local policy of firewall) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry
exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry OR ( firewall enabled of current profile of local policy of firewall AND not exists (value "EnableFirewall" of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry as string | "-1") whose (it = "0") )
It looks like current profile doesn’t work either when you have multiple active profiles:
Active Profiles:
Q: profile types of firewall
A: Domain
A: Public
First
Q: type of current profile of local policy of firewall as string
E: Singular expression refers to nonexistent object.
Second
Q: exists firewall whose (firewall enabled of current profile of local policy of firewall)
A: False
T: 83.131 ms
Third
Q: exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry
E: Singular expression refers to nonexistent object.
Fourth
Q: (if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then "Enabled" else "Disabled" else "Not Configured") of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry
E: Singular expression refers to nonexistent object.
Fifth
Q: (if exists value "EnableFirewall" of it then if value "EnableFirewall" of it as integer = 1 then True else False else firewall enabled of current profile of local policy of firewall) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry
E: Singular expression refers to nonexistent object.
Last
Q: exists values "EnableFirewall" whose (it as integer = 1) of keys ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry OR ( firewall enabled of current profile of local policy of firewall AND not exists (value "EnableFirewall" of key ("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\" & current profile type of firewall as string & "Profile") of native registry as string | "-1") whose (it = "0") )
E: Singular expression refers to nonexistent object.
The use case for this is when you have multiple active adapters with different security levels.
For example:
Domain Joined machine with a local network connection (Domain Network) with an active VPN Connection (Public Network)
Domain Joined FileServer with a local network connection (Domain Network) and a private SAN network (Private Network)
Hmmm… back to a personal aggravation of mine, that all the Registry creation classes require “of registry”. So I can’t do something like:
exists profile types whose (exists values "EnableFirewall" of key ("HKLM\Software\Policies\Microsoft\WindowsFirewall\" & it & "Profile") of native registry) of firewall
I haven’t found a construct where “it” can refer to the profile type, rather than the native registry. This is a case that would be simpler with:
exists profile types whose (exists values "EnableFirewall" of native registry key ("HKLM\Software\Policies\Microsoft\WindowsFirewall\" & it & "Profile") ) of firewall
Sigh, if only there were a “native registry key” creation class (hint hint @AlanM)
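Added example, not part of any post in this thread: a PowerShell cross-check of the precedence the thread works out (a configured Group Policy "EnableFirewall" value overrides the local setting), evaluated for every profile instead of a single current one so that multiple active profiles are handled. It assumes the Get-NetFirewallProfile and Get-NetConnectionProfile cmdlets are available and uses the "<type>Profile" key names from the posts above; all variable names are illustrative.

```powershell
# Added example (not from the thread). Read-only: nothing is changed on the host.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Get-NetConnectionProfile reports a category per connection; map it to a profile name.
$categoryToProfile = @{
    DomainAuthenticated = 'Domain'
    Private             = 'Private'
    Public              = 'Public'
}

# Several profiles can be active at once (for example LAN plus VPN), so keep them all.
$activeProfiles = @(Get-NetConnectionProfile |
    ForEach-Object { $categoryToProfile[[string]$_.NetworkCategory] } |
    Sort-Object -Unique)

$report = foreach ($name in 'Domain', 'Private', 'Public') {
    # Group Policy value, using the "<type>Profile" key pattern from the thread.
    # The StandardProfile key used in the first workaround is not checked here.
    $gpo = Get-ItemProperty -Path "$policyRoot\${name}Profile" -Name EnableFirewall -ErrorAction SilentlyContinue
    $gpoState = if ($null -eq $gpo) { 'Not Configured' } elseif ([int]$gpo.EnableFirewall -eq 1) { 'Enabled' } else { 'Disabled' }

    # Local setting only (what an end user or local admin configured).
    $local = [string](Get-NetFirewallProfile -Name $name -PolicyStore PersistentStore).Enabled -eq 'True'

    # Precedence discussed in the thread: a configured GPO value wins, else local applies.
    $derived = if ($gpoState -eq 'Not Configured') { $local } else { $gpoState -eq 'Enabled' }

    # Cross-check against the merged policy Windows is actually enforcing.
    $enforced = [string](Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore).Enabled -eq 'True'

    [pscustomobject]@{
        Profile     = $name
        Active      = $activeProfiles -contains $name
        GroupPolicy = $gpoState
        Local       = $local
        Derived     = $derived
        Enforced    = $enforced
        Mismatch    = $derived -ne $enforced
    }
}

$report | Format-Table -AutoSize
```

A row with Mismatch set to True means the registry-based derivation disagrees with the enforced policy, which is the signal to look at other policy keys such as StandardProfile.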