Windows Firewall with Advanced Security is a powerful built-in firewall that can be managed centrally across your entire organisation via Group Policy. This guide covers how to configure Windows Firewall rules via Group Policy in 2026 — including creating inbound and outbound rules, blocking applications and deploying rules to domain-joined machines.
Open Windows Firewall Group Policy Settings
- Open Group Policy Management Console
- Create a new GPO or edit an existing one
- Navigate to Computer Configuration → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security
- Right-click Windows Defender Firewall with Advanced Security and select Properties to configure the firewall profiles
Configure Firewall Profiles
Windows Firewall has three profiles — Domain, Private and Public. In a corporate environment, configure all three, but the Domain profile is the most important, as it applies when machines are connected to the corporate network.
- Domain Profile — applies when connected to a domain network
- Private Profile — applies on home or trusted networks
- Public Profile — applies on untrusted public networks — should be most restrictive
Create an Inbound Firewall Rule via Group Policy
- Expand Windows Defender Firewall with Advanced Security → Inbound Rules
- Right-click and select New Rule
- Select the rule type — Port, Program, Predefined or Custom
- For a port rule: select TCP or UDP and specify the port number
- Select Allow the connection or Block the connection
- Select which profiles the rule applies to — Domain, Private, Public
- Give the rule a descriptive name and click Finish
Create Firewall Rules via PowerShell

```powershell
# Note: run as-is, these cmdlets write to the local firewall policy store of the machine they run on.
# To write the rules into a GPO instead, add -PolicyStore "<domain>\<GPO name>" to each New-NetFirewallRule call.

# Allow inbound RDP (port 3389) on domain profile only
New-NetFirewallRule -DisplayName "Allow RDP Inbound" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -Profile Domain

# Block outbound access for a specific application
New-NetFirewallRule -DisplayName "Block App Outbound" -Direction Outbound -Program "C:\Program Files\App\app.exe" -Action Block -Profile Any

# Allow inbound ping (ICMPv4 echo request, type 8)
New-NetFirewallRule -DisplayName "Allow ICMPv4 Inbound" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow

# View all firewall rules
Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize

# Disable a specific rule
Disable-NetFirewallRule -DisplayName "Allow RDP Inbound"
```

Common Enterprise Firewall Rules
| Rule | Direction | Protocol | Port | Action |
|---|---|---|---|---|
| Allow RDP from IT subnet only | Inbound | TCP | 3389 | Allow (scoped to IP range) |
| Allow WinRM management | Inbound | TCP | 5985, 5986 | Allow |
| Allow SCCM client | Inbound | TCP | 445, 135 | Allow |
| Block Telnet | Outbound | TCP | 23 | Block |
| Allow DNS | Outbound | UDP/TCP | 53 | Allow |
Frequently Asked Questions
Will Windows Firewall Group Policy override local firewall rules?
By default, Group Policy firewall rules merge with local firewall rules. You can change this in the firewall profile properties — set Rule merging to No to make Group Policy rules the only rules that apply, overriding any local rules users may have created.
How do I troubleshoot Windows Firewall blocking traffic?
Enable Windows Firewall logging in the profile properties — set log dropped packets to Yes and specify a log file path. Then review the log file to identify which rule is blocking traffic. Alternatively use the Windows Firewall with Advanced Security console and run the Troubleshoot option, or use: netsh advfirewall monitor show firewall rule name=all
Can I disable Windows Firewall via Group Policy?
Yes — in the firewall profile properties set Firewall state to Off. However, disabling Windows Firewall is strongly discouraged, as it removes a critical layer of defence. If a third-party firewall is in use, ensure it is fully configured before disabling the Windows Firewall.
How do I scope a firewall rule to specific IP addresses?
When creating a rule, go to the Scope tab and specify the remote IP addresses the rule applies to. This allows you to create rules that only apply to traffic from or to specific subnets — for example allowing RDP only from your IT management subnet.
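As an added example (not code from the original article), the following PowerShell writes the scoped RDP rule from the table above, together with the rule-merging and dropped-packet-logging settings from the FAQ, directly into a GPO's firewall policy store instead of the local machine. The domain name, GPO name and IT management subnet are assumed values.

```powershell
# Added example: configure Windows Firewall settings inside a GPO rather than locally.
# Assumed values (replace with your own): domain, GPO name and IT management subnet.
$Domain      = 'contoso.com'
$GpoName     = 'Workstation Firewall Policy'
$ItSubnet    = '10.10.50.0/24'
$PolicyStore = "$Domain\$GpoName"

# Fail early if the GPO does not exist (requires the RSAT GroupPolicy module).
Import-Module GroupPolicy
$null = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction Stop

# Open a GPO session: edits are batched and written once with Save-NetGPO.
$Session = Open-NetGPO -PolicyStore $PolicyStore

# Domain profile: firewall on, inbound blocked by default, local rules ignored
# (rule merging off), dropped packets logged so blocked traffic can be traced.
Set-NetFirewallProfile -GPOSession $Session -Name Domain `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -LogBlocked True `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# RDP allowed only from the IT subnet on the domain profile
# (the table's "Allow RDP from IT subnet only" row, scoped via -RemoteAddress).
New-NetFirewallRule -GPOSession $Session `
    -DisplayName 'Allow RDP from IT subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ItSubnet `
    -Action Allow -Profile Domain

# Commit the batched changes to the GPO.
Save-NetGPO -GPOSession $Session

# Verify from the GPO store: the rule's address filter should list only the IT subnet.
Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName 'Allow RDP from IT subnet' |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```

Run this from a management host with RSAT installed, using an account permitted to edit the GPO; the settings reach domain-joined machines on their next Group Policy refresh.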
