Configure Windows Firewall with Advanced Security by Using an Answer File

Updated: October 20, 2013

Applies To: Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2

For unattended installations, you can configure Windows® Firewall with Advanced Security settings in an answer file by using the Networking-MPSSVC-Svc component. In addition to the answer file (Unattend.xml) settings for Windows Firewall with Advanced Security, you can create a RunSynchronous command that runs Netsh advfirewall commands during the auditUser or oobeSystem configuration pass.

Use RunSynchronous commands only to add, modify, or delete rules for Windows Firewall with Advanced Security. To modify rule groups, use the FirewallGroups setting in the Networking-MPSSVC-Svc component. For more information about Windows components and settings that you can add to an answer file, see the Unattended Windows Setup Reference Guide.

  1. On your technician computer, open Windows System Image Manager (Windows SIM). Click Start, type Windows System Image Manager, and then select Windows System Image Manager.

  2. Create a new answer file, or update an existing answer file. For more information, see Create or Open an Answer File and Best Practices for Authoring Answer Files.

  3. On the Insert menu, click RunSynchronous.

  4. Select the configuration pass where you want to install the command. This can be the auditUser or oobeSystem configuration pass.

    Don't use the RunSynchronous Netsh advfirewall command during the specialize configuration pass.

  5. The Create Synchronous Command dialog box appears.

  6. In the Enter command line box, type the command-line syntax, like Netsh advfirewall firewall. For more information, see the Network Shell (Netsh) Technical Reference.

  7. In the Order box, select the order of the commands that will run, and then click OK.

    The command is added to the answer file in the selected configuration pass, as follows:

    1. Commands that are added to the auditUser configuration pass appear in the setting Microsoft-Windows-Deployment\RunSynchronous.

    2. Commands that are added to the oobeSystem configuration pass appear in the setting Microsoft-Windows-Shell-Setup\FirstLogonCommands.

  8. In the SynchronousCommand Properties pane, in the Settings section next to Description, enter a description like Enable Windows Messenger.

  9. The command is added to the answer file under the configuration pass that you selected. This example illustrates how an incoming rule for Windows Messenger is configured:

             <RunSynchronousCommand wcm:action="add">
                <Order>1</Order>
                <Path>Netsh advfirewall firewall add rule name="allow messenger" dir=in action=allow</Path>
                <Description>Enable Windows Messenger</Description>
             </RunSynchronousCommand>

The Netsh advfirewall command requires administrator permissions to run. If the RunSynchronous command runs in a configuration pass that runs in user context, that user account must have administrator permissions.

The following example illustrates how to add a new outgoing firewall rule to block a port by using the Netsh advfirewall command-line tool.

  • At an elevated command prompt, enter syntax that adds a new outgoing firewall rule to block a port. For example:

    Netsh advfirewall firewall add rule name="allow80" protocol=TCP dir=out localport=80 action=block

    where the blocked port is TCP port 80.
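As an added example that is not part of the original article, the following Python helper audits an Unattend.xml for Netsh advfirewall entries in RunSynchronous and FirstLogonCommands, reporting any that run outside the auditUser or oobeSystem passes or, for a "firewall add rule" command, lack the name, dir or action parameters. The sample answer file is constructed for the example and omits the component attributes a real file carries.

```python
import re
import xml.etree.ElementTree as ET
# Added audit helper (not from the article): flags Netsh advfirewall commands that
# run in the wrong configuration pass or lack the parameters 'add rule' requires.
NS = {"u": "urn:schemas-microsoft-com:unattend"}
ALLOWED_PASSES = {"auditUser", "oobeSystem"}  # passes the article permits
REQUIRED = ("name", "dir", "action")          # mandatory for 'firewall add rule'

# Constructed sample answer file (not a real deployment file); component attributes omitted.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Deployment"><RunSynchronous>
      <RunSynchronousCommand wcm:action="add"><Order>1</Order>
        <Path>Netsh advfirewall firewall add rule name="block80" protocol=TCP dir=out localport=80 action=block</Path>
      </RunSynchronousCommand>
    </RunSynchronous></component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup"><FirstLogonCommands>
      <SynchronousCommand wcm:action="add"><Order>1</Order>
        <CommandLine>Netsh advfirewall firewall add rule name="allow messenger" dir=in</CommandLine>
      </SynchronousCommand>
    </FirstLogonCommands></component>
  </settings>
</unattend>"""

def parse_rule(cmd):
    """Map the key=value tokens of a netsh rule command to a dict (quotes stripped)."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', cmd)}

def audit(xml_text):
    """Return (pass, command, problems) for every Netsh advfirewall entry found."""
    findings = []
    for settings in ET.fromstring(xml_text).findall("u:settings", NS):
        pass_name = settings.get("pass")
        paths = ("u:RunSynchronousCommand/u:Path", "u:SynchronousCommand/u:CommandLine")
        for node in (n for p in paths for n in settings.iterfind(".//" + p, NS)):
            cmd = (node.text or "").strip()
            if not re.match(r"netsh\s+advfirewall", cmd, re.I):
                continue
            problems = []
            if pass_name not in ALLOWED_PASSES:
                problems.append(f"runs in '{pass_name}' pass; use auditUser or oobeSystem")
            missing = [p for p in REQUIRED if p not in parse_rule(cmd)]
            if missing and re.search(r"firewall\s+add\s+rule", cmd, re.I):
                problems.append("missing parameter(s): " + ", ".join(missing))
            findings.append((pass_name, cmd, problems))
    return findings
```

Run audit() on a real answer file before deployment; an empty problems list for every finding means each firewall command sits in a permitted pass and carries the parameters netsh needs.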

You can convert Netsh commands to Windows PowerShell® commands. For more information, see the Netshell to Powershell Conversion Guide.

© 2014 Microsoft