I worked with something new in PowerShell the other day that I thought would be nice to share: how to work with the Windows Firewall. I needed to verify whether some specific machines had the correct firewall settings to allow Configuration Manager client push. I set myself a challenge and tried to figure that out using PowerShell.

For those who do not know what Configuration Manager client push is, it is a method that lets you push the SCCM client to any discovered machine by right-clicking it and clicking “Install client” in the console. This is a great way to quickly install the SCCM client on remote machines.

Client push is great when everything works well. When it does not, it can become a real nightmare to troubleshoot. There are two main requirements: the account that pushes the client needs local administrator rights on the targeted machine, and a set of specific firewall exceptions needs to be enabled.

This blog post answers the question “what firewall rules need to be enabled for Configuration Manager client push?”. It also covers how to identify whether the Configuration Manager firewall rules are enabled, and how to set them to the appropriate state using Windows PowerShell.

This blog post covers the automation of the Configuration Manager firewall rules. The second part of this blog post will highlight the automation of the local admin part.

1-How to get Windows Firewall rules using PowerShell?

I needed to check if some firewall rules were enabled on some specific machines today.

Generally a GPO is used to open these ports. This solution offers an alternative, and helps to identify which ports are not open. The challenge here was to use PowerShell, which can come in handy if you do not have access to the GPMC console for one reason or another.

So, what do we need nowadays to work on the Windows Firewall?

Basically, in order to work with the firewall, there is one cmdlet that you need to know: Get-NetFirewallRule

Actually, you can easily find all the cmdlets related to the firewall using this simple command:

You will get something similar to this:

[Screenshot: firewall cmdlets]

For my specific situation, I needed to check whether the following two rules were enabled or not:

  • Print File sharing services
  • Windows Management Instrumentation (WMI)

Now, where there can be a little struggle is how to identify the names of the rules that you need to focus on. No worries, I got the line for you guys 😉

The thing to keep in mind here is that the name of the rule you are looking for in PowerShell is actually not the one that is displayed in the Windows Firewall with Advanced Security MMC. There is a Name, and a DisplayName.

[Screenshot: firewall rule DisplayName]

Knowing that, we can easily go fetch the name and the display name of the firewall rules that we are curious about.

We receive a lot of information on the screen using this command, too much to be able to analyze anything. Since we want only the File and Printer Sharing and the Windows Management Instrumentation rules, we will narrow it down to these two groups.

Groups? Who said groups? Yep, I did. If you check the image of the firewall rules above, you will notice that there is a column called Group. We can then filter on the group.

The column called “Group” in the Advanced Windows Firewall window is actually the “DisplayGroup” field in PowerShell.

[Screenshot: File and Printer Sharing firewall rules]

Cool tip! To avoid the little dots (…) in the DisplayName where the string is too long, and to have everything nicely formatted, we can pipe our results to Format-Table -AutoSize as shown in the example below. It will nicely organize everything for us.

[Screenshot: File and Printer Sharing rules piped to Format-Table -AutoSize]

One thing to remember when using Format-Table (or its alias ‘ft’): be sure to respect the PowerShell best practice and use it at the very, very right of your pipeline, otherwise it will break your object and you won't be able to use it further in the pipeline.

And now we do the same thing for the Windows Management Instrumentation rules using the following command:

[Screenshot: WMI firewall rules]

2-How to set Windows Firewall rules using PowerShell?

Now that we know how to identify the needed firewall rules for the ConfigMgr Client push, we need to know how we can change the state of the ones that are missing.

To set a firewall rule, we will have to use “Set-NetFirewallRule“.

The code is pretty straightforward: we simply get one firewall rule (or a bunch of them) using this command:

[Screenshot: Windows Firewall PowerShell]

Did you know that FPS-ICMP4-ERQ-IN is actually the “File and Printer Sharing (Echo Request – ICMPv4-In)” rule? In other words, the ping rule.

We can simply pipe the result to “Set-NetFirewallRule” as follows in order to enable the rule.

Easy right? 🙂
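The get-then-set workflow from sections 1 and 2, as an added example (not the original post's code and not the Get-SCCMClientPushFireWallSettings function): it lists every rule in the two groups with its Name, DisplayName and state, then previews enabling the disabled ones. The helper name Get-ClientPushRuleState is hypothetical, and the display group strings assume an English-language Windows installation.

```powershell
# Added example. Helper name is hypothetical; group names assume English Windows.
function Get-ClientPushRuleState {
    [CmdletBinding()]
    param(
        [string[]]$DisplayGroup = @('File and Printer Sharing',
                                    'Windows Management Instrumentation (WMI)')
    )
    foreach ($group in $DisplayGroup) {
        # -DisplayGroup matches the "Group" column shown in the firewall MMC
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue)
        if ($rules.Count -eq 0) {
            Write-Warning "No firewall rules found for group '$group'"
            continue
        }
        foreach ($rule in $rules) {
            # Emit plain objects so the result can still be filtered or exported
            [pscustomobject]@{
                Group       = $group
                Name        = $rule.Name          # internal name, e.g. FPS-ICMP4-ERQ-IN
                DisplayName = $rule.DisplayName   # text shown in the MMC
                Direction   = $rule.Direction
                Profile     = $rule.Profile
                Enabled     = ($rule.Enabled -eq 'True')
            }
        }
    }
}

# Keep the objects in a variable; format only at the far right of the pipeline
$state = Get-ClientPushRuleState
$state | Sort-Object Group, Name | Format-Table -AutoSize

# Rules that are currently disabled
$disabled = @($state | Where-Object { -not $_.Enabled })
Write-Output ("{0} rule(s) disabled" -f $disabled.Count)

# Preview the change; remove -WhatIf to actually enable the rules
foreach ($item in $disabled) {
    Set-NetFirewallRule -Name $item.Name -Enabled True -WhatIf
}
```

Enabling whole groups opens SMB and WMI traffic on every profile the rules apply to, so check the Direction and Profile columns and the -WhatIf output before removing -WhatIf.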

3-PowerShell configuration script

All of that being said, I have written a function that will query for each of these rules, and offer you solutions for correcting it if needed.

–> Get-SCCMClientPushFireWallSettings

The function returns an object with information that can be used to generate reports in HTML or CSV format.

Basically, with Get-SCCMClientPushFireWallSettings you get all the hard work done for you 😉

The function works remotely or locally, and accepts pipeline input. It also works for a large number of machines.

You can download the script on my technet page here

The script can work to identify which rules are open, and which rules are currently missing.

3-1 How to check if Configuration Manager client push firewall rules are enabled using PowerShell

Using the “Get-SCCMClientPushFireWallSettings” cmdlet I wrote makes things pretty straightforward.

In my lab, I would like to push the client to a machine named “CL04”. I will call the function like this:

As a prerequisite, you must have PS remoting enabled, otherwise you might not be able to connect to the remote machine.

[Screenshot: Get-SCCMClientPushFireWallSettings, machine not reachable]

This can be done either through GPO, or directly on the machine using “Enable-PsRemoting” on your machine.

One important thing to note is that PS remoting could be enabled even though you cannot reach the machine using a regular Test-Connection (ICMP simply might be blocked). Therefore, I am using @leeholmes' Test-PsRemoting function to verify the remote connectivity.

Once the connectivity is established (or when launched locally), you will get a result back similar to this.

[Screenshot: Get-SCCMClientPushFireWallSettings, no rules enabled]

The object that is returned is pretty self-explanatory: the client “CL04” is reachable, but the WMIRules and FileRules are both not enabled on the machine.

If launched on multiple computers, we would have the following results:

[Screenshot: Get-SCCMClientPushFireWallSettings, multiple computers]

We can see that the warning messages are displayed per device. The script explains that we can use -detailedList to see the exact list of rules that are missing (and thus the exact list that will be impacted once the correction is launched), and how to remediate each missing group of rules:

  • -CorrectWMIRules
  • -CorrectFileRules

The object that the script returns is rich, and can be used to pipe the results to another cmdlet or function.

3-2 How to enable Configuration Manager client push firewall rules using PowerShell

Now that the script has told us how to correct the missing Configuration Manager client push firewall rules, we simply need to apply the proposed solutions.

The client rules will then take a short while to be enabled, and something similar to this should appear once the operation is finished:

[Screenshot: Get-SCCMClientPushFireWallSettings, enabling missing rules]

The rules are now enabled, and we are almost ready to push the client agent to the remote clients.

4 – Next step to enable Configuration Manager client push using PowerShell

The next and last step is to verify the local admin rights of the account that executes the client push. This will be covered shortly in an upcoming post.

Thanks for reading.