Ondrej Sevecek's English Pages
April 22
Windows Firewall monitoring console displays Rule Source as Local Group Policy Setting

The Windows Firewall with Advanced Security console (wf.msc) has a very useful node called Monitoring. Windows Firewall can receive many separate settings from the local registry configuration, from the local Group Policy Object (gpedit.msc) and from several domain-based GPOs, all of which merge into the resulting firewall configuration and rule list.

Although you can always use the gpresult /h report to troubleshoot domain-based GPO deployment, it does not record the firewall settings coming from the local registry or from the local GPO. Therefore I use the Monitoring node of the Windows Firewall console itself, which provides the best view of the firewall settings and rules actually in effect. It displays just the rules that are applied and nothing else.

It also has a nice feature to display the originating Group Policy Object name from which the particular rule came. You just right-click the Monitoring - Firewall subnode, select View - Select columns and then add the column called Rule Source.

Last week I hit a weird situation in which I fought for hours to find out what a particular Rule Source meant. The customer's workstations were applying some firewall rules that seemed to come from nowhere. Their Rule Source was Local Group Policy Setting. So naturally I went for the local GPO with gpedit.msc, but found nothing. Nor was there anything in the domain-based GPOs.

A brief look at the registry key HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile showed that the machine really was applying something from a GPO: the Policies branch is populated by the Group Policy client, so its presence alone shows that some GPO was delivering firewall settings. But which one?

Finally I found out what it was. The customer had done one of those highly non-recommended things, as they always do :-) They had been configuring their Windows XP firewall through Group Policy, and simply left those settings in place when they recently upgraded to Windows 7.

So the settings came from a domain-based GPO, from its Administrative Templates - Network - Network Connections - Windows Firewall - Domain Profile section. These are the legacy Windows XP firewall settings; the Windows 7 firewall still honors them, but the Windows Firewall with Advanced Security console has no mapping from them back to a GPO, so it reports them as Local Group Policy Setting in the Monitoring node. The new console just does not see where they come from.
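The diagnosis above can be scripted. The following PowerShell is an added example, not code from the original post: it lists the effective rules with their policy store source (the PowerShell counterpart of the Rule Source column), checks the local registry for the XP/2003-era template keys, and then probes every domain GPO for the same keys. Assumptions not stated on the page: step 1 needs the NetSecurity module (Windows 8 / Server 2012 or newer; on Windows 7 the Monitoring node remains the tool), step 3 needs the GroupPolicy RSAT module, and the legacy subkey names are the ones the XP-era administrative templates write, taken from my own experience rather than from the post.

```powershell
# Added example, not part of the original post: audit where the effective
# firewall configuration comes from and flag XP-era template settings.
# Assumptions (not stated on the page): Windows 8 / Server 2012 or newer for
# Get-NetFirewallRule (NetSecurity module); GroupPolicy RSAT module for step 3;
# the legacy subkey names below are the ones the XP/2003 administrative
# templates write, from my own experience, not from the post.
# Run in an elevated Windows PowerShell session on the affected workstation.

# --- 1. Effective rules and their policy store source ---------------------
# Rules delivered by a domain GPO carry the GPO name in PolicyStoreSource;
# rules created locally show PersistentStore. This is the PowerShell view of
# the console's Monitoring > Firewall node with the Rule Source column added.
function Get-EffectiveFirewallRuleSource {
    Get-NetFirewallRule -PolicyStore ActiveStore |
        Where-Object { $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Direction, Action, Profile,
                      PolicyStoreSourceType, PolicyStoreSource |
        Sort-Object PolicyStoreSourceType, PolicyStoreSource, DisplayName
}

# --- 2. Legacy (XP/2003 template) firewall policy keys on this machine ----
# HKLM\SOFTWARE\Policies is written by the Group Policy client, so anything
# under it came from a GPO even when the WFAS console cannot name one.
# The WFAS GPO extension stores its rules under ...\WindowsFirewall\FirewallRules;
# the XP-era templates use the per-profile subkeys listed here instead.
$legacyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$legacySubKeys = @(
    'AuthorizedApplications\List',   # Define inbound program exceptions
    'GloballyOpenPorts\List',        # Define inbound port exceptions
    'Services\RemoteDesktop',        # Allow inbound Remote Desktop exceptions
    'Services\FileAndPrint',         # Allow inbound file and printer sharing exception
    'Services\UPnPFramework',        # Allow inbound UPnP framework exceptions
    'RemoteAdminSettings',           # Allow inbound remote administration exception
    'IcmpSettings'                   # Allow ICMP exceptions
)

function Get-LegacyFirewallPolicy {
    foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
        foreach ($sub in $legacySubKeys) {
            $key = Join-Path $legacyRoot "$fwProfile\$sub"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item -Path $key
            foreach ($name in $item.Property) {
                [pscustomobject]@{
                    Key   = "$fwProfile\$sub"
                    Value = $name
                    Data  = $item.GetValue($name)
                }
            }
        }
    }
}

# --- 3. Which domain GPO carries those legacy keys (needs RSAT) -----------
# Get-GPRegistryValue throws when a GPO does not configure the key, so each
# probe is wrapped in try/catch and only hits are reported.
function Find-GpoWithLegacyFirewallPolicy {
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        foreach ($fwProfile in 'DomainProfile', 'StandardProfile') {
            foreach ($sub in $legacySubKeys) {
                $key = "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\$fwProfile\$sub"
                try {
                    $null = Get-GPRegistryValue -Guid $gpo.Id -Key $key -ErrorAction Stop
                    [pscustomobject]@{ Gpo = $gpo.DisplayName; Key = "$fwProfile\$sub" }
                } catch { }
            }
        }
    }
}

Get-EffectiveFirewallRuleSource | Format-Table -AutoSize
$legacy = Get-LegacyFirewallPolicy
if ($legacy) {
    Write-Warning 'XP-era firewall template settings are applied to this machine:'
    $legacy | Format-Table -AutoSize
    Find-GpoWithLegacyFirewallPolicy | Sort-Object Gpo, Key -Unique | Format-Table -AutoSize
} else {
    'No XP-era firewall template settings found under HKLM\SOFTWARE\Policies.'
}
```

Step 2 is the useful part on a machine that shows the symptom from the post: if any of the legacy subkeys exist under the Policies hive, a GPO still contains the XP-era template settings, and step 3 names the GPO so it can be cleaned up or separated with a filter.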

Recommended solution for Windows Firewall configuration

If you configure the Windows XP and Windows 2003 firewall, use the Administrative Templates section. If you configure the Windows Vista, Windows 7, Windows 2008 or newer firewall, use the Windows Settings - Security Settings - Windows Firewall with Advanced Security node exclusively. Otherwise you get mixed and confusing settings, which sometimes also cause functional problems.

If you still must manage both groups of operating systems, apply WMI filters or any other GPO filtering method to keep the two sets of settings in separate GPOs.
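As an added example (not from the original post), here are the WQL queries for two GPO WMI filters that split Windows XP/2003 (kernel version 5.x) from Windows Vista/7/2008 and newer (6.x, and 10.x for Windows 10 / Server 2016 and later), plus a local check that evaluates them the way the Group Policy client does: a filter matches when its query returns at least one instance. The version prefixes are my own assumption about how the split should be drawn; the post only says to use WMI filters. Get-WmiObject is used so the check also runs on XP/2003 with PowerShell 2.0.

```powershell
# Added example, not part of the original post: WMI filter queries that
# separate the XP/2003 firewall GPO from the WFAS (Vista and newer) GPO,
# and a local evaluation of both filters.
# Assumption: the split is drawn on Win32_OperatingSystem.Version prefixes
# (5.x = XP/2003, 6.x and 10.x = Vista and newer).

# Paste these queries into the WMI filter in GPMC and link each filter to
# the GPO that carries the matching style of firewall settings.
$legacyFilter = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "5.%"'
$wfasFilter   = 'SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6.%" OR Version LIKE "10.%"'

function Test-WmiFilterMatch {
    param([Parameter(Mandatory = $true)][string]$Query)
    # Group Policy applies a WMI-filtered GPO only if the query returns
    # at least one object on the client.
    return [bool](Get-WmiObject -Query $Query)
}

$osVersion = (Get-WmiObject -Class Win32_OperatingSystem).Version
"Local OS version: $osVersion"
"Legacy (XP/2003) firewall GPO would apply:       $(Test-WmiFilterMatch -Query $legacyFilter)"
"WFAS (Vista and newer) firewall GPO would apply: $(Test-WmiFilterMatch -Query $wfasFilter)"
```

Exactly one of the two lines should print True on any given machine; if both do, the filters overlap and the mixed-settings problem described above comes back.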

Comments

Re: Windows Firewall monitoring console displays Rule Source as Local Group Policy Setting

Had the same issue. It turned out to be a GPO linked to the OU, but the GPO had a dodgy setting in it, causing the "Remote Desktop" block rule to be added to the local PC firewall and showing up as "Local group policy setting". I removed the GPO setting and the firewall rule disappeared.
 on 26/08/2016 14:39
