How To: Modify Windows Firewall policy in Group Policy using PowerShell

I recently had to add 130 IP addresses to a Windows Firewall policy that was configured in Group Policy in order to allow traffic for a cloud-hosted application. I could have spent over an hour tediously adding IP addresses manually to a rule using the Group Policy Management Console (and likely making typos and omitting a few along the way), or I could use PowerShell to accomplish the same task in minutes.

Prerequisites

For this blog post, I’ll assume you have the following:

  • Basic PowerShell knowledge
  • Permissions to modify Group Policy
  • A Group Policy Object (GPO) that contains a Windows Firewall policy

Step 1: Open the GPO

First, we must open the GPO using the Open-NetGPO command. If you look at the Help documentation for this command, you’ll see it creates a cached copy of the GPO that you modify locally, which is exactly what we want. We will save the changes back to Group Policy later in Step 3. We specify the GPO using the -PolicyStore parameter, in the form "domain\GPO name". In my example, my domain is “contoso.com”, and I have a GPO called “Windows Firewall Policy”.

# Specify the domain
$Domain = 'contoso.com'

# Specify the GPO name
$GpoName = 'Windows Firewall Policy'

# Combine the domain and GPO name to create the $PolicyStore variable
$PolicyStore = "$Domain\$GpoName"

# Create a GPO session to open the GPO
$GpoSession = Open-NetGPO -PolicyStore $PolicyStore

In the code above, I used variables to specify the details of the GPO and then opened and stored the GPO in a variable called $GpoSession.

Step 2: Modify the Windows Firewall policy

With the GPO open, you can use PowerShell commands such as Get-NetFirewallRule, New-NetFirewallRule, Set-NetFirewallRule, and Remove-NetFirewallRule to make changes to the Windows Firewall rules.

# Create a rule to block outbound traffic on TCP port 80
# (-LocalPort matches the port on this computer; to block connections to
# remote web servers on port 80, use -RemotePort 80 instead)
New-NetFirewallRule -GPOSession $GpoSession -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block

# Rename the previously created rule's name and change the Action to Allow
Set-NetFirewallRule -GPOSession $GpoSession -DisplayName "Block Outbound Port 80" -NewDisplayName "Allow Outbound Port 80" -Action Allow

# Get the rule and its details
Get-NetFirewallRule -GPOSession $GpoSession -DisplayName "Allow Outbound Port 80"

# Delete the rule
Remove-NetFirewallRule -GPOSession $GpoSession -DisplayName "Allow Outbound Port 80"

The code above shows four basic examples of how you can modify the Windows Firewall rules.

Step 3: Save the GPO

Once you’ve made your changes, the last step is simply to save the GPO. Nothing you did in Step 2 reaches Group Policy until this command runs; if you close the session without saving, the cached copy is discarded.

# Save the GPO
Save-NetGPO -GPOSession $GpoSession

That’s it! You’re finished!
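As an added example (not code from the original post), here are the three steps combined into one script for the scenario from the introduction: appending a list of IP addresses read from a file to the remote-address scope of an existing allow rule, verifying the result, and only then saving the GPO. The domain, GPO name, rule name 'Allow Cloud App' and the file path are placeholders you would replace with your own.

```powershell
# Added example, not from the original post.
# Assumptions (placeholders): domain 'contoso.com', GPO 'Windows Firewall Policy',
# an existing rule 'Allow Cloud App', and a text file with one IP or CIDR per line.
$Domain      = 'contoso.com'
$GpoName     = 'Windows Firewall Policy'
$RuleName    = 'Allow Cloud App'
$AddressFile = 'C:\Temp\cloud-app-ips.txt'   # constructed path

# Read the addresses, dropping blank lines and '#' comments
$NewAddresses = Get-Content -Path $AddressFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') }

if (-not $NewAddresses) { throw "No addresses found in $AddressFile" }

# Reject typos before touching the GPO: the part before '/' must parse as an IP
foreach ($Entry in $NewAddresses) {
    $IpPart = ($Entry -split '/')[0]
    if (-not [System.Net.IPAddress]::TryParse($IpPart, [ref]$null)) {
        throw "Invalid address in ${AddressFile}: '$Entry'"
    }
}

try {
    # Step 1: open a cached copy of the GPO
    $GpoSession = Open-NetGPO -PolicyStore "$Domain\$GpoName" -ErrorAction Stop

    # Step 2: merge the new addresses into the rule's existing remote scope
    $Rule = Get-NetFirewallRule -GPOSession $GpoSession -DisplayName $RuleName -ErrorAction Stop

    # 'Any' means the rule is currently unscoped, so start from an empty list
    $Existing = ($Rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($Existing -eq 'Any') { $Existing = @() }

    $Merged = @($Existing) + @($NewAddresses) | Sort-Object -Unique

    Set-NetFirewallRule -GPOSession $GpoSession -DisplayName $RuleName `
        -RemoteAddress $Merged -ErrorAction Stop

    # Re-read the cached rule and confirm every requested address is present
    $Check = (Get-NetFirewallRule -GPOSession $GpoSession -DisplayName $RuleName |
              Get-NetFirewallAddressFilter).RemoteAddress
    $Missing = $NewAddresses | Where-Object { $_ -notin $Check }
    if ($Missing) { throw "Addresses not applied: $($Missing -join ', ')" }

    Write-Host "Rule '$RuleName' now scoped to $(@($Check).Count) remote address(es)."

    # Step 3: commit the cached copy back to Group Policy
    Save-NetGPO -GPOSession $GpoSession
}
catch {
    # Any failure above leaves the GPO untouched, because Save-NetGPO never ran
    Write-Error "GPO not saved: $($_.Exception.Message)"
}
```

The validation and the verification run before Save-NetGPO on purpose: a malformed entry or a rule that failed to update aborts the script while the changes still exist only in the cached copy, so the live policy is never left half-edited. Reading the existing RemoteAddress values first also avoids the common mistake of replacing the rule's scope instead of extending it.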

4 thoughts on “How To: Modify Windows Firewall policy in Group Policy using PowerShell”

    1. It’s been a while since I worked with Group Policy, and I don’t have a test environment to check, so I’m not entirely sure.

      Looking at the Open-NetGPO cmdlet documentation, perhaps you could try specifying the hostname or localhost for the -PolicyStore parameter. See here: https://learn.microsoft.com/en-us/powershell/module/netsecurity/open-netgpo?view=windowsserver2019-ps#-policystore

      If that doesn’t work, it might not be possible as someone mentioned in the following Microsoft Q&A forum post: https://learn.microsoft.com/en-us/answers/questions/795411/group-policy-using-powershell-on-a-non-domain-join.html


      1. Thanks David. None of those worked for me, but I did find a way of editing them programmatically as follows: 1. Secedit.exe to export the current configuration; 2. edit the output file with a program, PowerShell, Notepad, etc. (it’s an .ini or .inf type text format); 3. Secedit.exe to import it back to be the main config; 4. gpupdate /force or reboot to make it stick. That seems to work after a week-long battle to see if I could do it using PowerShell commands, but at least secedit gives a way.

