I am adding a Windows Firewall rule using the netsh advfirewall firewall command in a setup program. My code gives an error message if the system has Windows Firewall disabled.
So I need to check the Windows Firewall status before executing the command netsh advfirewall firewall add, i.e., if the firewall is disabled, there is no need to add the rule.
I am checking whether the firewall is enabled or not by using the Windows registry value "EnableFirewall":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
I am not sure this is the right way. There can be a domain firewall profile(?) also.
Thanks in advance.
Another option is to use netsh itself to check whether the firewall is enabled or not. Execute the command netsh advfirewall show private|public|domain. It will give the state on/off.
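The check the question asks for, written out as an added PowerShell example (this is not code from the question or from the answer above): query all three profiles first, and only then run netsh advfirewall firewall add rule. It uses Get-NetFirewallProfile where the NetSecurity module exists and otherwise parses netsh advfirewall show allprofiles state, whose text is localized, so the parser is only claimed to work on English systems. The rule name, program path and the sample netsh output are constructed for illustration.

```powershell
# Added example: gate "netsh advfirewall firewall add rule" on the state of the
# Domain, Private and Public profiles. Not code from the original post.

function ConvertFrom-NetshProfileState {
    # Parse the lines of "netsh advfirewall show allprofiles state" into a
    # hashtable of profile name -> $true/$false. English output only.
    param([string[]]$Lines)

    $states  = @{}
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = $Matches[1]                   # Domain / Private / Public
        }
        elseif ($current -and $line -match '^State\s+(ON|OFF)\s*$') {
            $states[$current] = ($Matches[1] -eq 'ON')
            $current = $null
        }
    }
    return $states
}

function Get-FirewallProfileState {
    # Returns e.g. @{ Domain = $true; Private = $false; Public = $true }
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        $states = @{}
        foreach ($p in Get-NetFirewallProfile) {
            $states[$p.Name] = ($p.Enabled -eq 'True')
        }
        return $states
    }
    # Windows 7 / Server 2008 R2 and older: netsh is the built-in option.
    $output = & netsh advfirewall show allprofiles state 2>&1
    return ConvertFrom-NetshProfileState -Lines $output
}

function Add-SetupFirewallRule {
    param(
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string]$Program
    )
    $states     = Get-FirewallProfileState
    $anyEnabled = @($states.Values | Where-Object { $_ }).Count -gt 0

    if (-not $anyEnabled) {
        Write-Verbose "All firewall profiles are off; skipping rule '$RuleName'."
        return $false
    }

    # Keep the rule as narrow as the installer allows: one program, inbound only.
    & netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow program="$Program" enable=yes | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed to add rule '$RuleName' (exit code $LASTEXITCODE)"
    }
    return $true
}

# Constructed sample of the English netsh output, used to exercise the parser offline.
$sampleNetsh = @(
    'Domain Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 ON',
    '',
    'Private Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 OFF',
    '',
    'Public Profile Settings:',
    '----------------------------------------------------------------------',
    'State                                 ON',
    '',
    'Ok.'
)
$parsed = ConvertFrom-NetshProfileState -Lines $sampleNetsh
$parsed.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-8} {1}' -f $_.Name, $_.Value }

# Live use inside a setup script (rule name and path are placeholders):
# Add-SetupFirewallRule -RuleName 'ExampleApp Inbound' -Program 'C:\Program Files\ExampleApp\app.exe' -Verbose
```

Checking the return code of netsh rather than only its text is what makes the installer's failure visible: the add command does not stop a script on its own.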
Invoke-Command -ComputerName <servername> -Credential <username> -ScriptBlock {[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$env:COMPUTERNAME).OpenSubKey("System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile").GetValue("EnableFirewall")}
1 means enabled.
Make sure to also check the GPO policies for firewalls; they are not stored in the registry but in another store. See this question as well:
Windows Firewall state different between Powershell output and GUI
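To see why the registry value alone can disagree with what the system actually enforces, here is an added PowerShell example (not code from the answer above) that reads the local EnableFirewall value and the Group Policy-delivered value side by side for each profile and flags where the NetSecurity module reports something different. It assumes that policy values live under HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile> and take precedence over the local FirewallPolicy key when present; the profile name mapping (StandardProfile = Private) follows the registry's naming.

```powershell
# Added example: compare local, policy and effective firewall state per profile.
# Assumption: the GPO store for these settings is the Policies key below.

function Get-FirewallEnableSources {
    $localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'   # assumed GPO location

    # Registry profile name -> name used by Get-NetFirewallProfile
    $profileMap = @{ DomainProfile = 'Domain'; StandardProfile = 'Private'; PublicProfile = 'Public' }

    # What the OS reports through the NetSecurity module, when it is available.
    $reported = @{}
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        foreach ($p in Get-NetFirewallProfile) { $reported[$p.Name] = ($p.Enabled -eq 'True') }
    }

    foreach ($profile in $profileMap.Keys) {
        $local  = Get-ItemProperty -Path "$localRoot\$profile"  -Name EnableFirewall -ErrorAction SilentlyContinue
        $policy = Get-ItemProperty -Path "$policyRoot\$profile" -Name EnableFirewall -ErrorAction SilentlyContinue

        $localValue  = if ($local)  { [int]$local.EnableFirewall }  else { $null }
        $policyValue = if ($policy) { [int]$policy.EnableFirewall } else { $null }

        # Effective value: policy wins when it is set, otherwise the local value.
        $effective = if ($null -ne $policyValue) { $policyValue } else { $localValue }

        $name     = $profileMap[$profile]
        $mismatch = $null
        if ($reported.ContainsKey($name) -and $null -ne $effective) {
            $mismatch = ($reported[$name] -ne ($effective -eq 1))
        }

        [pscustomobject]@{
            Profile   = $name
            Local     = $localValue
            Policy    = $policyValue
            Effective = $effective
            Source    = if ($null -ne $policyValue) { 'GPO' } elseif ($null -ne $localValue) { 'Local' } else { 'Unknown' }
            Reported  = if ($reported.ContainsKey($name)) { $reported[$name] } else { $null }
            Mismatch  = $mismatch
        }
    }
}

Get-FirewallEnableSources | Sort-Object Profile | Format-Table -AutoSize
```

A row whose Source is GPO but whose Local value reads 0 is exactly the case where a script that only checks the FirewallPolicy key reports "disabled" while the firewall is actually on.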
Try this for a Compliance and Non-Compliance check:
# Count how many of the three profiles have EnableFirewall = 1 in the registry.
$FirewallStatus = 0
# Domain profile
$SysFirewallReg1 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" -Name EnableFirewall | Select-Object -ExpandProperty EnableFirewall
If ($SysFirewallReg1 -eq 1) {
$FirewallStatus = 1
}
# Public profile
$SysFirewallReg2 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" -Name EnableFirewall | Select-Object -ExpandProperty EnableFirewall
If ($SysFirewallReg2 -eq 1) {
$FirewallStatus = ($FirewallStatus + 1)
}
# Standard (Private) profile
$SysFirewallReg3 = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" -Name EnableFirewall | Select-Object -ExpandProperty EnableFirewall
If ($SysFirewallReg3 -eq 1) {
$FirewallStatus = ($FirewallStatus + 1)
}
# Compliant only when all three profiles are enabled.
If ($FirewallStatus -eq 3) {Write-Host "Compliant"}
ELSE {Write-Host "Non-Compliant"}
I just had to do something similar for an environment I took over. I used the below to check state for all three profiles.
Invoke-Command -ComputerName $computer -ScriptBlock {
# Windows 8 / Server 2012 and newer: NetSecurity module is available
try { Get-NetFirewallProfile | Select-Object Name, Enabled }
# Older systems: the cmdlet is missing, so fall back to netsh
catch { netsh advfirewall show all state }
}
The try block will work with Server 2012 or Windows 8 and newer systems. If that fails, it throws an error about not having the cmdlet; that will be caught, and instead of giving you an error it will fall back to using netsh to display the information.
I've used this on Server 2008 R2, 2012 R2 and 2016 with good results. Hope it works for you!
$Compliance = 'Non-Compliant'
# Keep one result per profile; reusing a single $Check variable would overwrite
# the Domain and Public results and test only the Private profile.
$CheckDomain  = Get-NetFirewallProfile | Where-Object {$_.Name -eq 'Domain' -and $_.Enabled -eq 'True'}
$CheckPublic  = Get-NetFirewallProfile | Where-Object {$_.Name -eq 'Public' -and $_.Enabled -eq 'True'}
$CheckPrivate = Get-NetFirewallProfile | Where-Object {$_.Name -eq 'Private' -and $_.Enabled -eq 'True'}
if ($CheckDomain -and $CheckPublic -and $CheckPrivate) {$Compliance = 'Compliant'}
$Compliance
I am new to this, but however I used reg query to get the details.
Type this in the command line and hit Enter:
reg query \\IP_Address\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
I was using it at my work and was also using the command below.
reg query \\ip_address\path
Written as a one-liner:
if (((Get-NetFirewallProfile | select name,enabled) | where { $_.Enabled -eq $True } | measure ).Count -eq 3) {Write-Host "OK" -ForegroundColor Green} else {Write-Host "OFF" -ForegroundColor Red}
What does it do?
- Iterates through each Firewall settings item: [Domain, Private, Public]
- Checks whether each item is enabled and set to TRUE
- There are 3 items, so we count all TRUEs and compare to 3
- Prints green OK or red OFF
- NOT using netsh or the registry
- Requires a working NetSecurity module for the Get-NetFirewallProfile cmdlet.