Windows Server 2016 Modern Apps per user firewall rules #135

Open
BrianRiegels-Morgan opened this issue Sep 12, 2019 · 5 comments

@BrianRiegels-Morgan BrianRiegels-Morgan commented Sep 12, 2019

This is a feature request for the BIS-F image sealing script in relation to the modern apps firewall rules that are created on Windows Server 2016 when a user logs in to the server. If the script can be updated to remove the user-based rules that accumulate on Citrix servers, it would be really appreciated. I've included details of the issue in a blog written by Insentra in Aus. https://www.insentra.com.au/windows-firewall-behaviour-in-windows-10-vdi-and-windows-server-2016-w-citrix-xenapp/
If you need more information please reach out to me on email brian.riegels-morgan@insentragroup.com

@matthias-schlimm matthias-schlimm commented Sep 12, 2019

@martinzugec-ctx martinzugec-ctx commented Sep 12, 2019

@BrianRiegels-Morgan Can you please report this also using https://bit.ly/CitrixOptimizerFeedback? I would like to track this internally, thanks!

@BrianRiegels-Morgan BrianRiegels-Morgan commented Sep 12, 2019

@BrianRiegels-Morgan BrianRiegels-Morgan commented Sep 12, 2019

@martinzugec martinzugec commented Sep 13, 2019

I had a look at this behavior and this is what I see (Windows 10 build 1903).

Some UWP apps will create per-user rules; on a default system this means that 9 firewall rules are created for each new profile.

After Citrix Optimizer is used to remove UWP apps, no new rules are created for applications that have been removed. This, however, includes only 2 apps, 'Mail and Calendar' and 'Microsoft Photos'. When you delete the profiles of these users, FW policies will stay in place.

I don't see how there is anything we can do in Optimizer, as this is default (and expected) behavior; however, I think there is an opportunity here for BIS-F to automatically delete all firewall rules that are created per-user. I would suggest looking for any policies where "Local User Owner" is not "Any" and deleting them ('Get-NetFirewallRule' and attribute 'Owner').
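
The cleanup suggested in the last comment, as an added PowerShell example (not code from this thread, BIS-F or Citrix Optimizer). The function name `Select-PerUserFirewallRule` and the sample SIDs are made up for illustration; the example goes slightly beyond the comment by optionally keeping rules whose owner still has a local profile.

```powershell
# Added example. Run the live part in an elevated session on the image being sealed.

function Select-PerUserFirewallRule {
    # Passes through rules whose Owner (a user SID string) is set, i.e. rules
    # where "Local User Owner" is not "Any". With -OrphanedOnly, rules whose
    # owner SID still has a local profile are kept out of the result.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [string[]] $ProfileSid = @(),
        [switch] $OrphanedOnly
    )
    process {
        if ([string]::IsNullOrEmpty($Rule.Owner)) { return }   # machine-wide rule
        if ($OrphanedOnly -and ($ProfileSid -contains $Rule.Owner)) { return }
        $Rule
    }
}

# Constructed sample objects (not real rules) to check the selection offline.
$sidA = 'S-1-5-21-1111111111-2222222222-3333333333-1001'   # constructed SID
$sidB = 'S-1-5-21-1111111111-2222222222-3333333333-1002'   # constructed SID
$sample = @(
    [pscustomobject]@{ DisplayName = 'Core Networking - DNS (UDP-Out)'; Owner = $null }
    [pscustomobject]@{ DisplayName = 'Microsoft Photos';                Owner = $sidA }
    [pscustomobject]@{ DisplayName = 'Mail and Calendar';               Owner = $sidB }
)
# Only $sidA still has a profile, so only the $sidB rule is selected here.
$sample | Select-PerUserFirewallRule -ProfileSid $sidA -OrphanedOnly |
    Format-Table DisplayName, Owner

# Live system: compare rule owners against the profiles that still exist.
$profileSids = (Get-CimInstance -ClassName Win32_UserProfile).SID
$stale = Get-NetFirewallRule -PolicyStore PersistentStore |
    Select-PerUserFirewallRule -ProfileSid $profileSids -OrphanedOnly

# Review how many rules each departed user left behind before removing anything.
$stale | Group-Object -Property Owner | Select-Object Name, Count

# -WhatIf only reports what would be deleted; drop it once the list looks right.
if ($stale) { $stale | Remove-NetFirewallRule -WhatIf }
```

Omitting `-OrphanedOnly` selects every per-user rule, which matches the "delete all" behavior proposed for image sealing.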
