Windows Server 2016 Modern Apps per user firewall rules #135
Comments
Thanks Brian, is this more for Citrix Optimizer instead of BIS-F? The UWP are removed from Citrix Optimizer, why not the rules too?
@BrianRiegels-Morgan Can you please report this also using https://bit.ly/CitrixOptimizerFeedback? I would like to track this internally, thanks!
Hi Matthias,
Happy to drop the request over to Martin.
Ta
Brian Riegels-Morgan Consultant
I had a look at this behavior and this is what I see (Windows 10 build 1903). Some UWP apps will create per-user rules; on a default system this means that 9 firewall rules are created for each new profile. After Citrix Optimizer is used to remove UWP apps, no new rules are created for applications that have been removed - this however includes only 2 apps, 'Mail and Calendar' and 'Microsoft Photos'. When you delete the profiles of these users, the FW policies stay in place. I don't see how there is anything we can do in Optimizer, as this is default (and expected) behavior; however, I think there is an opportunity here for BIS-F to automatically delete all firewall rules that are created per-user. I would suggest looking for any policies where "Local User Owner" is not "Any" and deleting them ('Get-NetFirewallRule' and attribute 'Owner').
Source: https://koetzingit.de/index.php/en/blog-en/194-common-logon-issues-and-how-to-solve-them

Description

Solve

Microsoft has released an update in March 2019 (KB4490481), but you must set a registry key to activate the fix!

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

Even with the Hotfix, you might already have thousands of unwanted firewall rules that still slow everything down. For that, use the attached PoSh script to clean up the unwanted rules.

References

March 26, 2019—KB4490481 (OS Build 17763.402)
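One way to carry out the cleanup discussed in the comments above, shown as an added PowerShell example that is not part of the thread and is not BIS-F or Citrix Optimizer code. It treats every rule in the local store with a non-empty Owner as a per-user rule, as suggested above; the function names and the -OrphanedOnly switch are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not BIS-F code). Function names and -OrphanedOnly are hypothetical.

function Get-PerUserFirewallRule {
    [CmdletBinding()]
    param([switch]$OrphanedOnly)  # only rules whose owner has no local profile left

    # SIDs that still have a user profile on this machine
    $profileSids = @(Get-CimInstance -ClassName Win32_UserProfile |
        Select-Object -ExpandProperty SID)

    # PersistentStore = local rules only; rules delivered by GPO are not touched
    Get-NetFirewallRule -PolicyStore PersistentStore |
        Where-Object { -not [string]::IsNullOrEmpty($_.Owner) } |
        ForEach-Object {
            $orphaned = $profileSids -notcontains $_.Owner
            if (-not $OrphanedOnly -or $orphaned) {
                [pscustomobject]@{
                    Name        = $_.Name
                    DisplayName = $_.DisplayName
                    OwnerSid    = $_.Owner
                    Orphaned    = $orphaned
                }
            }
        }
}

function Remove-PerUserFirewallRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$OrphanedOnly)

    $rules = @(Get-PerUserFirewallRule -OrphanedOnly:$OrphanedOnly)

    # Per-owner summary so the accumulation is visible before anything is deleted
    $rules | Group-Object OwnerSid | Sort-Object Count -Descending |
        ForEach-Object { Write-Verbose ('{0,6} rules owned by {1}' -f $_.Count, $_.Name) }

    foreach ($rule in $rules) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Remove per-user firewall rule')) {
            Remove-NetFirewallRule -Name $rule.Name -ErrorAction Continue
        }
    }
}

# Dry run: lists what would be removed. Drop -WhatIf when sealing the image.
Remove-PerUserFirewallRule -WhatIf -Verbose
```

On a session host that is in use, -OrphanedOnly limits the removal to rules whose owner SID no longer has a profile on the machine, which matches the leftover rules described above.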
This is a feature request for the BIS-F image sealing script in relation to the modern apps firewall rules that are created on Windows Server 2016 when a user logs in to the server. If the script can be updated to remove the user based rules that accumulate on Citrix servers it would be really appreciated. I've included details of the issue in a blog written by Insentra in Aus. https://www.insentra.com.au/windows-firewall-behaviour-in-windows-10-vdi-and-windows-server-2016-w-citrix-xenapp/
If you need more information please reach out to me on email brian.riegels-morgan@insentragroup.com