At the start of the year, we started getting a Windows Firewall popup when a user started a call in Microsoft Teams for the first time, and before long customers started complaining about it.

I thought this would be an easy fix: update the firewall rules in group policy and be done with it. I was wrong. As I found out, the Windows Firewall settings can't handle user-based wildcards such as %localappdata%\Microsoft\Teams\current\Teams.exe.
After a bit of searching, I came across this little PowerShell script on Microsoft Docs. It worked, but I was not sure of the best way to deploy it en masse.
I then found this great MSEndpointMgr community article on how to deploy it via Intune, written by @michael_mardahl. He also wrote an enhanced version of the script that does some fancy checks and clean up. If we were using Intune I would have used his script.
In this article I will show you how to apply the Microsoft Teams firewall script using compliance in MEMCM (Microsoft Endpoint Configuration Manager, formerly known as SCCM or ConfigMgr).
This article also assumes you already know how to create and deploy Configuration Baselines and Configuration Items in MEMCM; however, I will provide all our settings screenshots to help you along the way.
- From the Assets and Compliance tree in MEMCM navigate to Compliance Settings > Configuration Items, from there create a folder and then right click on the folder and select Create Configuration Item.
- On the general tab of the Create Configuration Item Wizard, enter a Name for your CI, a Description if you wish, ensure that Windows Desktops and Servers (custom) radio button is selected and then choose Next.

- Select the Supported Platforms, e.g. Windows 10, and then choose Next.
- From the Settings tab choose New. In the Create Setting box, enter a name for the setting, select Script from the Setting Type: dropdown and String from the Data Type: dropdown, then under Discovery script click on Add Script.

- In the Edit Discovery Script window ensure Script language is Windows PowerShell, then in the Script section, paste the following code:
<#
.SYNOPSIS
Checks firewall rules for Teams.
.DESCRIPTION
(c) Microsoft Corporation 2018. All rights reserved. Script provided as-is without any warranty of any kind. Use it freely at your own risks.
Must be run with elevated permissions. Can be run as a GPO Computer Startup script, or as a Scheduled Task with elevated permissions.
The script will create a new inbound firewall rule for each user folder found in c:\users.
Requires PowerShell 3.0.
.NOTES
Modified by Mark Szili from remediation script to check compliance
#>
#Requires -Version 3
# Assume compliant until a user with Teams installed but no firewall rule is found.
# (Setting this up front means the script always outputs a value; previously a machine
# whose users all had rules output nothing and was reported as noncompliant.)
$compliance = "Compliant"
# Get user profile folders, skipping the Public and local Administrator profiles
$users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Exclude 'Public', 'ADMINI~*'
# Check for Teams and its firewall rules for each user
if ($null -ne $users) {
    foreach ($user in $users) {
        $progPath = Join-Path -Path $user.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
        if (Test-Path $progPath) {
            # Teams is installed for this user; no application filter means no rule exists for it
            if (-not (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue)) {
                $compliance = "Not Compliant"
            }
        }
    }
}
# Output the result; the compliance rule compares this string with "Compliant"
$compliance

This is where the secret sauce is: this script has been modified from the original so that, at the end, it does not remediate but instead writes either "Not Compliant" or "Compliant" to the $compliance variable and then outputs it.
Choose OK to save the script.
- Back on the Create Setting window, under Remediation script (optional) click on Add Script. Then in the Create Remediation Script window paste in the original script that we obtained from the Microsoft Docs site. Click OK, then OK again, and then Next.
<#
.SYNOPSIS
Creates firewall rules for Teams.
.DESCRIPTION
(c) Microsoft Corporation 2018. All rights reserved. Script provided as-is without any warranty of any kind. Use it freely at your own risks.
Must be run with elevated permissions. Can be run as a GPO Computer Startup script, or as a Scheduled Task with elevated permissions.
The script will create a new inbound firewall rule for each user folder found in c:\users.
Requires PowerShell 3.0.
#>
#Requires -Version 3
# Get user profile folders, skipping the Public and local Administrator profiles
$users = Get-ChildItem (Join-Path -Path $env:SystemDrive -ChildPath 'Users') -Exclude 'Public', 'ADMINI~*'
# Check for Teams and its firewall rules for each user
if ($null -ne $users) {
    foreach ($user in $users) {
        $progPath = Join-Path -Path $user.FullName -ChildPath "AppData\Local\Microsoft\Teams\Current\Teams.exe"
        if (Test-Path $progPath) {
            # Only create rules when none exist yet for this user's Teams.exe
            if (-not (Get-NetFirewallApplicationFilter -Program $progPath -ErrorAction SilentlyContinue)) {
                $ruleName = "Teams.exe for user $($user.Name)"
                "UDP", "TCP" | ForEach-Object {
                    # Allow inbound on Domain and Private networks, block on Public networks
                    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Profile Domain,Private -Program $progPath -Action Allow -Protocol $_
                    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Profile Public -Program $progPath -Action Block -Protocol $_
                }
                Clear-Variable ruleName
            }
        }
        Clear-Variable progPath
    }
}

- From the Compliance Rules tab click on New. In the Create Rule window, enter a Name for the rule, then select Browse, select the CI that we have created and click on OK. You will now be able to add a value for the rule. Type Compliant in the "the following values:" box (the secret sauce from step 5). Then tick the box next to Run the specified remediation script when the setting is noncompliant. Change the Noncompliance severity for reports: to Warning. Then click OK to save.

- Click Next until the CI wizard is complete.
- Add the CI to a configuration baseline and then deploy it to a device collection. These can be called anything you want; here I've created dedicated baselines and collections in our UAT domain and added the CI we just created.
- Once deployed to clients, the result on the client side can be seen from the Configuration Manager Properties found in the Control Panel. You may need local admin rights to view the report.

- From the local firewall console you can also see that the new firewall rules have been applied.
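If you would rather verify the outcome from a PowerShell prompt than click through the firewall console, the following read-only audit script is an added example (it is not part of the article, Microsoft's script, or Michael Mardahl's enhanced version). It lists the per-user rules the remediation script creates, reports any user profile with Teams installed that still lacks a rule, and flags stale rules whose Teams.exe no longer exists on disk, which is the kind of clean-up check the enhanced script mentioned earlier performs. It assumes the rule naming convention "Teams.exe for user <name>" and the Teams.exe path used by the scripts above; it changes nothing.

```powershell
#Requires -Version 3
# Added example (not from the article): audit the per-user Teams firewall rules on a client.
# Read-only. Assumes the "Teams.exe for user <name>" naming used by the remediation script.

$userRoot = Join-Path -Path $env:SystemDrive -ChildPath 'Users'
$users    = Get-ChildItem $userRoot -Directory -Exclude 'Public', 'ADMINI~*'

# Collect every rule the remediation script would have created, with its program path,
# profile, action and protocol (application and port filters live on separate objects)
$teamsRules = Get-NetFirewallRule -DisplayName 'Teams.exe for user *' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        [PSCustomObject]@{
            Name     = $rule.DisplayName
            Program  = ($rule | Get-NetFirewallApplicationFilter).Program
            Profile  = $rule.Profile
            Action   = $rule.Action
            Protocol = ($rule | Get-NetFirewallPortFilter).Protocol
        }
    }

# Users with Teams installed but no rule pointing at their Teams.exe
$missing = foreach ($user in $users) {
    $progPath = Join-Path -Path $user.FullName -ChildPath 'AppData\Local\Microsoft\Teams\Current\Teams.exe'
    if ((Test-Path $progPath) -and -not ($teamsRules | Where-Object { $_.Program -eq $progPath })) {
        $user.Name
    }
}

# Rules whose program path no longer exists (left behind after a profile was removed)
$stale = $teamsRules | Where-Object { $_.Program -ne 'Any' -and -not (Test-Path $_.Program) }

"Teams rules found : $(@($teamsRules).Count)"
"Users missing rule: $(if ($missing) { $missing -join ', ' } else { 'none' })"
"Stale rules       : $(if ($stale) { ($stale.Name | Sort-Object -Unique) -join ', ' } else { 'none' })"

# Full listing: expect an Allow (Domain, Private) and a Block (Public) rule per protocol per user
$teamsRules | Sort-Object Name, Profile | Format-Table Name, Profile, Action, Protocol, Program -AutoSize
```

Run it from an elevated prompt on a client after the baseline has evaluated; a machine the CI reports as compliant should show no missing users, and any names under "Stale rules" are candidates for removal with Remove-NetFirewallRule once you have confirmed the profile really is gone.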