I have a Windows Server 2008 R2 Active Directory environment and Windows Server 2008 and Windows Server 2008 R2 member servers. I want to enable Windows Firewall on my member servers but I want to still allow server administrators to disable Windows Firewall if they need to do so for troubleshooting purposes. Is it possible to enable Windows Firewall via GPO but not to actually enforce it (i.e., if a server admin goes into the Windows Firewall GUI, they can turn it off rather than seeing their options grayed out)?

Hi Ignatius, As far as I know, after the Windows Firewall policy has been applied successfully, server admin cannot go into the Windows Firewall GUI to turn it off However, you can manually change the registry value to turn it off. Assume you enabled the following policy to turn on Windows Firewall: [Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Protect all network connections] The corresponding registry key is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall Server admin can try to manually change its value to 0. Then, Windows Firewall will be turned off. Hope this helps. Regards, Bruce This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Bruce, Thank you very much for the help. I will pass this on to my fellow server admins.

Server admin can try to manually change its value to 0. Then, Windows Firewall will be turned off. you'll need to restart the firewall service for the setting to work, also, upon the next domain policy "refresh" the value will be rolled back to 1 as set by GPOs so that change won't be permanent