Jil/fix-fw.ps1

## fix-fw.ps1
# Disable built-in rules which conflict with GPO rules filtering on IP origin
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True |?{$_.Name -like "RemoteDesktop*"}
foreach ($r in $rules) {
    "Disabling: " + $r.Name
    $r | Disable-NetFirewallRule
}

<#
Disabling: RemoteDesktop-UserMode-In-TCP
Disabling: RemoteDesktop-UserMode-In-UDP
Disabling: RemoteDesktop-Shadow-In-TCP
Disabling: RemoteDesktop-In-TCP-WS
Disabling: RemoteDesktop-In-TCP-WSS
#>

$rules = Get-NetFirewallRule -Direction Inbound -Enabled True |?{$_.Name -like "RemoteAssistance*"}
foreach ($r in $rules) {
    "Disabling: " + $r.Name
    $r | Disable-NetFirewallRule
}

$rules = Get-NetFirewallRule -Direction Inbound -Enabled True |?{$_.Name -like "*SMB*"}
foreach ($r in $rules) {
    "Disabling: " + $r.Name
    $r | Disable-NetFirewallRule
}

<#
Disabling: RemoteAssistance-RAServer-In-TCP-NoScope-Active
Disabling: RemoteAssistance-DCOM-In-TCP-NoScope-Active
Disabling: RemoteAssistance-In-TCP-EdgeScope-Active
Disabling: RemoteAssistance-SSDPSrv-In-UDP-Active
Disabling: RemoteAssistance-SSDPSrv-In-TCP-Active
Disabling: RemoteAssistance-PnrpSvc-UDP-In-EdgeScope-Active
#>

if ((Get-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V -online).State -eq "Enabled") {
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True |?{$_.Name -like "VIRT-WMI*"}
    foreach ($r in $rules) {
        "Disabling: " + $r.Name
        $r | Disable-NetFirewallRule
    }
}

<#
Disabling: VIRT-WMI-RPCSS-In-TCP-NoScope
Disabling: VIRT-WMI-WINMGMT-In-TCP-NoScope
Disabling: VIRT-WMI-ASYNC-In-TCP-NoScope
#>
	# Disable built-in rules which conflict with GPO rules filtering on IP origin
	$rules = Get-NetFirewallRule -Direction Inbound -Enabled True \|?{$_.Name -like "RemoteDesktop*"}
	foreach ($r in $rules) {
	"Disabling: " + $r.Name
	$r \| Disable-NetFirewallRule
	}

	<#
	Disabling: RemoteDesktop-UserMode-In-TCP
	Disabling: RemoteDesktop-UserMode-In-UDP
	Disabling: RemoteDesktop-Shadow-In-TCP
	Disabling: RemoteDesktop-In-TCP-WS
	Disabling: RemoteDesktop-In-TCP-WSS
	#>

	$rules = Get-NetFirewallRule -Direction Inbound -Enabled True \|?{$_.Name -like "RemoteAssistance*"}
	foreach ($r in $rules) {
	"Disabling: " + $r.Name
	$r \| Disable-NetFirewallRule
	}

	$rules = Get-NetFirewallRule -Direction Inbound -Enabled True \|?{$_.Name -like "SMB"}
	foreach ($r in $rules) {
	"Disabling: " + $r.Name
	$r \| Disable-NetFirewallRule
	}

	<#
	Disabling: RemoteAssistance-RAServer-In-TCP-NoScope-Active
	Disabling: RemoteAssistance-DCOM-In-TCP-NoScope-Active
	Disabling: RemoteAssistance-In-TCP-EdgeScope-Active
	Disabling: RemoteAssistance-SSDPSrv-In-UDP-Active
	Disabling: RemoteAssistance-SSDPSrv-In-TCP-Active
	Disabling: RemoteAssistance-PnrpSvc-UDP-In-EdgeScope-Active
	#>

	if ((Get-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V -online).State -eq "Enabled") {
	$rules = Get-NetFirewallRule -Direction Inbound -Enabled True \|?{$_.Name -like "VIRT-WMI*"}
	foreach ($r in $rules) {
	"Disabling: " + $r.Name
	$r \| Disable-NetFirewallRule
	}
	}

	<#
	Disabling: VIRT-WMI-RPCSS-In-TCP-NoScope
	Disabling: VIRT-WMI-WINMGMT-In-TCP-NoScope
	Disabling: VIRT-WMI-ASYNC-In-TCP-NoScope
	#>