Policy

Windows Defender Firewall: Allow inbound UPnP framework exceptions

Microsoft Windows

Back to Domain ProfileBack to main
Windows Defender Firewall: Allow inbound UPnP framework exceptions
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
Windows Defender Firewall > Domain Profile
Supported on
At least Windows XP Professional with SP2

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP

Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Defender Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Defender Firewall opens these ports so that this computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel, the "UPnP framework" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Defender Firewall blocks these ports, which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port exceptions list, Windows Defender Firewall does not open the ports. In the Windows Defender Firewall component of Control Panel, the "UPnP framework" check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Defender Firewall does not open these ports. Therefore, the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows Defender Firewall component of Control Panel, the "UPnP framework" check box is cleared. Administrators can change this check box."

Internal name
WF_UniversalPlugAndPlay_Name_1
Policy ID
b63d097d05ec
Elements
1

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework
Value name
Enabled
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework
Value name
Enabled
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

ScopeElementTypeRegistry mappingConstraints & behaviorCopy
Computer
Allow unsolicited incoming messages from these IP addresses:
ID WF_Scope_Name
text
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework
Value name
RemoteAddresses
Type
REG_SZ
None
Allow unsolicited incoming messages from these IP addresses:
Computer · Type text
Registry mapping
Path
SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework
Value name
RemoteAddresses
Type
REG_SZ
DetailsNone