Policy
Windows Defender Firewall: Do not allow exceptions
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP
Specifies that Windows Defender Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Defender Firewall policy settings that allow such messages. If you enable this policy setting, in the Windows Defender Firewall component of Control Panel, the "Block all incoming connections" check box is selected and administrators cannot clear it. You should also enable the "Windows Defender Firewall: Protect all network connections" policy setting; otherwise, administrators who log on locally can work around the "Windows Defender Firewall: Do not allow exceptions" policy setting by turning off the firewall. If you disable this policy setting, Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Defender Firewall component of Control Panel, the "Block all incoming connections" check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Defender Firewall component of Control Panel, the "Block all incoming connections" check box is cleared by default, but administrators can change it.
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value | Copy |
|---|---|---|---|---|---|
| Computer | Path SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile Value name DoNotAllowExceptions | REG_DWORD | HKLM 1 | HKLM 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.