Policy
Windows Defender Firewall: Allow inbound UPnP framework exceptions
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Defender Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Defender Firewall opens these ports so that this computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel, the "UPnP framework" check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Defender Firewall blocks these ports, which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port exceptions list, Windows Defender Firewall does not open the ports. In the Windows Defender Firewall component of Control Panel, the "UPnP framework" check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Defender Firewall does not open these ports. Therefore, the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows Defender Firewall component of Control Panel, the "UPnP framework" check box is cleared. Administrators can change this check box."
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework\Enabled | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Allow unsolicited incoming messages from these IP addresses: ID WF_Scope_Name | text | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework\RemoteAddresses Type REG_SZ | None |
Other policies in this category
Explore related policies at the same level.
- ComputerWindows Defender Firewall: Allow ICMP exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow inbound file and printer sharing exceptionAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow inbound remote administration exceptionAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow inbound Remote Desktop exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow local port exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow local program exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Allow loggingAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Define inbound port exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Define inbound program exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Do not allow exceptionsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Prohibit notificationsAt least Windows XP Professional with SP2
- ComputerWindows Defender Firewall: Prohibit unicast response to multicast or broadcast requestsAt least Windows XP Professional with SP2