Policy
Windows Defender Firewall: Define inbound program exceptions
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP
Allows you to view and change the program exceptions list defined by Group Policy. Windows Defender Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender Firewall component in Control Panel.

If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Defender Firewall to open, even if that port is blocked by another policy setting, such as the "Windows Defender Firewall: Define inbound port exceptions" policy setting.

To view the program list, enable the policy setting and then click the Show button. To add a program, enable the policy setting, note the syntax, and click the Show button. In the Show Contents dialog box, type a definition string that uses the syntax format. To remove a program, click its definition, and then press the DELETE key. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Windows Defender Firewall component in Control Panel, also enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.

If you disable this policy setting, the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.

If you do not configure this policy setting, Windows Defender Firewall uses only the local program exceptions list that administrators define by using the Windows Defender Firewall component in Control Panel.

Note: If you type an invalid definition string, Windows Defender Firewall adds it to the list without checking for errors. This allows you to add programs that you have not installed yet, but be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multiple entries.

Note: If you set the Status parameter of a definition string to "disabled," Windows Defender Firewall ignores port requests made by that program and ignores other definitions that set the Status of that program to "enabled." Therefore, if you set the Status to "disabled," you prevent administrators from allowing the program to ask Windows Defender Firewall to open additional ports. However, even if the Status is "disabled," the program can still receive unsolicited incoming messages through a port if another policy setting opens that port.

Note: Windows Defender Firewall opens ports for the program only when the program is running and "listening" for incoming messages. If the program is not running, or is running but not listening for those messages, Windows Defender Firewall does not open its ports.
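Because the list accepts invalid strings without checking them, it is worth validating an exported list before deployment. The following is an added example, not part of the policy text or any Microsoft tooling: it assumes the definition format `<Path>:<Scope>:<Status>:<Name>` (which this page refers to but does not show) with IPv4-only scopes, and applies the two merge rules described above to constructed sample strings.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed definition format (not shown on this page): <Path>:<Scope>:<Status>:<Name>
DEFINITION = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<status>enabled|disabled):(?P<name>.*)$", re.I)

# Constructed sample list; paths and names are hypothetical.
SAMPLE = [
    r"%ProgramFiles%\Example\agent.exe:10.0.0.0/8:enabled:Example agent",
    r"%programfiles%\example\agent.exe:localsubnet:enabled:Example agent 2",
    r"C:\Tools\sync.exe:*:enabled:Sync tool",
    r"C:\Tools\sync.exe:10.1.2.3:disabled:Sync tool (blocked)",
    r"C:\Tools\broken.exe:enabled",                # missing fields
    r"C:\Tools\typo.exe:localsubnt:enabled:Typo",  # misspelled scope
]

def scope_ok(token):
    """Accept '*', 'localsubnet', an IPv4 address or an IPv4 subnet."""
    if token in ("*", "localsubnet"):
        return True
    try:
        ipaddress.IPv4Network(token, strict=False)
        return True
    except ValueError:
        return False

def audit(definitions):
    """Return (effective settings per program, strings that fail validation)."""
    invalid, programs = [], defaultdict(lambda: {"status": set(), "scope": set()})
    for text in definitions:
        m = DEFINITION.match(text.strip())
        tokens = [t.strip().lower() for t in m["scope"].split(",")] if m else []
        if not m or not all(scope_ok(t) for t in tokens):
            invalid.append(text)
            continue
        entry = programs[m["path"].lower()]  # Windows paths are case-insensitive
        entry["status"].add(m["status"].lower())
        entry["scope"].update(tokens)
    report = {}
    for path, e in programs.items():
        report[path] = {
            # Policy text: any "disabled" entry wins; scopes of multiple entries combine.
            "effective": "disabled" if "disabled" in e["status"] else "enabled",
            "scope": ["*"] if "*" in e["scope"] else sorted(e["scope"]),
            "conflict": len(e["status"]) > 1,
        }
    return report, invalid
```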
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\Enabled | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Define program exceptions (ID: WF_AllowedPrograms_Show) | list | HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications\List\Enabled (Type: REG_MULTI_SZ) | List: additive |
Other policies in this category
Explore related policies at the same level.
- Windows Defender Firewall: Allow ICMP exceptions (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Allow inbound file and printer sharing exception (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Allow inbound remote administration exception (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Allow inbound Remote Desktop exceptions (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Allow inbound UPnP framework exceptions (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Allow local port exceptions (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Allow local program exceptions (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Allow logging (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Define inbound port exceptions (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Do not allow exceptions (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Prohibit notifications (Computer; at least Windows XP Professional with SP2)
- Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests (Computer; at least Windows XP Professional with SP2)