Policy
Windows Defender Firewall: Allow authenticated IPsec bypass
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP
Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport. If you enable this policy setting, you must type a security descriptor containing a list of computers or groups of computers. If a computer on that list authenticates using IPsec, Windows Defender Firewall does not block its unsolicited messages. This policy setting overrides other policy settings that would block those messages. If you disable or do not configure this policy setting, Windows Defender Firewall makes no exception for messages sent by computers that authenticate using IPsec. If you enable this policy setting and add systems to the list, upon disabling this policy, Windows Defender Firewall deletes the list. Note: You define entries in this list by using Security Descriptor Definition Language (SDDL) strings. For more information about the SDDL format, see the Windows Defender Firewall deployment information at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=25131).
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Define IPsec peers to be exempted from firewall policy: ID WF_AuthenticatedBypass_List_Name | text | HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\ICFv4\BypassFirewall Type REG_SZ | None |