Windows Firewall misbehaving

Solution 1:

OK, so I found that the setting 'Apply local firewall rules' was being set to 'no' by group policy.

this is confirmed in gpresult:

    GPO: Server firewall - logging only
        Folder Id: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge
        Value:     0, 0, 0, 0
        State:     Enabled

This is set to 'Not configured' in the 'Server firewall - logging only' policy. So I guess this is an implicit default option? (despite 'Yes' being the default). It's resolved my issue anyway.

Solution 2:

A key thing that I haven't seen mentioned anywhere discussing the 'Query User' 'Prompt the User for a decision corresponding to Inbound Traffic' filter is that this "rule" actually seems to indicate that none of the other firewall rules match. It's more a default block than a specific block. In my case, it didn't have anything to do with displaying a notification at all! (they were disabled locally and in group policy)

Most people run into this because their local rules aren't being merged with their group policy rules, and the UI doesn't do a great job of indicating that (i.e. you can still add rules, they just get silently ignored). The solution for that is to fix group policy by enabling SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge.

In my case, however, the problem was that the default firewall rules for RADIUS/NPS are broken: https://windowsserver.uservoice.com/forums/295059-networking/suggestions/35724043-fix-default-nps-firewall-rules-for-server-2019

The workaround for that is to make the service unrestricted with sc.exe sidtype IAS unrestricted
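Both answers come down to the same question: is the effective firewall policy on this host merging local rules, or are they being silently ignored? The PowerShell below is an added example, not code from either answer; it reads the AllowLocalPolicyMerge value that gpresult reported for each profile and compares it with the live setting the firewall engine reports, then lists local rules that are absent from the active store. It assumes an elevated session on a domain-joined host with the NetSecurity module, that the policy keys are named DomainProfile, PrivateProfile and PublicProfile, and that rules keep the same InstanceID across the persistent and active stores.

```powershell
# Added example: report whether Group Policy is suppressing local firewall rules.
# Assumes: run elevated; NetSecurity module present; keys named <Name>Profile under the policy root.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-LocalRuleMergeState {
    # ActiveStore reflects what the firewall engine is actually enforcing after GPO merge
    foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $key = Join-Path $policyRoot ("{0}Profile" -f $fwProfile.Name)   # e.g. DomainProfile
        $gpoValue = $null
        if (Test-Path $key) {
            # 0 = local rules ignored, 1 = merged, missing = not delivered by policy
            $gpoValue = (Get-ItemProperty -Path $key -Name AllowLocalPolicyMerge `
                -ErrorAction SilentlyContinue).AllowLocalPolicyMerge
        }
        $effective = "$($fwProfile.AllowLocalFirewallRules)"   # True / False / NotConfigured
        [pscustomobject]@{
            Profile               = $fwProfile.Name
            Enabled               = $fwProfile.Enabled
            EffectiveAllowLocal   = $effective
            GpoAllowLocalPolicyMerge = $gpoValue
            LocalRulesIgnored     = ($gpoValue -eq 0) -or ($effective -eq 'False')
        }
    }
}

function Get-IgnoredLocalRules {
    # Local (PersistentStore) rules that never made it into the enforced ActiveStore
    # are exactly the ones the UI lets you add but the engine does not apply.
    $active = @{}
    foreach ($r in Get-NetFirewallRule -PolicyStore ActiveStore) { $active[$r.InstanceID] = $true }
    Get-NetFirewallRule -PolicyStore PersistentStore |
        Where-Object { $_.Enabled -eq 'True' -and -not $active.ContainsKey($_.InstanceID) } |
        Select-Object DisplayName, Direction, Action, Profile
}

Get-LocalRuleMergeState | Format-Table -AutoSize
Get-IgnoredLocalRules | Format-Table -AutoSize
```

A profile showing LocalRulesIgnored = True with a GPO value of 0 matches the gpresult output in Solution 1; an empty second table with inbound traffic still hitting the 'Query User' filter points at a missing or broken rule rather than the merge setting, as in Solution 2.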