We’re seeing what appears to be a false negative in the Huntress Portal’s Windows Firewall status reporting on servers where Windows Defender Firewall is managed by Group Policy.
On the affected server(s), Huntress indicates Windows Firewall is disabled, but we’ve confirmed it is enabled and enforcing rules:
GPO policy keys show EnableFirewall = 1 for Domain/Private/Public:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\{Domain,Private,Public}Profile\EnableFirewall
NetSecurity reports the effective applied state as enabled:
Get-NetFirewallProfile -PolicyStore ActiveStore (Domain/Private/Public = Enabled = True)
Get-NetFirewallProfile -PolicyStore RSOP (Domain/Private/Public = Enabled = True)
Functional validation: removing an “allow” rule for TCP 445 immediately causes remote Test-NetConnection to fail, and restoring the rule restores connectivity (indicating filtering is active).
However, legacy interfaces report the firewall as OFF on the same host:
netsh advfirewall show allprofiles → State OFF for Domain/Private/Public
COM: HNetCfg.FwPolicy2.FirewallEnabled(profile) → False for Domain/Private/Public
This makes it look like Huntress may be relying on one of those legacy reporting paths (netsh and/or HNetCfg.FwPolicy2), which can disagree with the effective policy store on some systems—especially when firewall settings are managed via GPO and the legacy/local store is out of sync.
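
The comparison described above can be collected in one pass per profile. This is an added example, not part of the original report and not Huntress code. It assumes an elevated Windows PowerShell session and English-language netsh output; the variable and column names are illustrative.

```powershell
# Added example: show what each reporting path returns for every firewall profile
# and flag profiles where the legacy interfaces disagree with the ActiveStore.
$profiles = [ordered]@{ Domain = 1; Private = 2; Public = 4 }   # NET_FW_PROFILE_TYPE2 values

# Legacy COM interface named in the report.
$fwCom = New-Object -ComObject HNetCfg.FwPolicy2

# netsh prints one "State ON|OFF" line per profile, in Domain/Private/Public order.
# Assumption: English output; localized systems need a different pattern.
$netshStates = @(netsh advfirewall show allprofiles state |
    Select-String -Pattern '^\s*State\s+(ON|OFF)\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value })

$i = 0
$report = foreach ($name in $profiles.Keys) {
    # GPO policy key (absent when the profile is not managed by policy).
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\${name}Profile"
    $gpo = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall

    # Effective state: True, False or NotConfigured.
    $active = (Get-NetFirewallProfile -PolicyStore ActiveStore -Name $name).Enabled

    $com   = [bool]$fwCom.FirewallEnabled($profiles[$name])
    $netsh = if ($i -lt $netshStates.Count) { $netshStates[$i] } else { 'unparsed' }
    $i++

    $effectiveOn = ("$active" -eq 'True')
    [pscustomobject]@{
        Profile           = $name
        GpoEnableFirewall = if ($null -eq $gpo) { 'not set' } else { $gpo }
        ActiveStore       = "$active"
        ComFwPolicy2      = $com
        Netsh             = $netsh
        Mismatch          = ($effectiveOn -ne $com) -or
                            ($netsh -ne 'unparsed' -and (($netsh -eq 'ON') -ne $effectiveOn))
    }
}

$report | Format-Table -AutoSize
if ($report.Mismatch -contains $true) {
    Write-Warning 'Legacy interfaces (netsh / HNetCfg.FwPolicy2) disagree with the ActiveStore on at least one profile.'
}
```

A row with `Mismatch = True` identifies a profile where a tool reading only netsh or HNetCfg.FwPolicy2 would report a different state than the effective policy store.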