SMB firewall rule changes in Windows Insider

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Heya folks, Ned here again. Starting with Windows 11 Insider preview Build 25992 (Canary), creating SMB shares changes a longtime Windows Defender Firewall default behavior. 



Previously, creating a share automatically configured the firewall to enable the rules in the “File and Printer Sharing” group for the given firewall profiles. This began in Windows XP SP2 with the introduction of the then-new built in firewall, and the rule was designed for both SMB1 and ease of deployment of a wide array of SMB-using technology, including printing, legacy group policy, and others.



Windows now automatically configures the new “File and Printer Sharing (Restrictive)” group when you create an SMB share, which no longer contains inbound NetBIOS ports 137-139. Those ports are not used by SMB2 or later and are an artifact of SMB1. If you reinstall SMB1 server for some legacy compatibility reason, you will need to ensure that those firewall ports are reopened.


Defender firewallDefender firewall

This change enforces a higher degree of default of network security as well as bringing SMB firewall rules closer to the Windows Server “File Server” role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the “File and Printer Sharing” group if necessary as well as modify this new firewall group, these are just default behaviors.


Final Note

We plan future updates for this rule to also remove inbound ICMP, LLMNR, and Spooler Service ports and restrict down to the SMB sharing-necessary ports only.


This is part of a campaign to improve the security of Windows and Windows Server for the modern landscape. You've read my posts on SMB security changes over the past year:



For more information on securing SMB on Windows in-market, check out:



Until next time,


Ned Pyle

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.