Configure Hyper-V firewall

Starting in Windows 11, version 22H2, Hyper-V firewall is a network firewall solution that enables filtering of inbound and outbound traffic to/from containers hosted by Windows, including the Windows Subsystem for Linux (WSL).
This article describes how to configure Hyper-V firewall rules and settings using PowerShell or configuration service provider (CSP).

Important

The configuration of Hyper-V firewall is not available via group policy (GPO). If Windows Firewall settings are configured via GPO and Hyper-V firewall settings aren't configured via CSP, then the applicable rules and settings are automatically mirrored from the GPO configuration.

Configure Hyper-V firewall with PowerShell

This section describes the steps to manage Hyper-V firewall using PowerShell.

Obtain the WSL GUID

Hyper-V firewall rules are enabled per VMCreatorId. To obtain the VMCreatorId, use the cmdlet:

Get-NetFirewallHyperVVMCreator

The output contains a VmCreator object type, which has unique identifier VMCreatorId and friendly name properties. For example, the following output shows the properties of WSL:

PS C:\> Get-NetFirewallHyperVVMCreator
VMCreatorId : {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}
FriendlyName : WSL

Note

The WSL VMCreatorId is {40E0AC32-46A5-438A-A0B2-2B479E8F2E90}.

Verify Hyper-V firewall settings

Hyper-V firewall has settings that apply in general to a VMCreatorId. Use the Get-NetFirewallHyperVVMSetting cmdlet to check the settings. For example, you can obtain the policies applied to WSL with the command:

Get-NetFirewallHyperVVMSetting -PolicyStore ActiveStore -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'

Note

-PolicyStore ActiveStore returns the applied settings.

The output contains the following values:

Value Description
Enabled (True/False) True if Hyper-V Firewall is enabled for WSL VMs.
DefaultInboundAction, DefaultOutboundAction These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article.
LoopbackEnabled Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host.
AllowHostPolicyMerge Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.
This setting is detailed with the Set-NetFirewallHyperVVMSetting cmdlet.

Configure Hyper-V firewall settings

To configure Hyper-V firewall, use the Set-NetFirewallHyperVVMSetting command. For example, the following command sets the default inbound connection to Allow:

Set-NetFirewallHyperVVMSetting -Name '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -DefaultInboundAction Allow

Firewall Rules

Hyper-V firewall rules can be enumerated and created from PowerShell. To view rules, use the Get-NetFirewallHyperVRule cmdlet. For example, to view firewall rules that only pertain to WSL, use the following command:

Get-NetFirewallHyperVRule -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}'

To configure specific rules, use the Set-NetFirewallHyperVRule cmdlet.

For example, to create an inbound rule to allow TCP traffic to WSL on port 80, use the following command:

New-NetFirewallHyperVRule -Name MyWebServer -DisplayName "My Web Server" -Direction Inbound -VMCreatorId '{40E0AC32-46A5-438A-A0B2-2B479E8F2E90}' -Protocol TCP -LocalPorts 80

Target Hyper-V firewall rules and settings to specific profiles

Hyper-V firewall rules and settings can be targeted to the Firewall profiles, which are based on the type of network the device is connected to:

  • Public profile
  • Private profile
  • Domain profile

The policy options are similar to the ones already described, but are applied to specific profiles for the connected Windows Host network adapter.

To view the settings per profile, use the following command:

Get-NetFirewallHyperVProfile -PolicyStore ActiveStore

Note

-PolicyStore ActiveStore returns the applied settings.

The output contains an extra value compared to the ones described in the previous section:

Value Description
AllowLocalFirewallRules (True/False) This setting determines how enterprise Hyper-V firewall rules (CSP or GPO) interact with the locally defined Hyper-V firewall rules:
- if the value is True, both the enterprise Hyper-V firewall rules and the locally defined rules are applied
- if the value is False, the locally defined Hyper-V firewall rules aren't applied, and only enterprise rules are applied.

Note

To configure these settings per profile, use the Set-NetFirewallHyperVProfile cmdlet.

To configure these rules per profile using the Set-NetFirewallHyperVRule cmdlet with the -Profile option.

Configure Hyper-V firewall with CSP

You can configure Hyper-V firewall using the Firewall CSP, for example with an MDM solution like Microsoft Intune.

To learn more about the CSP options, follow these links:

To learn how to configure the firewall with Microsoft Intune, see Firewall policy for endpoint security.

Provide feedback

To provide feedback for Hyper-V firewall, open Feedback Hub and use the category Security and Privacy > Microsoft Defender Firewall and network protection.