Symptom & Impact
Expected allow rules exist but traffic is denied because higher-priority or broader rules supersede them.
Environment & Reproduction
Appears after layered local and domain firewall policy merges.
Get-NetFirewallRule -Direction Inbound | Select -First 30
Get-NetFirewallProfile
Test-NetConnection localhost -Port 5985
Root Cause Analysis
Conflicting policy stores, profile mismatch, and broad block rules trigger effective deny behavior.
Quick Triage
Inspect active store and matching block rules.
Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object Action -eq 'Block' | Select -First 30
Get-NetFirewallRule -DisplayName '*5985*'
Step-by-Step Diagnosis
Trace targeted port filters and associated rule groups.
Get-NetFirewallPortFilter | Where-Object LocalPort -eq 5985
Get-NetFirewallRule -Enabled True | Where-Object Direction -eq Inbound | Select -First 40
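The commands above list rules and port filters separately. The following script is an added example, not part of the original article: it joins them to show every enabled inbound rule in the effective policy that matches TCP 5985 on the active profile, block rules first, with the policy store each rule came from. It assumes matching on protocol, local port and profile only (address, program and service filters are ignored), and the helper name Test-PortMatch is hypothetical.

```powershell
# Added example: enabled inbound rules in the effective policy that match a TCP port.
$Port = 5985   # port used throughout this article

# Map each connected network's category to the firewall profile name.
$active = Get-NetConnectionProfile | ForEach-Object {
    if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { "$($_.NetworkCategory)" }
} | Select-Object -Unique

# Hypothetical helper: true if a LocalPort filter ('Any', '5985', '5000-6000') covers $Port.
function Test-PortMatch {
    param([string[]]$LocalPort, [int]$Port)
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

$hits = foreach ($rule in Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    if (-not (Test-PortMatch -LocalPort $pf.LocalPort -Port $Port)) { continue }

    # Skip rules whose profile does not apply to any connected network.
    $profiles = "$($rule.Profile)"
    if ($profiles -ne 'Any' -and -not ($active | Where-Object { $profiles -match $_ })) { continue }

    [pscustomobject]@{
        Action      = $rule.Action
        DisplayName = $rule.DisplayName
        Profile     = $profiles
        LocalPort   = $pf.LocalPort -join ','
        Source      = $rule.PolicyStoreSourceType   # e.g. Local or GroupPolicy
        Store       = $rule.PolicyStoreSource
    }
}

# Block rules first: any one of them takes precedence over the allow rules below it.
$hits | Sort-Object { $_.Action -ne 'Block' }, DisplayName | Format-Table -AutoSize
if ($hits.Action -contains 'Block') {
    Write-Warning "An enabled block rule matches TCP $Port and takes precedence over the allow rules listed."
}
```

The Source column shows whether a matching block rule is local or delivered by Group Policy, which determines where it has to be changed.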
Solution – Primary Fix
Narrow the scope of the deny rules and add an explicit, more specific allow rule. In Windows Firewall an enabled block rule takes precedence over any allow rule that matches the same traffic, so the allow rule only takes effect once no block rule still matches.
New-NetFirewallRule -DisplayName 'Allow WinRM 5985 Domain' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985 -Profile Domain
Disable-NetFirewallRule -DisplayName 'Legacy Block Any Any'
Solution – Alternative Approaches
Enforce corrected rule ordering through Group Policy baseline.
gpupdate /force
Get-NetFirewallRule -DisplayName '*WinRM*'
Verification & Acceptance Criteria
Port test and remote management workflows complete successfully.
Test-NetConnection localhost -Port 5985
Enter-PSSession -ComputerName localhost -ErrorAction SilentlyContinue
Rollback Plan
Re-enable previous block policy if expanded allow scope violates security policy.
Enable-NetFirewallRule -DisplayName 'Legacy Block Any Any'
Remove-NetFirewallRule -DisplayName 'Allow WinRM 5985 Domain'
Prevention & Hardening
Document firewall intent and routinely validate effective policy after GPO updates.
Get-NetFirewallRule -PolicyStore ActiveStore | Export-Csv firewall-active.csv -NoTypeInformation


Related Errors & Cross-Refs
May overlap with RDP access issues and WinRM failures due to profile auto-switching.
Related tutorial: View the step-by-step tutorial for Windows Server 2022.
References & Further Reading
Microsoft Learn: effective firewall policy, Windows Filtering Platform, and GPO firewall deployment.