Windows Defender Firewall: Allow inbound file and printer sharing exception

Allows inbound file and printer sharing. To do this, Windows Defender Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.

If you enable this policy setting, Windows Defender Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.

If you disable this policy setting, Windows Defender Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Defender Firewall does not open the port. In the Windows Defender Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared and administrators cannot select it.

If you do not configure this policy setting, Windows Defender Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Defender Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box.

Note: If any policy setting opens TCP port 445, Windows Defender Firewall allows inbound ICMP echo requests (the message sent by the Ping utility), even if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exception," "Windows Defender Firewall: Allow inbound remote administration exception," and "Windows Defender Firewall: Define inbound port exceptions."

Supported on: At least Windows XP Professional with SP2

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint
Value NameEnabled
Value TypeREG_DWORD
Enabled Value1
Disabled Value0

Allow unsolicited incoming messages from these IP addresses:

Registry HiveHKEY_LOCAL_MACHINE
Registry PathSOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint
Value NameRemoteAddresses
Value TypeREG_SZ
Default Value

Syntax:

Type "*" to allow messages from any network, or

else type a comma-separated list that contains

any number or combination of these:

IP addresses, such as 10.0.0.1

Subnet descriptions, such as 10.2.3.0/24

The string "localsubnet"

Example: to allow messages from 10.0.0.1,

10.0.0.2, and from any system on the

local subnet or on the 10.3.4.x subnet,

type the following in the "Allow unsolicited"

incoming messages from these IP addresses":

10.0.0.1,10.0.0.2,localsubnet,10.3.4.0/24


windowsfirewall.admx

Administrative Templates (Computers)

Administrative Templates (Users)