
How to delete huge number of firewall rules (Windows server 2019)?

I have 12 servers (session hosts) with tens of thousands of firewall rules on each of them. Rules are created when users are logging in and the system is not deleting them when they're logging off (probably a bug which was fixed in WS2016, but in 2019 is here again).

I have tried to delete the rules with PowerShell's Remove-NetFirewallRule, but it's useless because of performance. It takes 33 hours to delete 40k rules (20 rules per minute). Now I'm trying to achieve it with netsh.exe, which is much quicker (1000 rules per minute), but I'm unable to find out how to filter out rules with "Any" in profile (these I want to keep).

I have tried to filter the rules with PowerShell and then push them to netsh:

    $rulesToRemove = Get-NetFirewallRule | where {$_.profile -ne "Any"} | select displayName

    foreach($rule in $rulesToRemove) { netsh advfirewall firewall delete rule name=$rule }

and it's working for some rules and for others not - "No rules match the specific criteria". I tried to push displayName, name and several other values, but most of the rules simply didn't match the criteria. The only condition here is the FW rule name, so I tried to get the names with netsh and I got something like this, for example:

@{Microsoft.Windows.Cortana_1.11.6.17763_neutral_neutral_cw5n1h2txyewy?mc-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}

and even this didn't work for netsh as a rule name :(

QUESTION: Is there a way to delete tens of thousands of FW rules by script in a reasonable time?

Like Bill_Stewart says, and you can also dot reference it.

    $rulesToRemove = (Get-NetFirewallRule | where {$_.profile -eq "Any"}).DisplayName
    foreach($rule in $rulesToRemove) { netsh advfirewall firewall delete rule name=$rule }

This script will remove most of them; just add the rest if they have a similar name. It's not fancy, but it works. The remove command searches through both the inbound and outbound firewall lists and removes everything that matches the DisplayName. Run it regularly and it will not use many resources:

    Write-Host '*** Deleting: '
    remove-netfirewallrule -DisplayName "Your account" 
    remove-netfirewallrule -DisplayName "Work or school account"
    remove-netfirewallrule -DisplayName "cortana"
    remove-netfirewallrule -DisplayName "SmartScreen"
    remove-netfirewallrule -DisplayName "Windows Default Lock Screen"
    remove-netfirewallrule -DisplayName "Windows Shell Experience"
    remove-netfirewallrule -DisplayName "Xbox Game UI"
    remove-netfirewallrule -DisplayName "Email and accounts"

There's a reg edit to stop this from happening once you've deleted the orphaned rules.

Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable this solution, use regedit to modify the following and set it to 1:

Type: “DeleteUserAppContainersOnLogoff” (DWORD)
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy 
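As an added example (not code from the question or from any of the answers), here is one way to combine the answers above: enumerate the rules once with PowerShell, hand every deletion to a single netsh process through a script file instead of spawning netsh.exe per rule, then set the registry value so the rules stop accumulating. It assumes an elevated Windows PowerShell 5.1 session on the session host and that, as in the question, the rules to drop are those whose Profile is not "Any"; the file paths are placeholders.

```powershell
# Added example, not from the original question or answers.
# Assumes: elevated Windows PowerShell 5.1 on Windows Server 2019; $env:TEMP paths are placeholders.
$scriptFile = Join-Path $env:TEMP 'fw-cleanup.txt'
$logFile    = Join-Path $env:TEMP 'fw-cleanup.log'

# 1. Enumerate once. Get-NetFirewallRule is the slow part, so call it a single time and
#    keep only the display names, which is the value netsh's "name=" matches on.
#    -Unique: netsh deletes every rule sharing a display name in one command, so each
#    name only needs to appear once.
$names = @(Get-NetFirewallRule |
    Where-Object { $_.Profile -ne 'Any' } |
    Select-Object -ExpandProperty DisplayName -Unique)

# The @{...?ms-resource://...} style names seen in the question contain no double quotes,
# but drop empty names and names with quotes so one odd entry cannot break the script file.
$names = @($names | Where-Object { $_ -and $_ -notmatch '"' })

# 2. Write one netsh script. "netsh -f <file>" runs the commands from the file inside a
#    single process, which avoids the per-rule process start-up that makes the
#    foreach/netsh loop slow. Encoding Default = the ANSI code page that netsh reads.
$lines = foreach ($n in $names) { 'advfirewall firewall delete rule name="{0}"' -f $n }
Set-Content -Path $scriptFile -Value $lines -Encoding Default

"$(Get-Date -Format o) deleting $($names.Count) distinct rule names" | Add-Content $logFile
netsh -f $scriptFile 2>&1 | Add-Content $logFile      # keep netsh's per-rule output as an audit trail
Remove-Item $scriptFile

# 3. Stop the rules from piling up again (registry value quoted in the answer above).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
New-ItemProperty -Path $regPath -Name 'DeleteUserAppContainersOnLogoff' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Verify. Whatever is left with a non-"Any" profile was either skipped by the quote
#    filter above or has been re-created by a logon since the enumeration.
$left = @(Get-NetFirewallRule | Where-Object { $_.Profile -ne 'Any' }).Count
"$(Get-Date -Format o) remaining non-Any rules: $left" | Add-Content $logFile
```

Run it once per host after hours; the log file records how many names were submitted and what netsh reported for each, so a host where the count does not drop can be spotted without re-enumerating.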
