Windows Firewall Policy import failed, Access is denied, Code 5

I'm working on Server 2008 R2 Std. Embedded image for one of our products.
I'm nearly done but I just realized that for some reason I can export the Windows Firewall policy but can't import it back.

Policy import failed.
Error:  Access is denied
Code:  5

Here's a little bit of history:
As I'm making my image, I periodically make backup images just in case I screw something up.
The last backup that still allows me to import a policy was taken just before I configured group policy and installed Symantec Endpoint Protection.
Group Policy changes were pretty extensive.  I basically used Department of Homeland Security guidelines which cover many many areas.

Anyway, I decided to narrow it down by a process of elimination so I started with my backup that still worked.  I set every possibly related (that I thought would prevent me from policy import) GP setting and I can still import!  I even installed the Endpoint Protection.

One other "hint".  For some reason my Inbound and Outbound rules are all blank on the image that doesn't allow policy import while these rules are full of stuff on the image that does allow the policy import.  Something isn't running?

I would really appreciate any help/suggestions because the DHS guideline is so big that it literally takes an entire day to configure GP.  If I go back to the working image and start with GP settings from scratch (and regularly check if the import still functions), it'll take me forever.

Thank you
RNGAdmin (Author) commented:
All right, I used the painful way (process of elimination) and found the problem.

When you set this setting to "Enabled", you can't import the firewall policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

My guess is that the policy file is encrypted with an incompatible algorithm.  Just in case, I tried exporting the policy with this setting set to Enabled and then importing it back, and still got the same issue.
Also, when the import fails, it wipes out the entire firewall configuration, hence, my blank Inbound/Outbound rules.
Oh well, at least now I know what to do.
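
Added example, not part of any post in this thread: a PowerShell pre-flight wrapper around `netsh advfirewall import` that checks the FIPS security option first and compares the rule count before and after, since a failed import is reported above to wipe the rule set. It assumes an elevated session; the parameter `$PolicyFile` and the function names are illustrative, and the registry path is the standard location of this security option on Vista/Server 2008 and later.

```powershell
# Added example: guard around "netsh advfirewall import" for the failure described in this thread.
param(
    [Parameter(Mandatory = $true)][string]$PolicyFile   # .wfw file to import (caller-supplied)
)

# Registry value behind "System cryptography: Use FIPS compliant algorithms ..." (Vista/2008+).
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Test-FipsEnabled {
    $p = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.Enabled -eq 1)
}

function Get-FirewallRuleCount {
    # HNetCfg.FwPolicy2 is the firewall COM API; counting here avoids parsing localized netsh text.
    return (New-Object -ComObject HNetCfg.FwPolicy2).Rules.Count
}

if (-not (Test-Path -LiteralPath $PolicyFile)) { throw "Policy file not found: $PolicyFile" }

if (Test-FipsEnabled) {
    # Per the thread: with this option enabled the import fails with code 5 and the rules are wiped.
    throw "FIPS algorithm policy is enabled; not attempting import."
}

$before = Get-FirewallRuleCount

# Keep a copy of the current policy so there is something to restore from if the import goes wrong.
$backup = Join-Path $env:TEMP ("fw-backup-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
& netsh advfirewall export $backup | Out-Null

& netsh advfirewall import $PolicyFile
$exit  = $LASTEXITCODE
$after = Get-FirewallRuleCount

Write-Output ("Rules before: {0}, after: {1}, netsh exit code: {2}" -f $before, $after, $exit)
if ($exit -ne 0 -or $after -eq 0) {
    Write-Warning "Import failed or left no rules. Backup of the previous policy: $backup"
}
```
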
Darius Ghassem commented:
Is the firewall service disabled? I have seen SEP disable the firewall service, which would cause the import failure. Check to see if the firewall is enabled; even if the service is enabled, check to see if it is turned on.
RNGAdmin (Author) commented:
I just checked and Windows Firewall service is set to "Automatic" and it's "Started".
Thank you for suggestion though.
RNGAdmin (Author) commented:
Works for me after I narrowed it down.
This fix worked for me as well.
Once the FIPS entry was disabled, my vendor was able to import his firewall file.
The system on which I had this same issue had FIPS disabled already (it was disabled on the system I exported a profile from as well).

The only way that I was able to successfully import the policy was by importing it through the Local Security Policy. Windows Firewall with Advanced Security - Local Group Policy Object > Right Click > Import Policy.
Not to necro this thread, but thank you to lanpro. My problem was the same and your solution was a nice workaround. Importing still does not work, but the policies are in place.

The following was also a nice workaround:
Import the following registry branch:

Just for future searchers :)
Question has a verified solution.