Windows Firewall Policy import failed, Access is denied, Code 5

Posted on 2012-08-15
Last Modified: 2013-06-04
I'm working on Server 2008 R2 Std. Embedded image for one of our products.
I'm nearly done but I just realized that for some reason I can export the Windows Firewall policy but can't import it back.

Policy import failed.
Error:  Access is denied
Code:  5

Here's a little bit of history:
As I'm making my image, I periodically make backup images just in case I screw something up.
The last backup that still allows me to import a policy was taken just before I configured group policy and installed Symantec Endpoint Protection.
Group Policy changes were pretty extensive.  I basically used Department of Homeland Security guidelines, which cover many, many areas.

Anyway, I decided to narrow it down by a process of elimination so I started with my backup that still worked.  I set every possibly related (that I thought would prevent me from policy import) GP setting and I can still import!  I even installed the Endpoint Protection.

One other "hint".  For some reason my Inbound and Outbound rules are all blank on the image that doesn't allow policy import while these rules are full of stuff on the image that does allow the policy import.  Something isn't running?

I would really appreciate any help/suggestions because the DHS guideline is so big that it literally takes an entire day to configure GP.  If I go back to the working image and start with GP settings from scratch (and regularly check if the import still functions), it'll take me forever.

Thank you
Question by: RNGAdmin

    Expert Comment

    by: Darius Ghassem
    Is the firewall service disabled? I have seen SEP disable the firewall service, which would cause the import failure. Check to see if the firewall is enabled; even if the service is enabled, check to see if it is turned on.

    Author Comment

    I just checked and Windows Firewall service is set to "Automatic" and it's "Started".
    Thank you for the suggestion though.

    Accepted Solution

    All right, I used the painful way (process of elimination) and found the problem.

    When you set this setting to "Enabled", you can't import the firewall policy:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
    System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

    My guess is that the policy file is encrypted with an incompatible algorithm.  Just in case, I tried exporting the policy with this setting set to Enabled and then importing it back and still got the same issue.
    Also, when the import fails, it wipes out the entire firewall configuration, hence, my blank Inbound/Outbound rules.
    Oh well, at least now I know what to do.
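
A pre-flight wrapper for the import, based on the accepted solution above (added example, not code from the thread): it refuses to import while the FIPS security option is enabled, backs up the current policy first, and checks the rule count afterwards because a failed import was reported to leave the rules blank. The file paths are hypothetical, and it assumes an elevated PowerShell prompt.

```powershell
# Added example; both paths are hypothetical placeholders.
param(
    [string]$PolicyFile = 'C:\fw\baseline.wfw',
    [string]$BackupFile = "C:\fw\pre-import-$(Get-Date -Format yyyyMMdd-HHmmss).wfw"
)

# Registry value behind the security option
# "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Test-FipsEnabled {
    $p = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($p -and $p.Enabled -eq 1)
}

function Get-FirewallRuleCount {
    # HNetCfg.FwPolicy2 is the COM interface to Windows Firewall with Advanced Security
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    return $fw.Rules.Count
}

if (Test-FipsEnabled) {
    # The thread reports that importing in this state fails with "Access is denied" (5)
    # and clears the existing rules, so stop before touching the configuration.
    Write-Warning 'FIPS policy is enabled; not importing. Current rules left untouched.'
    exit 1
}

$before = Get-FirewallRuleCount

# Keep a copy of the working policy so there is something to roll back to.
netsh advfirewall export $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
    Write-Error "Could not back up the current policy to $BackupFile"
    exit 1
}

netsh advfirewall import $PolicyFile
$importExit = $LASTEXITCODE
$after = Get-FirewallRuleCount

# Check the rule count as well as the exit code: blank rule lists were the symptom.
if ($importExit -ne 0 -or $after -eq 0) {
    Write-Warning "Import failed (exit $importExit); rules before=$before, after=$after. Restoring backup."
    netsh advfirewall import $BackupFile
    exit 1
}

Write-Output "Import OK: $before rules before, $after rules after."
```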

    Author Closing Comment

    Works for me after I narrowed it down.

    Expert Comment

    This fix worked for me as well.
    Once the FIPS entry was disabled, my vendor was able to import his firewall file.

    Expert Comment

    The system on which I had this same issue had FIPS disabled already (it was disabled on the system I exported a profile from as well).

    The only way that I was able to successfully import the policy was by importing it through the Local Security Policy. Windows Firewall with Advanced Security - Local Group Policy Object > Right Click > Import Policy.

    Expert Comment

    Not to necro this thread, but thank you to lanpro. My problem was the same and your solution was a nice workaround. Importing still does not work, but the policies are in place.

    The following was also a nice workaround:
    Import the following registry branch:

    Just for future searchers :)
