Windows XP firewall service is enabled after installing XP SP3 – even if it was previously disabled

If the Windows XP SP2 firewall service is set to manual or disabled when Windows XP SP3 is applied, the Windows Firewall/Internet Connection Sharing (ICS) service and the Security Center service will be changed to automatic startup. This behavior is by design, for the purpose of increasing the security of Windows XP.

This setting will remain in effect for computers that had the service startup manually altered.  
According to the Microsoft Enterprise Networking Team:
If the service is administratively disabled via domain Group Policy, it will again be disabled after subsequent application of Group Policy. The automatic service startup should only be seen on the first reboot after applying Service Pack 3. To cause GPO settings to be updated immediately on a client, run gpupdate /force from a command prompt.
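
To confirm which state a machine ended up in after SP3 and after Group Policy has been reapplied, the startup mode of both services can be compared against the intended baseline. The script below is an added example, not part of the original post; it assumes Windows PowerShell 2.0 or later, the service short names SharedAccess (Windows Firewall/ICS) and wscsvc (Security Center), and uses a hypothetical function name and baseline table.

```powershell
# Added example, not from the original post.
# Assumed service short names:
#   SharedAccess = Windows Firewall/Internet Connection Sharing (ICS)
#   wscsvc       = Security Center
# $Expected is the start mode your own baseline intends; the values here are
# an assumption for illustration and should be edited to match your policy.
$Expected = @{ 'SharedAccess' = 'Disabled'; 'wscsvc' = 'Disabled' }

function Get-StartupDrift {
    param(
        [string[]]$ComputerName = @('.'),   # '.' = local machine
        [hashtable]$Baseline = $Expected
    )
    foreach ($computer in $ComputerName) {
        foreach ($name in $Baseline.Keys) {
            try {
                $svc = Get-WmiObject -Class Win32_Service -ComputerName $computer `
                    -Filter "Name='$name'" -ErrorAction Stop
            } catch {
                Write-Warning "$computer : query for $name failed: $($_.Exception.Message)"
                continue
            }
            if (-not $svc) {
                Write-Warning "$computer : service $name not found"
                continue
            }
            # WMI reports StartMode as Auto, Manual or Disabled
            New-Object PSObject -Property @{
                Computer = $computer
                Service  = $name
                Expected = $Baseline[$name]
                Actual   = $svc.StartMode
                State    = $svc.State
                Drifted  = ($svc.StartMode -ne $Baseline[$name])
            }
        }
    }
}

# Run once after the first post-SP3 reboot and again after gpupdate /force.
Get-StartupDrift |
    Format-Table Computer, Service, Expected, Actual, State, Drifted -AutoSize
```

A row with Drifted = True after Group Policy has been reapplied means the service startup is not being controlled by policy on that machine.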

Comments [1]

  1. I noticed this summer when I started deploying XP machines with SP3 installed that MS had changed something. Even though I had GP set to disable the firewall, it just didn’t seem to “take” on SP3 machines. After some testing in VMware, I finally found this setting in GP that worked to turn off the firewall in SP3:

    Computer configuration / Administrative Templates / Network / Network Connections /
    Prohibit use of Internet Connection Firewall on your DNS domain network = enabled

    Hope this helps someone out!
