This is an interesting one with a useful fix to know about.
A few months ago I did a new MDT Build and Capture, the process was largely automated with the use of LTISuspend.wsf to check a few things before resuming.
Recently I noticed that the Windows 7 Firewall Service wasn’t running on some computers. Not all, but still quite a few. I traced the problem back to this particular build.
Digging a bit more into the error – I could see Event 7024 ID’s being logged – The Windows Firewall Service terminated with service-specific error Access is denied..
The following Microsoft KB article was useful in diagnosing the fault and confirmed that the problem was related to the “NT Authority\MpsSvc” account not having the correct permissions to some registry keys.
It would seem that somewhere during the build and capture process, the service account permissions were stripped out or not applied correctly, possibly during the WSUS patching phase of the build.
The following Blog discusses the specific, correct permissions required for the Windows Firewall Service to start under Windows 7.
There seems to be quite a few articles that describe the cause and how to fix the problem, however I was unable to find a script or automated solution to address the issue. To automatically set the correct registry permissions I wrote a simply batch file using SubinACL, then created a program with Configuration Manager 2012 and deployed it to all my affected Windows 7 instances. Here is the syntax of the script:
Please be aware that when copying and pasting from this blog, the inverted commas may need to be re-typed.
SUBINACL /verbose=1 /keyreg “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy” /grant=”NT Service\MpsSvc”=QSCEYDA
SUBINACL /verbose=1 /keyreg “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch” /grant=”NT Service\MpsSvc”=QS
SUBINACL /verbose=1 /keyreg “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2” /grant=”NT Service\MpsSvc”=QS
SUBINACL /verbose=1 /keyreg “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” /grant=”NT Service\MpsSvc”=QSCEYDA
net start mpssvc
SUBINACL can be downloaded from here.
The script sets the correct permissions for the respective registry keys discussed in KB article 943996 and the Microsoft Technet Blog. Then starts the Windows Firewall Service and exits. Of course you can also simply just run the bat file from an elevated command prompt manually. The below screen shot show the keys that are changed.
Applying this change has resolved the problem and performing a new MDT Build and Capture and then deploying that WIM file with Configuration Manager 2012 R2 CU1 has not resulted in the problem re-occurring.
Use this script at your own risk, whilst it only restores permissions that should already be present, it should still be tested in a Lab environment before use.