ansible-collections / community.windows

Windows community collection for Ansible
https://galaxy.ansible.com/community/windows
GNU General Public License v3.0

win_firewall_rule enabling a group does not work on Window 2022 #495

Open Sergong opened 1 year ago

Sergong commented 1 year ago
SUMMARY

When using the win_firewall_rule module as follows:

- name: Ensure Remote Desktop Group rules are enabled
  community.windows.win_firewall_rule:
    group: "Remote Desktop"
    enabled: true

against a Windows Server 2022 host, I get the following output:

TASK [Ensure Remote Desktop Group rules are enabled] ****************************************************************************************************************************************************************************
ok: [win1] => (item={'group': 'Remote Desktop', 'enabled': True})

PLAY RECAP *****************************************************************************************************************************************************************************************************************************
win1                       : ok=1    changed=0    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0   

but none of the firewall rules are enabled.

Same is true when run in adhoc mode as follows:

ansible windows -m win_firewall_rule -a 'group="Remote Desktop" enabled=true'
win1 | SUCCESS => {
    "changed": false
}

ISSUE TYPE
COMPONENT NAME

win_firewall_rule

ANSIBLE VERSION
ansible [core 2.14.2]
  config file = /mnt/c/Users/MeeuwsenS/OneDrive - Ultima Business Solutions/source/test/ansible.cfg
  configured module search path = ['/home/smeeuwsen/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/smeeuwsen/.local/lib/python3.11/site-packages/ansible
  ansible collection location = /home/smeeuwsen/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/smeeuwsen/.local/bin/ansible
  python version = 3.11.2 (main, Feb  8 2023, 00:00:00) [GCC 12.2.1 20221121 (Red Hat 12.2.1-4)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.windows 1.12.0

CONFIGURATION
CONFIG_FILE() = /mnt/c/Users/Xyz/OneDrive - Xyz/source/test/ansible.cfg
DEFAULT_HOST_LIST(/mnt/c/Users/Xyz/OneDrive - Xyz/source/test/ansible.cfg) = ['/mnt/c/Users/Xyz/OneDrive - Xyz/source/test/inventory']
OS / ENVIRONMENT

Host OS: Windows Server 2022 Standard Edition
Ansible Controller OS: Fedora 37

STEPS TO REPRODUCE

Run the following adhoc command:

ansible windows -m win_firewall_rule -a 'group="Remote Desktop" enabled=true'
win1 | SUCCESS => {
    "changed": false
}

- name: Ensure Remote Desktop Group rules are enabled
  community.windows.win_firewall_rule:
    group: "Remote Desktop"
    enabled: true

EXPECTED RESULTS

I expect Change: True when running the command against a Windows Server 2022 where the group rules are not enabled

ACTUAL RESULTS

The actual result is as described above: the command outputs Changed: false, but the rules in the group are not enabled.

ansible windows -m win_firewall_rule -a 'group="Remote Desktop" enabled=true'
win1 | SUCCESS => {
    "changed": false
}

V0idC0de commented 1 year ago

Confirming this issue.

We just stumbled upon this when trying to enable the Remote Event Log Management group. Ad-hoc module execution, as well as using the module in a playbook task, yielded changed=false on both target systems.

When trying the same with name: Remote Event Log Management (RPC) (a single rule of this group), the module behaved as expected: it enabled the rule on the first run, correctly reporting changed=true, and on the second run it correctly identified the desired state as already being present, reporting changed=false.

Target systems were freshly installed Windows Server 2022, Ansible controller system is Ubuntu 20.04.

spectras commented 1 year ago

FWIW, here is a workaround:

    group: "@FirewallAPI.dll,-28752"

…selects the remote desktop group.

I found this out by checking the output of (New-Object -ComObject HNetCfg.FwPolicy2).Rules in powershell.
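An added example (not from this thread or from the community.windows collection) showing how to go from a localized group name such as "Remote Desktop" to the indirect-string identifier the workaround above uses, and then verify through the same HNetCfg.FwPolicy2 COM object which rules in that group are actually enabled after a playbook run. The group name and the "@FirewallAPI.dll,-28752" value come from this thread; the script's structure, the $DisplayGroup parameter and the use of Get-NetFirewallRule to resolve the identifier are assumptions of this example.

```powershell
# Added example: map a localized firewall group name to its stored identifier
# and report the enabled state of every rule in that group. Not part of the
# issue or the collection; run on the Windows host being managed.
param(
    # Localized display name as shown in the Windows Firewall UI (assumed parameter).
    [string]$DisplayGroup = 'Remote Desktop'
)

# Get-NetFirewallRule exposes both forms of the group: DisplayGroup is the
# localized text, Group is the raw value stored on the rule, which for built-in
# rules is an indirect string such as '@FirewallAPI.dll,-28752' (value from this thread).
$groupIds = Get-NetFirewallRule -DisplayGroup $DisplayGroup -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Group -Unique

if (-not $groupIds) {
    Write-Warning "No firewall rules found with DisplayGroup '$DisplayGroup'"
    return
}

# The COM object the workaround comment used to discover the identifier.
$policy = New-Object -ComObject HNetCfg.FwPolicy2

foreach ($id in $groupIds) {
    Write-Host "DisplayGroup '$DisplayGroup' is stored as Grouping '$id'"
    Write-Host "Pass this value to win_firewall_rule as: group: `"$id`""

    # Filter the COM rule collection on the raw Grouping value, the same field a
    # string comparison against the localized name would fail to match.
    $rules = @($policy.Rules | Where-Object { $_.Grouping -eq $id })
    $enabled = @($rules | Where-Object { $_.Enabled }).Count

    Write-Host ("{0} of {1} rules in this group are enabled" -f $enabled, $rules.Count)
    $rules |
        Select-Object Name, Enabled, Direction, Profiles |
        Format-Table -AutoSize
}
```

Run it before and after the task to confirm whether the group state really changed: a task that reports changed=false while this script still shows 0 of N rules enabled is the symptom described in this issue, and the Grouping value it prints is the identifier to use in the group: parameter as in the workaround.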