Overview
The Microsoft Wireless Display Adapter is used to connect to an external monitor. On a technical level the wireless connection is established via Miracast, which is an extension of Wi-Fi Direct. This peer-to-peer protocol lets devices communicate directly with each other to share multimedia, without requiring an access point or other network infrastructure in between.
Problem
After a Windows (10/11) system is hardened according to CIS, connecting to an external display using Microsoft's Wireless Display Adapter is no longer possible. The adapter itself is still seen by the client, but connecting to the external display runs into a timeout.
Cause
Necessary requirements
For communication with the adapter to be established, the client needs an inbound firewall rule named "Wireless Display (TCP-In)" for the Public profile that allows the program %systemroot%/system32/WUDFHost.exe.
Hardening configuration
The hardening configuration contains, among other things, a setting that ensures 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. The rationale is that there should be no special local firewall exceptions per computer when in the Public profile. These settings should be managed by a centralized policy; as a result, no local rules are applied.
Even if this inbound firewall rule exists and is enabled locally, it will never be applied because of the CIS hardening recommendation mentioned above: the result is that the connection attempt runs into a timeout.
Solution
To keep the system compliant with its hardening configuration, a central GPO has to be created and applied only to the clients that use the Microsoft Wireless Display Adapter.
The firewall settings are as follows:
- Program: %systemroot%/system32/WUDFHost.exe
- Protocol: TCP
- Authorized Local Principals: NT Authority\User Mode Drivers
- Local Port: Any
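The following PowerShell is an added example and not part of the original article or of any Microsoft or CIS tooling. It covers both the cause described above (a local rule that exists but is ignored because the Public profile does not apply local rules) and the solution (delivering the same rule through a central GPO). It assumes an elevated session with the built-in NetSecurity cmdlets, a domain-joined client for the RSOP query, and a GPO whose name is a placeholder you must replace. The SDDL string for "NT AUTHORITY\USER MODE DRIVERS" uses the well-known SID S-1-5-84-0-0-0-0-0, which is the value the built-in rule uses; the function and variable names are the example's own.

```powershell
# Added example: diagnose why "Wireless Display (TCP-In)" is not effective on a
# CIS-hardened client, and create the equivalent rule in a central GPO.
$RuleName    = 'Wireless Display (TCP-In)'
$ProgramPath = '%SystemRoot%\System32\WUDFHost.exe'
# Assumption: well-known SID of NT AUTHORITY\USER MODE DRIVERS expressed as SDDL
$UmdfSddl    = 'O:LSD:(A;;CC;;;S-1-5-84-0-0-0-0-0)'

function Test-WirelessDisplayRule {
    # Effective Public-profile setting (GPO-delivered values win over local ones).
    $public = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore
    $localRulesIgnored = ($public.AllowLocalFirewallRules -eq 'False')

    # Rule as defined in the local persistent store (what an admin sees in wf.msc).
    $localRule = Get-NetFirewallRule -DisplayName $RuleName -PolicyStore PersistentStore `
                     -ErrorAction SilentlyContinue

    # Rule as delivered by Group Policy (Resultant Set of Policy); empty if no GPO carries it.
    $gpoRule = Get-NetFirewallRule -DisplayName $RuleName -PolicyStore RSOP `
                   -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Profile -match 'Public|Any' }

    $diagnosis = if ($gpoRule) {
        'OK: rule is delivered by GPO and applies to the Public profile'
    } elseif ($localRule -and $localRulesIgnored) {
        'Local rule exists but "Apply local firewall rules" is No on Public; deliver it via GPO'
    } elseif ($localRule) {
        'Local rule exists and local rules are applied; look for another cause'
    } else {
        'Rule is missing locally and in GPO'
    }

    [pscustomobject]@{
        PublicIgnoresLocalRules = $localRulesIgnored
        LocalRuleDefined        = [bool]$localRule
        GpoRuleEffective        = [bool]$gpoRule
        Diagnosis               = $diagnosis
    }
}

function New-WirelessDisplayGpoRule {
    param(
        # Placeholder: "<domain>\<GPO name>" of the GPO scoped only to adapter clients.
        [string]$GpoStore = 'corp.example\Wireless Display Adapter Clients'
    )
    # Writes the rule into the GPO instead of the local store, so it survives the
    # CIS setting that ignores local rules on the Public profile.
    New-NetFirewallRule -PolicyStore $GpoStore `
        -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Enabled True `
        -Profile Public -Protocol TCP -LocalPort Any `
        -Program $ProgramPath `
        -LocalUser $UmdfSddl
}

# Usage (run on an affected client, then on a machine with GPO write permissions):
Test-WirelessDisplayRule
# New-WirelessDisplayGpoRule -GpoStore 'corp.example\Wireless Display Adapter Clients'
```

Scope the GPO with a security group containing only the affected clients, as the article recommends, so the exception does not silently widen the Public-profile surface across the whole fleet; after a `gpupdate /force` on a client, rerunning `Test-WirelessDisplayRule` should report `GpoRuleEffective = True`.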