Recently I had to troubleshoot a sticky Surface Hub Miracast connection error for a customer. Domain-joined devices were unable to connect to the Surface Hub, while a freshly installed device built from a blank Windows image worked as expected. I started troubleshooting the Surface Hub Miracast connection error and checked all the points mentioned in Microsoft's official Troubleshoot Miracast on Surface Hub post.
A Windows 10 1709 device ships with a default local firewall rule that allows Miracast connections to wireless displays (the built-in Wireless Display rule).
Yet the connection attempt was still interrupted after a timeout.
Looking through Group Policy
After analyzing the Windows 10 Security Baseline Group Policy configuration I came across the following setting:
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security:
In the properties of the Public profile, under the “Customize” button for the profile settings, there is a section called “Rule merging”:
Rule merging is turned off in the Windows 10 Security Baseline, which means that all locally configured firewall rules are ignored for the public profile; only rules delivered through Group Policy are applied. Because Miracast connections, and connection attempts, run over a network interface that the Windows Firewall places in the public profile, the built-in local rule is never evaluated and the traffic is blocked.
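The following PowerShell is an added example, not part of the original post, that checks the state described above on a client: whether local rule merging is off for the Public profile, and whether any Wireless Display rule reaches the machine via Group Policy. It assumes a Windows 10 box with the built-in NetSecurity module, an elevated prompt, and that the built-in rules sit in the display group 'Wireless Display' (an assumption; check `Get-NetFirewallRule | Select DisplayGroup -Unique` on your build).

```powershell
# Added example (not from the original post): inspect why a local
# Wireless Display rule is not honoured on a baseline-managed client.
function Get-MiracastFirewallState {
    # Effective settings after GPO merge. AllowLocalFirewallRules is what the
    # GPO editor shows as "Rule merging: Apply local firewall rules".
    $pub = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore

    # The Security Baseline writes the same setting to the policy registry key
    # (0 = No). The value is absent when no GPO configures rule merging.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
    $merge = (Get-ItemProperty -Path $key -Name AllowLocalPolicyMerge -ErrorAction SilentlyContinue).AllowLocalPolicyMerge

    # Built-in rules live in the local persistent store (assumed display group),
    # rules delivered by Group Policy show up in the RSOP store.
    $localRules = Get-NetFirewallRule -DisplayGroup 'Wireless Display' -PolicyStore PersistentStore -ErrorAction SilentlyContinue
    $gpoRules   = Get-NetFirewallRule -PolicyStore RSOP -ErrorAction SilentlyContinue |
                  Where-Object { $_.DisplayName -like '*Wireless Display*' -or $_.DisplayName -like '*Miracast*' }

    [pscustomobject]@{
        PublicProfileEnabled      = $pub.Enabled
        AllowLocalFirewallRules   = $pub.AllowLocalFirewallRules   # True / False / NotConfigured
        AllowLocalPolicyMerge     = $merge                         # registry view of the same setting
        LocalWirelessDisplayRules = @($localRules).Count
        GpoWirelessDisplayRules   = @($gpoRules).Count
    }
}

$state = Get-MiracastFirewallState
$state | Format-List

# The failure mode from this post: local rules exist but are ignored for the
# Public profile, and no GPO-delivered rule replaces them.
if ("$($state.AllowLocalFirewallRules)" -eq 'False' -and $state.GpoWirelessDisplayRules -eq 0) {
    Write-Warning 'Local rule merging is disabled for the Public profile and no Wireless Display rule arrives via GPO; Miracast will be blocked.'
}
```

The same information is visible in `netsh advfirewall show publicprofile`, where a disabled merge shows up as "LocalFirewallRules N/A (GPO-store only)"; the script simply puts the three relevant facts next to each other.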
Configure the appropriate firewall rule
The easiest way to allow Miracast connections is to create a Windows Firewall rule for all profiles via Group Policy, as recommended in the Microsoft blog:
Allow In/Out connections for TCP and UDP, Ports: All.
Keep in mind that a rule without a program restriction allows every program on every port; the built-in Wireless Display rule is scoped to a program, so keep that program scope in the GPO rule rather than weakening the baseline more than necessary.
With the Miracast rule configured through Group Policy, connecting to Miracast devices should work as expected even with local rule merging disabled for the public profile.
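As an added example (not from the original post or Microsoft's blog), the rule can also be written into the GPO from PowerShell instead of the GPMC editor. The script copies the program and protocol of each built-in local Wireless Display rule into a rule for all profiles in the GPO, so the GPO rule is no wider than the local one it replaces while ports stay at All, as recommended. It assumes a GPO named 'Surface Hub Miracast' in domain 'contoso.local' (both hypothetical), an elevated session on a domain-joined machine with edit rights on that GPO, and the built-in rules in display group 'Wireless Display' (an assumption).

```powershell
# Added example (not from the original post): deliver the Miracast allow
# rules through a GPO so they apply even when local rule merging is disabled.
$GpoStore = 'contoso.local\Surface Hub Miracast'   # "<domain>\<GPO name>", hypothetical

# Open an editing session on the GPO's firewall policy store
$session = Open-NetGPO -PolicyStore $GpoStore

# Built-in local rules to mirror (display group is an assumption for this build)
$builtIn = Get-NetFirewallRule -DisplayGroup 'Wireless Display' -PolicyStore PersistentStore
foreach ($rule in $builtIn) {
    $app  = $rule | Get-NetFirewallApplicationFilter   # Program of the local rule
    $port = $rule | Get-NetFirewallPortFilter          # Protocol/ports of the local rule

    $params = @{
        GPOSession  = $session
        DisplayName = "Miracast - $($rule.DisplayName)"
        Group       = 'Miracast (GPO)'
        Direction   = $rule.Direction
        Profile     = 'Any'      # all profiles, as the Microsoft post recommends
        Action      = 'Allow'
    }
    # Keep the program scope of the built-in rule; 'Any' means it had none
    if ($app.Program -and $app.Program -ne 'Any') { $params.Program  = $app.Program }
    if ($port.Protocol -ne 'Any')                  { $params.Protocol = $port.Protocol }
    # Ports are deliberately left at the default (All), matching the recommendation

    New-NetFirewallRule @params | Out-Null
}

# Write the rules back into the GPO
Save-NetGPO -GPOSession $session

# After `gpupdate /force` on a client the rules should show up in the RSOP store:
#   Get-NetFirewallRule -PolicyStore RSOP | Where-Object Group -eq 'Miracast (GPO)'
```

Because the rules are created in the GPO store and not locally, the baseline's disabled rule merging does not affect them; verify on a client with `Get-NetFirewallRule -PolicyStore RSOP` after the next policy refresh.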
On domain-joined devices, Group Policy can also block Miracast through the wireless network policy. To check:
- Press Windows Key + R, type rsop.msc and press Enter to open the Resultant Set of Policy snap-in. This shows the policies currently applied to the PC.
- Review Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies. If a wireless policy is applied, it is listed there.
- Double-click the wireless policy and a dialog box will appear.
- On the Network Permissions tab, make sure Allow everyone to create all user profiles is selected.