Recently I had to troubleshoot a sticky Surface Hub Miracast connection error for a customer. They were unable to connect to the Surface Hub from domain-joined devices, but a newly installed device from a blank Windows image was working as expected. I started troubleshooting the error and checked all the points mentioned in the official Troubleshoot Miracast on Surface Hub post from Microsoft.


Default Configuration

A Windows 10 1709 device has a default firewall rule that allows Miracast connections to wireless displays.


But the connection attempt was still interrupted after a timeout.

Looking through Group Policy

After analyzing the Windows 10 Security Baseline Group Policy configuration I came across the following settings:

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security


In the settings for the public profile under the “Customize” section there’s a section called “Rule merging”.


As you can see, rule merging is turned off in the Windows 10 Security Baseline, which means **all locally configured firewall rules are being ignored for the public profile.** Because Miracast connections and connection attempts belong to the public profile of the Windows Firewall, the built-in local firewall rule is always ignored.

Configure the appropriate firewall rule

The easiest way to allow Miracast connections is to create a Windows Firewall Rule for all profiles with Group Policy, as recommended in the Microsoft Blog:

C:\Windows\System32\WUDFHost.exe Allow In/Out connections for TCP and UDP, Ports: All.


With the Miracast rule configured through Group Policy, connecting to Miracast devices should work as expected even with the Security Baseline's Windows Firewall rule merging setting still applied.
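The check and the rule described above, as an added PowerShell example that is not from the original post: it reads the effective Public profile to confirm that local rules are ignored, lists the local WUDFHost.exe rules affected, shows whether a Group Policy rule has arrived, and can create the allow rules in a GPO. The GPO store name `corp.example.com\Miracast Firewall Rules` and the `$createGpoRules` switch are assumptions; run the script from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example; values marked "assumed" are placeholders, not from the original post.
$program        = 'C:\Windows\System32\WUDFHost.exe'          # path from the post
$gpoStore       = 'corp.example.com\Miracast Firewall Rules'  # assumed: <domain FQDN>\<GPO name>
$createGpoRules = $false   # assumed switch: set to $true on a management host with RSAT

# 1. Effective Public profile after Group Policy is applied.
#    AllowLocalFirewallRules = False means rule merging is off, so locally
#    defined rules are not applied to this profile.
$public = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore
$public | Format-List Name, Enabled, AllowLocalFirewallRules

# 2. WUDFHost.exe rules that exist only in the local store (the built-in rule).
$localRules = Get-NetFirewallApplicationFilter -PolicyStore PersistentStore |
    Where-Object { $_.Program -like '*\WUDFHost.exe' } |
    Get-NetFirewallRule
$localRules | Format-Table DisplayName, Direction, Profile, Enabled -AutoSize

# 3. WUDFHost.exe rules delivered by Group Policy (RSOP = sum of all applied GPOs).
$gpoRules = Get-NetFirewallApplicationFilter -PolicyStore RSOP |
    Where-Object { $_.Program -like '*\WUDFHost.exe' } |
    Get-NetFirewallRule

if ($public.AllowLocalFirewallRules -eq 'False' -and -not $gpoRules) {
    Write-Warning ("Public profile ignores local rules and no GPO rule for " +
                   "WUDFHost.exe is applied; Miracast traffic will be blocked.")
}

# 4. Create the rule from the post in the GPO: allow In/Out, TCP and UDP,
#    all ports, all profiles, limited to the WUDFHost.exe program path.
if ($createGpoRules) {
    $session = Open-NetGPO -PolicyStore $gpoStore
    foreach ($direction in 'Inbound', 'Outbound') {
        foreach ($protocol in 'TCP', 'UDP') {
            New-NetFirewallRule -GPOSession $session `
                -DisplayName "Miracast WUDFHost ($protocol-$direction)" `
                -Program $program -Direction $direction -Protocol $protocol `
                -Action Allow -Profile Any | Out-Null
        }
    }
    Save-NetGPO -GPOSession $session   # writes all four rules to the GPO at once
}
```

After `gpupdate /force` on a client, step 3 should list the four GPO rules and the warning should no longer appear.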

Additional Troubleshooting

On domain-joined devices, Group Policy can also block Miracast.

  1. Use the Windows Key + R and type rsop.msc to execute the Resultant Set of Policy snap-in. This will show the current policies applied to the PC.
  2. Review Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies. There should be a setting for wireless policies.
  3. Double-click the setting for wireless policies and a dialog box will appear.
  4. Open the Network Permissions tab and select Allow everyone to create all user profiles.