Recently I had to troubleshoot a sticky Surface Hub Miracast connection error for a customer. They were unable to connect to the Surface Hub from domain-joined devices, but a newly installed device from a blank Windows image was working as expected. I started troubleshooting the Surface Hub Miracast connection error and checked all the points mentioned in the official Microsoft post about "Troubleshoot Miracast on Surface Hub".
A Windows 10 1709 device has a default firewall rule that allows Miracast connections to wireless displays:
But the connection attempt was still interrupted after a timeout.
Looking through Group Policy
After analyzing the Windows 10 Security Baseline Group Policy configuration I came across the following settings:
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security:
In the settings for the public profile under the "Customize" section there's a section called "Rule merging":
As you can see, rule merging is turned off in the Windows 10 Security Baseline, which means **all locally configured firewall rules are ignored for the public profile.** Because Miracast connections and connection attempts belong to the public profile of the Windows Firewall, the built-in local firewall rule is never applied.
Configure the appropriate firewall rule
The easiest way to allow Miracast connections is to create a Windows Firewall Rule for all profiles with Group Policy, as recommended in the Microsoft Blog:
Allow In/Out connections for TCP and UDP, Ports: All.
With the Miracast rule configured through Group Policy, connecting to Miracast devices should work as expected even with the Security Baseline's rule merging setting applied.
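To confirm this diagnosis on an affected client and verify the fix afterwards, the following check can be run in an elevated PowerShell session. It is an added example, not part of the original post; the `*Wireless Display*` name filter is an assumption about how the built-in rule is named on your build.

```powershell
# Added example: shows whether the effective policy ignores local firewall rules
# on the Public profile, and which rules arrive locally versus through Group Policy.

# Assumption: the built-in Miracast rule's display name contains "Wireless Display".
# Adjust the filter to the rule name shown on the device you are checking.
$ruleFilter = '*Wireless Display*'

# ActiveStore holds the effective settings after Group Policy is applied.
$public = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore

[pscustomobject]@{
    Profile                 = $public.Name
    Enabled                 = "$($public.Enabled)"
    AllowLocalFirewallRules = "$($public.AllowLocalFirewallRules)"
}

# "False" here corresponds to rule merging being turned off by policy.
if ("$($public.AllowLocalFirewallRules)" -eq 'False') {
    Write-Warning 'Local firewall rules are ignored for the Public profile.'
}

# Rules defined on the machine itself (PersistentStore). With merging off,
# a matching allow rule here does not help the Miracast connection.
Write-Output 'Local rules matching the filter:'
Get-NetFirewallRule -PolicyStore PersistentStore -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $ruleFilter } |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize

# Rules delivered by Group Policy (RSOP store is read-only). After the fix,
# the Miracast rule created in the GPO should be listed here.
Write-Output 'Rules delivered by Group Policy:'
Get-NetFirewallRule -PolicyStore RSOP -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize
```

If the warning appears and the second list does not contain a Miracast rule, the client is in the state described above; rerun the check after `gpupdate /force` once the GPO rule has been created.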
- Use the Windows Key + R and type `rsop.msc` to execute the Resultant Set of Policy snap-in. This will show the current policies applied to the PC.
- Review Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies. There should be a setting for wireless policies.
- Double click the setting for wireless policies and a dialog box will appear.
- Open the Network Permissions tab and select Allow everyone to create all user profiles.