Wednesday, 2 December 2009

SBS 2008 - one XP SP3 client incorrectly reporting firewall OFF

One of the SBS 2008 servers I recently migrated from SBS 2003 has been reporting, both in the console and in the email status report, that one of the client machines has the firewall disabled. I checked straight away that this was not the case and indeed, the Windows firewall was enabled and configured in line with the default SBS 2008 group policies. That was six weeks ago and I felt it was about time I got around to fixing the issue.

It seems that the built-in Windows Firewall doesn't register itself in WMI. Third-party firewalls do. SBS bases the results of its reports on WMI queries to the root\securitycenter namespace. If it finds no instance at all, the client appears in the console as having an 'unknown status', and when the report comes through in email it still has the green check mark, i.e. unknown status = OK. I guess Microsoft have done this to accommodate the built-in Windows firewall, which many of its customers will be using.

The problem on the machine I was dealing with was that it had at one time had a third-party firewall, which had created an instance in WMI. When the firewall was uninstalled, rather than deleting the WMI entry, it set the status in WMI to OFF. When SBS queried this client it did not see an unknown status, as would normally happen with the Windows firewall. It found a WMI firewall instance with the status OFF, and that caused the red cross in the status reports.

To correct the issue I had to open up wbemtest.exe, the WMI test utility found in %WINDIR%\system32\Wbem, then click Connect, change the namespace to root\securitycenter, and click Connect again. Next, click Open Class and type in firewallproduct, then click on Instances. For XP clients that have always used the Windows firewall and never had a third-party firewall installed, the instances list will be empty. On my problem client there was a GUID in there for the firewall instance that had previously been installed. Deleting that entry from the instances list solved the problem.
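The same check and cleanup can be scripted instead of clicked through in wbemtest. This is an added example, not part of the original post; it assumes PowerShell 2.0 or later is available, and the function names and the property names `displayName`, `enabled` and `instanceGuid` (from the legacy FirewallProduct class) are assumptions not shown on the page.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumes PowerShell 2.0+ and the legacy root\SecurityCenter namespace used by XP.

function Get-FirewallProductInstance {
    [CmdletBinding()]
    param([string]$ComputerName = '.')

    # An empty result is the normal state for a client that has only ever used
    # the built-in Windows firewall; SBS then reports 'unknown status'.
    Get-WmiObject -Namespace 'root\SecurityCenter' -Class 'FirewallProduct' `
                  -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object @{ n = 'Computer'; e = { $_.__SERVER } },
                      companyName, displayName, enabled, instanceGuid
}

function Remove-StaleFirewallProduct {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$ComputerName = '.',
        # GUID copied from the listing above; never guessed by the script.
        [Parameter(Mandatory = $true)][string]$InstanceGuid
    )

    $found = @(Get-WmiObject -Namespace 'root\SecurityCenter' -Class 'FirewallProduct' `
                             -ComputerName $ComputerName -ErrorAction Stop |
               Where-Object { $_.instanceGuid -eq $InstanceGuid })

    if ($found.Count -eq 0) {
        Write-Warning "No FirewallProduct instance $InstanceGuid on $ComputerName."
        return
    }

    foreach ($fw in $found) {
        # A product that still reports itself as enabled is probably installed
        # and working; leave its registration alone.
        if ($fw.enabled) {
            Write-Warning "'$($fw.displayName)' reports enabled; not removing."
            continue
        }
        if ($PSCmdlet.ShouldProcess("$ComputerName : $($fw.displayName)", 'Delete WMI instance')) {
            $fw | Remove-WmiObject
        }
    }
}

# Usage: list first, confirm the product really is uninstalled, then remove.
#   Get-FirewallProductInstance -ComputerName 'CLIENT01'      # constructed host name
#   Remove-StaleFirewallProduct -ComputerName 'CLIENT01' -InstanceGuid '{PLACEHOLDER-GUID}'
```

Only remove an instance after confirming the third-party product is no longer installed on the client, since deleting the registration of a live firewall would hide its real state from the SBS report.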

