Windows Firewall should block all communication until core Windows services are 100% available
Currently, automating a Windows deployment causes undue complexity, as a server will begin responding to commands on boot regardless of whether internal systems are completely available. The biggest culprit for this is WinRM, as it will answer and even allow authentication despite the host OS still being in a boot state. For example, I can tell Ansible to poll Windows WinRM 5985 while it reboots, but it will open ports and allow authentication during the boot screen even though the OS hasn't finished init, and thus any follow-up commands are guaranteed to fail (even something as benign as gathering the hostname).
A simple fix would be a delayed enabling of firewall rules (even if the rule was to disable the firewall) so that the OS can ensure it's ready to accept commands and not cause devs to write silly wait conditions or unnecessary checks.
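The gap described in the post, as an added example that is not part of the original post: a readiness gate that treats an open port 5985 as insufficient and only reports the host ready after a harmless remote command has succeeded several times in a row. The function names, the consecutive-success threshold and the `SimulatedBootingHost` class are assumptions made for illustration; in real use `run_probe` would wrap whatever WinRM client the automation already uses.

```python
import socket
import time


def tcp_open(host, port=5985, timeout=3.0):
    """True if the WinRM HTTP listener accepts a TCP connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wait_until_ready(port_open, run_probe, needed=3, attempts=60,
                     delay=5.0, sleep=time.sleep):
    """Return the attempt number at which the host counts as ready.

    port_open(): bool, listener reachable (what a plain port poll checks).
    run_probe(): runs a benign remote command such as `hostname` and
                 raises if it fails.
    A success streak is required because the listener can accept
    connections and authentication before commands actually work.
    """
    streak = 0
    for attempt in range(1, attempts + 1):
        try:
            streak = streak + 1 if port_open() and run_probe() else 0
        except Exception:
            streak = 0  # any failure resets the streak
        if streak >= needed:
            return attempt
        sleep(delay)
    raise TimeoutError(f"host not ready after {attempts} attempts")


class SimulatedBootingHost:
    """Constructed stand-in for a rebooting server (not a real API):
    the listener answers from poll 2, commands only work from poll 5."""

    def __init__(self, listener_at=2, os_ready_at=5):
        self.tick, self.listener_at, self.os_ready_at = 0, listener_at, os_ready_at

    def port_open(self):
        self.tick += 1  # one tick per poll
        return self.tick >= self.listener_at

    def run_probe(self):
        if self.tick < self.os_ready_at:
            raise RuntimeError("authenticated, but command failed")
        return "HOST01"  # constructed hostname
```
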