windows: don’t disable builtin firewall rules before setting our own

Oops.

roles/windows/tasks/firewall.yml

@@ -1,16 +1,3 @@
-- name: Disable some builtin rules
-  win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
-  changed_when: false # no way to tell
-  loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
-    - "AllJoyn Router"
-    - "File and Printer Sharing"
-    - "mDNS"
-    - "OpenSSH Server"
-    - "Secure World Wide Web Services (HTTPS)"
-    - "Secure World Wide Web Services (QUIC)"
-    - "Windows Remote Management"
-    - "World Wide Web Services (HTTP)"
-
 - name: Allow ICMP
   win_firewall_rule:
     name: Allow incoming ICMP
@@ -45,3 +32,17 @@
   loop_control:
     label: "{{ service.name }}"
     loop_var: service
+
+- name: Disable some builtin rules
+  win_shell: "Set-NetFirewallRule -DisplayGroup '{{ item }}' -Enabled False"
+  changed_when: false # no way to tell
+  failed_when: false # fails if the group doesn’t exist
+  loop: # Get-NetFirewallRule | Where-Object -Property Enabled -eq True
+    - "AllJoyn Router"
+    - "File and Printer Sharing"
+    - "mDNS"
+    - "OpenSSH Server"
+    - "Secure World Wide Web Services (HTTPS)"
+    - "Secure World Wide Web Services (QUIC)"
+    - "Windows Remote Management"
+    - "World Wide Web Services (HTTP)"

roles/windows/tasks/firewall_rule.yml

@@ -1,4 +1,4 @@
-- name: Allow service
+- name: "Allow service {{ service.name }}"
   win_firewall_rule:
     name: "Allow incoming {{ service.name }} for {{ remoteip }}"
     group: "{{ service.name }}"