Everybody should enable firewall policies in order to keep their environment secure. Best practice is to manage the firewalls through Group Policy: keep a default policy that turns the firewall on and blocks all incoming connections, then add exceptions and ports based on server role. That way every server added to the domain is protected by the firewall by default, while additional policies can open up the traffic that specific applications need to receive.
With the Security Compliance Manager (SCM) you can quickly design the firewall policies and import those settings into a GPO in your environment. However, if you configure the policies through that console, make sure you also configure the exceptions through that console!
In short: when you configure "Do not allow exceptions", the registry value HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DoNotAllowExceptions is set to REG_DWORD 1. When you then configure the exceptions through the normal GPO editor, this value is NOT reset to 0, so no exceptions are allowed and the exceptions you configured will not work! By configuring the exceptions through the SCM console as well, that value is explicitly set back to 0.
PS: It is best to configure only the Windows Firewall with Advanced Security node in the 2008 template:
Do not use: Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
Use: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile
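The quickest way to catch the situation described above (legacy "Do not allow exceptions" still set to 1 while you have deployed inbound rules through the Advanced Security node) is to read the policy registry values on a domain member after a gpupdate. The script below is an added example, not part of the original post or of SCM. It reads the DomainProfile key named above; the StandardProfile key (the legacy name of the private profile) and the FirewallRules key, where GPO-delivered Advanced Security rules are stored as "|"-separated strings, are assumptions based on how Windows stores these policies. Run it in an elevated PowerShell prompt on an affected server:

```powershell
# Added example: audit whether the legacy "Do not allow exceptions" policy
# value is silently neutralising inbound rules deployed through Windows
# Firewall with Advanced Security.
# Assumptions: StandardProfile sits next to DomainProfile under the policy
# root, and GPO-delivered WFAS rules are stored as strings under
# ...\WindowsFirewall\FirewallRules.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-LegacyFirewallPolicyState {
    param([string[]]$ProfileNames = @('DomainProfile', 'StandardProfile'))

    foreach ($name in $ProfileNames) {
        $key   = Join-Path $PolicyRoot $name
        $props = $null
        if (Test-Path $key) { $props = Get-ItemProperty -Path $key }

        # $null means the value is not set by any policy at all
        $enable = $null; $noExceptions = $null
        if ($props) {
            $enable       = $props.EnableFirewall
            $noExceptions = $props.DoNotAllowExceptions
        }

        [pscustomobject]@{
            Profile              = $name
            PolicyKeyPresent     = [bool]$props
            EnableFirewall       = $enable
            DoNotAllowExceptions = $noExceptions
        }
    }
}

function Get-PolicyInboundAllowRuleCount {
    $key = Join-Path $PolicyRoot 'FirewallRules'
    if (-not (Test-Path $key)) { return 0 }

    # Each value is one rule serialised as '|'-separated Name=Value fields,
    # e.g. "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|..."
    # The PS* properties are provider metadata added by Get-ItemProperty.
    $rules = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [string]$_.Value }

    # Field order is not guaranteed, so match each field on its own.
    $inbound = $rules | Where-Object {
        $_ -match '\|Action=Allow\|' -and
        $_ -match '\|Active=TRUE\|'  -and
        $_ -match '\|Dir=In\|'
    }
    return @($inbound).Count
}

function Test-FirewallExceptionPolicy {
    $inboundAllow = Get-PolicyInboundAllowRuleCount

    foreach ($state in Get-LegacyFirewallPolicyState) {
        $blocked = ($state.DoNotAllowExceptions -eq 1)

        $finding = 'OK'
        if ($blocked -and $inboundAllow -gt 0) {
            $finding = "DoNotAllowExceptions=1: $inboundAllow inbound allow rule(s) from policy are ineffective"
        } elseif ($blocked) {
            $finding = 'DoNotAllowExceptions=1: all inbound exceptions disabled'
        }

        [pscustomobject]@{
            Profile                 = $state.Profile
            FirewallOnByPolicy      = ($state.EnableFirewall -eq 1)
            ExceptionsBlocked       = $blocked
            PolicyInboundAllowRules = $inboundAllow
            Finding                 = $finding
        }
    }
}

Test-FirewallExceptionPolicy | Format-Table -AutoSize
```

If the script reports ExceptionsBlocked for a profile, do not "fix" it by editing the registry on the server: the value comes from Group Policy and will be written back on the next refresh. Fix it in the GPO (through SCM, as described above) and confirm on the client with gpupdate /force followed by netsh advfirewall show allprofiles.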


