Why Firewall Allows Outbound After a Specific App Updates Itself

Quick fix: Some apps create their own Windows Firewall rules during an update, including overly broad outbound allow rules. Audit existing rules: Get-NetFirewallRule | Where-Object Direction -eq Outbound | Where-Object Action -eq Allow. Delete rules created by the app: Remove-NetFirewallRule -DisplayName "Suspicious Rule".

You configured strict outbound firewall rules. After updating a specific app, outbound traffic for that app started working unexpectedly — your rules were supposed to block it. The app’s installer or updater added its own “Allow outbound” rule during update.

Symptom: An app gains outbound network access after an update despite your firewall rules.
Affects: Windows 11 with custom firewall policies.
Fix time: 10 minutes.


What allows app rule creation

By default, Windows Firewall allows apps running as Administrator (or installers elevated via UAC) to add their own firewall rules. Updates often run in an elevated context and silently add rules. The result: your "deny by default" policy gets undermined.

Method 1: Audit and remove unwanted rules

  1. Open elevated PowerShell.
  2. List outbound allow rules, sorted by name: Get-NetFirewallRule | Where-Object {$_.Direction -eq 'Outbound' -and $_.Action -eq 'Allow'} | Sort-Object DisplayName.
  3. Identify rules created by the app (often named after the app or its EXE).
  4. Remove: Remove-NetFirewallRule -DisplayName "Rule Name".


Method 2: Prevent apps from creating rules

  1. gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security → Windows Defender Firewall Properties.
  2. For each profile (Domain, Private, Public), open Settings.
  3. Under Rule merging, set Apply local firewall rules to No.
  4. Now only GPO-pushed rules apply; locally added rules (including those from app updates) are ignored.

Method 3: Set strict outbound default deny

  1. In the same GPO Properties dialog, set Outbound connections to Block.
  2. Add explicit allow rules only for apps you trust.
  3. Any app that adds its own rule under this policy gets denied unless you explicitly allow it.

Verification

  • The app you didn’t want to allow can’t reach the Internet after rule removal.
  • New rules created by the app on update fail to apply (if Method 2).
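
To make the audit repeatable, the script below saves a baseline of enabled outbound allow rules, lists any rule that appears afterwards (for example after an app update), and prints the effective profile settings that Methods 2 and 3 change. It is an added example, not part of the original article; the baseline path and the -UpdateBaseline switch are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. $BaselinePath is an assumed location.
param(
    [string]$BaselinePath = "$env:ProgramData\fw-outbound-baseline.json",
    [switch]$UpdateBaseline   # pass after reviewing, to accept the current rule set
)

# Enabled outbound allow rules in the local store, keyed by the unique rule Name.
$current = @(Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object Name, DisplayName, DisplayGroup)

if ($UpdateBaseline -or -not (Test-Path -Path $BaselinePath)) {
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline saved: $($current.Count) outbound allow rules."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$added = @($current | Where-Object { $_.Name -notin $baseline.Name })

if ($added.Count -eq 0) {
    Write-Host 'No outbound allow rules added since the baseline.'
} else {
    # Resolve the program each new rule applies to; 'Any' means it is not tied to one EXE.
    $added | ForEach-Object {
        $filter = Get-NetFirewallRule -Name $_.Name | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Program     = $filter.Program
            Name        = $_.Name
        }
    } | Format-Table -AutoSize -Wrap
}

# Effective profile settings: with Method 2 applied, AllowLocalFirewallRules is expected
# to read False; with Method 3 applied, DefaultOutboundAction is expected to read Block.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, DefaultOutboundAction, AllowLocalFirewallRules |
    Format-Table -AutoSize
```

Run it once before updating the app to create the baseline, then again after the update; any rule it lists can be removed as in Method 1.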

If none of these work

For very aggressive apps that bypass the firewall via different mechanisms (UWP apps with broadFileSystemAccess, or apps that use port-binding tricks), consider a third-party firewall like SimpleWall or TinyWall that doesn't allow app self-modification.

Bottom line: Apps adding their own firewall rules is the default Windows behavior. Block it via the GPO setting "Apply local firewall rules: No", or audit and remove unwanted rules periodically.
