Quick fix: Windows Defender Firewall sometimes blocks legitimate apps. Open Settings → Privacy & security → Windows Security → Firewall & network protection → Allow an app through firewall. Click Change settings then Allow another app. Browse to the app’s EXE. Tick both Private and Public network checkboxes.
An app you trust (game, IDE, server software) can’t connect to the network. Windows Firewall is blocking it. Default is to block unknown apps; legitimate apps need explicit allow rules. The fix is to add the app to the firewall’s allow list.
Affects: Windows 11 (and Windows 10) with Windows Defender Firewall.
Fix time: ~5 minutes.
What causes this
Windows Defender Firewall has two rule directions: Inbound rules (incoming connections to your PC; blocked by default) and Outbound rules (your PC connecting out; allowed by default). When an app tries to listen on a port, Windows prompts the first time. If you click No or the prompt doesn’t appear, the app stays blocked.
The Allow list in Firewall settings shows which apps have inbound permission per network profile (Private, Public, Domain).
Method 1: Allow app via Windows Security UI
The standard route.
- Open Settings → Privacy & security → Windows Security → Firewall & network protection.
- Click Allow an app through firewall.
- Click Change settings (requires admin elevation).
- Scroll the list to find your app.
- If app is listed but blocked: tick both Private and Public network columns. Click OK.
- If app isn’t listed: click Allow another app. Click Browse, navigate to the app’s EXE, click Open. Click Add.
- Tick Private and Public for the newly-added app.
- Click OK to apply.
- Test: launch the app, attempt to connect. Should work.
This is the canonical fix.
Method 2: Create inbound rules in advanced firewall
For port-specific or service-specific rules.
- Open Windows Defender Firewall with Advanced Security (wf.msc).
- Click Inbound Rules. Click New Rule.
- Pick rule type:
  - Program — allow specific EXE.
  - Port — allow specific TCP/UDP port (e.g., 80 for HTTP, 22 for SSH).
  - Predefined — allow a Windows service (e.g., File and Printer Sharing).
  - Custom — any combination.
- For Program: browse to EXE. Choose Allow the connection. Pick profiles (Domain, Private, Public). Name the rule.
- For Port: enter TCP/UDP and port number. Same as above.
- Click Finish. Rule is active.
- To edit: right-click rule → Properties. Adjust as needed.
- To disable temporarily: right-click rule → Disable Rule.
This is the right path for power users with specific port requirements.
Method 3: Allow app via PowerShell for scripted setup
For automated deployment.
- Open Terminal (Admin).
- Allow an app:
    New-NetFirewallRule -DisplayName "My App" -Direction Inbound -Program "C:\Path\to\myapp.exe" -Action Allow -Profile Private,Public
- Allow a port:
    New-NetFirewallRule -DisplayName "My App Port 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow -Profile Private
- List existing rules:
    Get-NetFirewallRule | Where-Object Enabled -eq True | Format-Table DisplayName, Direction, Action
- Remove a rule:
    Remove-NetFirewallRule -DisplayName "My App"
- For corporate deployment: save commands as PowerShell script, deploy via Intune or scheduled task.
This is the right path for IT automation.
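For scripted deployment, the rule creation is safer when it can be re-run without piling up duplicates and when it reads back what was stored. The function below is an added example, not part of the original article: the name Set-AppFirewallRule, its parameters and the default of the Private profile only are assumptions of this example, and the rule name and path are the placeholders used in the commands above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). Rule name and path are placeholders.

function Set-AppFirewallRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Program,
        # Assumption of this example: Private only unless the caller asks for more.
        [ValidateSet('Domain', 'Private', 'Public')]
        [string[]] $NetProfile = @('Private')
    )

    # Refuse to create a rule for an EXE that is not there
    # (for example a path that went stale after an app update).
    if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
        throw "Program not found: $Program"
    }

    # Delete any rule with the same display name so re-runs do not create
    # duplicates and a rule pointing at an old install path is replaced.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $rule = New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound `
        -Program $Program -Action Allow -Profile $NetProfile

    # Read back what was stored, including the program path held on the filter.
    $filter = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        DisplayName = $rule.DisplayName
        Enabled     = $rule.Enabled
        Direction   = $rule.Direction
        Action      = $rule.Action
        Profile     = $rule.Profile
        Program     = $filter.Program
    }
}

# Placeholder values from the commands above; replace before deploying.
Set-AppFirewallRule -DisplayName 'My App' -Program 'C:\Path\to\myapp.exe'
```

Pass -NetProfile Private,Public to reproduce the profile selection used in the article's own command.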
How to verify the fix worked
- Launch the previously-blocked app. Network connectivity works.
- In Allow an app dialog: app appears with both Private and Public ticked.
- Run Get-NetFirewallApplicationFilter -PolicyStore ActiveStore | Where-Object Program -like "*yourapp*". Shows the active rule.
If none of these work
If firewall still blocks despite allow rule:
- Multiple firewall conflict: third-party antivirus (Norton, McAfee) may have its own firewall. Two firewalls fight; one usually blocks. Disable one or configure both.
- For corporate-managed PCs: Group Policy may override your rules. Check via gpresult /h C:\result.html.
- For app needing specific source IP: rule may need to specify Source IP. Use Advanced Security → rule Properties → Scope tab.
- For ports already in use: another app may be using the port. netstat -ano | findstr :8080 shows which process. Stop conflicting process or use different port.
- For sleep-related connection loss: after sleep, network may need to re-establish. Disable USB selective suspend and Wi-Fi power management.
- For app showing in allow list but still blocked: delete and re-add the rule. Sometimes the rule’s path becomes stale (e.g., after app update).
Bottom line: Allow an app through firewall → Change settings → Allow another app → browse to EXE. Tick Private and Public. For granular control, use Windows Defender Firewall with Advanced Security.