Block specific apps’ network access with Windows Defender Firewall (Advanced Security) on Windows 10/11
Difficulty: Intermediate | Time Required: 20 minutes
Introduction
Blocking an app’s internet access can help protect your privacy, conserve bandwidth, or prevent a troublesome program from phoning home. Windows Defender Firewall with Advanced Security (the MMC snap-in often called WFAS) lets you create per-program outbound rules so the chosen app cannot reach the network, while leaving other apps unaffected. The steps are straightforward, and they apply to both Windows 10 and Windows 11. Note that the exact UI can vary slightly between editions, so I’ve included checkbox options you’ll typically see in Pro/Enterprise/Education builds.
Prerequisites
- Administrative access on the PC (you’ll need to run the firewall tool as Administrator).
- Windows edition: Windows 10/11 Pro, Enterprise, or Education (WFAS GUI is not available in Windows 10/11 Home). If you’re on Home, I’ll show an alternative PowerShell method at the end.
- The path to the executable you want to block (e.g., C:\Program Files\Example\AppName\AppName.exe). If the app launches multiple executables, you may need to create multiple rules.
- Optional: decide which network profiles (Domain, Private, Public) the block should apply to.
1) Open Windows Defender Firewall with Advanced Security
- Press Windows + R, type wf.msc, and press Enter.
- If prompted by User Account Control (UAC), click Yes to grant admin rights.
- Tip: You can also search for "Windows Defender Firewall with Advanced Security" in the Start menu and open it from there.
- In the left-hand navigation pane, click on “Outbound Rules.”
- Outbound rules govern traffic leaving your PC. Blocking outbound connections for a program is usually all you need to stop it from reaching the internet.
- In the right-hand pane, click “New Rule…”.
- Choose “Program” and then click “Next.”
- This option lets you specify the exact executable you want to block.
- Click “This program path:” and then Browse to the app’s executable (for example, C:\Program Files\Example\AppName\AppName.exe).
- If the app has multiple launched executables, repeat the process for each one you want blocked (you can create multiple rules).
- Choose “Block the connection” and click “Next.”
- Choose when the rule applies: Domain, Private, and Public (check all three for a universal block, or pick only the networks you use most).
- Click “Next.”
- Enter a clear Display name, such as “Block AppName outbound.”
- Add an optional Description like “Blocks all outbound traffic for AppName to prevent network access.”
- Click “Finish.”
- Launch the blocked app and try to access a network resource (e.g., open a website or update check). It should fail to connect.
- If the app still connects, double-check that you selected the correct executable path and that you created the rule under Outbound Rules (not Inbound Rules). You can also temporarily disable other firewall rules to verify there’s no conflicting allowance.
- Some apps spawn helper processes or components. If connectivity still works, repeat steps 3–9 for any additional executables associated with the app.
- If you can’t find Outbound Rules in your edition: Windows 10/11 Home users don’t have the WFAS GUI. Use the PowerShell method below as an alternative.
- If the app updates and changes its install path: You’ll need to update the rule or create a new rule for the new path. Consider creating a rule for the parent installer folder, but note that the firewall needs a specific path for the Program type rule.
- Conflicting rules: A benign “Allow” rule with higher priority can override a block rule in some edge cases. In WFAS, block rules generally take precedence for the same program path. If you’re not seeing the block take effect, review other outbound rules for the same program path and disable or delete conflicting ones.
- Network profiles matter: If you block on all profiles (Domain, Private, Public), be mindful of scenarios where you connect to work networks (Domain) or hot-spots (Public). You can tailor profiles to your typical usage.
If you’re on Windows 10/11 Home or simply prefer a command-line approach, you can create outbound block rules with PowerShell. This method works across editions as long as you have admin access.
1) Open PowerShell as Administrator
- Press Windows + X, choose “Windows PowerShell (Admin)” or search for PowerShell, right-click, and select “Run as administrator.”
- Run a command like:
New-NetFirewallRule -DisplayName "Block AppName outbound" -Direction Outbound -Program "C:\Program Files\Example\AppName\AppName.exe" -Action Block -Profile Any
- Replace the path with the actual executable path. The -Profile Any parameter applies to Domain, Private, and Public networks.
- You can list the rule with:
Get-NetFirewallRule -DisplayName "Block AppName outbound"
- Confirm that the rule shows as Enabled and Action Block.
- If the app uses multiple executables, repeat for each path:
New-NetFirewallRule -DisplayName "Block AppName updater" -Direction Outbound -Program "C:\Program Files\Example\AppName\Updater.exe" -Action Block -Profile Any
- Launch the app and test connectivity as in the GUI method.
- This guidance applies to Windows 10 and Windows 11, but remember: the Windows Defender Firewall with Advanced Security GUI (wf.msc) is typically available on Windows 10/11 Pro, Enterprise, and Education. Home editions may lack the GUI, though PowerShell rules work there.
- If you’re on Windows 11 22H2 or Windows 10 version 1809 and later, the steps above are generally consistent. UIs may look slightly different due to theme or minor updates, but the core process remains the same.
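The multi-executable, changed-install-path and conflicting-rule cases from the troubleshooting notes, handled in one re-runnable script. This is an added example, not part of the original guide; the folder path and the group name "Block AppName" are placeholders, and it assumes all of the app's executables live under one install folder.

```powershell
#Requires -RunAsAdministrator
# Added example: block every executable under one install folder and
# report outbound Allow rules that name the same paths.
# $AppRoot and $Group are placeholders; replace them for your app.
param(
    [string]$AppRoot = 'C:\Program Files\Example\AppName',
    [string]$Group   = 'Block AppName'
)

if (-not (Test-Path -LiteralPath $AppRoot -PathType Container)) {
    throw "Install folder not found: $AppRoot"
}

# A Program rule matches one full path, so enumerate every .exe,
# including helper and updater binaries in subfolders.
$exes = Get-ChildItem -LiteralPath $AppRoot -Filter *.exe -Recurse -File

# Remove the rules from a previous run so stale paths do not
# accumulate after the app updates or moves.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($exe in $exes) {
    New-NetFirewallRule -DisplayName "Block $($exe.Name) outbound" `
        -Group $Group -Direction Outbound -Program $exe.FullName `
        -Action Block -Profile Any | Out-Null
}

# Report enabled outbound Allow rules that target the same executables,
# so they can be reviewed alongside the new block rules.
$blocked = $exes.FullName
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallApplicationFilter
        if ($blocked -contains $filter.Program) {
            [pscustomobject]@{ Rule = $_.DisplayName; Program = $filter.Program }
        }
    }

# List what was created for a final check.
Get-NetFirewallRule -Group $Group |
    Select-Object DisplayName, Enabled, Action, Direction
```

Re-run the script after each app update; tagging the rules with one group is what lets the previous set be found and replaced in a single step.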
Blocking specific apps’ network access with Windows Defender Firewall (Advanced Security) gives you precise control over what connects to the internet. The GUI method is approachable for most users, while PowerShell offers a solid alternative for Home editions or those who prefer scripting. With a little care in selecting the correct executable paths, you can protect your privacy, manage bandwidth, and minimize unwanted network activity without affecting other programs.
Key takeaways
- You can block a specific app’s outbound network access using a per-program rule in WFAS.
- The GUI method is straightforward on Windows 10/11 Pro and above; Home users can achieve the same via PowerShell.
- Always verify the exact executable path and test after creating the rule.
- You can apply the rule to Domain, Private, and Public networks or tailor by profile as needed.
- For apps with multiple executables, create separate rules per executable.
Key Takeaways:
- Per-program outbound blocking provides targeted control over internet access.
- Use the GUI in WFAS when available; otherwise, rely on PowerShell for Home editions.
- Test thoroughly after adding a rule to ensure the app is properly blocked.