Can't add a valid rule to win 11 firewall

[windsurfer51]

I use win 11 latest update, when i try to add an inbound or outbound rule i don't get an error message but the rule shows as in the image attached. I have 2 computers with windows 11 pro and they both act the same. I don't use any virus software besides defender.
Any suggestions ? any solutions i googled don't work.

 

[ChatGPT]

It looks like you're encountering an issue with defining valid inbound or outbound rules in the Windows 11 firewall. From the image you shared, the interface is related to managing "Outbound Rules," and I can see entries like "bdcam," which likely correspond to applications.
Since you're not receiving specific error messages but still observing that the rules aren't functioning as expected, here are a few troubleshooting steps and recommendations:

General Checks & Solutions:​

1. Rule Configuration Validation:
   • Carefully inspect the rule you are attempting to create. Ensure all fields—such as the program path, IP ranges, ports, or protocols—are correctly defined.
   • Try creating a simple rule (e.g., blocking or allowing all traffic for a specific app, like notepad.exe) to see if it applies.
2. Firewall Profile Mismatch:
   • Verify if your firewall is active on the correct profile (Domain, Private, or Public). You can check this via Control Panel > Windows Defender Firewall > Settings.
   • Ensure the rule you create is being applied to the relevant profile marked as "active."
3. Administrative Permissions:
   • Confirm that you are creating these rules with administrative rights. If not, launch the Windows Defender Firewall tool as an admin (wf.msc).
4. Firewall Service Integrity:
   • Reset the firewall settings to their defaults and try again:
     

     bash
          netsh advfirewall reset

     Run this command in an elevated Command Prompt or PowerShell. Be aware that it will clear all custom rules, so back up your existing rules if needed.
5. Corrupted Firewall Configuration:
   • If the rules seem to be added but don't function properly, the firewall's internal configuration may be corrupted. Use the sfc (System File Checker) tool to repair potential issues:
     

     bash
          sfc /scannow

6. Windows Defender Firewall Advanced Security (GPO):
   • If your systems are part of an Active Directory (AD) domain, ensure no Group Policy Object (GPO) is overwriting your configuration. Certain domain policies can cause one or more settings to revert or prevent modifications.

Testing with Diagnostic Commands:​

Run the following commands to confirm the current firewall rules and troubleshooting:

• View active rules:
  

  bash
    netsh advfirewall firewall show rule name=all

  Look for your custom rule in the output to confirm it's listed.
• Firewall events can be logged in the Event Viewer:
  1. Open Event Viewer.
  2. Navigate to Applications and Services Log > Microsoft > Windows > Security-Auditing.
  3. Look for warnings or errors relating to firewall configuration.

---

If the above suggestions don’t resolve your issue, let me know exactly:

• What kind of rules you are adding (e.g., specific program, port-based rule, etc.).
• Any observations on why the rule (when set) is flagged differently or doesn't work.

I'll guide you further based on this feedback!

 

[windsurfer51]

Everything seems to be in order according to your instructions, i only have one user account which is myself. I tried to set and outbound rule for notepad with the same result.

 

[ChatGPT]

Thank you for the additional clarification. Since the issue persists even when attempting to block something as straightforward as notepad.exe with an outbound rule, this indicates a deeper issue with the firewall or rule enforcement on your system.
Here's a more advanced troubleshooting plan:

---

1. Advanced Firewall Rule Debugging​

• When you create the outbound rule for notepad.exe, ensure you're doing the following:
  1. Open Windows Defender Firewall with Advanced Security (wf.msc).
  2. Go to Outbound Rules and select New Rule on the right-hand panel.
  3. Under Rule Type, select Program.
  4. Provide the exact path to the Notepad executable: C:\Windows\System32\notepad.exe.
  5. Select Block the connection, apply to all profiles (Domain, Private, Public), and finish the rule setup.
• After creating the rule, test its functionality by running Notepad and attempting to reach web resources (if possible).

If this appears properly configured but has no effect or shows the same invalid output in the rules list, proceed to the deeper steps below.

---

2. Check Firewall Policies​

• Run the following commands in an elevated Command Prompt:
  

  bash
       netsh advfirewall show allprofiles

  Review the output to verify:
  • State: ON
  • Default outbound behavior: ALLOW (this changes per the rule).
  If this looks fine, then there could still be a hidden Group Policy (or registry) issue overriding the settings.

---

3. Verify Registry Settings for Firewall​

A misconfigured registry key could cause odd behavior for firewall rules. Follow these steps:

1. Open Registry Editor (regedit) as an administrator.
2. Navigate to:
   

         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

3. Check the sub-folders FirewallRules or RestrictedServices and ensure they align with the rules you are setting. If anything looks suspicious (e.g., corrupted data, incomplete rules), consider deleting or backing it up before resetting.
   If unsure about what you’re looking at, take a backup of this branch:
   • Right-click FirewallPolicy, select Export, and save a .reg file.

---

4. Testing Firewall Core Functionality​

Sometimes, the firewall itself could have underlying issues. You can try completely resetting and rebuilding the firewall components:

• Reset Firewall Completely:
  

  bash
       netsh advfirewall reset

• Rebuild Windows Firewall rules using PowerShell:
  

  powershell
       New-NetFirewallRule -DisplayName "Test Rule" -Direction Outbound -Program "C:\Windows\System32\Notepad.exe" -Action Block -Profile Any

  Check if this adds the new rule and displays it correctly.
  If even scripted rule creation fails, there may be issues with the firewall binaries themselves.

---

5. Audit the Event Viewer​

It's possible that Windows is logging errors silently when you attempt to add or enforce rules. Here's how to check:

1. Open Event Viewer (eventvwr).
2. Navigate to:
   

         Applications and Services Logs > Microsoft > Windows > Windows Firewall with Advanced Security

3. Look for entries related to errors or warnings while creating or enforcing outbound rules.
   Share any specific error codes or messages you find, as they can reveal what's going wrong behind the scenes.

---

6. Ultimate "Sledgehammer" Fix: Reinstall Firewall Service​

If nothing else works, the issue might stem from missing or corrupted files associated with the Firewall service (mpssvc). You can repair or reinstall it as follows:

• Run this command to stop the service and reset its configuration:
  

  bash
       sc stop mpssvc
       sc config mpssvc start=auto

• Attempt to restart the service:
  

  bash
       sc start mpssvc

• If the service won't start or still misbehaves, use DISM to fix any corrupted system components:
  

  bash
       dism /online /cleanup-image /restorehealth
       sfc /scannow

---

7. External Culprit Check​

While it seems unlikely since you’re only using Windows Defender, ensure no other software is interfering:

• Any third-party VPN or networking applications?
• Any outdated system monitoring or device drivers?

Firewalls can sometimes exhibit strange behavior when external tools or configurations override native Windows functionality.

---

Let me know what outcome you observe after these steps, especially from Event Viewer or any command-line tools. If all else fails, there may still be workarounds to achieve your goal!

 

[windsurfer51]

My VPN is not running
netsh advfirewall show allprofiles says OK
dism /online /cleanup-image /restorehealth<br> sfc /scannow appears okay

 

[ChatGPT]

Thanks for confirming that your VPN isn't running, and the netsh advfirewall show allprofiles command indicates no apparent issues with your firewall profiles. Since the base configuration of the firewall seems functional, the issue may lie deeper in how the rules are being processed or stored. Let's go further and tackle this methodically.

---

Additional Steps:​

1. Firewall Logging​

To get a clearer insight into what’s happening when a rule is created and possibly applied, enable and check Windows Firewall logging. This will help determine if outbound traffic related to your rule shows up at all:

• Enable logging for the current profile:
• Open Windows Security > Firewall & network protection > Advanced Settings.
• Right-click on the active profile (e.g., Domain profile) under Monitoring, then select Properties.
• Enable Log dropped packets and Log successful connections.
• Set Log file size (e.g., 4MB for sufficient logging).
• Note the log file location: Usually at C:\Windows\System32\LogFiles\Firewall\pfirewall.log.
• Recreate your outbound rule for notepad.exe, and then check the log file for matching entries. Look for any discrepancies or signs that your rule isn’t being enforced.

---

2. Narrow Down the Issue: Outbound Traffic Validation​

To test if the system even recognizes outbound traffic and properly blocks it when a rule is applied:

• Try blocking all outbound connections temporarily:
• Go to Advanced Security > Windows Defender Firewall with Advanced Security.
• Under the Outbound Rules, create a new rule for all programs:
• Type: Program
• Settings: Block all outbound traffic.
• Apply to all profiles.
• Test internet access for regular apps like a browser or Notepad (if relevant). This confirms if blanket rules are enforced.
• If this applies successfully, the issue could be rule-specific.
• If this still fails, there’s likely something interrupting the firewall engine or rule processing.

---

3. Firewall Group Policy Settings (Local or Domain)​

Double-check your machine’s Group Policy settings for unintended overrides. Policies might not be obvious but could impact the firewall’s behavior.

• Open the Group Policy Editor:
• Run gpedit.msc.
• Navigate to:
  

     Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall

• Look for the following settings:
• Prohibit Unicast Response to Multicast or Broadcast Requests
• Allow inbound or outbound rules
  Any restrictions here could interfere with custom rules.
• If no unusual settings are present, confirm local policies by running:
  

  powershell
     gpresult /h gp_report.html

  Open the generated HTML file for a summary of applied policies. Check for any firewall-related settings under Computer Configuration.

---

4. Service Dependencies​

The Firewall relies on several system services. If one of these is misbehaving, rules may fail to propagate. Check the services below:

• Make sure the following services are running:
• Windows Firewall (MpsSvc)
• Base Filtering Engine (BFE)
• IPsec Policy Agent (PolicyAgent)
• To check services:
  

  bash
    services.msc

• Ensure the Startup Type is set to Automatic for these services. Restart them manually if necessary.

---

5. Registry Cleanup for Firewall Rules​

Corrupted or leftover registry entries can sometimes prevent new rules from taking effect.

• Open the Registry Editor:
  

  cmd
     regedit

• Navigate to:
  

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

• Delete stagnant rules under FirewallRules or RestrictedServices, or export and reset them by recreating the rules.

---

6. Testing Outside Windows Firewall UI​

If the graphical interface for creating rules is failing, you might want to try enforcing rules programmatically. Use PowerShell to apply and verify rules:

New-NetFirewallRule -DisplayName "Block Notepad Test" -Program "C:\Windows\System32\notepad.exe" -Action Block -Direction Outbound -Profile Any

• After creating the rule, confirm it's listed:
  

  Get-NetFirewallRule -DisplayName "Block Notepad Test"

• Additionally, test enforcement by launching Notepad and checking for behavior consistency.

---

7. Analyze Core Firewall Functionality​

To ensure the core firewall binaries aren’t compromised:

• Run DISM and SFC as a safeguard:
  

  cmd
    dism /online /cleanup-image /restorehealth
    sfc /scannow

---

8. Check for Windows Bugs​

If all local troubleshooting fails, it’s worth considering that this could be a bug in the latest Windows 11 update. Although rare, updates can sometimes introduce faulty behavior:

• Check Windows Update history and ensure your device hasn’t skipped any cumulative updates.
• Review the patch notes for any known issues related to Firewall:
• Look at Microsoft's official changelogs for the latest version of Windows 11.
• If feasible, try uninstalling the most recent cumulative update to test whether the issue resolves.

---

If Problems Persist​

Let me know what you find from:

• Firewall logs.
• Behavior of global outbound rules for all programs.
• Results from PowerShell commands or any Event Viewer errors.

We’ll dig further based on the new insights!

 

[windsurfer51]

so far everything looks okay but i do get an error win windows update saying something went wrong

 

[ChatGPT]

Thanks for pointing out that you’re encountering an error during Windows Update. This could indeed be related to your firewall issue, as problems with core Windows services like Windows Update often indicate deeper system issues that might also affect the firewall.
Let’s address the Windows Update problem first, as resolving it may also restore full functionality to your firewall rules.

---

Steps to Fix Windows Update Error​

1. Run the Windows Update Troubleshooter
   • Open Settings > Update & Security > Troubleshoot.
   • Click on Additional troubleshooters > Select Windows Update > Run the troubleshooter.
   • Follow the on-screen instructions and let it try to resolve the problem.
2. Reset Windows Update Components
   Sometimes, corrupted update components can cause both update issues and strange behaviors in firewall dependencies. Use the following steps to reset them:
   Open Command Prompt as Administrator, and execute these commands one by one:
   

   cmd
      net stop wuauserv
      net stop cryptSvc
      net stop bits
      net stop msiserver
      ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
      ren C:\Windows\System32\catroot2 catroot2.old
      net start wuauserv
      net start cryptSvc
      net start bits
      net start msiserver

   After running these commands, restart your system and retry both Windows Update and creating a new firewall rule.
3. Check Event Viewer for Update Errors
   • Open Event Viewer (eventvwr.msc).
   • Go to Windows Logs > System or Applications.
   • Look for error IDs related to Windows Update (common ones include 0x80073712, 0x80070005, or similar).
   • Share any error codes or descriptions you find, as they’ll help us narrow down the underlying issue.
4. Run DISM and SFC
   Since we know something isn’t right with Windows Update, running repairs using the DISM and SFC tools is critical. These commands repair system files and components:
   

   cmd
      dism /online /cleanup-image /restorehealth
      sfc /scannow

5. Manually Install Missing Updates
   If Windows Update is stuck but you can identify the problematic cumulative update, try manually downloading it from the Microsoft Update Catalog.
   • Identify the needed update: Go to Settings > Update & Security > View Update History.
   • Search for the KB number in the Microsoft Update Catalog, download the standalone installer, and install it manually.

---

Additional Checks if Firewall and Update Are Linked​

1. Update Error Blocking Services
   A corrupted Windows Firewall configuration or other related services might be interfering with updates. Confirm these services are running:
   • Background Intelligent Transfer Service (BITS) (bits).
   • Windows Update Service (wuauserv).
   • Cryptographic Services (cryptSvc).
   • Windows Firewall Service (mpssvc).
   Check in the Services manager (services.msc):
   • Ensure they are all set to Automatic and running.
   • Restart each service if necessary.
2. Corrupt Update Affecting Firewall
   A partial or broken update could corrupt aspects of Windows, including the firewall. If cleaning up the update components doesn’t work, you may need to reset Windows Update and Firewall settings via:
   • Reset Firewall Rules to Default:
     

     cmd
          netsh advfirewall reset

   • Reinstall Update Packages per earlier instructions.

---

Next Steps​

Once you've tried the above, let me know:

1. What happens when you attempt to fix the Windows Update issue.
2. Any Event Viewer logs for Windows Update or even Firewall-specific errors.
3. Results from SFC or DISM (e.g., if repairs are successful or errors persist).

We'll work further from there! Both issues are likely connected, and fixing the updates could resolve your firewall functionality too.

 

[Neemobeer]

If you're adding firewall rules via the GUI then there isn't really a way to set them up incorrectly. This sounds like you might not have the correct rules for your use case. Lets step back and talk about what your specific use case is