Set Up and Use Windows Firewall Outbound Rules to Stop Apps Going Online
Difficulty: Intermediate | Time Required: 15 minutes
If you want to stop a desktop app from accessing the internet without uninstalling it, Windows Firewall outbound rules are one of the most effective built-in tools you can use. This is useful for privacy, reducing background traffic, blocking update checkers, or preventing older software from phoning home.
The good news is that Windows 10 and Windows 11 include everything you need. The less obvious part is that outbound traffic is allowed by default, so you must create a specific block rule for the app you want to control.
This guide walks you through creating, testing, editing, and removing outbound firewall rules step by step.
Prerequisites
Before you begin, make sure you have:
- A Windows 10 or Windows 11 PC
- An administrator account
- The full path to the app’s .exe file you want to block
- The app closed, if possible, while you set the rule up
Note: These instructions apply to both Windows 10 and Windows 11. The screens may look slightly different, but the Windows Defender Firewall with Advanced Security console works very similarly on both.
Why use an outbound rule?
By default, Windows Defender Firewall allows outbound connections unless a rule blocks them. That means most apps can connect out to the internet automatically.
Creating an outbound block rule lets you:
- Stop a specific app from reaching the web
- Keep software from checking for updates
- Reduce telemetry or background syncing
- Test how a program behaves offline
- Add another layer of privacy control
Important: Blocking internet access can break cloud features, sign-in functions, syncing, online activation, multiplayer, or update delivery for some apps.
Step 1: Open Windows Firewall with Advanced Security
- Press Start
- Type wf.msc
- Press Enter
Tip: You can also open it from:
Control Panel > System and Security > Windows Defender Firewall > Advanced settings
Step 2: Go to Outbound Rules
- In the left pane, click Outbound Rules
- In the right pane, click New Rule...
Step 3: Choose the rule type
You have two common choices:
- Program: easiest if you want to block one specific app
- Custom: best if you want more control over ports, protocols, or addresses
Recommended method for most users
- Select Program
- Click Next
Step 4: Select the app executable
- Choose This program path
- Click Browse
- Navigate to the app’s .exe file
- Select it, then click Open
- Click Next
C:\Program Files\AppName\App.exe
C:\Program Files (x86)\AppName\App.exe
C:\Users\YourName\AppData\Local\Programs\AppName\App.exe
Tip: If you are not sure which file to choose, open Task Manager, right-click the running app, and select Open file location.
Warning: Some apps use more than one executable. Blocking only one .exe may not fully stop all traffic.
Step 5: Block the connection
- On the Action screen, select Block the connection
- Click Next
Step 6: Choose when the rule applies
You will see three profile options:
- Domain – for work or managed network environments
- Private – for trusted home or private networks
- Public – for coffee shops, hotels, airports, and other untrusted networks
- Check Domain, Private, and Public
- Click Next
Tip: If you only want the app blocked on public Wi-Fi, select only Public.
Step 7: Name the rule clearly
- In Name, enter something descriptive, such as:
Block Internet - VLC
or
Block Outbound - GameLauncher
- Optionally add a description
- Click Finish
Step 8: Test the app
After creating the rule:
- Launch the app
- Try to use any online feature
- Check whether it can still connect
If it can still connect, possible reasons include:
- The app uses a different executable
- The app runs traffic through a service
- You blocked the wrong file
- An existing allow rule may be taking precedence in a specific scenario
Note: Some apps cache content and may appear partially online even after you block them.
Step 9: Disable or delete the rule later if needed
If you want to restore internet access:
- Open wf.msc
- Select Outbound Rules
- Find your rule in the center pane
- Right-click it
- Disable Rule – temporarily turns it off
- Delete – permanently removes it
- Properties – lets you edit it
Optional: Create a more advanced custom rule
If you want tighter control, use a Custom outbound rule instead of a basic Program rule.
This can be useful if you want to:
- Block only certain ports
- Block only certain protocols like TCP or UDP
- Block only specific remote IP addresses
- Apply rules to a service hosted in a shared executable
Basic custom-rule process
- Open wf.msc
- Click Outbound Rules
- Click New Rule...
- Select Custom
- Click Next
- Choose This program path and select the app
- On Protocol and Ports, optionally specify ports or leave defaults
- On Scope, optionally specify remote IP addresses
- Choose Block the connection
- Select the profiles
- Name the rule and click Finish
Helpful note: Microsoft documentation notes that Custom rules expose all wizard pages and provide the most flexibility.
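The wizard steps above (Program rule, all profiles, descriptive name, later disable or delete) and the optional Custom-rule scoping can also be scripted with the built-in NetSecurity cmdlets. This is an added example, not part of the original tutorial; it goes slightly further than the wizard by creating one rule per .exe found in the app folder, and the function name, group label and sample folder are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. New-AppOutboundBlock, the "Block Outbound - <app>" group label
# and the sample folder are hypothetical names chosen for illustration.
function New-AppOutboundBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $AppName,
        [Parameter(Mandatory)] [string] $Folder,
        [ValidateSet('Any', 'Domain', 'Private', 'Public')] [string[]] $NetworkProfile = 'Any',
        [ValidateSet('TCP', 'UDP')] [string] $Protocol,
        [string[]] $RemotePort,
        [string[]] $RemoteAddress
    )
    if ($RemotePort -and -not $Protocol) { throw 'RemotePort requires -Protocol TCP or UDP.' }
    $group = "Block Outbound - $AppName"
    # Apps often ship launchers, helpers and updaters: cover every .exe in the folder.
    $exes = @(Get-ChildItem -LiteralPath $Folder -Filter *.exe -Recurse -File -ErrorAction Stop)
    if ($exes.Count -eq 0) { throw "No .exe files found under $Folder" }
    foreach ($exe in $exes) {
        $rule = @{
            DisplayName = "$group - $($exe.Name)"
            Group       = $group
            Description = "Blocks outbound traffic for $($exe.FullName)"
            Direction   = 'Outbound'
            Action      = 'Block'
            Program     = $exe.FullName
            Profile     = $NetworkProfile   # 'Any' = Domain, Private and Public
        }
        # Optional Custom-rule scoping (Protocol and Ports / Scope wizard pages).
        if ($Protocol)      { $rule.Protocol      = $Protocol }
        if ($RemotePort)    { $rule.RemotePort    = $RemotePort }
        if ($RemoteAddress) { $rule.RemoteAddress = $RemoteAddress }
        if ($PSCmdlet.ShouldProcess($exe.FullName, 'Create outbound block rule')) {
            New-NetFirewallRule @rule
        }
    }
}

# Preview first; drop -WhatIf to create the rules (Steps 3-7 for each executable).
New-AppOutboundBlock -AppName 'AppName' -Folder 'C:\Program Files\AppName' -WhatIf
# Custom-rule variant: add -Protocol TCP -RemotePort 443 to block only that port.
# Step 9 equivalents, acting on the whole group at once:
# Disable-NetFirewallRule -Group 'Block Outbound - AppName'
# Remove-NetFirewallRule  -Group 'Block Outbound - AppName'
```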
Tips and troubleshooting
1) The app still connects
Try these checks:
- Look for helper processes or launchers
- Block additional .exe files used by the app
- Restart the app after creating the rule
- Reboot the PC if the app keeps background services active
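To run these checks in one pass, the following added example (not from the original tutorial) reports the outbound rules that already exist for an app folder, the executables no enabled block rule covers, and the processes from that folder holding a connection right now. The function name and sample folder are assumptions; the rule listing also helps with the duplicate-rule check in tip 6.

```powershell
# Added example. Get-AppOutboundState and the sample folder are hypothetical names.
function Get-AppOutboundState {
    param([Parameter(Mandatory)] [string] $Folder)
    $root = (Resolve-Path -LiteralPath $Folder -ErrorAction Stop).Path.TrimEnd('\') + '\'
    $inFolder = { param($p) $p -and $p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase) }

    # Outbound rules whose program path lies in the folder. Stored paths can use
    # %ProgramFiles%-style variables, so expand them before comparing.
    $rules = foreach ($f in Get-NetFirewallApplicationFilter -All) {
        $path = [Environment]::ExpandEnvironmentVariables([string]$f.Program)
        if (& $inFolder $path) {
            $f | Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Outbound' } |
                Select-Object DisplayName, Enabled, Action, Profile,
                    @{ n = 'Program'; e = { $path } }
        }
    }
    $blocked = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' } |
        ForEach-Object { $_.Program.ToLowerInvariant() })

    # Executables in the folder that no enabled block rule covers (helpers, updaters).
    $unblocked = Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -File |
        Where-Object { $blocked -notcontains $_.FullName.ToLowerInvariant() } |
        Select-Object -ExpandProperty FullName

    # Processes from the folder that hold an established TCP connection right now.
    $live = foreach ($proc in Get-Process | Where-Object { & $inFolder $_.Path }) {
        Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Program'; e = { $proc.Path } }, RemoteAddress, RemotePort
    }

    [pscustomobject]@{ Rules = @($rules); Unblocked = @($unblocked); Live = @($live) }
}

$state = Get-AppOutboundState -Folder 'C:\Program Files\AppName'
$state.Rules | Sort-Object Program | Format-Table -AutoSize   # duplicates and allow rules show up here
$state.Unblocked                                              # candidates for another block rule
$state.Live | Format-Table -AutoSize                          # traffic that is still getting out
```

Run it from an elevated PowerShell session so that process paths owned by other accounts are visible.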
2) Microsoft Store apps are different
Modern Store/UWP apps can be trickier than traditional desktop programs. Some rely on system-hosted processes rather than a simple standalone .exe.
3) Don’t block critical Windows components casually
Blocking system processes can cause unexpected problems with:
- Windows Update
- Sign-in services
- Microsoft Store
- Device sync
- Search and cloud features
Warning: Avoid blocking svchost.exe, core Windows services, or system apps unless you know exactly what you are doing.
4) Use clear rule names
Good naming makes troubleshooting much easier later. Include:
- App name
- Direction
- Purpose
Photoshop - Outbound Block - All Profiles
5) You can scope rules by network type
If you trust your home network but not public hotspots, apply the rule only to Public.
6) Check for duplicate rules
If you’ve experimented before, there may already be older firewall entries for the same app. Review the list and remove confusion where possible.
When this method works best
Outbound firewall rules are especially useful for:
- Older programs with no privacy settings
- Software that nags you to update
- Games or tools you want to keep offline
- Lab/testing environments
- Users who want better control without third-party firewall software
Conclusion
Windows Firewall outbound rules give you a practical way to stop specific apps from going online while keeping the rest of your system connected. Once you know where to find the advanced firewall console, the process is straightforward: choose the program, block the connection, apply the rule to the desired profiles, and test it.
For privacy-minded users and anyone who wants more control over app behavior, this is one of the most useful built-in Windows security features to learn.
Key Takeaways:
- Windows allows outbound traffic by default, so you must create a block rule to stop an app going online
- The quickest path is wf.msc > Outbound Rules > New Rule
- A Program rule is easiest for most users; Custom rules provide more control
- You can apply the block to Domain, Private, and Public profiles as needed
- Rules can be disabled, edited, or deleted later without uninstalling the app
This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.