Windows Firewall rule automatically created and deleted by microsoft apps

Question

Windows Firewall rule automatically created and deleted by microsoft apps

ASHISH PATIL 10

We have noticed in Windows the firewall rules are automatically created and deleted majorly for Microsoft store apps and third-party adobe reader.

As it looks strange behavior we observed in windows OS and unable to understand whether this is legitimate or suspicious activity.

3 answers

Your answer

Answer 1

Anonymous

Hello,

Here are a few points to consider:

Automatic Rule Creation: Windows Defender Firewall can automatically create rules for certain applications, including Microsoft Store apps and third-party softwares. This is typically done to ensure these applications can function correctly and securely.

Legitimate Activity: In many cases, these automatic changes are legitimate and part of the normal operation of Windows and the applications you use. For example, updates to apps might trigger the creation or modification of firewall rules to maintain proper connectivity and security.

Suspicious Activity: If you notice unusual or frequent changes that seem out of the ordinary, it could be worth investigating further. Ensure your system is up to date with the latest security patches and run a full system scan with your antivirus software to rule out any potential threats.

Have a nice day.

Best Regards,

Hania Lian

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

ASHISH PATIL 10 Reputation points

2025-03-28T07:31:04.44+00:00

Hey Lian - Thanks for your quick response. As I can totally understand the rules creation and modification are legitimate but what about the event ID :-4948 which we are observing continuously for firewall rule deletion.

Sometime the firewall rule deleted without any application name (mentioned below events looking strange).

Can you please confirm windows behavior on this events?

A change was made to the Windows Firewall exception list. A rule was deleted. Profile Changed: All Deleted Rule: Rule ID: {65BC97E7-515C-4D7F-970A-4BC09ECF3974} Rule Name: d964bef6-bd64-4949-b244-3ea53ba512f9

A change was made to the Windows Firewall exception list. A rule was deleted. Profile Changed: Domain,Private,Public Deleted Rule: Rule ID: {4DC11E02-BF2D-4093-BBA7-3A96C132D6AB} Rule Name: @{microsoft.windowscommunicationsapps_16005.14326.22301.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/hxoutlookintl/AppManifest_OutlookDesktop_DisplayName}

A change was made to the Windows Firewall exception list. A rule was deleted. Profile Changed: All Deleted Rule: Rule ID: <All> Rule Name: -

Answer 2

Kamesh Patil 5

Hi Microsoft Team,

Anybody can response to our query as we are not able to find any documented information about firewall rules deletion in Windows.

Your prompt response is highly appreciated !

Answer 3

This is a known issue that Microsoft has refused to fix. The rules are created even though the firewall has been disabled. In our case (high volume/high turnover) Citrix environment the rules eventually fill up the registry causing a lot of issues.

The DeleteUserAppContainersOnLogoff registry key has stopped removing the entries.

The only fix we have discovered that works is to run these 2 PowerShell commands and then restart the server:
Remove-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules"

New-Item "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules"

The alternative of removing the rules individually took too long.

Share via

Windows Firewall rule automatically created and deleted by microsoft apps

3 answers

Your answer