Windows Firewall rules automatically deleted

Kamesh Patil 5 Reputation points
2025-04-01T05:04:19.5033333+00:00

We encountered multiple firewall rules being deleted automatically. It looks suspicious, but we are not sure. I would like to understand whether this is application behavior that could be considered a false positive, or whether action is necessary.

It would be great to have an in-depth understanding of this behavior so that we can monitor it in Microsoft Sentinel.

A change was made to the Windows Firewall exception list. A rule was deleted.
Profile Changed: All
Deleted Rule:
    Rule ID: {65BC97E7-515C-4D7F-970A-4BC09ECF3974}
    Rule Name: d964bef6-bd64-4949-b244-3ea53ba512f9

A change was made to the Windows Firewall exception list. A rule was deleted.
Profile Changed: Domain,Private,Public
Deleted Rule:
    Rule ID: {4DC11E02-BF2D-4093-BBA7-3A96C132D6AB}
    Rule Name: @{microsoft.windowscommunicationsapps_16005.14326.22301.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/hxoutlookintl/AppManifest_OutlookDesktop_DisplayName}


2 answers

  1. Tasadduq Burney 8,956 Reputation points MVP Volunteer Moderator
    2025-04-01T06:35:34.5066667+00:00

    Hi,

    It looks like the firewall rules are being deleted, which could be related to app updates or changes. Here is what to consider:

    1. Rule Deletions:
       • The deleted rules are linked to Microsoft Outlook and other Windows communications apps. These might be removed as part of an app update or configuration change.
       • Possible causes: normal app updates or changes in settings might delete old rules. If the deletions happen unexpectedly or repeatedly without any app updates, this could be suspicious.

    Actions to Take:

    Check for App Updates: Confirm if these deletions align with app update times.

    Review Logs: Use Microsoft Sentinel to monitor Windows Event Logs for any related activity.

    Set Alerts: Track firewall changes to spot patterns or suspicious behavior.

    ✨ Please Upvote and Accept the Answer if it helps! ✨

    Thanks & Regards,
    Tasadduq Burney
    (Microsoft MVP & MCT)
    (Azure 15x)

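The answer above suggests checking whether the deletions line up with app updates and tracking firewall changes. The script below is an added example, not code from this thread or from Microsoft: it parses the rule-deletion audit messages quoted in the question, recognises Store (AppX) rule names such as the `@{microsoft.windowscommunicationsapps_...}` one, and checks whether the package is now installed at a different version than the one encoded in the deleted rule, which is what a Store app update looks like. It assumes the Security log receives event ID 4948 ("A rule was deleted"), which requires the "Audit MPSSVC Rule-Level Policy Change" subcategory to be enabled, and that it runs elevated. The function names are the author's own; the sample messages are the two from the question.

```powershell
# Added example (not code from the original thread): triage Windows Firewall
# rule-deletion audit events and test whether a Store app update explains them.
# Assumptions: "Audit MPSSVC Rule-Level Policy Change" is enabled, so the
# Security log receives event ID 4948; the script runs elevated (reading the
# Security log and Get-AppxPackage -AllUsers need it).

# Constructed sample input: the two event messages quoted in the question.
$Sample1 = @'
A change was made to the Windows Firewall exception list. A rule was deleted.
Profile Changed: All
Deleted Rule:
    Rule ID: {65BC97E7-515C-4D7F-970A-4BC09ECF3974}
    Rule Name: d964bef6-bd64-4949-b244-3ea53ba512f9
'@
$Sample2 = @'
A change was made to the Windows Firewall exception list. A rule was deleted.
Profile Changed: Domain,Private,Public
Deleted Rule:
    Rule ID: {4DC11E02-BF2D-4093-BBA7-3A96C132D6AB}
    Rule Name: @{microsoft.windowscommunicationsapps_16005.14326.22301.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/hxoutlookintl/AppManifest_OutlookDesktop_DisplayName}
'@
$SampleMessages = $Sample1, $Sample2

function ConvertFrom-FirewallRuleDeletion {
    # Turn one 4948 message into an object carrying the rule identity and, for
    # Store (AppX) rules, the package name and version encoded in the rule name.
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = (Get-Date),
        [string]$Computer = $env:COMPUTERNAME
    )
    $ruleId   = [regex]::Match($Message, 'Rule ID:\s*(\{[0-9A-Fa-f-]+\})').Groups[1].Value
    $ruleName = [regex]::Match($Message, '(?m)^\s*Rule Name:\s*(.+?)\s*$').Groups[1].Value
    $profiles = [regex]::Match($Message, '(?m)^\s*Profile Changed:\s*(.+?)\s*$').Groups[1].Value

    # AppX rule names embed the package full name:
    # @{Name_Version_Architecture_ResourceId_PublisherId?ms-resource://...}
    $appx = [regex]::Match($ruleName,
        '^@\{(?<name>[^_]+)_(?<version>[0-9.]+)_(?<arch>[^_]+)_[^_]*_(?<publisher>[A-Za-z0-9]+)\?')
    $kind = if ($appx.Success) { 'AppxPackageRule' }
            elseif ($ruleName -match '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') { 'GuidNamedRule' }
            else { 'NamedRule' }

    [pscustomobject]@{
        TimeCreated    = $TimeCreated
        Computer       = $Computer
        RuleId         = $ruleId
        RuleName       = $ruleName
        Profiles       = $profiles
        Kind           = $kind
        PackageName    = $(if ($appx.Success) { $appx.Groups['name'].Value }    else { $null })
        PackageVersion = $(if ($appx.Success) { $appx.Groups['version'].Value } else { $null })
    }
}

function Test-AppxUpdateExplainsDeletion {
    # $true when a package of the same name is installed at a version other than
    # the one in the deleted rule's name: the rule was replaced by an app update.
    param([Parameter(Mandatory)]$Deletion)
    if ($Deletion.Kind -ne 'AppxPackageRule') { return $false }
    $installed = Get-AppxPackage -AllUsers -Name $Deletion.PackageName -ErrorAction SilentlyContinue |
                 Sort-Object { [version]$_.Version } -Descending | Select-Object -First 1
    if (-not $installed) { return $false }
    return ([version]$installed.Version -ne [version]$Deletion.PackageVersion)
}

function Get-FirewallRuleDeletion {
    # Pull the real 4948 events from the Security log for the last N hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4948; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-FirewallRuleDeletion -Message $_.Message -TimeCreated $_.TimeCreated -Computer $_.MachineName
        }
}

# Offline run over the constructed samples: one GuidNamedRule on profile "All",
# one AppxPackageRule for microsoft.windowscommunicationsapps 16005.14326.22301.0.
$SampleMessages | ForEach-Object { ConvertFrom-FirewallRuleDeletion -Message $_ } |
    Select-Object Kind, Profiles, PackageName, PackageVersion, RuleName | Format-List

# Live run (elevated): keep only the deletions an app update does not explain.
# Get-FirewallRuleDeletion -Hours 72 |
#     Where-Object { -not (Test-AppxUpdateExplainsDeletion -Deletion $_) } |
#     Format-Table TimeCreated, Computer, Kind, Profiles, RuleName -AutoSize
```

For the Sentinel side, the same filter is `EventID == 4948` on the `SecurityEvent` table once the Security events connector forwards that event; the deletions worth alerting on are the ones this script leaves over, that is GUID-named or plainly named rules and AppX rules whose package version has not changed. Note that the 4948 text quoted in the question carries no subject or process field, so attributing a deletion to a particular program still requires correlating the timestamp with process-creation telemetry (event 4688 or Sysmon) on the same host.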

  2. Anonymous
    2025-04-02T07:06:47.0033333+00:00

    Hi Kamesh Patil,

    Thanks for your post. Basically, we can see the firewall activity in the Windows Defender Firewall logs. We may find this information on a target by logging the dropped packets while replicating the steps in PDQ Deploy or Inventory for which we are receiving the error or connection problems.

    Enable Manually

    To manually enable logging dropped packets on a failing target:

    1. Launch the Windows Firewall Console on the Target Computer.
    2. Select the Windows Defender Firewall tab and click Properties in the Actions menu.
    3. Inside the Properties tab, select the Customize button under Logging.
    4. Select Yes in the Log Dropped Packets dropdown menu.
    5. Press OK to close the Logging Settings menu and again to close the Windows Defender Firewall Properties.

    Enable with PowerShell

    # Enable logging of dropped packets for the Domain profile
    Set-NetFirewallProfile -Profile Domain -LogBlocked True

    Accessing the logs

    Once logging is enabled, verify you are able to read the log file. If not, open the Log Files Security tab and enable Read permissions for your account.

    You can find the logs at the following path: C:\Windows\System32\LogFiles\Firewall

    By default, the log is named pfirewall.log.

    After verifying that the log can be opened and read, attempt to replicate the error received. You may need to close and reopen the file after each test to see updates.

    If the firewall is in Azure, you can follow the guide for Azure monitoring.

    Monitor Azure Firewall | Microsoft Learn

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

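The procedure above ends with reading pfirewall.log by hand after each test. As an added example, not code from this thread or from Microsoft, the script below parses that file (the W3C extended log format the firewall writes, with the column names taken from its `#Fields:` header) and summarises the DROP entries by direction, protocol and destination port, so that a connection problem can be matched to a rule instead of guessed at. The log lines are constructed for the example; the function names are the author's own, and a real file is read with `-Path`.

```powershell
# Added example (not code from the original thread): parse the Windows Defender
# Firewall log (pfirewall.log) and summarise dropped packets.
# Assumption: the constructed sample uses the same "#Fields:" layout the
# firewall writes; a real file is passed with -Path and needs the read
# permission noted in the answer above.

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2025-04-01 09:15:02 DROP TCP 10.0.0.25 10.0.0.10 51234 445 52 S 1234567890 0 64240 - - - RECEIVE
2025-04-01 09:15:05 DROP TCP 10.0.0.25 10.0.0.10 51235 445 52 S 1234567891 0 64240 - - - RECEIVE
2025-04-01 09:15:07 ALLOW TCP 10.0.0.10 10.0.0.40 49800 443 0 - 0 0 0 - - - SEND
2025-04-01 09:15:09 DROP UDP 10.0.0.77 10.0.0.10 137 137 78 - - - - - - - RECEIVE
2025-04-01 09:15:11 DROP ICMP 10.0.0.77 10.0.0.10 - - 60 - - - - 8 0 - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Emit one object per data line, named after the columns in the #Fields header.
    # A "-" in the log means "not applicable" and becomes $null.
    param(
        [string]$Path,        # e.g. C:\Windows\System32\LogFiles\Firewall\pfirewall.log
        [string[]]$Content    # or raw lines, as with the constructed sample
    )
    if ($Path) { $Content = Get-Content -Path $Path }
    $fields = $null
    foreach ($line in $Content) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'No #Fields header found before the first data line' }
        $values = $line.Trim() -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = $(if ($i -lt $values.Count -and $values[$i] -ne '-') { $values[$i] } else { $null })
        }
        [pscustomobject]$obj
    }
}

function Get-DroppedPacketSummary {
    # Group DROP entries by direction, protocol and destination port; the
    # sources column shows who was knocking.
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object action -eq 'DROP' |
        Group-Object path, protocol, 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                Direction = $_.Group[0].path
                Protocol  = $_.Group[0].protocol
                DstPort   = $_.Group[0].'dst-port'
                Count     = $_.Count
                Sources   = ($_.Group.'src-ip' | Sort-Object -Unique) -join ','
                FirstSeen = $_.Group[0].date + ' ' + $_.Group[0].time
            }
        } | Sort-Object Count -Descending
}

# Offline run over the constructed sample: two inbound TCP/445 drops from
# 10.0.0.25, one UDP/137 drop and one ICMP drop from 10.0.0.77; the ALLOW is ignored.
$entries = ConvertFrom-FirewallLog -Content ($SampleLog -split '\r?\n')
Get-DroppedPacketSummary -Entries $entries | Format-Table -AutoSize

# Live use (run elevated):
# Get-DroppedPacketSummary -Entries (ConvertFrom-FirewallLog -Path 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log')
```

Two practical notes. The `Set-NetFirewallProfile -Profile Domain -LogBlocked True` command in the answer only turns logging on for the Domain profile; `-Profile Domain,Private,Public` covers a workstation that is on a non-domain network when the failure happens. And the ICMP line shows why the parser maps `-` to `$null`: the `src-port` and `dst-port` columns are not applicable there, and treating the dash as a real value would put a bogus "-" port into the grouping.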
