Windows – How to prevent any Windows 10 firewall modification

firewall, windows 10

(reformulated question following Ramhound's suggestion – original question below)

Firewall in use: standard Microsoft Windows 10 firewall
Settings: everything is blocked inbound and outbound except if an explicit rule allows it

Problem: with almost every MS update, rules are added to the rules list. Example: Cortana exceptions are added.

Desired situation: a method to lock down modification of the rule set by anyone, including the system itself.
Rules can be altered only if I explicitly allow it.


(original question)
I have Windows 10's own firewall set up with minimal inbound and outbound rules.
Anything not in the rules gets blocked.

But I noticed that practically every time Windows updates get installed, unwanted rules are added (which I delete as soon as I notice them).

Is there a way I can totally freeze rule modification even from the system itself?

I don't want another firewall. For once, MS's own is sufficient (it just lacks a functioning learn/log mode).

Best Answer

I can understand your wish. It is absolutely crazy how many rules Windows 10 creates without you even being able to see the rules. The one created on a per-user basis for Cortana in WF.msc is just one. This is also the reason why I do not think that Windows 10 is more secure than Windows 7. The filtering platform is the same, but the number of services and background tasks, as well as predefined exceptions in firewall rules, is enormously higher than in Windows 7. So the attack surface is - in my opinion - much higher than in Windows 7, where you can configure the firewall very strictly and with almost no automatic modifications.

To come back to your question: it is not too complicated to modify the Windows Firewall to prevent automatic firewall rules. What you need is to break inheritance and copy permissions in the Registry. Take off all write permissions for MpsSvc and, to avoid future overwrites, also for System. You may also want to create a new group which has the right to change them and is also the owner of these subkeys.

The following registry keys store the rules: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices" and all subfolders. "Static" are only configurable by Registry, "Configurable" by command line and Registry, "FirewallRules" are the rules you can see in WF.msc. If you take away the rights on FirewallRules too, you cannot modify them via mmc.exe/wf.msc anymore.

However, like with all such deep tweaks, there are more or less big caveats. If you delete all Allow rules in the subfolders Static and Configurable for modern apps like Cortana, Shell Experience, AAD Broker and so on, you will break the Start menu as well. So nothing happens when you click on the button, because new apps communicate over the network / filtering platform, and as you disallowed them to do so, they won't do anything if these rules do not exist. Especially the first login is highly dependent on these things. However, Windows still works like a charm. All apps are shown in the task list, the desktop still works fine and so on, also shortcuts like Win+R. But the Start menu with Cortana does not.

There are also other things I do not like at all. For example, MS did deform a lot of services which are for telemetry/privacy use only. So no other technical reason. For example the AitAgent. You cannot disable it, because you cannot see it in the mmc.exe plugin. Not even with SystemUtilities. But in the Registry you see half of it. There are many other privacy-related tasks and services too, and with every update there are new ones. Even in LTSB Enterprise versions. In my opinion W10 is technically a very good OS, but in questions of privacy it is far worse than you may ever expect, and MS is making it harder all the time to disable the crap. They collect all data, and if a user forgets to click on "no", everything is sent over the air. For some tweaks you need to start in secure mode, for some you need a task with "TrustedInstaller" or System, with a lot of them you cannot even use SystemUtilities and you have to modify the registry yourself, and so on.

Unfortunately there is no way to really avoid Windows 10 in the future, as new silicon only supports Windows 10, and without Windows you cannot work in a modern company, as the biggest part of software vendors work on Windows and a lot of people just do not care about these things.
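The permission change described in the answer (break inheritance, copy the inherited permissions, remove write rights for MpsSvc and System on the rule stores), as an added PowerShell example that is not part of the answer. It assumes an elevated session whose account may change the DACL on these keys (if TrustedInstaller owns a key, ownership has to be taken first), that the key layout is as the answer describes, and that `BUILTIN\Administrators` stands in for the custom editor group the answer suggests.

```powershell
# Added example, not code from the answer or from Microsoft. Run elevated.
# Assumption: the current account may rewrite the DACL on these keys.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Rule stores named in the answer: the visible rules plus every RestrictedServices subkey.
$stores = @("$base\FirewallRules") +
          (Get-ChildItem -Path "$base\RestrictedServices" -Recurse | ForEach-Object { $_.PSPath })

# Principals that lose write access; they keep read so the firewall service can still enforce.
$noWrite = 'NT SERVICE\MpsSvc', 'NT AUTHORITY\SYSTEM'
# Assumed editor group (replace with the custom group from the answer if you create one).
$editors = 'BUILTIN\Administrators'

# Back up the whole policy key first so the lock can be reverted with a double-click.
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy' `
    "$env:TEMP\FirewallPolicy.backup.reg" /y | Out-Null

foreach ($key in $stores) {
    $acl = Get-Acl -Path $key
    # Break inheritance and keep the inherited ACEs as explicit ones ("copy permissions").
    $acl.SetAccessRuleProtection($true, $true)
    foreach ($who in $noWrite) {
        $id = [System.Security.Principal.NTAccount]$who
        # Drop every ACE for this principal, then grant read-only access.
        $acl.PurgeAccessRules($id)
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $id, [System.Security.AccessControl.RegistryRights]::ReadKey,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)))
    }
    # Make sure the editors keep full control so the lock can be undone later.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        [System.Security.Principal.NTAccount]$editors,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    Set-Acl -Path $key -AclObject $acl
}

# Verify: warn about any ACE that still lets a locked principal write values.
foreach ($key in $stores) {
    (Get-Acl -Path $key).Access |
        Where-Object { $noWrite -contains $_.IdentityReference.Value -and
                       ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) } |
        ForEach-Object { Write-Warning "$key is still writable by $($_.IdentityReference)" }
}
```

After this runs, the caveat in the answer applies: wf.msc can no longer change rules, so edits are done by an editor-group member in the Registry, and the backup .reg file restores the original rules and ACLs if something breaks.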
