Browser Choice firewall rule created on logon

0

Whenever a user logs onto a machine (both 8 & 8.1), a firewall rule is created called "Browser choice" with the description "Browser choice."

This is created by the firewall service user and svchost.exe.

Eventually this begins to create quite a few rules, and the slower machines on the network begin showing symptoms of high CPU usage due to the firewall enumerations.

Several events show up in the firewall logs all saying a new rule has been added to the firewall list. These make up the rules for inbound, outbound and the 3 firewall profile types.

Below is an example of one of the event logs:

A rule has been added to the Windows Firewall exception list.

Added Rule:
Rule ID:    {F79CDB08-DDA3-45C1-A062-B5EB934FADE3}
Rule Name:  Browser Choice
Origin: Local
Active: Yes
Direction:  Inbound
Profiles:   Private,Domain
Action: Allow
Application Path:   
Service Name:   
Protocol:   Any
Security Options:   None
Edge Traversal: None
Modifying User: NT SERVICE\MpsSvc
Modifying Application:  C:\windows\System32\svchost.exe

I'm trying to trace what is actually creating this rule. It happens as soon as the user logs in and is at the Start screen, no user interaction required.

Does anyone know what is causing this and/or how to disable it?

If any additional information is required I can edit as required.

Lister

Posted 2016-12-02T09:44:58.927

Reputation: 1 185

Today I remember what "Browser Choice" is. This was the update that was deployed to users inside the EU to download other browsers. Try this to disable it: https://support.microsoft.com/en-us/kb/2019411 Maybe this stops recreating the entries.

– magicandre1981 – 2016-12-02T15:54:32.750

We tried pushing that out today, no joy. The other annoying problem is that its KB doesn't show up in WSUS, it just seems to sneak through. – Lister – 2016-12-02T18:16:05.787

This KB is no update, the KB describes a registry setting that you can apply. – magicandre1981 – 2016-12-05T05:14:54.270

@magicandre1981 There is also a KB for the deployment 976002. It shows as installed on the client machines, but no uninstall option and no block in WSUS (neither when searching for it, nor in the categories) – Lister – 2016-12-05T08:41:46.113

I told here why you can't remove such an update: http://superuser.com/a/948750/174557 You can try to remove this permanence="permanent" entry and remove the update.

– magicandre1981 – 2016-12-05T17:07:44.737

Thanks, will keep it in mind. Interestingly, we are beginning rollovers to 8.1. One of the rooms with 8.1 has the update removed, but instead the three built-in VPN providers are now creating the duplicate firewall rules. These are F5 VPN, Check Point VPN & SonicWall Mobile Connect. – Lister – 2016-12-06T10:15:22.200

Answers

0

We eventually did find out what caused this.

In our image there was the browser choice update (KB976002). It was this that was creating the firewall rules. Normally this update cannot be removed; however, changing the permanence of the update from permanent to uninstallable allowed us to uninstall the update.

We pushed this out via GPO to the machines, and a clean image has been made for future installs. This would only happen to mainly Europeans, as the browser choice update was created in response to an EU mandate forced upon Microsoft. The update has since been pulled, and images beyond ~2013 should be fine.

If you do need to uninstall a "permanent Windows update", this can be done by the following:

  • Open Windows installed updates screen in programs and features
  • Identify update and its KB number
  • Browse to "C:\Windows\servicing\Packages\"
  • Find the KB and open the associated .mum files, these are XMLs.
  • Find the line "permanence="permanent"" and change to "permanence="removable""

Credit to magicandre1981 for pointing me in the right direction there.

Note, they may be set as permanent for a good reason; in this case it was malicious to prove a point. But that is off topic. Usually it will be because the patch has altered the operating system in a way that is irreversible, or has integrated with other patches.

Lister

Posted 2016-12-02T09:44:58.927

Reputation: 1 185
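Added example (not part of the original posts): a read-only PowerShell check for the rule growth described in the question, useful before and after removing the update. It counts locally created rules that share a name, direction, action and profile, then summarizes rule-added events (event ID 2004 in the firewall operational log) by rule name, day and modifying application. The function names, the threshold and the English field labels matched in the event text are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only: it changes no rules.
# Assumes Windows 8 / Server 2012 or later, an elevated session, and English
# event text laid out like the event quoted in the question.
$FirewallLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

# Current state: locally created rules (PersistentStore) that exist in many copies.
function Get-DuplicateFirewallRule {
    param([int]$MinCopies = 2)
    Get-NetFirewallRule -PolicyStore PersistentStore |
        Group-Object DisplayName, Direction, Action, Profile |
        Where-Object { $_.Count -ge $MinCopies } |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Copies      = $_.Count
                DisplayName = $_.Group[0].DisplayName
                Direction   = $_.Group[0].Direction
                Profile     = $_.Group[0].Profile
            }
        }
}

# Pull one "Label: value" field out of an event message (empty values stay empty).
function Get-MessageField {
    param([string]$Message, [string]$Label)
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':[ \t]*(.*?)\s*$'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# History: event 2004 ("A rule has been added ...") counted per rule name,
# day and modifying application, to show when the growth happens.
function Get-FirewallRuleAddSummary {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = $FirewallLog; Id = 2004 } -MaxEvents $MaxEvents |
        ForEach-Object {
            [pscustomobject]@{
                Day      = $_.TimeCreated.ToString('yyyy-MM-dd')
                RuleName = Get-MessageField $_.Message 'Rule Name'
                ModApp   = Get-MessageField $_.Message 'Modifying Application'
            }
        } |
        Group-Object RuleName, Day, ModApp |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-DuplicateFirewallRule | Format-Table -AutoSize
Get-FirewallRuleAddSummary | Select-Object -First 20 | Format-Table -AutoSize
```

A rule name whose copy count rises with each logon, alongside matching 2004 events, points at the component to investigate; once the cause is removed, the daily counts should stop increasing.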

-1

In Windows 10, I see about 90 firewall rules created per user, if you include the configurableservicestore, querying with PowerShell.

js2010

Posted 2016-12-02T09:44:58.927

Reputation: 321

Can you clarify how this answers what was asked in the question? – fixer1234 – 2017-01-30T20:30:26.867