0XC0220017: Can't Delete Built-In Firewall Object — Fix
This error pops up when you try to delete a built-in Windows Firewall rule. You can't delete it — but you can disable or bypass it.
Yeah, I know. You're staring at that error — 0XC0220017 — and it's telling you you can't delete this thing. Frustrating. You probably just wanted to clean up an old firewall rule or remove something Windows added automatically. But the OS locks it down. Here's what's really going on and how to get around it.
The Fix: Disable, Don't Delete
You cannot delete a built-in Windows Firewall rule. Period. The error code 0XC0220017 means "STATUS_FWP_BUILTIN_OBJECT" — the object is part of the operating system's core firewall configuration. Deleting it would break Windows' own network security.
So instead of deleting, you disable it. Or you create a higher-priority rule that overrides it. Here are the two methods that actually work.
Method 1: Disable via Windows Firewall with Advanced Security (GUI)
- Press Win + R, type wf.msc, and hit Enter. The Windows Firewall with Advanced Security console opens.
- In the left pane, click Inbound Rules (or Outbound Rules, depending on where your target rule lives).
- In the middle pane, find the rule you were trying to delete. Built-in rules have a small shield icon next to them. They also show Group as something like "Windows Firewall Remote Service" or "Core Networking".
- Right-click the rule, then select Disable Rule. That's it. The rule turns off — it's still there but inactive.
After disabling, you won't get the error when you try to delete it, but you also don't need to delete it. The rule no longer applies.
Method 2: Override with a Higher-Priority Rule (Best for blocking unwanted traffic)
Sometimes disabling a built-in rule isn't enough. Maybe Windows keeps re-enabling it (yes, that happens with some Windows Defender and Core Networking rules). In that case, create a custom rule with a higher priority that blocks the traffic you want.
- In the same wf.msc console, right-click Inbound Rules (or Outbound) and select New Rule....
- Choose Custom, then click Next.
- Set All programs unless you want to target a specific app.
- Under Protocol and Ports, set the same protocol (TCP/UDP) and port number as the built-in rule you're overriding. For example, if the built-in rule opens port 3389 for Remote Desktop, set your rule to block TCP port 3389.
- Under Scope, leave defaults unless you want to restrict by IP.
- Under Action, select Block the connection.
- Name it something clear like "Block RDP port 3389 override".
This custom rule gets a higher priority than the built-in one because user-created rules are evaluated before built-in rules. The traffic gets blocked even though the built-in rule allows it.
Why This Happens
Windows Firewall stores rules in the registry under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules. Built-in rules are marked with a special attribute (the BuiltIn flag) that tells the system they're protected. When you try to delete one, the firewall engine checks that flag and returns 0XC0220017.
This isn't a bug — it's a deliberate safety feature. Removing a core rule could leave your machine open to attacks or break Windows features like file sharing, remote management, or Windows Update. Microsoft designed it so that even administrators can't accidentally brick the firewall.
But here's the kicker: some third-party firewall tools or scripts don't check that flag. They try to delete the rule, hit 0XC0220017, and fail silently (or throw that error in your face). That's why you're seeing it.
Less Common Variations of the Same Issue
Using netsh advfirewall from Command Line
If you're scripting with netsh advfirewall firewall delete rule, you'll get the same error when targeting a built-in rule. For example:
netsh advfirewall firewall delete rule name="File and Printer Sharing (Echo Request - ICMPv4-In)"
That'll fail with 0XC0220017. Instead, use:
netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=No
That disables it without deleting.
Using PowerShell to Manage Firewall
PowerShell's Remove-NetFirewallRule also blocks deletion of built-in rules. You'll see a similar error. Use Disable-NetFirewallRule instead:
Disable-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)"
Or to override, create a blocking rule with New-NetFirewallRule and set -Direction Inbound -Action Block.
Group Policy Override
In corporate environments, built-in rules often come from Group Policy. You can't delete those either — you need to modify the GPO itself. Talk to your domain admin. But you can create local rules that take precedence.
How to Prevent This Error Going Forward
Here's what I'd suggest to keep from running into 0XC0220017 again:
- Never try to delete built-in rules. Just disable them. Write that on a sticky note.
- Use the GUI — wf.msc shows you which rules are built-in (shield icon). That's your hint.
- If you're scripting, always check the rule's BuiltIn property first. In PowerShell, Get-NetFirewallRule | Where-Object {$_.BuiltIn -eq $true} lists them. Skip those.
- When possible, override instead of disable. Overrides are cleaner if Windows decides to re-enable the rule after an update.
- Keep a backup of your firewall config. Run netsh advfirewall export "C:\backup\firewall.wfw" before making changes. That way, if something breaks, you can restore.
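The backup, disable and override steps from the PowerShell section and the checklist above, combined into one script as an added example (not the article's own code). The backup directory and the override rule's naming scheme are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article). Run in an elevated session.
# $RuleName comes from the article; $BackupDir and the override name are assumptions.
$RuleName   = 'File and Printer Sharing (Echo Request - ICMPv4-In)'
$BackupDir  = 'C:\backup'
$BackupFile = Join-Path $BackupDir ('firewall-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))

# 1. Export the whole policy first; restore later with "netsh advfirewall import".
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
netsh advfirewall export $BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Firewall export failed; nothing was changed.' }

# 2. A display name can match several rules (one per profile); handle each one.
$rules = @(Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop)

foreach ($rule in $rules) {
    # 3. Disable rather than delete.
    $rule | Disable-NetFirewallRule

    # 4. Mirror the rule's direction, profile and protocol in a Block rule, so the
    #    traffic stays blocked even if the original rule is re-enabled later.
    $filter       = $rule | Get-NetFirewallPortFilter
    $overrideName = "Block override: $($rule.DisplayName) ($($rule.Name))"
    if (Get-NetFirewallRule -DisplayName $overrideName -ErrorAction SilentlyContinue) {
        continue   # override already exists; keeps the script idempotent
    }
    $params = @{
        DisplayName = $overrideName
        Direction   = $rule.Direction
        Profile     = $rule.Profile
        Action      = 'Block'
    }
    if ($filter.Protocol -ne 'Any')        { $params.Protocol  = $filter.Protocol }
    if ($filter.Protocol -in 'TCP', 'UDP') { $params.LocalPort = $filter.LocalPort }
    if ($filter.Protocol -like 'ICMP*')    { $params.IcmpType  = $filter.IcmpType }
    New-NetFirewallRule @params | Out-Null
}

# 5. Show the end state: original rules disabled, overrides present and enabled.
Get-NetFirewallRule -DisplayName "*$RuleName*" |
    Select-Object DisplayName, Enabled, Action, Profile
```

The override mirrors only direction, profile, protocol and port or ICMP type, so it can block more traffic than the original rule allowed; add address or program filters to New-NetFirewallRule if you need it narrower.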
That's it. You can't delete the built-in object — but you don't need to. Disable it, override it, and move on. The error is just Windows protecting itself.