STATUS_FWP_INVALID_ACTION_TYPE (0xC0220024) Fix

This error drives people nuts

You're getting error 0xC0220024 — STATUS_FWP_INVALID_ACTION_TYPE — and it's probably blocking a VPN, a game, or a corporate app from connecting. I've seen this on Windows 10 version 22H2 and Windows 11 23H2 after a third-party firewall or security suite left junk behind. The fix is straightforward: kill the bad filter rule.

The direct fix: delete the corrupted rule

Open an elevated Command Prompt (right-click Start, choose Terminal (Admin) or Command Prompt (Admin)).

1. Type this command and press Enter:

netsh wfp show state

Wait a few seconds. You'll see a lot of text dump on screen — don't panic. Look for a line that says Filter ID followed by a number, and below it action type: INVALID or action type: 0. That's your culprit. Write down the Filter ID number.

2. Delete that specific filter with this command (replace 12345678 with your actual Filter ID):

netsh wfp delete filter id=12345678

After you hit Enter, you should see Ok. — no fancy confirmation. That's it. The rule is gone.

3. Reboot your machine. Not optional — Windows caches firewall state at boot.

Why this works

The Windows Filtering Platform (WFP) is the low-level traffic cop for all network packets in Windows. Every firewall rule, every IPsec policy, every app exemption is stored as a filter. Each filter has an action type — Permit, Block, Callout, etc. When a filter's action type gets set to a value that isn't allowed (like 0 or some garbage from a corrupted install), WFP throws this error instead of processing the rule. Deleting the filter gets rid of that broken instruction. The rest of your firewall keeps working fine.

If the direct fix doesn't work — reset the whole firewall

Sometimes the corrupted rule is hidden inside a group policy or protected by the system. The netsh wfp show state command might not show you the bad ID. In that case, nuke the whole firewall from orbit. This resets everything to factory defaults — your custom port openings and app exceptions will be gone, so back those up first.

1. Open Command Prompt as Admin again.
2. Run:

netsh advfirewall reset

You'll see Ok. — that's it. No progress bar.

3. Reboot.

After reboot, go check Windows Defender Firewall — it's back to the default profile. Your third-party firewall software (if any) will need to be reinstalled or reconfigured.

Less common variations of this error

Same error code, different scenarios:

• After uninstalling a VPN client: Cisco AnyConnect, NordVPN, and OpenVPN GUI often leave orphaned WFP filters. The netsh wfp show state method works great here.
• During a Windows Update: I've seen this after KB5034204 on Windows 11. Resetting the firewall fixed it for most people.
• When a domain policy conflicts with a local rule: If you're on a corporate domain, the bad filter might be pushed by Group Policy. In that case, contact your IT admin — they'll need to find and delete the GPO, not just your local rule.

How to prevent this from happening again

Two things cause this most of the time: uninstalling security software the wrong way, or letting a game's anti-cheat driver mess with the firewall.

• Always use the official uninstaller for any VPN or antivirus. Don't just delete the folder. Run the installer's Uninstall.exe or use Add/Remove Programs.
• If you're a power user and want to see all WFP filters at once (to spot bad ones early), run netsh wfp show state > C:\wfpdump.txt and then search that text file for INVALID. Do this monthly.
• Turn off Windows Defender Firewall when installing a third-party firewall, then turn it back on after the third-party one is installed. Having two firewalls active is a recipe for corrupted rules.

That's the whole fix. If you're still stuck after resetting the firewall, you might have malware that's hooking into WFP directly — run a full scan with Malwarebytes or Microsoft Defender Offline. But in my 10 years doing help desk work, that's a rare case. The corrupted filter is almost always the culprit.