[UPDATE] – this may be my fault - i just noticed firewall was set to “safe mode”. i may have done that accidentally
first thing i do when installing CIS is delete almost all predefined policies/rules, including rules/policies affecting windows update, CIS, etc., etc.
i just noticed that running windows update causes rules to be created WITHOUT ASKING for svchost.exe allowing all traffic on 80 and 443
this started very recently, possibly as a result of the last CIS update, or possibly on its own
VirtualBox is another one - it added several rules
cfpupdat.exe is another - adds itself without prompting