Thank you for the clarification and link to the information. I checked several of the services SIDs that I have fw rules for and they are all set to unrestricted or restricted. Only gpsvc and gupdate were None. Certainly there are probably others, but of the ones that matter to me most they were Restricted or Unrestricted. I have no rule for gpsvc, nor have I restricted it with any 3rd party fw I've used in the past. As for Google Chrome's update service, I control it by restricting the Googleupdate.exe file, and it works fine. I'll spend some more time checking but so far this seems to be a mostly trivial problem for my purposes at least. EDIT actually after looking at all the command line outputs none were Restricted; they're all Unrestricted except for the two I mention above. I checked a bunch of others minutes ago and they're Unrestricted too.
@watt0114 do you know what the difference is between the restricted setting and the unrestricted setting? I never did find the answer to that.
Well I only searched briefly and found this Microsoft blog and it mentions that the difference between the two is that a Restricted SID service will have an additional "write restricted" token in addition to the "per-service SID" that both Unrestricted and Restricted type of SID services have. There is a part 4 "write-restricted token" article that explains things further. I confess this is all a bit too technically overwhelming for me to properly grasp.
But who cares if it's a third party tool? Fact of the matter is that M$ made it very user-unfriendly to manage the Win Firewall. Keep in mind, tools like WFC and TinyWall don't do any blocking themselves. Via SpyShelter's network monitor I can check if the Win Firewall is blocking things correctly, and it just works. I haven't actually upgraded to newer versions of WFC, because the old version works just fine.