Every Windows computer has WFAS enabled by default, and contains a standard set of inbound and outbound firewall rules that are in effect. Essentially, it "allows all outbound" and "blocks all inbound" by default, though that is just a vague and unspecific way of saying it and isn't completely accurate, as there are actually a myriad of rules that work together to make it feel this way. When you enable certain services and options inside Windows, the operating system is often creating new WFAS rules in the background that enable those functions to work properly.
Since every computer has some firewall rules out of the box, that must mean that WFAS has a ruleset that is stored outside of Group Policy, right? ...