The built-in Windows Firewall still has protective value today, as this informative SANS Internet Storm Center diary explains:

https://isc.sans.edu/forums/diary/Powershell+Active+Directory+and+the+Windows+Host+Firewall/24706/

When Windows XP was released in late 2001, one of the new features that everyone thought was outstanding was the workstation firewall.  This feature was going to save us all, blocking attacks and malware on known and easily exploitable ports such as those used by AD – surely we could quantify our own domains and block any and all traffic from non-domain stations?  Or block attack traffic from our AD neighbors?

Sadly, it’s now 2019 (just over 17 years later), and it’s depressing for us in the security industry to see that firewalls are routinely disabled domain-wide in most Windows shops by the folks who admin those domains.

Why is this so terrible?  For starters, the most common Windows malware these days propagates over port tcp/445 (used for SMB, which is used extensively in AD, among other protocols), and in most shops there’s no good reason for one workstation to have the capability to connect to another workstation on tcp/445.
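As an added example, not taken from the ISC diary, this is how a practitioner would enforce that point on a workstation with the NetSecurity cmdlets: keep the firewall on with inbound default Block, disable the built-in File and Printer Sharing allow rules for SMB-In, and replace them with one allow rule scoped to the hosts that genuinely need SMB access to workstations (patching servers, admin jump hosts). The subnet values and rule name are assumptions for illustration; in a domain you would push the same rules through Group Policy rather than run this per host.

```powershell
# Added example (not code from the ISC diary): restrict inbound SMB (tcp/445) on a
# workstation so that only designated management hosts can reach it. Other
# workstations then cannot connect on tcp/445 at all.
# Requires an elevated session on Windows 8 / Server 2012 or later (NetSecurity module).

#Requires -RunAsAdministrator
Import-Module NetSecurity

# Assumed values: sources that legitimately need SMB access to workstations.
$AllowedSmbSources = @('10.10.200.0/24', '10.10.201.10')   # hypothetical management subnet + server
$RuleName          = 'SMB-In (tcp/445) - management hosts only'

# 1. Firewall on for every profile, inbound default Block. A domain-joined host that
#    has had the firewall disabled via GPO will need that GPO fixed as well, or this
#    setting is reverted at the next policy refresh.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Disable the built-in File and Printer Sharing rules that allow SMB-In from any peer.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SMB-In*' } |
    Disable-NetFirewallRule

# 3. Add a single allow rule for tcp/445 scoped to the management sources. Because the
#    default inbound action is Block, tcp/445 from anything not listed here is dropped.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $AllowedSmbSources `
        -Action Allow -Profile Domain, Private, Public -Enabled True | Out-Null
}

# 4. Verify: every enabled inbound Allow rule that still opens tcp/445, with the remote
#    addresses it permits. Anything showing 'Any' here is a hole that needs closing.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0,-55} remote: {1}' -f $_.DisplayName, $remote
    }
```

To confirm the effect, run `Test-NetConnection -ComputerName <workstation> -Port 445` from another workstation: `TcpTestSucceeded` should be `False`, while the same test from a host in `$AllowedSmbSources` should still succeed. Note that the built-in rule group also contains NetBIOS (tcp/139, udp/137-138) and ICMP rules; this example only deals with tcp/445, which is the port the diary calls out, so review the rest of that group with the same verification loop.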