diff --git a/changelogs/fragments/Fix-Expansion-of-vars-win_firewall_rule.yml b/changelogs/fragments/Fix-Expansion-of-vars-win_firewall_rule.yml
new file mode 100644
index 00000000000..df38eae14ca
--- /dev/null
+++ b/changelogs/fragments/Fix-Expansion-of-vars-win_firewall_rule.yml
@@ -0,0 +1,2 @@
+bugfixes:
+- "win_firewall_rule - Fix program var not expanding %SystemRoot% type vars (https://github.com/ansible/ansible/issues/44450)"
\ No newline at end of file
diff --git a/lib/ansible/modules/windows/win_firewall_rule.ps1 b/lib/ansible/modules/windows/win_firewall_rule.ps1
index 25bfaae0cb0..5cee71e9989 100644
--- a/lib/ansible/modules/windows/win_firewall_rule.ps1
+++ b/lib/ansible/modules/windows/win_firewall_rule.ps1
@@ -156,7 +156,7 @@ try {
 # the default for enabled in module description is "true", but the actual COM object defaults to "false" when created
 if ($null -ne $enabled) { $new_rule.Enabled = $enabled } else { $new_rule.Enabled = $true }
 if ($null -ne $description) { $new_rule.Description = $description }
- if ($null -ne $program -and $program -ne "any") { $new_rule.ApplicationName = $program }
+ if ($null -ne $program -and $program -ne "any") { $new_rule.ApplicationName = [System.Environment]::ExpandEnvironmentVariables($program) }
 if ($null -ne $service -and $program -ne "any") { $new_rule.ServiceName = $service }
 if ($null -ne $protocol -and $protocol -ne "any") { $new_rule.Protocol = Parse-ProtocolType -protocol $protocol }
 if ($null -ne $localport -and $localport -ne "any") { $new_rule.LocalPorts = $localport }
diff --git a/test/integration/targets/win_firewall_rule/tasks/main.yml b/test/integration/targets/win_firewall_rule/tasks/main.yml
index 6e76e8fd92c..708810c2a87 100644
--- a/test/integration/targets/win_firewall_rule/tasks/main.yml
+++ b/test/integration/targets/win_firewall_rule/tasks/main.yml
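Review bot: In `win_firewall_rule.ps1`, the new `ApplicationName` assignment expands `$program` with the environment of the process running the module, so user-scoped variables such as `%USERPROFILE%` or `%TEMP%` presumably resolve to the connecting (or become) account's values, and `ExpandEnvironmentVariables` leaves any undefined `%NAME%` in place without an error. Either case stores a program-scoped rule for a path other than the one the playbook author meant, while the task still reports success. Consider expanding into a local first, `$expanded_program = [System.Environment]::ExpandEnvironmentVariables($program)`, and failing the task when `$expanded_program -match '%[^%]+%'`, plus a sentence in the `program` option's documentation stating whose environment is used. Separately, the unchanged `ServiceName` line just below tests `$program -ne "any"` where `$service -ne "any"` looks intended. The enclosing `try` block starts and ends outside the hunk.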
@@ -411,3 +411,30 @@
 assert:
 that:
 - add_firewall_rule_with_list_profiles.changed == true
+
+# Test for variable expansion in the path
+- name: Add rule with path that needs to be expanded
+ win_firewall_rule:
+ name: VarExpansionTest
+ enabled: yes
+ state: present
+ action: allow
+ direction: in
+ protocol: tcp
+ program: '%SystemRoot%\system32\svchost.exe'
+
+- name: Add same rule with path that needs to be expanded
+ win_firewall_rule:
+ name: VarExpansionTest
+ enabled: yes
+ state: present
+ action: allow
+ direction: in
+ protocol: tcp
+ program: '%SystemRoot%\system32\svchost.exe'
+ register: add_firewall_rule_with_var_expand_path
+
+- name: Check that creating same firewall rule with expanded vars identified
+ assert:
+ that:
+ - add_firewall_rule_with_var_expand_path.changed == false
\ No newline at end of file
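Review bot: The new tasks leave `VarExpansionTest`, an inbound TCP allow rule for `svchost.exe` with no port or remote-address restriction, on the test host: the hunk runs to the end of the file and no task in it removes the rule. Add a final task that deletes it with `state: absent`, and, unless the suite already resets rules elsewhere, one before the first add so a leftover rule from an earlier run cannot decide the result. The first add is also not registered, so nothing asserts that it reported `changed == true`, and no task checks that the stored program path is the expanded one; the idempotency assert alone would still pass if both runs stored the same wrong value.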