Windows Firewall, by default, allows all outgoing connections. In order to block an outgoing connection you have to specify exactly which one you want to block. How do you do that if you don't know which program is making the connections? What if Windows Update adds something that you don't even know exists?
Why ask these questions if you have already given the answer yourself? You simply change the firewall profile from its default setting to block all outgoing connections except those specified by a rule. This is not a missing feature from the Windows Firewall.
The big problem is that installers and services that run as admin can add their own entries to the firewall without notification. Steam does this for its own client and for any games that it installs. If it can't access the Internet for any reason, the client adds another entry for itself into the firewall. I eventually added another administrator account for the Steam service to run as and then denied it access to the firewall with the registry editor.
That works for a third-party program, but Microsoft services could always bypass the security if they wanted. This isn't a limitation of the firewall per se, but rather a consequence of us not trusting the OS that actually provides the protection in the first place.
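
An added example, not written by any of the commenters above: a PowerShell script for the setup discussed in this thread. It switches the profiles to block outbound connections by default, then compares the enabled allow rules against a saved baseline so that entries added silently by an installer or service stand out. The baseline file path is an assumption, and the script must run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example. $BaselinePath is an assumed location, change it as needed.
$BaselinePath = Join-Path $env:ProgramData 'fw-allow-rule-baseline.json'

# Default-deny outbound on all three profiles. Anything without an explicit
# allow rule loses outbound access once this is applied.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# Snapshot every enabled allow rule together with the program it applies to.
function Get-AllowRuleSnapshot {
    Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            Direction   = [string]$_.Direction
            Program     = $app.Program
        }
    }
}

$current = @(Get-AllowRuleSnapshot)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the rules you have reviewed and accepted.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline with $($current.Count) allow rules saved to $BaselinePath"
}
else {
    # Later runs: report allow rules whose Name is not in the baseline.
    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
    $known    = @($baseline.Name)
    $added    = @($current | Where-Object { $_.Name -notin $known })

    if ($added.Count -eq 0) {
        Write-Output 'No allow rules added since the baseline.'
    }
    else {
        Write-Output "Allow rules added since the baseline: $($added.Count)"
        $added | Sort-Object Direction, Program |
            Format-Table Direction, DisplayName, Program -AutoSize
    }
}
```

Delete the baseline file after reviewing and accepting new rules to record a fresh one on the next run.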