The command ports of the schedd and the startd are bound in the master
and inherited by the child processes. This means that as long as the
Master is an exception, these sockets should not be interfered with by
the firewall (and in a similar fashion, the Schedd and Startd are listed
as exceptions to enable incoming connections on the command ports of the
shadow and the starter).
If you've verified that the master is properly enabled as an exception,
there's only a few other possibilities that I can think of:
1. Exceptions are disabled - see netsh firewall show config output and
look for 'Exception Mode'. It should be enabled in the standard profile.
2. Somehow the exceptions are not applying to the particular network
interface or profile you have in use.