Event ID 4944

The following policy was active when the Windows Firewall started

The following policy was active when the Windows Firewall started.

Group Policy Applied:                                   %1
Profile Used:                                           %2
Operational mode:                                       %3
Allow Remote Administration:                            %4
Allow Unicast Responses to Multicast/Broadcast Traffic: %5
Security Logging:
    Log Dropped Packets:        %6
    Log Successful Connections: %7

This event generates every time Windows Firewall service starts.

This event shows Windows Firewall settings that were in effect when the Windows Firewall service started.

Auditing: Always

Volume: Low

Microsoft Documentation

Event ID - 4944

	Field	Insertion String	OS	Example
Group Policy Applied	GroupPolicyApplied	%1	Any	No
Profile Used	Profile	%2	Any	Public
Operational mode	OperationMode	%3	Any	Off
Allow Remote Administration	RemoteAdminEnabled	%4	Any	Disabled
Allow Unicast Responses to Multicast/Broadcast Traffic	MulticastFlowsEnabled	%5	Any	Enabled
Log Dropped Packets	LogDroppedPacketsEnabled	%6	Any	Disabled
Log Successful Connections	LogSuccessfulConnectionsEnabled	%7	Any	Disabled

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"MPSSVC Rule-Level Policy Change"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:

Audit Success

Audit Category:

Policy Change

Audit Subcategory:

MPSSVC Rule-Level Policy Change

Legacy Events:

848

LEFT/RIGHT arrow keys for navigation

Back to List