Event ID: 4948

A change was made to the Windows Firewall exception list. A rule was deleted 

A change was made to the Windows Firewall exception list. A rule was deleted.

Profile Changed:    %1

Deleted Rule:
    Rule ID:    %2
    Rule Name:  %3


This event generates when Windows Firewall rule was deleted.

This event doesn't generate when the rule was deleted via Group Policy.

Auditing:     Always


Volume:     Low


Microsoft Documentation

Event ID - 4948



Name Field Insertion String OS Example
Profile Changed ProfileChanged %1 Any All
Rule ID RuleId %2 Any {F2649D59-1355-4E3C-B886-CDD08B683199}
Rule Name RuleName %3 Any Allow All Rule

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019

Tags:
Audit Success
Audit Category:
Policy Change

Audit Subcategory:
MPSSVC Rule-Level Policy Change
Legacy Events:
851 852

LEFT/RIGHT arrow keys for navigation

Back to List