Event ID 4948 - A change was made to the Windows Firewall exception list. A rule was deleted

Event ID: 4948

A change was made to the Windows Firewall exception list. A rule was deleted

A change was made to the Windows Firewall exception list. A rule was deleted.

Profile Changed:    %1

Deleted Rule:
    Rule ID:    %2
    Rule Name:  %3

Microsoft Documentation

Event ID - 4948

This event generates when Windows Firewall rule was deleted.

This event doesn't generate when the rule was deleted via Group Policy.

	Field	Insertion String	OS	Example
Profile Changed	ProfileChanged	%1	Any	All
Rule ID	RuleId	%2	Any	{F2649D59-1355-4E3C-B886-CDD08B683199}
Rule Name	RuleName	%3	Any	Allow All Rule

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"MPSSVC Rule-Level Policy Change"

How to enable Windows Auditing

Operating Systems:

Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019

Audit Category:

Policy Change

Audit Subcategory:

MPSSVC Rule-Level Policy Change

Legacy Events:

851 852

LEFT/RIGHT arrow keys for navigation

Back to List