Event ID 4952

Windows Firewall ignored parts of a rule because its minor version number is not recognized 

Windows Firewall ignored parts of a rule because its minor version number is not recognized. Other parts of the rule will be enforced.

Profile:    %1

Partially Ignored Rule:
    ID: %2
    Name:   %3


When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to newer versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows.

If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule.

The only solution is to remove the incompatible rule, and then deploy a compatible rule.

Auditing:     Always

Usually indicates a configuration issue, not a security issue.


Volume:     Low


Microsoft Documentation

Event ID - 4952



Name Field Insertion String OS Example
Profile Profile %1 Any All
ID RuleId %2 Any {08CBB349-D158-46BE-81E1-2ABC59BDD523}
Name RuleName %3 Any New Test Rule

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Failure
Audit Category:
Policy Change

Audit Subcategory:
MPSSVC Rule-Level Policy Change

LEFT/RIGHT arrow keys for navigation

Back to List