diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 9c173860f4..dc79e60f50 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -77,13 +77,13 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -137,7 +137,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ - **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object). - SDDL contains Central Access Policy SID, here is an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name you need to do the following: + SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name, you need to do the following steps: 1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container. @@ -166,11 +166,11 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ |-------|--------------------------------------|-------|---------------------------------| | "AO" | Account operators | "PA" | Group Policy administrators | | "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | -| "AN" | Anonymous logon | "LA" | Local administrator | +| "AN" | Anonymous sign in | "LA" | Local administrator | | "AU" | Authenticated users | "LG" | Local guest | | "BA" | Built-in administrators | "LS" | Local service account | | "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | +| "BO" | Backup operators | "NU" | Network sign-in user | | "BU" | Built-in users | "NO" | Network configuration operators | | "CA" | Certificate server administrators | "NS" | Network service account | | "CG" | Creator group | "PO" | Printer operators | @@ -182,7 +182,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ | "DU" | Domain users | "RC" | Restricted code | | "EA" | Enterprise administrators | "SA" | Schema administrators | | "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | +| "WD" | Everyone | "SU" | Service sign-in user | - *G*: = Primary Group. - *D*: = DACL Entries. @@ -202,7 +202,7 @@ Example: D:(A;;FA;;;WD) "P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set. "AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. @@ -228,7 +228,7 @@ Example: D:(A;;FA;;;WD) "CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. +"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE. "NP" - NO PROPAGATE: only immediate children inherit this ace. @@ -239,7 +239,7 @@ Example: D:(A;;FA;;;WD) "SA" - SUCCESSFUL ACCESS AUDIT "FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. +- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. | Value | Description | Value | Description | |----------------------------|---------------------------------|----------------------|--------------------------| @@ -261,7 +261,7 @@ Example: D:(A;;FA;;;WD) - object\_guid: N/A - inherit\_object\_guid: N/A -- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above. For more information about SDDL syntax, see these articles: , . @@ -277,7 +277,7 @@ For 4913(S): Central Access Policy on the object was changed. - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Process Name**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 2899b77a51..64481ef466 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -97,12 +97,12 @@ Failure event generates if an error occurs (**Status Code** != 0). Directory Replication Service options in AD Sites and Services -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4928(S, F): An Active Directory replica source naming context was established. -- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 8d4802ca42..bd67b19fac 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -89,18 +89,18 @@ Failure event generates if an error occurs (**Status Code** != 0). - **Source Address** \[Type = UnicodeString\]: DNS record of the server from which the “remove” request was received. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was removed. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was removed. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4929(S, F): An Active Directory replica source naming context was removed. -- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index ad5d6086a1..c63813a961 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -27,7 +27,7 @@ This event generates every time Active Directory replica source naming context w Failure event generates if an error occurs (**Status Code** != 0). -It is not possible to understand what exactly was modified from this event. +It isn't possible to understand what exactly was modified from this event. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -91,18 +91,18 @@ It is not possible to understand what exactly was modified from this event. - **Source Address** \[Type = UnicodeString\]: DNS record of computer from which the modification request was received. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4930(S, F): An Active Directory replica source naming context was modified. -- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 39a7be5a64..46b91b742c 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -27,7 +27,7 @@ This event generates every time Active Directory replica destination naming cont Failure event generates if an error occurs (**Status Code** != 0). -It is not possible to understand what exactly was modified from this event. +It isn't possible to understand what exactly was modified from this event. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -91,13 +91,13 @@ It is not possible to understand what exactly was modified from this event. - **Destination Address** \[Type = UnicodeString\]: DNS record of computer to which the modification request was sent. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index f5581407ab..cc7ffb2eec 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates every time Windows Firewall service starts. -This event shows the inbound and/or outbound rule which was listed when the Windows Firewall started and applied for “Public” profile. +This event shows the inbound and/or outbound rule that was listed when the Windows Firewall started and applied for “Public” profile. This event generates per rule. @@ -75,11 +75,11 @@ This event generates per rule. - **Rule ID** \[Type = UnicodeString\]: the unique firewall rule identifier. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -89,5 +89,5 @@ For 4945(S): A rule was listed when the Windows Firewall started. - Typically this event has an informational purpose. -- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration is not the same. +- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration isn't the same. diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 505cec18fb..5a3a44929a 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -71,11 +71,11 @@ This event doesn't generate when new rule was added via Group Policy. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -87,11 +87,11 @@ This event doesn't generate when new rule was added via Group Policy. - **Rule ID** \[Type = UnicodeString\]: the unique new firewall rule identifier. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -99,5 +99,5 @@ This event doesn't generate when new rule was added via Group Policy. For 4946(S): A change has been made to Windows Firewall exception list. A rule was added. -- This event can be helpful in case you want to monitor all creations of new Firewall rules which were done locally. +- This event can be helpful in case you want to monitor all creations of new Firewall rules that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 65c71e3cd4..ecc34d3112 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -71,11 +71,11 @@ This event doesn't generate when the rule was deleted via Group Policy. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -87,11 +87,11 @@ This event doesn't generate when the rule was deleted via Group Policy. - **Rule ID** \[Type = UnicodeString\]: the unique identifier for deleted firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -99,5 +99,5 @@ This event doesn't generate when the rule was deleted via Group Policy. For 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. -- This event can be helpful in case you want to monitor all deletions of Firewall rules which were done locally. +- This event can be helpful in case you want to monitor all deletions of Firewall rules that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index 69db4a04e2..8c7148eb98 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -77,7 +77,7 @@ This event doesn't generate when Windows Firewall setting was changed via Group **New Setting:** -- **Type** \[Type = UnicodeString\]: the name of the setting which was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command: +- **Type** \[Type = UnicodeString\]: the name of the setting that was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command: Netsh advfirewall command illustration @@ -89,5 +89,5 @@ For 4950(S): A Windows Firewall setting has changed. - If you have a standard or baseline for Windows Firewall settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline. -- This event can be helpful in case you want to monitor all changes in Windows Firewall settings which were done locally. +- This event can be helpful in case you want to monitor all changes in Windows Firewall settings that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index 060b9c4b83..6f7ede1970 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -1,6 +1,6 @@ --- -title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10) -description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. +title: 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. (Windows 10) +description: Describes security event 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. +# 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall. Event 4951 illustration @@ -25,7 +25,7 @@ ms.technology: windows-sec When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. -If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule. +If you create a firewall rule on a newer version of Windows that references firewall settings that aren't available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it can't process the rule. The only solution is to remove the incompatible rule, and then deploy a compatible rule. @@ -73,11 +73,11 @@ The only solution is to remove the incompatible rule, and then deploy a compatib - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -89,17 +89,17 @@ The only solution is to remove the incompatible rule, and then deploy a compatib - **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration ## Security Monitoring Recommendations -For 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. +For 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues.