Enough is enough. I’ll turn it on when I need it or when I have infinite resources to manage the logs that Filtering Platform logging produces. In my case, I was getting a lot of messages for event ID 5157 (“The Windows Filtering Platform has blocked a connection.”). For now, how do you turn this off in Windows Server 2012 R2?

To list all the categories:

C:\>auditpol /list /category
Category/Subcategory
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System

To get a list of any sub-categories for a category:

auditpol /get /category:"Account Logon"
auditpol /get /category:"Account Management"
auditpol /get /category:"Detailed Tracking"
auditpol /get /category:"DS Access"
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Object Access"
auditpol /get /category:"Policy Change"
auditpol /get /category:"Privilege Use"
auditpol /get /category:"System"

I have picked out the sub-categories under the “Object Access” category, because that is where the Filtering Platform settings live. To see the current settings for a sub-category:

auditpol /get /subcategory:"Filtering Platform Packet Drop"
auditpol /get /subcategory:"Filtering Platform Connection"
auditpol /get /subcategory:"IPsec Driver"
auditpol /get /subcategory:"IPsec Main Mode"
auditpol /get /subcategory:"IPsec Quick Mode"
auditpol /get /subcategory:"IPsec Extended Mode"

Example:

C:\>auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory Setting
Object Access
Filtering Platform Connection Success and Failure

To disable all audit logging for some sub-categories:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable

C:\>auditpol /get /subcategory:"Filtering Platform Connection"
System audit policy
Category/Subcategory Setting
Object Access
Filtering Platform Connection No Auditing

Or to enable all audit logging for some sub-categories:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Extended Mode" /success:enable /failure:enable
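The same steps wrapped in PowerShell, as an added example that is not from the original post: it counts how many 5157 events arrived in the last hour, saves the whole current audit policy with auditpol /backup so the change can be reversed, then disables only the "Filtering Platform Connection" sub-category and reads the setting back via the CSV report. It assumes an elevated prompt; the backup path is a placeholder.

```powershell
# Added example: measure 5157 noise, back up the audit policy, disable only the
# Filtering Platform Connection sub-category, then verify. Run from an elevated prompt.
$BackupFile  = "C:\Temp\auditpol-backup.csv"   # placeholder path, change to suit
$SubCategory = "Filtering Platform Connection"

# 1. How noisy is event 5157 right now? (Security log, last hour)
$since = (Get-Date).AddHours(-1)
$count = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5157; StartTime=$since} `
             -ErrorAction SilentlyContinue).Count
Write-Host "5157 events in the last hour: $count"

# 2. Save the full current policy; undo later with: auditpol /restore /file:$BackupFile
auditpol /backup /file:$BackupFile
if ($LASTEXITCODE -ne 0) { throw "auditpol backup failed" }

# 3. Current setting for this sub-category (/r gives CSV, easier to parse than the table)
$before = auditpol /get /subcategory:"$SubCategory" /r | ConvertFrom-Csv
Write-Host "Before: $($before.'Inclusion Setting')"

# 4. Disable success and failure auditing for this one sub-category only
auditpol /set /subcategory:"$SubCategory" /success:disable /failure:disable
if ($LASTEXITCODE -ne 0) { throw "auditpol set failed" }

# 5. Read the setting back to confirm the change took effect
$after = auditpol /get /subcategory:"$SubCategory" /r | ConvertFrom-Csv
Write-Host "After:  $($after.'Inclusion Setting')"
```

If the server receives its audit settings from Group Policy (Advanced Audit Policy Configuration), a local auditpol /set is overwritten at the next policy refresh, so make the change in the GPO instead.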