Policy
Windows Defender Firewall: Allow logging
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016, WindowsVista, WindowsXP
Allows Windows Defender Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Defender Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to log successful incoming messages. If you are configuring the log file name, ensure that the Windows Defender Firewall service account has write permissions to the folder containing the log file. Default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log. If you disable this policy setting, Windows Defender Firewall does not record information in the log file. If you enable this policy setting, and Windows Defender Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Defender Firewall leaves the log file intact. If you do not configure this policy setting, Windows Defender Firewall behaves as if the policy setting were disabled.
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value | Copy |
|---|---|---|---|---|---|
| Computer | Path SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging Value name LogDroppedPackets | REG_SZ | HKLM — | HKLM 0 | |
| Computer | Path SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging Value name LogSuccessfulConnections | REG_SZ | HKLM — | HKLM 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior | Copy |
|---|---|---|---|---|---|
| Computer | Log file path and name: ID WF_Logging_LogFilePathAndName | text | Path SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging Value name LogFilePath Type REG_SZ | None | |
| Computer | Size limit (KB): ID WF_Logging_SizeLimit | decimal | Path SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging Value name LogFileSize Type REG_DWORD | Range: 128 to 32767 | |
| Computer | Log dropped packets ID WF_Logging_LogDroppedPackets | boolean | Path SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging Value name LogDroppedPackets Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 | |
| Computer | Log successful connections ID WF_Logging_LogSuccessfulConnections | boolean | Path SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging Value name LogSuccessfulConnections Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |