Although nowadays you could (err…should) configure Event Viewer (or centralized logging) for your Windows Defender Firewall, here’s a tip about something I noticed when changing the default Windows Defender Firewall log location.
When applying a GPO to do this, keep in mind that the MpsSvc service account is responsible for writing the Windows Firewall log, so if you change the default location (%windir%\System32\LogFiles\Firewall), you need to give that account the right NTFS permissions on the new folder.
So basically, this is what you need to do:
- Change the default location for the Windows Firewall log
- Go to the new location
- Right-click the folder and then click Properties
- Click the Security tab and Edit
- Now, click Add
- Make sure that you’ve selected the local computer and not the domain (in “Locations…”)
- Now type NT Service\MpsSvc and click OK
- Make sure MpsSvc has Write Access and click OK again
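
The same permission steps scripted in PowerShell, as an added example that is not part of the original post. The folder `C:\Logs\Firewall` is an assumed placeholder for whatever path your GPO sets, and the script has to run in an elevated session.

```powershell
# Assumption: placeholder path; replace with the log folder configured in your GPO.
$LogDir  = 'C:\Logs\Firewall'
$Account = 'NT SERVICE\MpsSvc'   # service account that writes the firewall log

# Create the folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
}

# Build an Allow/Write rule that is inherited by files and subfolders,
# so the log file and its rotated copy are covered as well.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Account,
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add the rule to the existing ACL (existing entries are kept) and write it back.
$acl = Get-Acl -LiteralPath $LogDir
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $LogDir -AclObject $acl

# Check 1: the ACL now contains an Allow entry with Write for MpsSvc.
$entry = (Get-Acl -LiteralPath $LogDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Account -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
}
if (-not $entry) {
    Write-Warning "$Account has no Write access on $LogDir"
}

# Check 2: the effective (GPO-merged) log path of each profile points into this folder.
Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
    $effective = [Environment]::ExpandEnvironmentVariables($_.LogFileName)
    [pscustomobject]@{
        Profile     = $_.Name
        LogFileName = $effective
        InNewFolder = $effective.StartsWith($LogDir, [StringComparison]::OrdinalIgnoreCase)
    }
}
```

A profile that reports `InNewFolder = False` is still logging to another path, so the GPO has not applied to it yet or sets a different location.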