客户问题概括：

客户称在域控上发现大量ID 为5152的安全日志，几乎每秒3个，希望给予相关检查。

日志如下:

The Windows Filtering Platform has blocked a packet.

Application Information:
Process ID: 0
Application Name: -

Network Information:
Direction: Inbound
Source Address: 0.0.0.0
Source Port: 68
Destination Address: 255.255.255.255
Destination Port: 67
Protocol: 17

Filter Information:
Filter Run-Time ID: 437032
Layer Name: Transport
Layer Run-Time ID: 13

解决方法:

分析日志得知,此日志为Windows 防火墙审计日志，根据源和目的端口及WFP二层过滤，判断可能为DHCP广播相关数据。并且客户启用了WFP 过滤日志。关闭此日志记录即可.

举例:
使用以下命令关闭此日志即可:

auditpol /set /category:"system" /subCategory:"Filtering Platform Connection" /Failure:Disable
auditpol /set /category:"system" /subCategory:"Filtering Platform Packet Drop" /Failure:Disable

然后 gpupdate /force 刷新组策略