Hi, Thanks for posting in Microsoft TechNet forums. If we enable the "Filtering Platform Connection" audit policy on a Windows Server 2008 R2 computer and stop the Windows Firewall service, the Windows Filtering Platform (WFP) will incorrectly set the value of the ActionType property to FWP_ACTION_BLOCK and thus a "The Windows Filtering Platform has blocked a connection" event will be logged in the Security log incorrectly. WFP does not actually block the traffic. However, it can cause confusion in auditing log. Regards Kevin TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

Thank you

http://support.microsoft.com/kb/2654852 I am unsure what this KB article actually means is it a false alarm, or is it actually blocking the traffic?

Hi, Thanks for posting in Microsoft TechNet forums. If we enable the "Filtering Platform Connection" audit policy on a Windows Server 2008 R2 computer and stop the Windows Firewall service, the Windows Filtering Platform (WFP) will incorrectly set the value of the ActionType property to FWP_ACTION_BLOCK and thus a "The Windows Filtering Platform has blocked a connection" event will be logged in the Security log incorrectly. WFP does not actually block the traffic. However, it can cause confusion in auditing log. Regards Kevin TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.