Discovered Windows Firewall outputs its IPv4 permitted networks in full decimal notation, but it accepts them in CIDR. This has fooled our config manager as it considers this a difference and so re-applies the rule. Strange little things you discover in the logs.
It does obey idempotency, I suppose... still, I fixed it.
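
The comparison problem described above, as an added example that is not part of the original post: normalize both the desired and the reported address lists to one canonical form before deciding whether a rule has drifted. It assumes the reported form is address/dotted-decimal netmask (for example `10.1.0.0/255.255.0.0`) and goes slightly beyond that case by also handling ranges and keywords; `normalize_entry`, `needs_update` and the sample lists are hypothetical names and constructed data.

```python
import ipaddress


def normalize_entry(entry: str) -> str:
    """Return a canonical string for one firewall address entry."""
    entry = entry.strip()
    try:
        if "-" in entry:
            # Address range written as low-high.
            low, high = (ipaddress.ip_address(p.strip())
                         for p in entry.split("-", 1))
            return f"{low}-{high}"
        # ip_network() parses both 10.1.0.0/16 and 10.1.0.0/255.255.0.0.
        # strict=False masks stray host bits instead of raising.
        # A bare host address comes back as a /32 (or /128) network.
        return str(ipaddress.ip_network(entry, strict=False))
    except ValueError:
        # Not an address at all: treat it as a keyword and compare
        # case-insensitively.
        return entry.lower()


def needs_update(desired, reported) -> bool:
    """True only when the two lists describe different address sets."""
    want = {normalize_entry(e) for e in desired}
    have = {normalize_entry(e) for e in reported}
    return want != have


# Constructed sample data: what the config manager was told to apply ...
DESIRED = ["10.1.0.0/16", "192.168.10.0/24", "LocalSubnet"]
# ... and what the firewall reports back for the same rule (assumed form).
REPORTED = ["192.168.10.0/255.255.255.0", "10.1.0.0/255.255.0.0",
            "localsubnet"]

if __name__ == "__main__":
    print("string compare sees drift:", set(DESIRED) != set(REPORTED))
    print("normalized compare sees drift:", needs_update(DESIRED, REPORTED))
    # A genuinely wider or narrower mask must still be reported as drift.
    print("real change detected:",
          needs_update(["10.1.0.0/16"], ["10.1.0.0/255.255.255.0"]))
```

Normalizing rather than suppressing the diff keeps the check useful as a drift detector: a rule whose scope was actually changed on the host still compares unequal.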