Test how Microsoft Defender for Endpoint features work in audit mode


You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what would have happened if you had enabled the feature.

You may want to enable audit mode when testing how the features will work in your organization. This will help make sure your line-of-business apps aren't affected. You can also get an idea of how many suspicious file modification attempts occur over a certain period of time.

The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.

To find the audited entries, go to Applications and Services > Microsoft > Windows > Windows Defender > Operational.

You can use Defender for Endpoint to get greater detail for each event, especially when investigating attack surface reduction rules. The Defender for Endpoint console lets you investigate issues as part of the alert timeline and investigation scenarios.

You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
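
An added example (not from the original page) of the PowerShell route: it puts controlled folder access and network protection into audit mode, then counts the audited events recorded in the Windows Defender Operational log. The event IDs (1122, 1124, 1125), the seven-day window, and the rule GUID placeholder are not from this page; the placeholder must be replaced before the attack surface reduction step does anything.

```powershell
# Added example: enable audit mode, then summarize what would have been blocked.
# Run from an elevated PowerShell session on a test device.

# Features where audit applies to all events
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -EnableNetworkProtection AuditMode

# Attack surface reduction: audit is set per rule.
$asrRuleId = '<ASR-rule-GUID>'   # placeholder, not a real rule ID
if ($asrRuleId -notmatch '^<') {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                     -AttackSurfaceReductionRules_Actions AuditMode
}

# Confirm the settings took effect (a value of 2 means audit mode)
Get-MpPreference |
    Select-Object EnableControlledFolderAccess, EnableNetworkProtection

# Audit-mode event IDs in the Windows Defender Operational log
$auditIds = @{
    1122 = 'Attack surface reduction rule (audited)'
    1124 = 'Controlled folder access (audited)'
    1125 = 'Network protection (audited)'
}

$days = 7   # assumed review window
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = @($auditIds.Keys)
    StartTime = (Get-Date).AddDays(-$days)
}

# SilentlyContinue: Get-WinEvent reports an error when nothing matches
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# How many times each feature would have intervened
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Feature = $auditIds[[int]$_.Name]
        EventId = $_.Name
        Count   = $_.Count
    }
} | Format-Table -AutoSize

# Most recent entries, to check whether line-of-business apps are involved
$events | Select-Object -First 20 TimeCreated, Id, Message | Format-List
```
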


You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the features are working and see how they work.

| Audit options | How to enable audit mode | How to view events |
|---|---|---|
| Audit applies to all events | Enable controlled folder access | Controlled folder access events |
| Audit applies to individual rules | Enable attack surface reduction rules | Attack surface reduction rule events |
| Audit applies to all events | Enable network protection | Network protection events |
| Audit applies to individual mitigations | Enable exploit protection | Exploit protection events |