Use audit mode

Applies to:

You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what would have happened if you had enabled the feature.

You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.

While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.

To find the audited entries, go to Applications and Services > Microsoft > Windows > Windows Defender > Operational.

You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you investigate issues as part of the alert timeline and investigation scenarios.

This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.

You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.


You can also visit the Windows Defender Testground website at to confirm the features are working and see how they work.

Audit options How to enable audit mode How to view events
Audit applies to all events Enable controlled folder access Controlled folder access events
Audit applies to individual rules Enable attack surface reduction rules Attack surface reduction rule events
Audit applies to all events Enable network protection Network protection events
Audit applies to individual mitigations Enable exploit protection Exploit protection events