Use audit mode

Applies to:

You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what would have happened if you had enabled the feature.

You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.

While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.

You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you investigate issues as part of the alert timeline and investigation scenarios.

This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.

You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.


You can also visit the Windows Defender Testground website at to confirm the features are working and see how they work.

Audit options How to enable audit mode How to view events
Audit applies to all events Enable controlled folder access Controlled folder access events
Audit applies to individual rules Enable attack surface reduction rules Attack surface reduction rule events
Audit applies to all events Enable network protection Network protection events
Audit applies to individual mitigations Enable exploit protection Exploit protection events

You can also use the a custom PowerShell script that enables the features in audit mode automatically:

  1. Download the Exploit Guard Evaluation Package and extract the file Enable-ExploitGuardAuditMode.ps1 to an easily accessible location on the machine.

  2. Type powershell in the Start menu.

  3. Right-click Windows PowerShell, click Run as administrator and click Yes or enter admin credentials at the prompt.

  4. Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode:

    Set-ExecutionPolicy Bypass -Force

    Replace <location> with the folder path where you placed the file.

    A message should appear to indicate that audit mode was enabled.