4.2 KiB
title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, localizationpriority, author, ms.author
| title | description | keywords | search.product | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | localizationpriority | author | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Test how the features will work in your organization | Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled | exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab | eADQiWindows 10XVcnh | security | w10 | manage | library | security | medium | iaanw | iawilt |
Use audit mode to evaluate Windows Defender Exploit Guard features
You can enable each of the features of Windows Defender Explot Guard in audit mode. This lets you see a record of what would have happened if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack Surface Reduction rules. Using the Windows Defender ATP console lets you investigate issues as part of the alert timeline and investigation scenarios.
This topic links to topics that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
Audit options | How to enable audit mode | How to view events
- | - | - Audit applies to all events | Enable Controlled Folder Access | Controlled Folder Access events Audit applies to individual rules | Enable Attack Surface Reduction rules | Attack Surface Reduction events Audit applies to all events | Enable Network Protection | Network Protection events Audit applies to individual mitigations | Enable Exploit Protection | Exploit Protection events
Related topics
| Topic | Description |
|---|
- Protect devices from exploits with Windows Defender Exploit Guard
- Reduce attack surfaces with Windows Defender Exploit Guard
- Protect your network with Windows Defender Exploit Guard
- Protect important folders with Controlled Folder Access
Enabling Windows Defender EG rules in audit mode
Use the script Enable-ExploitGuardAuditMode.ps1 to turn on the ASR rules and Controlled Folder Access into audit mode via Local GP on a device. This allows one to observe how the rules would perform across various machines in your system, and determine which can be turned on in Block mode and if any exclusions need to be applied. Note: Rename Enable-ExploitGuardAuditMode.rename to Enable-ExploitGuardAuditMode.ps1 Run the following in an elevated powershell prompt:
- Set-ExecutionPolicy Bypass -Force
- .\Enable-ExploitGuardAuditMode.ps1 Successful output should indicate ASR and Controlled Folder Access were turned on in audit mode