4.6 KiB
title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, localizationpriority, author, ms.author, ms.date
| title | description | keywords | search.product | ms.pagetype | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | localizationpriority | author | ms.author | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Test how Windows Defender EG features work | Audit mode lets you use the event log to see how Windows Defender Exploit Guard would protect your devices if it were enabled | exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab | eADQiWindows 10XVcnh | security | w10 | manage | library | security | medium | iaanw | iawilt | 12/12/2017 |
Use audit mode to evaluate Windows Defender Exploit Guard features
Applies to:
- Windows 10, version 1709
Audience
- Enterprise security administrators
You can enable each of the features of Windows Defender Exploit Guard in audit mode. This lets you see a record of what would have happened if you had enabled the feature.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
You can use Windows Defender Advanced Threat Protection to get greater granularity into each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you investigate issues as part of the alert timeline and investigation scenarios.
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
You can use Group Policy, PowerShell, and configuration servicer providers (CSPs) to enable audit mode.
Tip
You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the features are working and see how they work.
Audit options | How to enable audit mode | How to view events
- | - | - Audit applies to all events | Enable Controlled folder access | Controlled folder access events Audit applies to individual rules | Enable Attack surface reduction rules | Attack surface reduction events Audit applies to all events | Enable Network protection | Network protection events Audit applies to individual mitigations | Enable Exploit protection | Exploit protection events
You can also use the a custom PowerShell script that enables the features in audit mode automatically:
-
Download the Exploit Guard Evaluation Package and extract the file Enable-ExploitGuardAuditMode.ps1 to an easily accessible location on the machine.
-
Type powershell in the Start menu.
-
Right-click Windows PowerShell, click Run as administrator and click Yes or enter admin credentials at the prompt.
-
Enter the following in the PowerShell window to enable Controlled folder access and Attack surface reduction in audit mode:
Set-ExecutionPolicy Bypass -Force <location>\Enable-ExploitGuardAuditMode.ps1Replace <location> with the folder path where you placed the file.
A message should appear to indicate that audit mode was enabled.