Option 3 — Enabled Mode (Default)#

Table of Contents#

What It Does
Why It Exists
Visual Anatomy — Policy Evaluation Stack
How to Set It (PowerShell)
XML Representation
Interaction with Other Options
When to Enable vs Disable
Real-World Scenario — End-to-End Walkthrough
What Happens If You Get It Wrong
Valid for Supplemental Policies?
OS Version Requirements
Summary Table

1. What It Does#

Enabled:Audit Mode places an App Control for Business policy in a non-enforcing observation state. When Audit Mode is active, the Code Integrity engine evaluates every executable, DLL, script, and kernel driver against the policy rules exactly as it would in enforcement mode — but instead of blocking binaries that do not match an allow rule, it allows them to run while writing a detailed event to the Microsoft-Windows-CodeIntegrity/Operational Windows Event Log. These audit events (primarily Event ID 3076 for user-mode and Event ID 3033 for kernel-mode) capture the full file identity: name, path, hash, publisher certificate chain, and the reason the binary would have been blocked. Security and IT teams use this data to understand the real-world impact of a policy before it goes into enforcement, identify gaps in the allow rules, and refine the policy to avoid false-positive blocks of legitimate business applications. To transition from audit to enforcement, you simply remove the Enabled:Audit Mode option from the policy and redeploy — no structural changes to the rules are required.

2. Why It Exists#

The “Big Bang” Deployment Problem#

Historically, application whitelisting technologies were notorious for causing operational outages when deployed without sufficient preparation. An enforced allowlist policy deployed to a production fleet without thorough testing would immediately block any legitimate application whose publisher, hash, or file path was not covered by the policy. The resulting flood of help-desk tickets, broken business processes, and emergency rollbacks eroded confidence in the technology and caused organizations to abandon it entirely.

Enabled:Audit Mode solves this by decoupling policy learning from enforcement. Teams can:

Deploy a policy to live production endpoints with zero risk of blocking legitimate software.
Collect weeks or months of audit data representing the real workload of each endpoint.
Use the audit data to automatically generate supplemental policies that cover observed applications.
Validate the refined policy in a staging environment.
Flip to enforcement with high confidence.

The Graduated Risk Reduction Model#

1
flowchart LR
2
    classDef audit fill:#1a1a0d,color:#fde68a,stroke:#713f12
3
    classDef enforce fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef risk fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
5

6
    A([No Policy\nFull exposure]):::risk --> B([Audit Mode Policy\nLearning phase\nZero disruption]):::audit
7
    B --> C([Refined Policy\nAudit Mode\nValidation phase]):::audit
8
    C --> D([Enforced Policy\nProduction\nFull protection]):::enforce
9

10
    style A fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
11
    style B fill:#1a1a0d,color:#fde68a,stroke:#713f12
12
    style C fill:#1a1a0d,color:#fde68a,stroke:#713f12
13
    style D fill:#0d1f12,color:#86efac,stroke:#166534

3. Visual Anatomy — Policy Evaluation Stack#

1
flowchart TD
2
    classDef kernel fill:#162032,color:#58a6ff,stroke:#1e3a5f
3
    classDef usermode fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef audit fill:#1a1a0d,color:#fde68a,stroke:#713f12
5
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
6
    classDef allow fill:#0d1f12,color:#86efac,stroke:#166534
7
    classDef neutral fill:#1c1c2e,color:#a5b4fc,stroke:#3730a3
8

9
    A([Binary Execution Request]) --> B[Code Integrity Engine\nCI.dll / VBS]:::kernel
10
    B --> C{Evaluate against\npolicy rules}
11
    C --> D{Rule match\nresult?}
12

13
    D -- Allow rule hit --> E([Binary executes\nNo event written]):::allow
14

15
    D -- No match / Deny hit --> F{Option 3\nEnabled:Audit Mode\npresent?}:::audit
16

17
    F -- Yes AUDIT MODE --> G([Binary executes anyway\nAudit event written]):::audit
18
    G --> H[(Event Log\nEvent ID 3076 user-mode\nEvent ID 3033 kernel-mode)]:::audit
19
    H --> I([SIEM / Event Forwarding\nPolicy refinement input]):::neutral
20

21
    F -- No ENFORCEMENT --> J([Binary BLOCKED\nEnforce event written]):::block
22
    J --> K[(Event Log\nEvent ID 3077 user-mode\nEvent ID 3034 kernel-mode)]:::block

Audit Mode vs Enforcement Side-by-Side#

1
flowchart LR
2
    classDef audit fill:#1a1a0d,color:#fde68a,stroke:#713f12
3
    classDef enforce fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef allow fill:#0d1f12,color:#86efac,stroke:#166534
5

6
    subgraph Audit_Mode["Audit Mode (Option 3 Set)"]
7
        direction TB
8
        A1([Unauthorized binary]) --> B1([Policy evaluates]):::audit
9
        B1 --> C1([Would block? YES]):::audit
10
        C1 --> D1([Binary RUNS anyway]):::allow
11
        D1 --> E1([Event 3076 logged]):::audit
12
    end
13

14
    subgraph Enforce_Mode["Enforcement Mode (Option 3 Removed)"]
15
        direction TB
16
        A2([Unauthorized binary]) --> B2([Policy evaluates]):::enforce
17
        B2 --> C2([Would block? YES]):::enforce
18
        C2 --> D2([Binary BLOCKED]):::enforce
19
        D2 --> E2([Event 3077 logged]):::enforce
20
    end

4. How to Set It (PowerShell)#

Enable Audit Mode (Add Option 3)#

1
# Place policy in Audit Mode — binaries run but violations are logged
2
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 3

Disable Audit Mode / Switch to Enforcement (Remove Option 3)#

1
# Remove Audit Mode — policy is now ENFORCED
2
# WARNING: After this, non-matching binaries will be BLOCKED
3
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 3 -Delete

Verify Current Mode#

1
[xml]$Policy = Get-Content "C:\Policies\MyBasePolicy.xml"
2
$ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
3
$ns.AddNamespace("si", "urn:schemas-microsoft-com:sipolicy")
4
$rules = $Policy.SelectNodes("//si:Rule/si:Option", $ns) | Select-Object -ExpandProperty '#text'
5

6
if ($rules -contains "Enabled:Audit Mode") {
7
    Write-Host "Policy is in AUDIT MODE — not enforcing" -ForegroundColor Yellow
8
} else {
9
    Write-Host "Policy is in ENFORCEMENT MODE — blocking active" -ForegroundColor Red
10
}

Collecting Audit Events#

1
# Collect all audit events (would-be-blocked binaries)
2
$AuditEvents = Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" |
3
    Where-Object { $_.Id -in @(3076, 3033) } |
4
    Select-Object TimeCreated, Id,
5
        @{N="FilePath"; E={ $_.Properties[1].Value }},
6
        @{N="Publisher"; E={ $_.Properties[4].Value }},
7
        @{N="SHA256"; E={ $_.Properties[8].Value }}
8

9
$AuditEvents | Export-Csv "$env:USERPROFILE\Desktop\audit_events_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
10
Write-Host "Collected $($AuditEvents.Count) audit events"

Auto-Generate Supplemental Policy from Audit Log#

1
# Generate a supplemental policy covering all audited binaries
2
$AuditPolicyPath = "C:\Policies\Supplemental_FromAudit.xml"
3

4
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs `
5
    -MultiplePolicyFormat `
6
    -FilePath $AuditPolicyPath
7

8
# Review the generated policy before merging
9
Get-Content $AuditPolicyPath | Select-String "FileRuleRef"

Full Audit-to-Enforcement Workflow#

1
# Phase 1: Deploy audit policy
2
$PolicyPath = "C:\Policies\Corp_Baseline.xml"
3
Set-RuleOption -FilePath $PolicyPath -Option 0   # UMCI
4
Set-RuleOption -FilePath $PolicyPath -Option 3   # Audit Mode
5
ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath "C:\Policies\Corp_Baseline_Audit.cip"
6
# ... deploy via Intune/GPO ...
7

8
# Phase 2: Collect data (run for 2-4 weeks)
9
Start-Sleep -Seconds (60 * 60 * 24 * 14)   # Conceptual — in reality, manual review
10

11
# Phase 3: Build supplemental from audit log
12
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs `
13
    -FilePath "C:\Policies\Supplemental_Audit.xml"
14

15
# Phase 4: Merge supplemental into base or add allow rules
16
Merge-CIPolicy -PolicyPaths $PolicyPath, "C:\Policies\Supplemental_Audit.xml" `
17
    -OutputFilePath "C:\Policies\Corp_Baseline_Refined.xml"
18

19
# Phase 5: Remove Audit Mode — transition to enforcement
20
Set-RuleOption -FilePath "C:\Policies\Corp_Baseline_Refined.xml" -Option 3 -Delete
21

22
# Phase 6: Compile enforced policy
23
ConvertFrom-CIPolicy -XmlFilePath "C:\Policies\Corp_Baseline_Refined.xml" `
24
    -BinaryFilePath "C:\Policies\Corp_Baseline_Enforced.cip"
25
# ... deploy enforced policy ...

5. XML Representation#

Audit Mode Enabled (Policy in Learning Phase)#

1
<?xml version="1.0" encoding="utf-8"?>
2
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
3

4
  <VersionEx>10.0.1.0</VersionEx>
5
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
6
  <PlatformID>{2E07F7E4-194C-4D20-B96C-1498495910E7}</PlatformID>
7

8
  <Rules>
9
    <Rule>
10
      <Option>Enabled:UMCI</Option>
11
    </Rule>
12

13
    <Rule>
14
      <Option>Enabled:Audit Mode</Option>
15
    </Rule>
16

17
  </Rules>
18

19

20
</SiPolicy>

Enforcement Mode (Option 3 Removed)#

1
<Rules>
2
  <Rule>
3
    <Option>Enabled:UMCI</Option>
4
  </Rule>
5

6

7
</Rules>

Critical Note: The only XML difference between an auditing policy and an enforcing policy is the presence or absence of the <Rule><Option>Enabled:Audit Mode</Option></Rule> element. All signers, hashes, and file rules remain identical. This makes the audit-to-enforcement transition a minimal, low-risk operation.

6. Interaction with Other Options#

Option Relationship Matrix#

Option	Name	Relationship with Audit Mode
0	Enabled	Essential pair — UMCI must be present for meaningful user-mode audit data
2	Required	Pair for kernel driver auditing — audit WHQL violations before enforcing
4	Disabled Signing	Independent — both can coexist; audit will log Flight-signed binaries
10	Enabled Audit on Failure	Related — extends audit concept to boot failures
16	Enabled Policy No Reboot	Deployment helper — combined enables hot-swap from audit to enforcement
20	Enabled Code Security	Pair — audit JIT code violations before enforcing DCS

The Audit Mode Lifecycle State Machine#

1
stateDiagram-v2
2
    direction LR
3

4
    [*] --> NoPolicyState: Endpoint with no WDAC policy
5

6
    NoPolicyState --> AuditPhase1: Deploy policy\n+ Option 3 (Audit Mode)
7
    AuditPhase1 --> DataCollection: 2-4 weeks\nevent collection
8

9
    DataCollection --> PolicyRefinement: Analyze 3076/3033 events\nGenerate supplemental
10

11
    PolicyRefinement --> AuditPhase2: Deploy refined policy\nstill with Option 3
12

13
    AuditPhase2 --> Validation: Validation period\n1-2 weeks
14

15
    Validation --> EnforcedState: Remove Option 3\nDeploy enforced policy
16

17
    EnforcedState --> [*]: Active enforcement
18

19
    EnforcedState --> AuditPhase1: New software rollout\nRe-enter audit cycle
20

21
    note right of AuditPhase1
22
        Event ID 3076 (user-mode)
23
        Event ID 3033 (kernel-mode)
24
        Binary RUNS despite violation
25
    end note
26

27
    note right of EnforcedState
28
        Event ID 3077 (user-mode)
29
        Event ID 3034 (kernel-mode)
30
        Binary BLOCKED on violation
31
    end note

7. When to Enable vs Disable#

1
flowchart TD
2
    classDef yes fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef no fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
5
    classDef question fill:#162032,color:#58a6ff,stroke:#1e3a5f
6

7
    Start([Should Audit Mode be ENABLED?]) --> Q1{Is this a new policy\nbeing rolled out?}:::question
8
    Q1 -- Yes --> ENABLE1([Enable Audit Mode\nEssential for safe rollout]):::yes
9

10
    Q1 -- No --> Q2{Are you adding significant\nnew allow rules?}:::question
11
    Q2 -- Yes --> ENABLE2([Enable Audit Mode temporarily\nValidate new rules]):::yes
12
    Q2 -- No --> Q3{Is the policy already\nrefined and tested?}:::question
13

14
    Q3 -- Yes --> DISABLE([Remove Audit Mode\nEnforce the policy]):::no
15
    Q3 -- No --> WARN1([Enable Audit Mode\nDo not enforce untested policy]):::warn
16

17
    Start2([Should Audit Mode be REMOVED?]) --> Q4{Has audit data been\ncollected for 2+ weeks?}:::question
18
    Q4 -- No --> WAIT([Wait longer\nInsufficient data]):::warn
19
    Q4 -- Yes --> Q5{Has audit data been\nanalyzed and policy refined?}:::question
20
    Q5 -- No --> ANALYZE([Analyze first\nThen remove Audit Mode]):::warn
21
    Q5 -- Yes --> Q6{Has refined policy\nbeen tested in staging?}:::question
22
    Q6 -- Yes --> ENFORCE([Remove Option 3\nDeploy enforced policy]):::no
23
    Q6 -- No --> TEST([Test in staging first]):::warn

Decision Reference Table#

Scenario	Audit Mode State
Initial policy deployment to any environment	Enable — non-negotiable best practice
New major software rollout to fleet	Enable — collect new binary data
Policy already enforced and stable	Remove — keep enforcement active
Responding to policy enforcement incident	Enable temporarily — diagnose without disruption
Compliance certification requiring enforcement	Remove — auditors expect enforcement, not audit
Dev/test machine policy	Keep enabled indefinitely for flexibility

8. Real-World Scenario — End-to-End Walkthrough#

Scenario: Enterprise-Wide WDAC Rollout via Audit-First Approach#

A 5,000-endpoint enterprise deploys WDAC for the first time across all corporate laptops. Audit Mode is used to learn the environment over 30 days before any enforcement is activated.

1
sequenceDiagram
2
    autonumber
3
    actor CISO
4
    actor Admin
5
    participant Intune as Microsoft Intune
6
    participant TestRing as Test Ring (50 endpoints)
7
    participant EventLog as Event Log / SIEM
8
    participant CIModule as ConfigCI PowerShell
9
    participant PilotRing as Pilot Ring (500 endpoints)
10
    participant ProdFleet as Production Fleet (5000 endpoints)
11

12
    CISO ->> Admin: Requirement: WDAC on all endpoints within 60 days
13
    Admin ->> CIModule: Create policy: DefaultWindows + Option 0 (UMCI) + Option 3 (Audit)
14
    Admin ->> CIModule: ConvertFrom-CIPolicy → corp_audit_v1.cip
15
    Admin ->> Intune: Deploy corp_audit_v1.cip to Test Ring (50 devices)
16
    TestRing ->> EventLog: Generate 3076 events for 2 weeks
17
    Admin ->> EventLog: Export and analyze 3076 events
18
    EventLog -->> Admin: 47 unique binaries would have been blocked
19
    Admin ->> CIModule: New-CIPolicy -Audit → supplemental_from_audit.xml
20
    Admin ->> CIModule: Merge base + supplemental → corp_audit_v2.xml
21
    Admin ->> Intune: Deploy corp_audit_v2.cip to Test Ring
22
    TestRing ->> EventLog: Generate 3076 events for 1 more week
23
    EventLog -->> Admin: 3 remaining edge-case binaries
24
    Admin ->> CIModule: Add remaining signers/hashes manually
25
    Admin ->> CIModule: Remove Option 3 → corp_enforced_v1.xml
26
    Admin ->> Intune: Deploy corp_enforced_v1.cip to Pilot Ring (500 devices)
27
    PilotRing -->> Admin: Monitor for 3077 events — 2 false positives found
28
    Admin ->> CIModule: Add 2 missing file rules → corp_enforced_v2.xml
29
    Admin ->> Intune: Staged rollout to Production Fleet (5000 devices)
30
    ProdFleet -->> CISO: 100% WDAC enforced — 0 operational incidents

Analyzing Audit Events Efficiently#

1
sequenceDiagram
2
    autonumber
3
    actor Admin
4
    participant EventLog as Windows Event Log
5
    participant PowerShell as PowerShell Analysis
6
    participant ExcelCSV as CSV / Excel Report
7
    participant PolicyXML as Policy XML
8

9
    Admin ->> EventLog: Query Event ID 3076 for past 14 days
10
    EventLog -->> PowerShell: Return raw events (potentially thousands)
11
    PowerShell ->> PowerShell: Group by Publisher → deduplicate
12
    PowerShell ->> PowerShell: Prioritize: signed > unsigned > by path
13
    PowerShell ->> ExcelCSV: Export grouped report
14
    Admin ->> ExcelCSV: Review — identify business-critical apps vs noise
15
    Admin ->> PolicyXML: Add FilePublisher rules for signed trusted apps
16
    Admin ->> PolicyXML: Add Hash rules for unsigned but required binaries
17
    Admin ->> PolicyXML: Flag unknown binaries for security review
18
    PolicyXML -->> Admin: Refined policy ready for re-audit deployment

9. What Happens If You Get It Wrong#

Scenario A: Forget to Remove Audit Mode Before Production#

The policy is deployed to production with Audit Mode still present. Enforcement never activates, but the team believes they are protected.

1
flowchart TD
2
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
3
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
4
    classDef ok fill:#0d1f12,color:#86efac,stroke:#166534
5

6
    A([Audit Mode left in production policy]) --> B{Malware executes}
7
    B --> C([Policy evaluates binary]):::warn
8
    C --> D([No allow rule match]):::warn
9
    D --> E([Audit Mode: Binary RUNS anyway]):::block
10
    D --> F([Event 3076 written to log]):::warn
11
    E --> G([Malware executes successfully]):::block
12
    G --> H([Data breach / ransomware]):::block
13
    F --> I([Alert in SIEM — too late]):::warn
14
    H --> J([Incident response triggered]):::block
15
    J --> K([Audit Mode discovered in policy review]):::warn
16
    K --> L([Policy corrected post-breach]):::block

Scenario B: Remove Audit Mode Without Sufficient Data Collection#

1
flowchart TD
2
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
3
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
4

5
    A([Remove Audit Mode after only 3 days]) --> B[Insufficient audit coverage]:::warn
6
    B --> C([Policy enforced on day 4])
7
    C --> D[Monthly payroll software runs\nnot captured in 3-day audit]:::block
8
    C --> E[Quarterly compliance tool runs\nnot captured]:::block
9
    C --> F[Seasonal inventory software\nnot captured]:::block
10
    D --> G([Payroll fails on month-end]):::block
11
    E --> H([Compliance audit failure]):::block
12
    F --> I([Inventory count disrupted]):::block

Misconfig Consequences Summary#

Mistake	Impact	Severity
Leave Audit Mode in production permanently	Policy provides zero enforcement	Critical
Enforce without sufficient audit period	LOB app breaks at unexpected time	High
Ignore high-volume 3076 events	Policy gaps unaddressed before enforcement	High
Confuse audit coverage with full inventory	Seasonal/monthly apps missed	Medium
Run audit without UMCI option	Only kernel events logged; user-mode gaps invisible	High

10. Valid for Supplemental Policies?#

No. Enabled:Audit Mode is not valid in supplemental policies. The enforcement mode of the entire policy set is determined solely by the base policy. Supplemental policies cannot independently toggle between audit and enforcement — they inherit the base policy’s mode. Setting Option 3 in a supplemental policy would be silently ignored or rejected during policy merge.

This design ensures a consistent enforcement posture across the base + supplemental policy set. You cannot have a “partially auditing” configuration where the base enforces but a supplemental audits — the base policy is authoritative.

11. OS Version Requirements#

Windows Version	Audit Mode Status
Windows 10 1507 (TH1)	Basic audit logging supported
Windows 10 1607+	Full audit mode with UMCI audit (Event 3076)
Windows 10 1703+	Audit events enriched with script enforcement data
Windows 10 1903+	Structured audit event format improved
Windows 11 21H2+	Enhanced audit tooling; `citool.exe` available
Windows Server 2016+	Full support
Windows Server 2019+	Recommended; enhanced event forwarding

Event Forwarding for Scale: In enterprise environments, configure Windows Event Forwarding (WEF) or a SIEM agent to centralize Event ID 3076 events from all endpoints. Processing thousands of per-endpoint logs manually is not scalable. Tools like Microsoft WDAC Wizard and WDAC Policy Creator can ingest event exports and generate policy fragments automatically.

12. Summary Table#

Attribute	Value
Rule Option Name	`Enabled:Audit Mode`
Rule Option Index	3
Default State	Enabled in most Microsoft template policies
Effect when Enabled	Policy evaluates but does NOT block; violations logged
Effect when Disabled (Removed)	Policy ENFORCES — violating binaries are BLOCKED
Valid in Base Policy	Yes
Valid in Supplemental Policy	No
Requires Reboot on Change	No — audit/enforce switch takes effect on policy update
Primary Use Case	Safe initial deployment; policy validation; troubleshooting
Recommended Audit Duration	2–4 weeks minimum; 4–8 weeks for complex environments
Event ID (Audit — User-Mode)	3076 — would-be-blocked user-mode binary
Event ID (Audit — Kernel-Mode)	3033 — would-be-blocked kernel-mode driver
Event ID (Enforce — User-Mode)	3077 — blocked user-mode binary
Event ID (Enforce — Kernel-Mode)	3034 — blocked kernel-mode driver
Event Log	`Microsoft-Windows-CodeIntegrity/Operational`
PowerShell Cmdlet (Enable)	`Set-RuleOption -FilePath <xml> -Option 3`
PowerShell Cmdlet (Disable)	`Set-RuleOption -FilePath <xml> -Option 3 -Delete`
Policy Generation from Audit	`New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs`
Critical Warning	Leaving Audit Mode in production = zero enforcement
Security Framework Alignment	NIST SP 800-167 (Phased deployment), CIS Controls (baseline scanning)