Microsoft Defender for Endpoint and WDAC audit logs do not include kernel audit/blocks
While testing WDAC on a fully patched Win11 Pro machine, I noticed that kernel audit/block events do not get collected by MDE in the advanced hunting portal; only user-mode audit/blocks are collected. Can anyone confirm they see this too, and is this by design?
My test case is a Strict Kernel Mode WDAC policy (as per:
https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection), which is active, using the Global Secure Access client as my test. When the machine boots, the below event is generated locally on the machine:
This event is never shown on the MDE advanced hunting portal, though user events do show. Examples of events that are coming through:
Not receiving these events centrally for auditing would make deploying a kernel-mode WDAC control impossible. It would be amazing if the Microsoft product team could look into this and resolve it, as these alerts should be captured as well to facilitate deployment of more secure controls.
Hi Warren212,
This is indeed a known limitation/behavior by design in how MDE collects WDAC telemetry.
Kernel Mode WDAC events are not forwarded to MDE Advanced Hunting. The MDE sensor collects WDAC-related events primarily from user-mode Code Integrity operations. Kernel-mode events (such as Event ID 3076 generated by the kernel Code Integrity component) are not ingested into the DeviceEvents or DeviceImageLoadEvents tables in Advanced Hunting at this time.
Here are some workarounds you can use:
1. Use Windows Event Forwarding (WEF): Configure WEF to forward Microsoft-Windows-CodeIntegrity/Operational events from the local machine to a central Windows Event Collector, then ingest them into Microsoft Sentinel via the Windows Security Events connector.
2. Microsoft Sentinel + Azure Monitor Agent (AMA): With AMA and the proper DCR (Data Collection Rule), you can capture CodeIntegrity events (Event ID 3076, 3077, 3033, etc.) and query them via Sentinel custom tables.
3. Intune + WDAC Reporting: If devices are enrolled in Intune and you are using WDAC policies deployed via Intune, you can leverage the built-in WDAC reporting in Endpoint Manager for policy compliance data.
Microsoft has been gradually improving WDAC telemetry in MDE. It is worth submitting feedback via the Microsoft Feedback Portal so the product team can track demand for full kernel-mode WDAC event ingestion.
Hope this helps clarify the behavior and gives you a path forward!
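All three workarounds in the reply above rest on the same fact: the events exist in the local Microsoft-Windows-CodeIntegrity/Operational log even when MDE does not ingest them. The following PowerShell is an added example, not code from the thread or from Microsoft, that pulls those events locally, tags each one as kernel-mode or user-mode from the event's "SI Signing Scenario" field, and prints the XPath filter you would reuse unchanged in a WEF subscription or an AMA data collection rule. The function name Get-CodeIntegrityEvent, the seven-day window and the event cap are assumptions made here; the field names come from the 3076/3077 event schema.

```powershell
# Added example, not code from the thread. Enumerates the local
# Microsoft-Windows-CodeIntegrity/Operational log, tags each audit/block
# event as kernel-mode or user-mode, and prints a summary that can be
# compared against what MDE Advanced Hunting returns for the same device.
# Run in an elevated PowerShell session on the test machine.

$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'

# One XPath filter reused in three places: locally here, in a WEF
# subscription <Query Path="..."> element, and in an AMA Data Collection Rule.
# 3076 = audit-mode "would have blocked", 3077 = enforced block,
# 3033 = signing-level failure (listed in the reply above; it carries no
# "SI Signing Scenario" field, so it is reported below as Mode = Unknown).
$XPath = '*[System[(EventID=3076 or EventID=3077 or EventID=3033)]]'

# The same filter in the "<log>!<xpath>" form a DCR's windowsEventLogs.xPathQueries expects.
$DcrXPath = "$LogName!$XPath"

function Get-CodeIntegrityEvent {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # assumed default window
        [int]$MaxEvents = 5000                        # assumed cap, newest first
    )

    $raw = Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $raw) {
        if ($e.TimeCreated -lt $Since) { continue }

        # EventData is a list of <Data Name="...">value</Data>; flatten it to a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # "SI Signing Scenario": 0 = kernel-mode (driver) load, 1 = user-mode load.
        $scenario = [string]$data['SI Signing Scenario']
        $mode = if ($scenario -eq '0') { 'Kernel' } elseif ($scenario -eq '1') { 'User' } else { 'Unknown' }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Mode        = $mode
            FileName    = $data['File Name']
            ProcessName = $data['Process Name']
            PolicyName  = $data['PolicyName']
            PolicyGuid  = $data['PolicyGUID']
            ActivityId  = $e.ActivityId   # joins to the matching 3089 signature-detail event
        }
    }
}

$ci = Get-CodeIntegrityEvent

# Counts per mode and event ID. If Kernel rows exist here but Advanced Hunting
# returns only the User rows for this device, the gap described in the thread is confirmed.
$ci | Group-Object Mode, EventId | Select-Object Count, Name | Sort-Object Name

# Kernel-mode hits only, newest first, with the policy that produced them.
$ci | Where-Object Mode -eq 'Kernel' |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, EventId, FileName, PolicyName -AutoSize

"XPath for a WEF subscription / AMA DCR: $DcrXPath"
```

To reproduce the comparison from the original post, run the script on the test device, then in Advanced Hunting query `DeviceEvents | where DeviceName startswith "<hostname>" | where ActionType startswith "AppControlCodeIntegrity"` (the ActionType prefix MDE uses for its Code Integrity events) and check whether any of the FileName values from the Kernel rows appear in the portal results. Paste the printed `$DcrXPath` string into the `xPathQueries` array of an AMA data collection rule, or the bare `$XPath` into a WEF subscription query for that log, to start forwarding the same set of events centrally.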
Warren212 (Copper Contributor):
Thanks for the reply. I will try submitting feedback, as this would be required to deploy to an estate of 15,000 devices.