Share via

CFA Audit mode

Nayak, Jitendra 0 Reputation points
2026-04-06T18:18:53.6866667+00:00

Controlled Folder Access has been deployed via SCCM in Audit mode, reflected internally as value **4

Could you please confirm what should be the value for audit?**

Microsoft Security | Intune | Configuration Manager | Other

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Prathista Ilango 1,075 Reputation points Microsoft Employee
    2026-04-08T13:32:09.14+00:00

    Hello Nayak, Jitendra,

    4 is Audit disk modification only.

    Refer to: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#enablecontrolledfolderaccess
    The equivalent SCCM policy setting would be - Audit disk sectors only. Refer to: https://learn.microsoft.com/en-us/intune/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy#bkmk_CFA

    Hope this helps!

    If you found the information above helpful, please Click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

    Was this answer helpful?

  2. AI answer

    2026-04-06T18:19:03.57+00:00

    For Controlled Folder Access, the numeric values for the EnableControlledFolderAccess rule state are:

    • 0 = Disabled (Off)
    • 1 = Enabled (Block mode)
    • 2 = Audit mode

    So the correct value for Audit mode is 2.

    Note: In some management tools (such as Configuration Manager/Intune), additional internal or UI-specific values can appear, but per the documented CFA rule states, Audit mode corresponds to value 2.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.