Hi @Boopathi S ,
On one side of sccm, there may be no logs on the details of the reduction of the attack surface, more of endpoint protection.
Yes, you are right. It is suggested to check event viewer. When the user is performing an action that is not allowed as per rule, but set in Audit mode, an entry will be logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1122. The same action will be logged as Event ID 1121 if the rule is set to Block the action. In this case the user will also see a notification that the action has been blocked.
Here is the screenshot we could refer to:
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.