Event ID 3076 and 3077 — CodeIntegrity driver audit and enforcement

Open Event Viewer and navigate to:

Applications and Services Logs → Microsoft → Windows → CodeIntegrity → Operational

Right-click the log and choose Filter Current Log. Enter 3076 or 3077 in the Event ID field. You can filter for both at once by entering 3076,3077.

Click on a 3076 or 3077 event to expand it. In the Details tab (switch to XML view for the cleanest read), look for the File Name field — it contains the full Windows device-object path to the blocked driver, for example:

\Device\HarddiskVolume3\Windows\System32\drivers\example.sys

The last segment is the driver filename. Cross-reference it against the device in Device Manager or the application logs of the software that stopped working.

The event also includes a Policy GUID (under PolicyGuid in the XML). This identifies which code integrity policy triggered the block. For drivers blocked by the Vulnerable Driver Blocklist via KB5083769, the policy GUID will match Microsoft's driver block policy; consult Microsoft's recommended driver block rules to confirm.

The Windows Driver Policy document describes the transition mechanic. After KB5083769 installs:

1. The policy enters audit mode. Affected drivers still load. Event 3076 is logged on each load attempt.
2. After approximately 100 hours of active system uptime and 3 reboots (2 on Windows Server), the policy transitions to enforcement mode automatically.
3. From enforcement onward, the driver is blocked. Event 3077 is logged. The device or application that depends on the driver stops functioning.

For machines that received KB5083769 in April 2026, the transition has almost certainly already occurred. Systems seeing 3076 now likely received the update recently (e.g., through a delayed update cycle or a fresh Windows install).

If the File Name in the event belongs to a USB peripheral — a lab instrument, measurement device, programmer, legacy dongle, or custom USB hardware — and the vendor is not actively maintaining the driver, the WinUSB-rebind path is a viable engineering remediation.

The approach replaces the vendor's kernel driver with Microsoft's in-box winusb.sys and a user-mode implementation of the device protocol. No kernel signing, no WDAC policy edits.

The decision tree checks the seven conditions that determine whether your specific device is a rebind candidate. It takes about two minutes and produces a clear verdict.

The pattern page explains the full technical approach — INF, user-mode protocol shim, and scheduled-task persistence.

The WinUSB-rebind pattern only applies to USB device drivers. If the blocked driver is:

• A backup software driver (e.g., psmounterex.sys used by Macrium Reflect, Acronis, NinjaOne, UrBackup) — the fix comes from the vendor. Check the vendor's support site for an updated version with a re-signed driver.
• A filesystem, storage, or network driver— these require vendor re-signing through Microsoft's Partner Center attestation, or a WDAC policy change processed through your Change Advisory Board.
• A driver in a regulated or safety-critical environment— follow your organisation's change management process. The supported path is vendor re-signing, not a workaround toolkit.

• The Windows Driver Policy — Microsoft Support — audit/enforcement mechanic, transition threshold, Event IDs 3076 and 3077
• April 2026 Windows security updates introduce protections to known vulnerable kernel drivers — Microsoft Support — KB5083769 affected driver list
• Microsoft recommended driver block rules — Microsoft Learn — full Vulnerable Driver Blocklist with policy GUIDs
• WinUSB Installation — Microsoft Learn — INF generation for winusb.sys binding