Hello and Merry Christmas,
I want to be notified via the Security event log when a new registry key is created under the following branch and some others:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
What I first did was activate auditing via GPO.
So far, so clear; no problems.
Now I configured a new GPO with the System access control lists (SACLs) and Discretionary access control lists (DACLs). The problem is I do not want to configure any DACLs. I just want to configure SACLs for audit and want the DACLs on the configured servers untouched.
Here is my configuration of the second GPO.
My problem is I cannot find a way to configure just the audit part in the GPO (red part in the screenshot) without setting any DACLs (green part in the screenshot):