Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune

Key Takeaways:

  • Helps detect log-filling attacks.
  • Prevents the loss of new security data.
  • Prevents emergency shutdowns in high-security environments.
  • Allows SIEMs (like Sentinel) to trigger tickets based on Event ID 1104.

Let’s discuss how to enable the percentage threshold for the Security Event Log at which the system will generate a warning, using Intune. This setting tells the system to monitor the capacity of the Security Event Log. When the log file reaches the specified percentage (e.g., 90%), the system generates a warning event (Event ID 1104).

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune

Admins can configure this policy to act as an early warning system for the device’s security audit trail. Admins can choose from different percentage levels to get an alert before the log reaches 100%. This allows them to archive and clear the log so that critical security data is never missed or “dropped.”

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.1

Create Profile

Creating the profile is the next step after clicking the Create button. In this step you choose the platform and profile type. Here I configure the policy for the Windows 10 and later platform with the Settings catalog profile type. Then click the Create button.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.2

Beginning Step

The Basics tab is the first tab, used to add a Name and Description for the policy. This is an important step because it gives your policy an identity. Name is mandatory and Description is optional. After adding these, click the Next button.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.3

Configuration Tab for Selecting Setting

The Configuration tab is the crucial step, where you choose a setting from the different categories available in the Microsoft Intune portal. Click +Add settings on the Configuration Settings tab, then browse to Administrative Templates\MSS (Legacy) and select MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.4

Disable Percentage Threshold for Security Event Log at which System will Generate a Warning

By default, this policy is disabled. If you want to keep this value, click the Next button to continue. If logs are streamed in real time to the cloud, the local log filling up is less of a risk.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.5

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning

By enabling this policy, admins can ensure that an attacker cannot “roll” the logs (fill them with junk data to overwrite evidence of their entry) without an alert being triggered immediately. After enabling this policy, you can choose the percentage level at which to get the warning.

Percentage Value | Details
50% | Get Warning level at 50%
60% | Get Warning level at 60%
70% | Get Warning level at 70%
80% | Get Warning level at 80%
90% | Get Warning level at 90% (most recommended)
Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Table.1
Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.6

Scope Tags

The next section is Scope tags, which is not a compulsory step. It helps to assign this policy to a defined group of users or devices. Here, I skip the section and click the Next button.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.7

Assignments

The next step is Assignments. In this section, you specify which group the policy should be applied to. Because our aim is to deploy this policy to a specific group, this step is essential. Look for the Add Groups option under the Include Groups section and click on it.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.8

Review + Create Tab

Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.9

Device and User Check in Status

After creating the policy, check whether it was applied successfully. You can either wait up to 8 hours for the policy to apply automatically, or reduce the waiting time by manually syncing the policy through the Company Portal.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.10

Event Viewer Details

Event Viewer lets you verify the policy status on the client side. On the client device, go to Start > Event Viewer. In the left pane, navigate to Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

Event Viewer Details
MDM PolicyManager: Set policy string, Policy: (Pol_MSS_WarningLevel), Area: (ADMX_MSS-legacy), EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User: (Device), String: (), Enrollment Type: (0x6), Scope: (0x0).
Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Table.2
Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.11
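
The same client-side check can be scripted. The PowerShell below is an added example, not part of the original post: it looks for the Pol_MSS_WarningLevel entry in the MDM admin log, compares the Security log's current size with the chosen threshold, and lists recent Event ID 1104 warnings. The 90% threshold and the 5000-event scan depth are assumptions; adjust them to match your policy.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
$ThresholdPercent = 90      # assumption: the warning level selected in the Intune policy
$MaxMdmEvents     = 5000    # assumption: how far back to scan the MDM admin log
$MdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# 1. Has the MDM client processed the policy? Match the policy name shown in the event text.
$policyEvent = Get-WinEvent -LogName $MdmLog -MaxEvents $MaxMdmEvents -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Pol_MSS_WarningLevel' } |
    Select-Object -First 1

# 2. How full is the Security log, and what does it do when it reaches its maximum size?
$sec = Get-WinEvent -ListLog Security
$usedPercent = if ($sec.MaximumSizeInBytes -gt 0) {
    [math]::Round(100 * $sec.FileSize / $sec.MaximumSizeInBytes, 1)
} else { $null }

# 3. Most recent warning events (Event ID 1104, the ID given in this article).
$warnings = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue)

# Summary object: easy to read on screen or to export from a remediation script.
[pscustomobject]@{
    PolicySeenInMdmLog = [bool]$policyEvent
    PolicyEventTime    = $policyEvent.TimeCreated
    SecurityLogMode    = $sec.LogMode          # Circular, AutoBackup or Retain
    SecurityLogUsedPct = $usedPercent
    ThresholdPct       = $ThresholdPercent
    AtOrAboveThreshold = ($usedPercent -ge $ThresholdPercent)
    RecentWarningCount = $warnings.Count
    LastWarningTime    = ($warnings | Select-Object -First 1).TimeCreated
}
```

A device that reports AtOrAboveThreshold as True with a RecentWarningCount of 0 has not raised the warning described above and is worth checking for policy delivery.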

Removing the Assigned Group from Percentage Threshold for Security Event Log at which System will Generate a Warning Settings

If you want to remove the assigned group from the policy, you can do so from the Intune Portal. Open the policy in the Intune Portal, edit the Assignments tab, and then remove the policy.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.12

How to Delete Percentage Threshold for Security Event Log at which System will Generate a Warning

You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.13

Windows CSP Details

Percentage threshold for the security event log at which the system will generate a warning. This policy is applicable for Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later, Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later, Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later, Windows 11, version 21H2 [10.0.22000] and later.

Enable Percentage Threshold for Security Event Log at which System will Generate a Warning using Intune – Fig.14

Author

Anoop C Nair has been Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22+ years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM,  Windows, Cloud PC,  Windows, Entra, Microsoft Security, Career, etc.