This post aims to explore and gain knowledge about how to Control Event Log Behavior Using Intune. Our objective is to Control Event Log Behavior when the log file reaches its maximum size by utilizing the Configuration Profiles available in Intune.
Control Event Log Behavior using Intune policy setting manages the behavior of the Event Log when the log file reaches its maximum size. Enabling this policy setting results in new events not being written to the log and getting lost when a log file reaches its maximum size.
Disabling or not configuring this policy setting allows new events to overwrite old events when a log file reaches its maximum size. Please note that the retention of old events depends on the configuration of the “Backup log automatically when full” policy setting.
It’s worth noting that the behavior of retaining old events when a log file is full may depend on the configuration of the “Backup log automatically when full” policy setting. This separate policy setting determines whether the log file is automatically backed up when it reaches its maximum size, allowing the retention of old events.
By understanding and configuring this policy setting, you can control how the Event Log behaves when its log file reaches its maximum size, ensuring the appropriate handling of new events and managing the retention of old events based on your organization’s requirements.
Windows CSP Details ControlEventLogBehavior
Let’s go through Windows CSP Details for this Policy setting ControlEventLogBehavior. If you enable this policy setting, when a log file reaches its maximum size, new events will not be written to the log. This means that any new events generated after reaching the maximum size will be lost. It’s important to consider this potential data loss when enabling this policy.
If you disable or do not configure this policy setting, the default behavior is for new events to overwrite old events when a log file reaches its maximum size. This means that when the log file is full, new events will replace the oldest events in the log.
CSP URI – ./Device/Vendor/MSFT/Policy/Config/EventLogService/ControlEventLogBehavior
Control Event Log Behavior using Intune
To create Control Event Log Behavior Using Intune, follow the steps stated below:
- Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
- Select Devices > Windows > Configuration profiles > Create a profile.
In Create Profile, Select Windows 10 and later in Platform, and Select Profile Type as Settings catalog. Click on Create button.
|Windows 10 and later||Settings Catalog|
On the Basics tab pane, provide a name for the policy as “Control Event Log Behavior when the log file reaches its maximum size Policy.” Optionally, you can enter a description for the policy and then proceed by selecting “Next.”
Now in Configuration settings, click Add Settings to browse or search the catalog for the settings you want to configure.
In the Settings Picker windows, search by the keyword Control Event Log, among many, you will see Administrative Templates\Windows Components\Event Log Service\Application, and select this.
When you select the option as stated above, you will see only one setting, which is Control Event Log behavior when the log file reaches its maximum size. After selecting your setting, click the cross mark in the right-hand corner.
Now, in the Administrative Templates, Disabled the Control Event Log behavior when the log file reaches its maximum size, as shown below in the image.
Using Scope tags, you can assign a tag to filter the profile to specific IT groups. One can add scope tags (if required) and click Next to continue. Now in Assignments, in Included Groups, you need to click on Add Groups, choose Select Groups to include one or more groups, and click Next to continue.
In the Review + Create tab, you need to review your settings. After clicking on Create, your changes are saved, and the profile is assigned.
An automatic notification will be displayed in the top right-hand corner to indicate the successful creation of the “Control Event Log behavior when the log file reaches its maximum size Policy.” Additionally, you can verify its presence by checking the Configuration Profiles list, where the policy will be clearly visible.
Your groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.
Intune Report for Control Event Log Behavior Policy
To monitor the assignment of the policy, you must choose the appropriate policy from the list of Configuration Profiles. You can check the device and user check-in status to see if the policy has been successfully applied. If you wish to view more information, you can click on “View Report” to see additional details.
Intune MDM Event Log
To ascertain the successful application of String or integer policies on Windows 10 or 11 devices using Intune, event IDs 813 and 814 can be utilized. By analyzing these event IDs, you can identify both the policy’s application status and the specific value associated with the applied policy on those devices. For this specific policy, the value is a string and is associated with event ID 814.
To confirm this, you can check the Event log path – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.
MDM PolicyManager: Set policy string, Policy: (ControlEventLogBehavior), Area: (EventLogService), EnrollmentID requesting merge: (E874113F-6CF1-4718-8730-0553BDF7C4AC), Current User: (Device), String: (<disabled/>), Enrollment Type: (0x6), Scope: (0x0).
Upon examining the above-mentioned log in the Event Viewer, you will discover crucial details such as the Area and Enrollment ID. These pieces of information are instrumental in identifying the registry path. To find the relevant information, kindly refer to the table provided below:
The information provided in the above table for Control Event Log Behavior Using Intune can be utilized to access the registry settings storing group policy configurations on a target computer. By running “REGEDIT.exe” on the target computer, you can navigate to the specific registry path where these settings are stored.
When you navigate to the above path in the Registry Editor, you will find the registry key with the name ControlEventLogBehavior. Refer to the table and image below.
Abhinav Rana is working as an SCCM Admin. He loves to help the community by sharing his knowledge. He is a B.Tech graduate in Information Technology.