Policy CSP - ADMX_EventLog
Tip
This CSP contains ADMX-backed policies, which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see Understanding ADMX-backed policies.
The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see CDATA Sections.
Channel_Log_AutoBackup_1
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_1
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_AutoBackup_1 |
Friendly Name | Back up log automatically when full |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Application |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application |
Registry Value Name | AutoBackupLogFiles |
ADMX File Name | EventLog.admx |
Channel_Log_AutoBackup_2
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_2
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_AutoBackup_2 |
Friendly Name | Back up log automatically when full |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Security |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security |
Registry Value Name | AutoBackupLogFiles |
ADMX File Name | EventLog.admx |
Channel_Log_AutoBackup_3
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_3
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_AutoBackup_3 |
Friendly Name | Back up log automatically when full |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Setup |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup |
Registry Value Name | AutoBackupLogFiles |
ADMX File Name | EventLog.admx |
Channel_Log_AutoBackup_4
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_AutoBackup_4
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it's full. A new file is then started.
If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
If you don't configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_AutoBackup_4 |
Friendly Name | Back up log automatically when full |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > System |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System |
Registry Value Name | AutoBackupLogFiles |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_1
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_1
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string.
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log.
Note
If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_1 |
Friendly Name | Configure log access |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Application |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_2
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_2
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only those users whose security descriptor matches the configured value can access the log.
If you disable or don't configure this policy setting, only system software and administrators can read or clear this log.
Note
If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_2 |
Friendly Name | Configure log access |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Security |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_3
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_3
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string.
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable or don't configure this policy setting, all authenticated users and system services can write, read, or clear this log.
Note
If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_3 |
Friendly Name | Configure log access |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Setup |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_4
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_4
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only users whose security descriptor matches the configured value can access the log.
If you disable or don't configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it.
Note
If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_4 |
Friendly Name | Configure log access |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > System |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_5
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_5
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable this policy setting, all authenticated users and system services can write, read, or clear this log.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_5 |
Friendly Name | Configure log access (legacy) |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Application |
Registry Key Name | System\CurrentControlSet\Services\EventLog\Application |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_6
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_6
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You can't configure write permissions for this log.
If you enable this policy setting, only those users whose security descriptor matches the configured value can access the log.
If you disable this policy setting, only system software and administrators can read or clear this log.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_6 |
Friendly Name | Configure log access (legacy) |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Security |
Registry Key Name | System\CurrentControlSet\Services\EventLog\Security |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_7
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_7
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect both modern and legacy tools.
If you enable this policy setting, only those users matching the security descriptor can access the log.
If you disable this policy setting, all authenticated users and system services can write, read, or clear this log.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_7 |
Friendly Name | Configure log access (legacy) |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Setup |
Registry Key Name | System\CurrentControlSet\Services\EventLog\Setup |
ADMX File Name | EventLog.admx |
Channel_Log_FileLogAccess_8
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_FileLogAccess_8
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string.
If you enable this policy setting, only users whose security descriptor matches the configured value can access the log.
If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it.
If you don't configure this policy setting, the previous policy setting configuration remains in effect.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_FileLogAccess_8 |
Friendly Name | Configure log access (legacy) |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > System |
Registry Key Name | System\CurrentControlSet\Services\EventLog\System |
ADMX File Name | EventLog.admx |
Channel_Log_Retention_2
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_2
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note
Old events may or may not be retained according to the "Back up log automatically when full" policy setting.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_Retention_2 |
Friendly Name | Control Event Log behavior when the log file reaches its maximum size |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Security |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security |
Registry Value Name | Retention |
ADMX File Name | EventLog.admx |
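The SyncML format from the tip at the top of this page, applied to the Security channel's Retention and AutoBackup policies; this is an added example, not Microsoft's code. It assumes the standard ADMX-backed `<enabled/>` payload for policies without data elements, and all function names are hypothetical. It shows that the XML-encoded and CDATA forms decode to the same payload, and it flags a profile that enables retention without automatic backup, where new events are lost once the log is full.

```python
# Added example (not from the original page): build and check SyncML for
# ADMX-backed ADMX_EventLog policies. Function names are hypothetical.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "SYNCML:SYNCML1.2"
BASE = "./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/"

# Policy names as listed on this page (suffix 2 = Security channel).
SECURITY_RETENTION = "Channel_Log_Retention_2"
SECURITY_AUTOBACKUP = "Channel_Log_AutoBackup_2"
ENABLED = "<enabled/>"  # assumed standard ADMX-backed "enable" payload


def replace_item(cmd_id, policy, payload, use_cdata=False):
    """Return one <Replace> command that sets `policy` to `payload`."""
    if use_cdata:
        if "]]>" in payload:
            raise ValueError("payload contains ']]>' and cannot sit in one CDATA section")
        data = f"<![CDATA[{payload}]]>"
    else:
        data = escape(payload)  # XML-encode: & < > become entities
    return (
        "<Replace>"
        f"<CmdID>{int(cmd_id)}</CmdID>"
        "<Item>"
        "<Meta><Format>chr</Format></Meta>"  # data type required by this CSP
        f"<Target><LocURI>{escape(BASE + policy)}</LocURI></Target>"
        f"<Data>{data}</Data>"
        "</Item>"
        "</Replace>"
    )


def syncml(commands):
    """Wrap commands in a SyncML envelope."""
    return f'<SyncML xmlns="{NS}"><SyncBody>{"".join(commands)}<Final/></SyncBody></SyncML>'


def decode(document):
    """Parse a SyncML document and return {policy name: decoded payload}."""
    root = ET.fromstring(document)
    out = {}
    for item in root.iter(f"{{{NS}}}Item"):
        uri = item.findtext(f"{{{NS}}}Target/{{{NS}}}LocURI")
        fmt = item.findtext(f"{{{NS}}}Meta/{{{NS}}}Format")
        if uri is None or fmt != "chr":
            raise ValueError("item lacks a LocURI or <Format>chr</Format>")
        data = item.findtext(f"{{{NS}}}Data", default="")
        out[uri.rsplit("/", 1)[1]] = data.strip()
    return out


def full_log_behavior(payloads, retention=SECURITY_RETENTION,
                      autobackup=SECURITY_AUTOBACKUP):
    """Classify what happens when the log reaches its maximum size,
    following the Retention and AutoBackup descriptions on this page."""
    retain = payloads.get(retention) == ENABLED
    backup = payloads.get(autobackup) == ENABLED
    if not retain:
        return "overwrite-oldest"      # new events overwrite old events
    if backup:
        return "archive-and-rotate"    # file closed, renamed, new file started
    return "drop-new-events"           # new events discarded: a detection gap


if __name__ == "__main__":
    encoded = syncml([
        replace_item(1, SECURITY_RETENTION, ENABLED),
        replace_item(2, SECURITY_AUTOBACKUP, ENABLED),
    ])
    cdata = syncml([
        replace_item(1, SECURITY_RETENTION, ENABLED, use_cdata=True),
        replace_item(2, SECURITY_AUTOBACKUP, ENABLED, use_cdata=True),
    ])
    retention_only = syncml([replace_item(1, SECURITY_RETENTION, ENABLED)])

    print(encoded)
    print(cdata)
    for name, doc in (("encoded", encoded), ("cdata", cdata),
                      ("retention only", retention_only)):
        print(name, "->", full_log_behavior(decode(doc)))
```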
Channel_Log_Retention_3
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_3
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note
Old events may or may not be retained according to the "Back up log automatically when full" policy setting.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_Retention_3 |
Friendly Name | Control Event Log behavior when the log file reaches its maximum size |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Setup |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup |
Registry Value Name | Retention |
ADMX File Name | EventLog.admx |
Channel_Log_Retention_4
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_Log_Retention_4
This policy setting controls Event Log behavior when the log file reaches its maximum size.
If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost.
If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
Note
Old events may or may not be retained according to the "Back up log automatically when full" policy setting.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_Log_Retention_4 |
Friendly Name | Control Event Log behavior when the log file reaches its maximum size |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > System |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System |
Registry Value Name | Retention |
ADMX File Name | EventLog.admx |
Channel_LogEnabled
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogEnabled
This policy setting turns on logging.
If you enable or don't configure this policy setting, then events can be written to this log.
If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_LogEnabled |
Friendly Name | Turn on logging |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Setup |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup |
Registry Value Name | Enabled |
ADMX File Name | EventLog.admx |
Channel_LogFilePath_1
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_1
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_LogFilePath_1 |
Friendly Name | Control the location of the log file |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Application |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Application |
ADMX File Name | EventLog.admx |
Channel_LogFilePath_2
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_2
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_LogFilePath_2 |
Friendly Name | Control the location of the log file |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Security |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Security |
ADMX File Name | EventLog.admx |
Channel_LogFilePath_3
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_3
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_LogFilePath_3 |
Friendly Name | Control the location of the log file |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Setup |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup |
ADMX File Name | EventLog.admx |
Channel_LogFilePath_4
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogFilePath_4
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
If you enable this policy setting, the Event Log uses the path specified in this policy setting.
If you disable or don't configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_LogFilePath_4 |
Friendly Name | Control the location of the log file |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > System |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\System |
ADMX File Name | EventLog.admx |
Channel_LogMaxSize_3
Scope | Editions | Applicable OS |
---|---|---|
✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 2004 with KB5005101 [10.0.19041.1202] and later ✅ Windows 10, version 20H2 with KB5005101 [10.0.19042.1202] and later ✅ Windows 10, version 21H1 with KB5005101 [10.0.19043.1202] and later ✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/ADMX_EventLog/Channel_LogMaxSize_3
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments.
If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
Description framework properties:
Property name | Property value |
---|---|
Format | chr (string) |
Access Type | Add, Delete, Get, Replace |
Tip
This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to Enabling a policy.
ADMX mapping:
Name | Value |
---|---|
Name | Channel_LogMaxSize_3 |
Friendly Name | Specify the maximum log file size (KB) |
Location | Computer Configuration |
Path | Windows Components > Event Log Service > Setup |
Registry Key Name | Software\Policies\Microsoft\Windows\EventLog\Setup |
ADMX File Name | EventLog.admx |