Have the customer set the boot logs to write, this will only create 3 events when a machine is rebooted normally or to safe mode. The shutdown event and two boot up events.
To turn on boot logging:
1. Press Win+R to summon the Run dialog box
2. Type msconfig and press enter
3. Click on the Boot tab
4. Check the box called Boot Log
To turn on the logs will require a reboot.
Once rebooted you will see the events in the System event logs.
Here is an example of the events, The BootMode section shows the state of the OS. 0 is normal boot, 1,2 and 3 are safe mode.
Once these events are in the Event Logs then the customer can edit their policy to watch for these events.
**There is also the option to disable SafeBoot on the device. This can be done multiple ways per OS, please check with your documentation to disable this if that is a preferred.