SCSP/DCS Server Advanced - Tracking When a Windows Machine Goes into Safe Mode
Article ID: 161964

Updated On:

Products

Critical System Protection, Data Center Security Monitoring Edition, Data Center Security Server, Critical System Protection Client Edition, Data Center Security Server Advanced

Issue/Introduction

The customer is unable to track when a device was booted into safe mode. They need to track this for security purposes.

Cause

Windows does not track boot mode by default.

Resolution

Have the customer enable Windows boot logging. This adds only three events each time a machine is rebooted, whether normally or into safe mode: the shutdown event and two boot-up events.

To turn on boot logging:

  1. Press Win+R to open the Run dialog box.
  2. Type msconfig and press Enter.
  3. Click on the Boot tab.
  4. Check the box labeled Boot Log.
  5. Reboot the machine; boot logging takes effect on the next boot.

Once rebooted, you will see the events in the System event logs.

Here is an example of the events. The BootMode field shows the state of the OS: 0 is a normal boot, and 1, 2, and 3 indicate a safe mode boot.

Once these events appear in the System event log, the customer can edit their SCSP/DCS policy to watch for them.
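Before writing the policy rule, it helps to confirm which boot events carry the BootMode field on the monitored host. The PowerShell function below is an added example, not part of the article or the product; it assumes the boot-up event that carries BootMode is Event ID 12 from the Microsoft-Windows-Kernel-General provider, which the article does not name.

```powershell
# Added example: list boot events from the System log and flag safe-mode boots.
# Assumption (not stated in the article): the boot event carrying the BootMode
# field is Event ID 12 from the Microsoft-Windows-Kernel-General provider.
function Get-BootModeEvents {
    param(
        [int]$MaxEvents = 50   # how many of the most recent boot events to inspect
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 12
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the raw event XML so the named EventData field can be pulled out directly.
        [xml]$x = $e.ToXml()
        $raw = $x.Event.EventData.Data |
            Where-Object { $_.Name -eq 'BootMode' } |
            Select-Object -First 1 -ExpandProperty '#text'
        if ($null -eq $raw) { continue }   # event without a BootMode field: skip it

        $bootMode = [int]$raw
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            BootMode    = $bootMode
            # Per the article: 0 is a normal boot, 1/2/3 are safe mode variants.
            IsSafeMode  = ($bootMode -ne 0)
        }
    }
}

# Show every safe-mode boot recorded since boot logging was enabled.
Get-BootModeEvents | Where-Object IsSafeMode | Format-Table -AutoSize
```

The objects returned can be compared against the raw events the policy matches on, so the rule is written against the field name and values actually present on that host.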

There is also the option to disable SafeBoot on the device. This can be done in multiple ways depending on the OS; check the OS documentation for the appropriate procedure if that is the preferred approach.