Policy
Limit remote access to the Event Log Service
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows11
This policy setting controls which remote users will be allowed to connect to the Event Log service on this machine. If you enable this policy, you can restrict which group remote users must be a member of in order to connect to the Event Log Service on this machine. You can require that remote users be a member of one of the following builtin groups: • Authenticated Users • EventLog Readers • Administrators If you disable or do not configure this policy, the default value will be Authenticated Users. For prior versions of Windows, only Authenticated Users was supported. To maintain backwards compatability, local connections to the service will always be allowed from Authenticated Users. This setting does not control access to individual logs. Once a remote connection is allowed, it will still need access to the specific resources it is attempting to use.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\Software\Policies\Microsoft\Windows\EventLog\EnableRemoteRpcAccessRestrictions | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Pick one of the following settings: ID RpcAccess_Remote_Setting | enum | HKLM\Software\Policies\Microsoft\Windows\EventLog\RpcAccess_Remote_Setting Type REG_DWORD | Options: Authenticated Users (0), Event Log Readers (1), Administrators (2) |