How To Enable Shutdown Event Tracker in Windows
In this article, you’ll learn how to enable shutdown event tracker in Windows 10 or Windows 11. When the Shutdown Event Tracker is enabled in Windows, users cannot restart or shut down the computer without giving a reason. This helps you log the details of why the computer restart was done with a valid reason.
Shutdown Event Tracker is a feature that you can use to track the reason for system shutdowns. You can then use this information to analyze shutdowns and to develop a more comprehensive understanding of your system environment.
A common misconception is that Windows servers are the only devices that can display the shutdown event tracker. This is not true. Even for client OS like Windows 10, Windows 11, you can enable shutdown event tracker.
By default, Windows 10 or Windows 11 doesn’t display the shutdown event tracker. You have to enable the local policy to display the event tracker during shutdown action. When you attempt to shut down your Windows 11 computer, notice that the shutdown options appear when you press Alt+F4, but the event tracker is not displayed.
Listed below are some useful guides that might be of your interest.
- Configure Shutdown Event Tracker on Local Computer
- Disable or Prevent Shutdown Option using Group Policy
- Quickly Turn Off Auto-Shutdown of Azure VM
- How to Auto Shutdown Azure Virtual Machines
Should I enable Shutdown Event Tracker?
In some of the organizations, the IT team closely monitors the reasons for shutdowns and restarts. For example, you can find who restarted Windows server using event logs.
When you have a team of system admins managing Windows Servers, restarting the server is a common troubleshooting step. To let other admins know why the server was restarted, displaying a shutdown event tracker is useful.
The user who logs in following the restart is prompted to provide a reason in the Shutdown Event Tracker in the event of a hardware malfunction or power outage.
I would recommend enabling the shutdown event tracker on Servers, especially the domain controllers which are very critical in your setup. Restarting the AD Domain Controllers should be typically performed during weekends and with a proper business approval. It is not mandatory to display the shutdown event tracker unless you want to keep a record of machines that were shutdown or restarted.
Where can I find the message that was entered in the shutdown event tracker, then? The Event Log can be used to retrieve the user-entered data.
Enable Shutdown Event Tracker in Windows
Perform the below steps to enable Shutdown Event Tracker in Windows:
- Use an account with administrative rights to log into a Windows 10 computer.
- Click on Start > Run. Enter Gpedit.msc into the text box and press the enter key.
- Expand Computer Configuration > Administrative Templates and click System.
- In the console pane, look for the policy setting Display Shutdown Event Tracker.
- Edit the policy settings and configure the shutdown event tracker.
To enable this policy setting, click Enabled.
Shutdown Event Tracker Options:
- Always: Displays shutdown event tracker during shutdown.
- Server Only: Displays a shutdown event tracker when you shut down a Windows Server.
- Workstation Only: Displays shutdown event tracker when you shut down a Windows workstation.
Select Always and click Apply and OK.
Launch the command prompt and run gpupdate /force. Now press Alt+F4 and you should see the Shutdown Event Tracker on the screen. The user can now select a valid option while restarting or shutting down the computer. A brief description or a note can be added in the comment box to indicate the purpose of the shutdown or restart.
From the below screenshot, we see how useful the Shutdown Event Tracker is especially on Windows Server and even on Windows 10.
I enabled this to prevent me from accidentally rebooting or shutting down a remote system when logging out from an RDP session.
This seems like the easiest way to annoy your end users. What possible data can be gleaned from this? We turn it off on servers first thing as they’re built, otherwise people just pick the first option and a . Or gibberish.
Seems about as useful as prompting a user with “why do you want to log in?” After they enter their creds.
It seems likely this wouldn’t be a solution for your entire domain, rather, unique scenarios: labs, 24/7 ops center with shared devices, financial devices such Bloomberg PCs, warehouse tablets operating SAP or an equivalent, etc. I see a lot of reasons why you wouldn’t want devices that should be up 24/7 to be shutdown. Forces someone to be accountable for their actions.