This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 57.99999999999999%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
In the most recent laptops that I installed the latest update of Windows 11 (22H2) every so often that I restart the computer I get the message "The security log on this system is full". I enter the event viewer with another credentials and choose the "Overwrite events" option but after a while it doesn't allow me to log in showing the same previous message and changing back to the "don't overwrite events" option.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 25%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Having similar issues where the Overwrite security logs keeps reverting causing non-privileged users not to be able to login to their machines. All users with the issue are on 22H2...fun times.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 85%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Getting the same issue.If anybody have a fix please provide.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 99%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Having this same issue on a new Windows 11 Surface.
We've cleared the logs, increased the maximum log size, and changed the settings to "Overwrite event as needed (oldest vents first)", but it just keeps reverting to "Do not overwrite events (Clear logs manually)".
We've also carried out a clean install of Windows and applied the latest updates, but the issue keeps resurfacing.
Really need a lasting fix as this new Surface is all but unusable for the end user.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 31%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
as a workaround I've configured a GPO for the settings of security event log and applied it to the affected machines. This seems to work.
However I agree that this is something Microsoft should look into.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 66%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
Hi Armin,
Can you write a little more about what GPO settings you configured? I already had retention set to overwrite at 7 days, but my single Windows 11 22H2 workstation continues to revert to "Do not overwrite events"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 62%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBD%3C/text%3E%3C/svg%3E)
Hi, please can you work me through how the GPO was created. and applied. I am fairly new in windows environment. I know to clear it manually and also to increase the log size. but using GPO will be a good work around.
Hi, I've created the GPO on an Domain-Controller of our companies Active Directory domain.
Her is a tutorial to create a GPO if you have an Active Directory:
https://www.windows-active-directory.com/create-enable-disable-gpo.html
Here is a tutorial if you do not have an Active Directory but want to make the setting ion your local computer only:
https://www.howtogeek.com/736545/how-to-open-the-group-policy-editor-on-windows/
The setting I configured was
Computer Configuration -> Policies -> Windows Settings -> Security Settings ->Event Log
MaximumLogSize = 40960 (Size in kilobytes, you my chose a different value)
AuditLogRetentionPeriod = As needed (will be set to 0)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 38%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHC%3C/text%3E%3C/svg%3E)
Hi All,
I am also experiencing the same issue with the new laptops we setup which are practically Windows 11 out of the box.
One thing I found out as a Fix is that if you set the following group policy to Disabled and do a gpupdate /force it changes to Overwrite events as needed on event viewer.
Go to Edit Group policy on the target computer
Select Computer Configuration > Administrative Templates > Windows Component > Event Log Service > Security > Control Event Log Behavior when the log file reaches its maximum size, Ser it to Disable.
For now my log size is 100096KB and is already reached to its maximum size but still the option on my Event Viewer is set to Overwrite events as needed with the above change I made.
Please try the Fix I suggested and let me know the results.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 99%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYK%3C/text%3E%3C/svg%3E)
Hi Hitesh,
I agree with your solution it works for workgroup machines if any GPO is deployed on domain machines for controlling these settings.
it's not working because GPO overwrites manual GPO settings.
We are also facing this issue let's explain the issue:
In the windows version, 22H2 GPO is not working because it's creating log files not the expected size during the duration of archiving time.
In Our infra we set GPO
Security logs file size: 512 MB
By days: 7 days.
now the logs file size reached 512 MB before 7 days and the mark doesn't override settings in the event viewer.
After updating policies.
Hi Yusuf Khan,
Thank you for your feedback on my solution.
I have the same issue, and when I found out this solution I applied on mine first and for past 4 months I havent faced this issue and my settings are still on Overwrites events as needed. My device is domain joined.
We also have same GPO settings on domain.
Please try the solution again and let me know how it works for you.
Thanks
Hitesh
I have tried above, and I will keep an eye out for it if it works.
Hello
You can try to check if you have the following policy enabled:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
If so, please consider disabling the policy.
You can also clear log, increase the maximum log size or let it overwrite older entries. Refer to: Start --> Run --> EVENTVWR.MSC --> Right click Security log, go to Properties. Then, you can clear log, increase maximum log size or choose “Overwrite events as needed (oldest events first).
Best Regards,
Wesley Li
Hi there,
we do have the same problem on different Computers with Win11 22H2. Regardless of the settings we make in even log's properties, the settings switch back to "do not overwrite" when the computer reboots. As a result the user cannot log it.
Any other ideas?
Armin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 49%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
We are also experiencing this error on our domain. So far, we've identified four machines with the issue, all running 22H2 (one was a clean install and the other three were upgrades). I think it's safe to say at this point that Microsoft needs to look into this. The fix posted does not apply to us; our domain functionality level is 2016 and we do not have that policy enabled on our DCs. I also came across a reddit post that had the same issue where they resolved it by upgrading their domain level to 2022, but that should not be a fix for a problem that clearly was introduced by 22H2. All of the machines were running 21H2 and had no issues until upgrading to 22H2 within the last two weeks, so something has triggered this for systems that are domain joined.