This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(307.2, 57.99999999999999%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
In the most recent laptops that I installed the latest update of Windows 11 (22H2) every so often that I restart the computer I get the message "The security log on this system is full". I enter the event viewer with another credentials and choose the "Overwrite events" option but after a while it doesn't allow me to log in showing the same previous message and changing back to the "don't overwrite events" option.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 25%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Having similar issues where the Overwrite security logs keeps reverting causing non-privileged users not to be able to login to their machines. All users with the issue are on 22H2...fun times.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 85%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
Getting the same issue.If anybody have a fix please provide.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 99%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Having this same issue on a new Windows 11 Surface.
We've cleared the logs, increased the maximum log size, and changed the settings to "Overwrite event as needed (oldest vents first)", but it just keeps reverting to "Do not overwrite events (Clear logs manually)".
We've also carried out a clean install of Windows and applied the latest updates, but the issue keeps resurfacing.
Really need a lasting fix as this new Surface is all but unusable for the end user.
Hi All,
Anyone get permanent solution for this issue. We are also facing the same when the windows 11 22H2 machine comes in Intune infra and the issue comes.
Please explain why this happening if anyone find the RCA.
Thanks,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 80%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
Also completely lost... Windows 11 22H2 reverts to "Do not overwrite events" after every reboot... So, we can basically brick a workstation for our non-admin users... by rebooting (allowing Windows to reboot, allowing Windows to reboot for an update, etc...)!?! What a nightmare.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 38%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHC%3C/text%3E%3C/svg%3E)
Hi Team,
Its almost been more than 20 days I still haven't experienced the issue again with the solution I posted in this forum. Please test it and let me know.
My GPO is set to overwrite for a rolling 15 days, and it isn't being respected at all on Windows 11 22H2 workstations.
Every reboot results in this:
@Hitesh Chaudhary , I did as you said, and disabled "Retention method for security log" in GPO. It seems your solution works, but I wouldn't really call it a solution... kind of defeats the purpose of "Group Policy..."
With GPO "Retention method for security log" disabled, reboots revert the setting to "Overwrite events as needed (oldest events first)", however, interestingly, gpupdate /force doesn't change the setting, only rebooting the workstation does (but perhaps this is due to the nature of event logs and maybe it only sets the event log policy once on boot/login, etc).
Having said all that, I am reverting my GPO settings back to their original settings. I shouldn't have to change GPO to align with an obvious bug... smh...
Hi Bill,
Do you find any root cause for this?
We are also facing this issue in windows 11 (22H2).
Our GPO settings:
By days || 7days
Size: 512 MB
Whether Microsoft will admit it or not (not listed at [https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2), it seems like a bug in 22H2.
Unfortunately, my "workaround" is to manually set "overwrite events as needed" on the security log every reboot... and one day I am hoping the issue will be fixed :/