Follow
Windows

How to Change Windows 11 Security Event Retention

Richard
Written by
Richard
Jul 2, 2022 Updated Apr 29, 2026 3 min read
How to Change Windows 11 Security Event Retention

This guide explains how to change how long Windows Security Protection history keeps a record of your past security events on Windows 11.

Understanding Windows 11 Protection History

Windows 11 Protection history is a built-in log that shows you what Microsoft Defender Antivirus has been doing to keep your computer safe. It tracks actions like blocking Potentially Unwanted Apps (PUA), quarantining suspicious files, and stopping malicious services. Think of it as a security diary for your PC.

Why check your Protection History?

You check this history to see if your antivirus has caught any threats recently. It helps you understand if a program you downloaded was blocked or if a file was moved to quarantine because it looked dangerous.

What happens when you review it?

Reviewing this list helps you spot false positives. A false positive happens when Windows Defender thinks a safe file is a virus. If you see something you know is safe, you can restore it from the quarantine list.

Quarantined vs. Blocked vs. Remediated

StatusMeaning
QuarantinedThe file is moved to a safe folder so it cannot run.
BlockedThe app or action was stopped before it could start.
RemediatedThe threat was cleaned or deleted by the antivirus.

How to Change Windows 11 Security Event Retention

By default, Windows keeps these records for 15 days. You can change this using PowerShell.

Note: You must have administrator privileges to perform these steps.

  1. Open the Start menu and search for PowerShell.
  2. Right-click it and select Run as administrator.
  3. To see your current setting, type the following command and press Enter:
PowerShell
Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay
Windows 11 Protection history overview screen

The default value is 15. To change the number of days, use this command format:

PowerShell
Set-MpPreference -ScanPurgeItemsAfterDelay <days>

Replace <days> with your preferred number. For example, to keep records for 100 days, type:

PowerShell
Set-MpPreference -ScanPurgeItemsAfterDelay 100
Changing Windows Security Protection history event logs

How to Manually Clear Protection History

Warning: Always back up your system before modifying system folders. Deleting these files will remove your visible history, but it does not remove the actual viruses or threats from your computer. The actual threats are already handled by the Windows Defender Service.

To clear the history manually, you must delete the contents of the detection folder. This requires administrator privileges.

  1. Open File Explorer and navigate to: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory
  2. You may need to enable ‘Hidden items’ in the View menu to see the ProgramData folder.
  3. Delete all files inside the DetectionHistory folder.

Summary

Windows 11 Protection history helps you monitor security events. You can change how long these logs are kept using the Set-MpPreference command in PowerShell. For more information on managing security, visit the official Microsoft Support website.” }

Why does Windows keep showing old threats in Protection History?

Windows keeps these records to provide an audit trail of security events. By default, it clears them every 15 days. If you see old threats, it is because the retention period is set to a high number or the system has not yet reached the automatic purge date.

Is it safe to delete the Protection History folder?

Yes, it is safe to delete the contents of the DetectionHistory folder. This action only clears the visual log of past events in the Windows Security app. It does not affect your computer’s actual security status or remove any active threats that are currently being managed.

Does clearing history remove the actual virus?

No, clearing the Protection history does not remove the actual virus or malware. The history is just a list of past actions. If a file was already quarantined or remediated, the threat is already neutralized. Clearing the list simply hides the record of that event from your view.

Was this guide helpful?

Tags: #Windows 11
Was this helpful?
Richard

About the Author

Richard

Tech Writer, IT Professional

Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.

📚 Related Tutorials

How to Clear Windows Security History in Windows 11
Windows How to Clear Windows Security History in Windows 11
How to Check Microsoft Defender Updates in Windows 11
Windows How to Check Microsoft Defender Updates in Windows 11
How to Access Protection History in Windows 11
Windows How to Access Protection History in Windows 11
How to Run Microsoft Defender Offline Scan on Windows 11
Windows How to Run Microsoft Defender Offline Scan on Windows 11

No comments yet — be the first to share your thoughts!

Leave a Comment

Your email address will not be published. Required fields are marked *