How to Change Windows 11 Security Event Retention

This guide explains how to change how long Windows Security Protection history keeps a record of your past security events on Windows 11.

The Protection history page in the Windows Security app tracks actions taken by Microsoft Defender Antivirus. This includes things like removing unwanted apps or blocking risky services.

Why change this? By default, Protection history only keeps these records for 15 days. If you want to look back further, you need to change this setting.

What happens when done? Your computer will keep these security logs for the exact number of days you choose. If you set it to zero, the records will never be deleted automatically.

Change Protection History Retention

You can adjust how long these events stay on your computer using PowerShell.

Note: You must have administrator privileges to perform these steps.

1. Open the Start menu and search for PowerShell.
2. Right-click it and select Run as administrator.
3. To see your current setting, type the following command and press Enter:

Get-MpPreference | Select-Object -Property ScanPurgeItemsAfterDelay

The default value is 15.

To change the number of days, use this command format:

Set-MpPreference -ScanPurgeItemsAfterDelay <days>

Replace <days> with your preferred number. For example, to keep records for 100 days, type:

Set-MpPreference -ScanPurgeItemsAfterDelay 100

Summary

Windows 11 automatically clears your Microsoft Defender security logs every 15 days. By using the PowerShell command Set-MpPreference -ScanPurgeItemsAfterDelay, you can customize this duration or stop the logs from being deleted entirely by setting the value to 0. This gives you more control over your security audit trails using PowerShell.