Windows 10 System Event Log Error 40

I have found error ID 40, with the description “The event logging service encountered an error when attempting to apply one or more policy settings.” is written to the System event log when the Group Policy setting “Specify the maximum log file size (KB)” under “Windows Components/Event Log Service/System” is configured (either enabled and set to a valid size or disabled).

Log Name:      System
Source:        Microsoft-Windows-Eventlog
Date:          2/18/2016 11:44:46 AM
Event ID:      40
Task Category: None
Level:         Error
Keywords:      Service availability
User:          LOCAL SERVICE
Computer:      mycomputer.mydomain.com
Description:
The event logging service encountered an error when attempting to apply one or more policy settings.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Eventlog" Guid="{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}" />
    <EventID>40</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000020000</Keywords>
    <TimeCreated SystemTime="2016-02-18T17:44:46.789855700Z" />
    <EventRecordID>1837</EventRecordID>
    <Correlation />
    <Execution ProcessID="1140" ThreadID="5600" />
    <Channel>System</Channel>
    <Computer>mycomputer.mydomain.com</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <UserData>
    <ChannelPolicyApplicationError xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
      <Error Code="5">
      </Error>
      <ChannelPath>
      </ChannelPath>
    </ChannelPolicyApplicationError>
  </UserData>
</Event>

The same error will appear when the Group Policy setting “Specify the maximum log file size (KB)” is configured under “Windows Components/Event Log Service/Application” or “Windows Components/Event Log Service/Security”.

Unfortunately, the SCM Windows 10 TH2 – Computer GPO (which I like to use as a baseline security GPO) sets the maximum log size for the Application, Security and System logs, and because disabling the setting in a GPO with a lower link order does not prevent the errors from appearing, I have to choose between changing the Microsoft security baseline GPO and living with the errors in the event log. I have decided to modify the GPO and set the three maximum log size settings to Not Configured, and then change the size of the System event log using the command “wevtutil sl System /ms:33554432”, the Application event log with “wevtutil sl Application /ms:33554432” and the Security event log with “wevtutil sl Security /ms:201326592” during the SCCM OSD task sequence.

The outcome is that the logs are configured to their recommended sizes, as specified in the SCM GPO, but GP is not enforcing the log size. I feel like this is an acceptable workaround, as it avoid the errors in the System event logs, sets the logs to the Microsoft-recommended size, and standard users will not be able to change the maximum log size via the Log Properties page.

Leave a Reply

Your email address will not be published. Required fields are marked *