For example when you need to troubleshot SceCli events.Event ID 1202 tells you to use:
FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
But, hey! There are no winlogon.log file!
This is by design :).
To create it, go to regedit and track following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Click the key ExtensionDebugLevel and enter 2 as a Data.
After refreshing AD policies with gpupdate you should see your winlogon.log file
