diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66f33653..deb6642c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,9 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Fixed
 
+* evolinux-base : Update PermitRootLogin task to work on Debian 11
+* evolinux-user : Update PermitRootLogin task to work on Debian 11
+
 ### Removed
 
 ### Security
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index df50d977..3e3d6add 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -91,7 +91,7 @@
 - name: disable SSH access for root
   replace:
     dest: /etc/ssh/sshd_config
-    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
+    regexp: '^#?PermitRootLogin (yes|without-password|prohibit-password)'
     replace: "PermitRootLogin no"
     validate: '/usr/sbin/sshd -t -f %s'
   notify: reload sshd
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index ac2fdf12..b0bf8b58 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -56,7 +56,7 @@
 - name: disable root login
   replace:
     dest: /etc/ssh/sshd_config
-    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
+    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
     replace: "PermitRootLogin no"
   notify: reload sshd
   when: evolinux_root_disable_ssh | bool