Remove From My Forums

Windows 10 1803 - Removable storage inspection does not work, the system does not generate 4663 events

Question
0

Sign in to vote

We are trying to set up a domain inspection of access to removable storage hubs using GPO. The policy is used on client computers running Windows 10 1803, but after connecting a swap device (pendrive) and copying any file, the system does not generate any 4663 events. On the other hand, events 4663 are generated eg when reading data from DVDs. For checking on one client, we installed Windows 10 1607 and events 4663 were logged in for a connected removable device (pendrive). Is there any additional configuration required on Windows 10 1803? I would ask for help in this matter.

Domain controllers: Windows Server Standard 2012 R2 and Windows Server Standard 2008 R2,

Enabled Security option: Audit: Force auditing policy subcategory settings to override Audit Policy category settings.

Client: Windows 10 Pro x64 1803

Thursday, September 20, 2018 9:08 AM

Answers

0

Sign in to vote
SteveJohnson_284 helps me.

To fix this issue, change the following registry value to 1 (DWORD):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotplugSecureOpen

Regards
- Marked as answer by Lukasz Handy Tuesday, December 11, 2018 12:31 PM
Thursday, November 15, 2018 1:46 PM

All replies

0

Sign in to vote

Hi Lukasz Handy,

Does the issue occur on multiple Windows 10 1803 devices?

If all the events occur correctly on Windows 10 1607 after you reproduct same action on Windows 10 1803, would you upload the event logs which genereted on Windows 10 1607 and Windows 10 1803 to One Drive and paste the link here for checking?

Bests,
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Friday, September 21, 2018 7:49 AM
0

Sign in to vote

Hi Joy-Qiao.
The problem occurs on all devices with the Windows 10 1709 and 1803 versions.
The equipment is from various manufacturers. Stackable computers and laptops. Also, portable devices (pendrives) are from different manufacturers.
All procedures were performed in accordance with Microsoft's recommendations.

Sending logs, in this case, will not do anything. Simply in 1607 events are generated and in 1709 and 1803 they are gone.

If you can help, confirm or deny that it works for you.

I think the problem is global and Microsoft pretends that it is not there.

Regards

Wednesday, September 26, 2018 5:32 AM
0

Sign in to vote
Hi Lukasz,

I would apologize for my late reply. As it is a specific issue on all specific system version, I recommend to feedback the issue through build-in "Feedback hub" application. I would appreciate for you action which can improve any aspect on Windows product.

Bests,

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Marked as answer by Lukasz Handy Thursday, October 18, 2018 8:00 AM
- Unmarked as answer by Lukasz Handy Thursday, October 18, 2018 8:03 AM
- Marked as answer by Lukasz Handy Thursday, October 18, 2018 8:03 AM
- Unmarked as answer by Lukasz Handy Thursday, November 15, 2018 1:43 PM
Thursday, October 18, 2018 6:39 AM
0

Sign in to vote

I did it

Regards

Thursday, October 18, 2018 8:00 AM
0

Sign in to vote
SteveJohnson_284 helps me.

To fix this issue, change the following registry value to 1 (DWORD):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotplugSecureOpen

Regards
- Marked as answer by Lukasz Handy Tuesday, December 11, 2018 12:31 PM
Thursday, November 15, 2018 1:46 PM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Windows 10 1803 - Removable storage inspection does not work, the system does not generate 4663 events

Question

Answers

All replies