locked
Windows 10 1809 - Removable storage inspection does not work, the system does not generate 4663 events. RRS feed

  • Question

  • We are trying to set up a domain inspection of access to removable storage hubs using GPO. The policy is used on client computers running Windows 10 1809, but after connecting a swap device (pendrive) and copying any file, the system does not generate any 4663 events. On the other hand, events 4663 are generated eg when reading data from DVDs. For checking on one client, we installed Windows 10 1607 and events 4663 were logged in for a connected removable device (pendrive). Is there any additional configuration required on Windows 10 1809? I would ask for help in this matter.

    Domain controllers: Windows Server Standard 2012 R2 and Windows Server Standard 2008 R2,

    Enabled Security option: Audit: Force auditing policy subcategory settings to override Audit Policy category settings.

    Client: Windows 10 Pro x64 1809
    Thursday, October 4, 2018 6:24 AM

Answers

  • SteveJohnson_284 helps me.

    To fix this issue, change the following registry value to 1 (DWORD): 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotplugSecureOpen

    Regards

    • Marked as answer by Lukasz Handy Friday, November 16, 2018 8:55 AM
    Thursday, November 15, 2018 1:46 PM

All replies

  • Hi Lukasz, 

    Does the issue symptom on a specify Windows 10 1809 device? Try to check if it occur on other Windows 10 1809 devices. 

    As 4663 event log will recorded if user access sources. As the event ID occur when read data from DVD, so it seems there is no error with system healthy. As there is no official article states any changes about event ID 4663 in Windows 10 1809, so we can't confirm if it is an expect behavior or a issue. Try to check it on multiple Windows 10 1809 devices, and kindly feedback the result with us. We will also try to check on our side. 

    By the way, if the event logs generated on Windows 10 1809 and Windows 10 1607 uploaded here will be helpful for feedback the issue. 

    Bests, 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Joy-Qiao Thursday, October 18, 2018 7:19 AM
    Monday, October 8, 2018 1:39 AM
  • Hi Lukasz, 

    We would like to know the existing status of your issue. If you need further assistance, please contact us at any time. 

    Bests,

    Joy.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 18, 2018 7:22 AM
  • Hi Joy-Qiao
    The problem still occurs and probably applies to all versions of Windows 10 since 1709.
    I do not know where to report it in such a way that someone can confirm or deny if the problem occurs in his environment.
    It is possible that this does not work in the above versions of Windows and everything indicates that Microsoft did not notice this error.
    greetings
    Thursday, October 18, 2018 7:31 AM
  • Hi Lukasz,

    Sorry for my late reply.

    I also tested the issue on my side with Windows 10 1803, and found the same symptom with you. So it would be caused by the design after Windows 10 1709. Since there is no official article referred this behavior, I recommend to feedback it to Microsoft through "Feedback Hub" application as a user voice.

    At last, I would thank you for your efforts in this thread, it would be helpful and provided another information for others customers.

    Bests,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 8, 2018 1:33 PM
  • SteveJohnson_284 helps me.

    To fix this issue, change the following registry value to 1 (DWORD): 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotplugSecureOpen

    Regards

    • Marked as answer by Lukasz Handy Friday, November 16, 2018 8:55 AM
    Thursday, November 15, 2018 1:46 PM
  • Hi Lukasz, 

    I am very appreciate you are such a kindhearted man and could share your information with us after pending a long time. It is very useful for other customers who encounter same issue with you. Thank you very much. 

    Bests, 

    Joy. 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 16, 2018 1:52 AM
  • Hello, 

    Yes it fixes the issue but what this setting does? I couldn't find documentation regarding this. It is very unfortunate that MS doesn't provide any information regarding this in audit settings documentation.

    Regards,

    Batuhan

    Tuesday, December 18, 2018 6:21 PM
  • Do you know what this actually does anyone?

    Mark

    Wednesday, May 22, 2019 7:22 AM