From 28ec7f0381a5ae4fd12082700c57b42eab4c1745 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Fri, 8 Apr 2022 15:08:53 +0530 Subject: [PATCH] changes as per 5916892 --- .../auditing/monitor-the-use-of-removable-storage-devices.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md index ac76e18a1a..2e7159f3d2 100644 --- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md +++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md @@ -56,9 +56,14 @@ After you configure the settings to monitor removable storage devices, use the f 4. In Server Manager, click **Tools**, and then click **Event Viewer**. 5. Expand **Windows Logs**, and then click **Security**. 6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**. + + For more information, see [Audit Removable Storage](audit-removable-storage.md) Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. + > [!NOTE] + > Even after configuring settings to monitor removable storage devices, some versions of Windows 10 may require registry key **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotPlugSecureOpen** to be set to **1** to start logging the removable storage audit events. + > [!NOTE] > We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.