I have a Windows 10 system on which I have enabled removable storage audits (via GPO: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Object Access -> Audit Removable Storage: Success and Failure), and also set the registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotPlugSecureOpen = 1).
I am getting event 4663 related to ReadData and AppendData when I create or modify a file; but I am not getting any events when I delete a file.
The device I am using is an Ivanti-encrypted USB flash drive, which does not show me the Security tab when I right click the drive in Windows Explorer. I believe that this precludes me from using File System audits.
How can I get Windows to log file deletion too?
