How to configure USB storage auditing for workstations in ADAudit Plus
In this article:
Objective
Prerequisites
Steps to follow
Validation and confirmation
Tips
Related topics and articles
Objective
This article explains how to configure USB storage auditing on Windows workstations so that ADAudit Plus can monitor and report on USB device activity, including connection and usage events.
Prerequisites
Ensure the following before you begin:
The workstations are part of the domain.
The ADAudit Plus agent is installed and running on the target machines.
You have administrative privileges to configure audit policies and registry settings.
Steps to follow
Configure audit policies via Group Policy
Log in to a domain-joined machine that has the Group Policy Management Console installed.
Open Group Policy Management from Start > Windows Administrative Tools.
Right-click the GPO named <domain name>_ADAuditPlusWSPolicy and select Edit.
In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Under Object Access, enable Audit Removable Storage and set it to Success and Failure.
Under Detailed Tracking, enable Audit PNP Activity and set it to Success and Failure.
Modify registry settings (for Windows 11 and above)
Press Windows + R, type regedit.exe, and click OK.
In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage.
In the right-hand pane, locate HotplugSecureOpen. If it doesn't exist, create a new DWORD (32-bit) Value named HotplugSecureOpen.
Set its value to 1.
Click OK and close the Registry Editor.
Restart the workstation to apply the changes.
Validation and confirmation
To verify that USB storage auditing is working:
Insert a USB device into a monitored workstation.
In ADAudit Plus, navigate to the Server Audit > USB Storage Audit report.
Confirm that related events (USB detection, usage, and removal) are logged and visible in the report.
Tips
To apply registry changes across multiple machines, use Group Policy Preferences or PowerShell scripts.
Always back up the registry before making changes.
Related topics and articles
New to ADSelfService Plus?
Related Articles
No data is available under the USB storage auditing report in ADAudit Plus
In This Article: Issue Description Prerequisites Possible Causes Resolution Related Topics and Articles How to Reach Support Issue description ADAudit Plus monitors and reports on the use of removable storage devices in a network, including USB flash ...How to configure Workstations in ADAudit Plus
In this article: Objective Prerequisites Steps to follow Validation and confirmation Tips Related topics and articles Objective To configure Windows Workstations in ADAudit Plus using either the product console or command-line arguments, and to apply ...Privileges required for ADAudit Plus auditing
In this article: Objective Prerequisites Steps to follow Validation and confirmation Tips Related topics and articles Objective This article outlines the minimum privileges required for ADAudit Plus to audit and start: Active Directory Windows ...Unable to view Member Servers and Workstations reports because access is denied in ADAudit Plus
In this article Issue description Prerequisites Possible causes Resolution Related topics and articles When and how to contact Support Issue description: This error occurs when the user account that runs ADAudit Plus does not have sufficient ...How to configure Member Server in ADAudit Plus
In this article: Objective Prerequisites Steps to follow Validation and confirmation Tips Related topics and articles Objective To configure Windows Member Servers in ADAudit Plus, including agent deployment, configuration using the product console ...