This week, one of my colleagues logged on to a server and when he opened the file explorer all external USB drives where appearing and disappearing continuously.
At the same time, in the upper right corner, several messages appeared asking to unlock all BitLocker-protected drives.
This happened on several Windows 2012 R2 servers.
After investigation, we found events in the System log which seamed to be related to this strange behaviour.
First there was an Error event with ID 7 and “The device has a bad block” as message.
- Event ID 98 Information Volume (\Device\HarddiskVolume) is healthy. No action is needed.
- Event ID 1 Information CBA filesystem filter driver has attached to volume “\Device\HarddiskVolume”.
Fortunately, we discovered this behaviour only a few hours after I updated a GPO, which helped me to quickly establish the link between the behaviour and my action.
The modified Group Policy was Audit Removable Storage.
It is located in Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration \ Audit Policies \ Object Access.
As soon as I removed this auditing configuration and launched GPUpate /force in a command line, all external USB drives showed up normally again in file explorer.
I made some additional tests, and it appears that both the Success or the Failure setting produce this behavior.