Manually marked incidents and their attachments to be deleted. Once the Incident deletion job completed, it shows as successful in the Enforce Console: The number of deleted incidents is shown but attachments deleted = 0. The incidents that should have been deleted are still listed when reviewing Incidents.

Localhost logs show the Incident Deletion job is complete:

Level: INFO
Source: com.vontu.manager
Message: Incident deletion started. Incident deletion started

Level: INFO
Source: com.vontu.manager
Message: Incident deletion completed. Incident deletion ran for 1 minute(s) 12 second(s) 0 ms and deleted 50 incident(s)

IncidentPersister logs shows the following:

Level: WARNING
Thread: 90
Source: com.vontu.incidenthandler.blob.delete.MessageBlobDeleteService.delete
Message: Failed to delete blob file <External storage directory>\xxx\xxx\UncrackedComponent_xxxxx for Message ID xxxxxx.

Symantec Data Loss Prevention 16.x
External Storage for Incident Attachments
Windows OS

The LogOn service user, specified for the Enforce Server DLP services, did not have full permissions to the failed directories mentioned in the IncidentPersister logs.

Add the missing permissions to the External Storage directories.
Then re-run the incident/attachment deletion from the Enforce Console.