BIH89
Copper Contributor
Dec 15, 2025

DLP USB Block

Currently we have DLP policies set up to block the use of USB devices and copying data to them.

When checking the Activity explorer I am still seeing users able to copy data to USB devices, and for the action item it says "Audit" when in the DLP policies we explicitly set it to block.

 

Has anyone run into this issue or seen similar behavior? 

3 Replies

    • Is the DLP policy currently in Test mode? If so, switch it to On/Enforced to apply the Block action.

    • Is user override enabled (“Let users override the policy”)? If so, users can bypass the block and the action will appear as Audit. Disable overrides to enforce blocking.

    • Are you using Windows Information Protection (WIP)? If so, is the protection mode set to Block? Modes like Allow Overrides or Silent will only log activity instead of preventing USB copies.

    • Were the policy changes made recently? If so, allow up to one hour for policy replication to endpoints before validating the behavior again.

      Best, 

      Ahmed Masoud
  • I assume these devices are onboarded to Endpoint DLP. Have you checked the sync status of the devices? Are the policies correctly assigned?

  • danghoang95
    Copper Contributor

    Can you screenshot your current policy? And also please the policy synchronization of that computer. 
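
The policy-side checks raised in the replies (policy mode, user override, recent changes, distribution status) can be read from Security & Compliance PowerShell. The script below is an added example, not part of the thread; it assumes the ExchangeOnlineManagement module is installed and that the returned objects expose `WhenChangedUTC`, `Disabled`, `NotifyAllowOverride` and `EndpointDlpRestrictions` under the same names as the cmdlet parameters.

```powershell
# Added example, not from the thread. Read-only: it lists policy and rule state
# and changes nothing. Requires permission to read DLP policies.
Connect-IPPSSession

$replicationWindow = New-TimeSpan -Hours 1   # delay mentioned in the first reply
$nowUtc = (Get-Date).ToUniversalTime()

$report = foreach ($policy in Get-DlpCompliancePolicy) {
    $notes = @()

    # Any Mode other than 'Enable' (the test modes, 'Disable') means a configured
    # Block action is not enforced and activity is only recorded.
    if ($policy.Mode -ne 'Enable') {
        $notes += "Mode is '$($policy.Mode)': Block is not enforced"
    }
    if ($policy.DistributionStatus -ne 'Success') {
        $notes += "Distribution status is '$($policy.DistributionStatus)'"
    }
    # Assumption: WhenChangedUTC is populated on the returned policy object.
    if ($policy.WhenChangedUTC -and
        ($nowUtc - $policy.WhenChangedUTC) -lt $replicationWindow) {
        $notes += 'Changed less than one hour ago: endpoints may not have it yet'
    }

    foreach ($rule in Get-DlpComplianceRule -Policy $policy.Name) {
        [pscustomobject]@{
            Policy       = $policy.Name
            Rule         = $rule.Name
            RuleDisabled = $rule.Disabled
            # Assumption: a non-empty value means users may override the rule.
            UserOverride = $rule.NotifyAllowOverride
            # Assumption: endpoint actions (removable media among them) and their
            # Block/Audit values are exposed in this property.
            EndpointRestrictions = ($rule.EndpointDlpRestrictions | Out-String).Trim()
            PolicyNotes  = $notes -join '; '
        }
    }
}

$report | Format-List
```

A rule whose policy shows any note, or whose `UserOverride` is set, is a candidate explanation for "Audit" appearing in Activity explorer instead of a block.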