Forum Discussion
Device control removable storage via GPO - where to find logs
I configured Device control for removable storage via GPO - used 2 XMLs as described here https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806
Wondering if there is any place on the endpoint (Windows 10) to look for logs when removable storage is blocked, like the event log or something, so as not to use Advanced hunting https://security.microsoft.com/v2/advanced-hunting
I cannot find information anywhere about blocking Bluetooth-connected storage (like pairing a phone and copying files via Bluetooth). Anyone?
- marka01 (Copper Contributor)
You can use advanced hunting for it. Query:
DeviceEvents
| where DeviceName contains "hostname"
| where ActionType contains "Pnp"
Or:
DeviceEvents
| where DeviceName contains "hostname"
| where ActionType == "PnpDeviceConnected" and Timestamp > ago(7d)
| extend ClassName = parse_json(AdditionalFields).ClassName
| extend DeviceId = parse_json(AdditionalFields).DeviceId
| extend VendorIds = parse_json(AdditionalFields).VendorIds
| extend DeviceDescription = parse_json(AdditionalFields).DeviceDescription
| project ClassName, DeviceDescription, Timestamp, DeviceId, VendorIds, DeviceName
| where ClassName contains "drive" or ClassName contains "usb"
Change the "ago(7d)" value to however many days you want to go back. Also, you can check Security Event ID 6416 in Event Viewer.
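A local counterpart to the second query, reading Security Event ID 6416 on the endpoint itself; this is an added example, not part of the original posts. It assumes an elevated PowerShell session, that "Audit PNP Activity" auditing is enabled so 6416 events are written, and that the event data uses the field names shown (ClassName, DeviceDescription, DeviceId, VendorIds).

```powershell
# Added example: list Security event 6416 entries from the local event log,
# filtered the same way as the advanced hunting query above.
# Assumptions: elevated session; "Audit PNP Activity" auditing is enabled.

$days = 7   # look-back window, same role as ago(7d) in the query

$filter = @{
    LogName   = 'Security'
    Id        = 6416
    StartTime = (Get-Date).AddDays(-$days)
}

# Returns nothing (instead of an error) when no matching events exist.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($evt in $events) {
    # EventData is a list of <Data Name="...">value</Data> nodes; index them by name.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }

    [pscustomobject]@{
        Timestamp         = $evt.TimeCreated
        ClassName         = $data['ClassName']          # assumed field name
        DeviceDescription = $data['DeviceDescription']  # assumed field name
        DeviceId          = $data['DeviceId']           # assumed field name
        VendorIds         = $data['VendorIds']          # assumed field name
        DeviceName        = $evt.MachineName
    }
}

# -match is case-insensitive, like "contains" in the query.
$rows |
    Where-Object { $_.ClassName -match 'drive|usb' } |
    Sort-Object Timestamp -Descending |
    Format-Table -AutoSize -Wrap
```

If the output is empty, check whether any 6416 events exist at all before narrowing by class name.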