Feb 04 2023
I configured Device control for removable storage via GPO - used 2 XMLs as described here https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storag...
Wondering if there is any place on the endpoint (Windows 10) to look for logs when removable storage is blocked? Like the event log or something. So as not to use Advanced hunting https://security.microsoft.com/v2/advanced-hunting
I cannot find information anywhere about Bluetooth-connected storage blocking (like pairing a phone and copying files via Bluetooth). Anyone?
Mar 08 2023
You can use advanced hunting for it. Query:

    DeviceEvents
    | where DeviceName contains "hostname"
    | where ActionType contains "Pnp"

OR

    DeviceEvents
    | where DeviceName contains "hostname"
    | where ActionType == "PnpDeviceConnected" and Timestamp > ago(7d)
    | extend ClassName = parse_json(AdditionalFields).ClassName
    | extend DeviceId = parse_json(AdditionalFields).DeviceId
    | extend VendorIds = parse_json(AdditionalFields).VendorIds
    | extend DeviceDescription = parse_json(AdditionalFields).DeviceDescription
    | project ClassName, DeviceDescription, Timestamp, DeviceId, VendorIds, DeviceName
    | where ClassName contains "drive" or ClassName contains "usb"

Change "ago(7d)" value with how many days you want to go back.
Also, you can check Security Event ID 6416 in Event Viewer.
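
An on-endpoint counterpart to the query above, as an added example that is not part of the original thread: it reads Security event 6416 locally and applies the same drive/USB class filter. Event 6416 is written when the system recognizes a new external device, and only when the Audit PNP Activity subcategory is enabled. The `$Days` parameter and the output column names are choices made for this example; run it from an elevated PowerShell session.

```powershell
# Added example: list recent Security event 6416 records for drive/USB class devices.
# Assumes "Audit PNP Activity" (Detailed Tracking) is enabled and the session is elevated.
param(
    [int]$Days = 7   # look-back window, same role as ago(7d) in the hunting query
)

$filter = @{
    LogName   = 'Security'
    Id        = 6416
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches, so suppress it and test for results below
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($evt in $events) {
    # Turn the event's <EventData><Data Name="..."> nodes into a lookup table
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.GetAttribute('Name')] = $node.InnerText
    }

    # Same class filter as the KQL (case-insensitive): keep drive and USB classes only
    if ($data['ClassName'] -match 'drive|usb') {
        [pscustomobject]@{
            TimeCreated       = $evt.TimeCreated
            ClassName         = $data['ClassName']
            DeviceDescription = $data['DeviceDescription']
            DeviceId          = $data['DeviceId']
            VendorIds         = $data['VendorIds']
            User              = $data['SubjectUserName']
        }
    }
}

if ($rows) {
    $rows | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No matching 6416 events in the last $Days day(s)."
}
```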