Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

DLP policy to monitor every file copied to USB drive

Brass Contributor

Hello All,


I am looking for an option in Microsoft DLP to monitor every file copied to a USB drive so that I can pull a report periodically.


The policy is not to capture when someone copies sensitive data to a USB drive, but rather looking for a policy that can capture every file copied to a USB drive.


Kindly advice.

1 Reply
best response confirmed by Afsar_Shariff (Brass Contributor)

Hi @Afsar_Shariff 


This isn't exactly something you can set from a policy perspective through DLP. You could do a policy that looks for file types or file extensions versus sensitive content, but you'd likely have a long list to enter for file extensions.


You can enable "always audit file activity for devices" in endpoint DLP settings which you can then monitor the auditing through Activity Explorer but this will not alert you. 


You can also follow along with this article for Auditing read, write, and execute attempts to any USB, which is configured through Microsoft Intune.


Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage m...