Auditing USB Read and Write Access before disabling Access

Intune Policy

KQL or via Device Reports in Defender

DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed = parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend PolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaBusType = tostring(parsed.BusType)
| extend MediaClassName = tostring(parsed.ClassName)
| extend MediaDeviceId = tostring(parsed.DeviceId)
| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceName, AccountName, RemovableStorageAccess,
          PolicyVerdict, MediaClassName, MediaDeviceId, MediaSerialNumber
| order by Timestamp desc
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Powered by WordPress | Made with ❤ by Themely