Device control report

Applies to:

Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives.

With the device control report, you can view events that relate to media usage. Such events include:

  • Audit events: Shows the number of audit events that occur when external media is connected.
  • Policy events: Shows the number of policy events that occur when a device control policy is triggered.

Note

The audit event to track media usage is enabled by default for devices onboarded to Microsoft Defender for Endpoint.

Understanding the audit events

The audit events include:

  • USB drive mount and unmount: Audit events that are generated when a USB drive is mounted or unmounted.
  • PnP: Plug and Play audit events are generated when removable storage, a printer, or Bluetooth media is connected.
  • Removable storage access control: Events are generated when a removable storage access control policy is triggered. It can be Audit, Block, or Allow.

Monitor device control security

Device control in Defender for Endpoint empowers security administrators with tools that enable them to track their organization's device control security through reports. You can find the device control report in the Microsoft 365 Defender portal (https://security.microsoft.com). Go to Reports > General > Security report. Find Device control card, and select the link to open the report.

The Device protection card on the Reports dashboard shows the number of audit events generated by media type, over the last 180 days.

The View details button shows more media usage data in the device control report page.

The page provides a dashboard with aggregated number of events per type and a list of events and shows 500 events per page, but Administrators can scroll down to see more events and can filter on time range, media class name, and device ID.

When you select an event, a flyout appears that shows you more information:

  • General details: Date, Action mode, the policy, and Access of this event.
  • Media information: Media information includes Media name, Class name, Class GUID, Device ID, Vendor ID, Serial number, and Bus type.
  • Location details: Device name, User, and MDATP device ID.

To see real-time activity for this media across the organization, select the Open Advanced hunting button. This includes an embedded, pre-defined query.

To see the security of the device, select the Open device page button on the flyout. This button opens the device entity page.

Reporting delays

There might be a delay of up to 12 hours from the time a media connection occurs to the time the event is reflected in the card or in the domain list.