Hi,
We've finally got around to looking at implementing USB Defender but only require it in a file audit capacity.
So we don't need whitelist or UDLP items, there's GPO in place and AD secgroups to control USB access.
I have one development Windows 7 Citrix VDI desktop accessed via a Wyse terminal and I can see USB-Defender events for Attach/Detach, and it was automatically detaching devices until I turned off Active Response.
My question is should File Auditing work without Active Response/Approved Devices being in place? If so then am I missing anything obvious? LEM has been handling syslog traffic for the last two years from servers but this is the first activity on a workstation, with a view to deploying to 1000+ workstations soon.
Any comments are appreciated as I've been through everything I can think of and couldn't locate a 'SW USB Defender for Dummies' section.
Kev