Removable Storage Control

A Removable Storage Control profile defines how USB devices are handled by DataSecurity Plus when connected to monitored endpoints. You can configure profiles to target specific workstations and control which USB devices should be allowed and blocked, and what file transfer actions are permitted.

Removable Storage Control profiles help prevent data exfiltration through removable media, block unwarranted access from untrusted devices, and support compliance requirements for portable media under standards such as PCI DSS and HIPAA.

Configuring a Removable Storage Control profile

To configure a Removable Storage Control profile, follow these steps in DataSecurity Plus:

  • Select Endpoint DLP from the apps drop-down.
  • Go to Configuration > Removable Storage Control.
  • Click + Create New Profile.
  • Enter a Profile Name and Profile Description.
  • Under Applies To, click + to select the target device or device groups this profile applies to. To create or manage device groups, see the Device Group Configuration help page.
  • Under Include criteria, choose which USB devices this profile applies to:
    • Select All USB devices to apply the profile to all USB devices connected to the selected devices or device groups.
    • Select Custom list to apply the profile to a specific set of USB devices that you define.
  • Under Exclude criteria, choose which USB devices this profile should not apply to.
    • Select None to exclude no devices. The profile will apply to all devices matched by the Include criteria.
    • Select Custom list to define a specific set of USB devices for exclusion from this profile.

    Note: See the creating a custom list of USB devices section for steps on how to create a device list for Include and Exclude criteria.

  • Under Response, choose an action for the included USB devices.
    • Select Allow USB device to permit USB devices to connect. You can then configure File Activity Controls to monitor or restrict specific operations:
      • Audit all file activities in USB, which monitors file operations such as copy, paste, rename, and move, and records them in reports.
      • Block all paste actions in USB, which prevents users from pasting files to the USB device, reducing the risk of data exfiltration.
    • Select Block USB device to prevent the USB devices from connecting.

    Note: Plug-in and plug-out events are always audited and appear in reports, regardless of the action selected.

  • Under Notifications, enter which email addresses should receive alerts when USB devices are connected or disconnected.
  • Click Save to create the profile.

Creating a custom list of USB devices

Using a custom list enables precise control over which specific USB devices are targeted by a profile. Devices are maintained in a centralized master list, making them reusable across all profiles. Once a device is added, it can be referenced in the Include or Exclude criteria of any profile without needing to be redefined.

If you select Custom list under Include criteria or Exclude criteria, follow these steps to create and manage a common master list:

  • After selecting Custom list from the Include or Exclude drop-down, click + Add new device from the Custom include list or Custom exclude list drop-down.
  • Enter a Display name. This is a user-defined label that identifies the device across profiles.

    Tip: Use clear, consistent display names (e.g., IT-approved SanDisk, Finance Sony USBs) to keep entries easy to identify, avoid duplicates, and simplify profile management.

  • Enter at least one of the following parameters to narrow the device match: Vendor Name, Product Name, or Device Instance Path. Devices matching all the added parameters will be included or excluded. To find the Device Instance Path of a USB device on Windows:
    • Open Device Manager.
    • Expand Universal Serial Bus controllers and locate the connected USB device.
    • Right-click the device and select Properties.
    • Go to the Details tab and select Device Instance Path from the Property drop-down.
    • Copy the value shown. It appears in the following format:

      USB\VID_xxxx&PID_xxxx\SerialNumber

  • Click Add.

Viewing Removable Storage Control profiles

To view all configured policies, follow these steps:

  • Go to Endpoint DLP from the applications drop-down.
  • Go to Configuration > Removable Storage Control.

From here, you can edit or delete any profile. The Default Removable Storage Control profile is a default profile that cannot be edited or deleted. It applies to all endpoints, allows all USB devices, and audits all file activities in the USB.

Managing multiple profile matches

DataSecurity Plus evaluates each profile in a priority order—the profile at the top of the list has the highest priority. Each USB device event is matched against profiles in the selected priority order. Once a match is found, that profile's response action is applied and all lower-priority profiles are skipped. For example, if a higher-priority profile allows a device and a lower-priority profile blocks the same device for the same endpoint, the device is allowed.

To change the priority of a profile, follow these steps:

  • Go to the Removable Storage Control page.
  • Locate the profile you want to reorder.
  • Click and hold the drag handle (the four-dot icon) at the left of the profile row.
  • Drag the row to the desired position and release.

Tip: Assign your most specific or restrictive profiles a higher priority to ensure they are not overridden by broader profiles lower in the list. It is recommended to keep the default profile as the lowest priority.
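
The custom-list matching and first-match priority rules described above, modelled as an added example (this is not DataSecurity Plus code) so that a planned profile order can be reasoned about before it is deployed. Assumptions: parameters are compared by case-insensitive equality, "*" stands for all devices, and every class, function, and device name is hypothetical.

```python
import re
from dataclasses import dataclass, field

# Layout shown on this page: USB\VID_xxxx&PID_xxxx\SerialNumber
_PATH = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.I)

def parse_instance_path(path):
    """Return (vid, pid, serial), or None if the value is not in that layout."""
    m = _PATH.match(path.strip())
    return (m.group(1).upper(), m.group(2).upper(), m.group(3)) if m else None

@dataclass
class Entry:
    """One custom-list entry; parameters left unset are not compared."""
    vendor: str = None
    product: str = None
    path: str = None

    def matches(self, dev):
        # A device must match ALL parameters that were entered (AND, not OR).
        # Assumption: case-insensitive equality; the page does not say.
        keys = [k for k in ("vendor", "product", "path") if getattr(self, k)]
        return bool(keys) and all(getattr(self, k).lower() == dev[k].lower() for k in keys)

@dataclass
class Profile:
    name: str
    groups: set                 # "Applies To"; "*" = all devices (assumption)
    response: str               # "allow" or "block"
    include: list = None        # None = "All USB devices"
    exclude: list = field(default_factory=list)  # empty = "None"

    def matches(self, group, dev):
        if "*" not in self.groups and group not in self.groups:
            return False
        if self.include is not None and not any(e.matches(dev) for e in self.include):
            return False
        return not any(e.matches(dev) for e in self.exclude)

def evaluate(profiles, group, dev):
    """Walk profiles top-down; the first match decides, the rest are skipped."""
    for p in profiles:
        if p.matches(group, dev):
            return p.name, p.response
    return None

# Constructed sample data (identifiers are made up).
APPROVED = Entry(path=r"USB\VID_1234&PID_ABCD\SN0001")
ONLY_APPROVED = Profile("approved-only", {"*"}, "block", exclude=[APPROVED])
DEFAULT = Profile("default", {"*"}, "allow")
```

With `DEFAULT` placed above `ONLY_APPROVED`, `evaluate` returns the default profile's allow for every device, which is the ordering mistake the tip above guards against.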

Sample configurations

The following scenarios show how to configure profiles for common use cases.

Read-only access to USB drives for the finance team

Goal: Allow finance team members to read data from USB devices while preventing any data from being copied to them.

  • Applies to: Finance device group
  • Include criteria: All USB devices
  • Response action: Allow
  • File activity controls: Enable Audit all file activities in USB and Block all paste actions in USB

Block all USB devices for the engineering team

Goal: Prevent all USB devices from connecting to workstations used by the engineering team.

  • Applies To: Engineering device group
  • Include criteria: All USB devices
  • Response action: Block USB device

Allow only approved USB drives company-wide

Goal: Allow only a specific set of corporate-approved USB drives and block all others.

  • Applies to: All devices
  • Include criteria: All USB devices
  • Exclude criteria: Custom list (add approved device entries by Vendor Name or Device Instance Path)
  • Response action: Block USB device

Limitations of Removable Storage Control

  • An unblocked USB device remains inaccessible until it is disconnected and reconnected.
  • Paste actions to USB devices cannot be blocked when performed through Remote Desktop sessions.
  • Paste actions to shared folders within USB devices cannot be blocked when accessed using their UNC path.
