All Removable Disks security events are logged in the Removable Disks Log. This log shows an overview of all events that occurred when users were prevented from accessing a removable storage device. The list specifies time, file name and location, process, computer, user, session, operation, and action. The log is automatically cleaned up periodically.
You can authorize a blocked file from the Removable Disks Log by selecting it and clicking Authorize selected file. This exception can be Execute and/or Modify. Alternatively, you can authorize the file by right-clicking it and then selecting Authorize selected file from the context menu. It will then automatically be added to the Global Authorized Files.
The Removable Disks Security log file can be exported in XML format from the command line (case insensitive): PWRTECH.EXE /EXPORTLOG /TYPE=REMDISK /OUTPUT=<OUTPUT FILEPATH> /START=<START DATE> /END=<END DATE>. A value for OUTPUT must be specified. START and END are optional values in YYYYMMDD (optionally YYYYMMDDHHMMSS) format. Values entered for START and END, and the timestamps in the export file, are all in UTC.
Example:
PWRTECH.EXE /EXPORTLOG /TYPE=REMDISK /OUTPUT=C:\LOGS\REMDISKLOG.XML /START=20160101082959 /END=20160229
At least read permission is needed on the Removable Disks node (at Security > Data > Removable Disks) to export the log. With insufficient access rights, the XML export file will contain no data.
Ivanti recommends testing first by exporting just one or two days of data.
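The following PowerShell script is an added example, not part of the Ivanti documentation. It runs the two-day test export described above with a START/END window computed in UTC, then warns when the export holds no data, which is the symptom of missing read permission on the Removable Disks node. Assumptions: pwrtech.exe resolves via PATH, C:\LOGS exists, and an export with "no data" shows up as a missing file, an empty file, or a root element without child elements (the page does not describe the export schema).

```powershell
# Added example: two-day test export of the Removable Disks Log.
# Assumptions: pwrtech.exe is on PATH; C:\LOGS exists and is writable.
$PwrTech = 'pwrtech.exe'
$Output  = 'C:\LOGS\REMDISKLOG.XML'

# START and END are read as UTC, so build the window from the UTC clock,
# not from local time, using the YYYYMMDDHHMMSS form.
$inv      = [cultureinfo]::InvariantCulture
$endUtc   = (Get-Date).ToUniversalTime()
$startUtc = $endUtc.AddDays(-2)
$start    = $startUtc.ToString('yyyyMMddHHmmss', $inv)
$end      = $endUtc.ToString('yyyyMMddHHmmss', $inv)

# Remove a stale export so an old file is never mistaken for a fresh result.
if (Test-Path -LiteralPath $Output) { Remove-Item -LiteralPath $Output }

$exportArgs = @('/EXPORTLOG', '/TYPE=REMDISK', "/OUTPUT=$Output",
                "/START=$start", "/END=$end")
Start-Process -FilePath $PwrTech -ArgumentList $exportArgs -Wait

# An export without data usually means the account lacks read permission
# on Security > Data > Removable Disks, or nothing was blocked in the window.
if (-not (Test-Path -LiteralPath $Output) -or
    (Get-Item -LiteralPath $Output).Length -eq 0) {
    Write-Warning "No export data at $Output. Check read permission on the Removable Disks node."
    return
}

try {
    $xml = [xml](Get-Content -LiteralPath $Output -Raw)
} catch {
    Write-Warning "Export at $Output is not well-formed XML: $($_.Exception.Message)"
    return
}

# Count top-level child elements only; no element names are assumed.
$records = @($xml.DocumentElement.ChildNodes |
             Where-Object { $_.NodeType -eq 'Element' })
if ($records.Count -eq 0) {
    Write-Warning "Export contains no entries for $start to $end UTC. Check permissions before widening the range."
} else {
    Write-Output "Exported $($records.Count) top-level element(s) for $start to $end UTC."
}
```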