The Windows Tracking Policy in Swif.ai enables organizations to collect important security, compliance, and operational event data from Windows devices. This includes visibility into USB activity, device lock/unlock events, and other telemetry that helps IT and Security teams monitor endpoint behavior across the company.
This policy supports both BYOD and company-owned Windows devices running Windows 10 or later.
This policy works together with Swif.ai’s event tracking system, detailed here.
What This Policy Does
When enabled, the Windows Tracking Policy allows Swif.ai to collect real-time event data from Windows devices, including:
USB tracking
Detects when USB storage devices are connected or disconnected.Device lock/unlock tracking
Tracks when users lock or unlock their device, providing insight into user session activity.
This information is used for:
Security monitoring
Compliance reporting and audit evidence
Incident investigations
Behavior analytics
USB risk detection
User activity insights for distributed teams
Requirements
Windows 10+
Policy Settings
Field Name | Description | Value Options | Minimum OS Requirement |
USB Tracking | Controls whether Swif.ai collects USB connection and disconnection events. When enabled, Swif.ai logs USB attachments and removals for compliance, auditing, and security visibility. | True – USB device activity is tracked False – No USB tracking is performed | Windows 10+ |
Device Lock Tracking | Controls whether Swif.ai records device lock and unlock events. Useful for session auditing and monitoring user behavior during device access. | True – Lock/unlock events are tracked False – Lock/unlock activity is not tracked | Windows 10+ |
Location Tracking | When enabled, the device will request location information during periodic compliance checks throughout the day. | True – location information is requested | Windows 10+ |
If you need this embedded into the full Windows Tracking Policy article, I can insert it directly.
Use Cases
1. Compliance Reporting (SOC 2, ISO 27001, HIPAA)
Event logs provide audit-ready evidence of device usage, physical access protection, and external media handling.
2. Security Monitoring
Alerts on suspicious USB device usage
Detect unauthorized USB drives
Identify unusual session activity
3. Remote Workforce Visibility
Provides insight into:
Device usage patterns
Lock/unlock times
Remote employee device interactions
4. Incident Investigation
USB logs and session history help reconstruct activity leading up to a security event.
5. Zero-Trust & Access Control
Supports risk scoring and automated enforcement based on device behavior.
How Event Tracking Appears in Swif.ai
When this policy is enabled, events flow into:
Device → Activity Timeline
Browser & Device Event Logs
Security Center (if enabled)
Automations/Alerts (optional)
This allows teams to quickly filter and analyze event patterns.
Verification & Troubleshooting
Confirm events are being collected
Go to Reports → Events logs
Look for:
USB connection events
Lock/unlock events
Ensure the device is online and has the latest Swif agent
If events are missing:
Confirm the Windows Tracking Policy is applied to the device
Ensure the device has not disabled local auditing settings
Check that the Swif agent is running and up to date
Restart the device if needed
Best Practices
Enable USB Tracking for all company-owned devices for strong security and audit visibility
Enable Device Lock Tracking for remote workforce oversight
Combine with:
Windows Security Policy (encryption)
Windows PIN Policy (authentication)
Windows Connectivity Policy (peripheral restrictions)
This forms a complete Windows compliance and security baseline.