Steve Marin

Tracking removable storage with the Windows Security Log

We want to implement this across all computers in our domain. However, our PDC is still running SBS 2008 and the Advanced Audit Policies are not available to do so. So before we go and touch 50 or so workstations, we're wondering if there is a simple way to do this, maybe through a script?
Ilídio Amaral

Check this.
If you have PowerShell Remote enabled you can create a job for all machines.
Steve Marin (ASKER)

Thanks for that. It does show USB devices that have been inserted into the machine; however, not much else. We're looking to get maybe files transferred to and time stamps. Exactly what this gives.

https://www.eventtracker.com/newsletters/tracking-removable-storage-windows-security-log/
You can use the PowerShell cmdlet Get-WinEvent to get the events you want. Check this link to see some examples.

Now for the hard part: getting the audit option enabled on your endpoints. Due to the SBS 2008 limitations, GPO is not an option. The only workaround I can think of is to edit the Windows Registry. Using a test endpoint, with procmon (Sysinternals) and gpedit.msc, it's possible to track down which keys were changed. Using this information you can easily create a PowerShell script to change these values on the other machines.

Having done this on a few occasions where nothing else was possible, I don't think this is the safest way of doing things, so think 10 times if this is an option for you.
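
The Get-WinEvent and remoting-job approach suggested in this thread, as an added example that is not code from any of the posters: it pulls file-access events (ID 4663) in the "Removable Storage" task category from a list of machines and writes user, file, process and timestamp to a CSV. Assumptions: the `computers.txt` and output file names are hypothetical, PowerShell 3.0 or later with Remoting is available, the endpoints use an English locale, and they actually log removable storage events (which, per the thread, Windows 7 does not).

```powershell
# Added example: collect removable-storage file access events from many endpoints.
# Assumptions: .\computers.txt (hypothetical) lists one hostname per line,
# PowerShell Remoting is enabled, and endpoints log event 4663 under the
# English task category name "Removable Storage".
$computers = Get-Content -Path '.\computers.txt'

$collect = {
    param([int]$Hours)
    $filter = @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent raises an error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        ForEach-Object {
            # Turn the EventData name/value pairs into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                File        = $data['ObjectName']
                Process     = $data['ProcessName']
                AccessMask  = $data['AccessMask']
            }
        }
}

# One remoting job fans out to every machine in the list.
$job = Invoke-Command -ComputerName $computers -ScriptBlock $collect -ArgumentList 24 -AsJob
$job | Wait-Job | Out-Null
$events = Receive-Job -Job $job -ErrorAction SilentlyContinue -ErrorVariable failed

$events |
    Sort-Object PSComputerName, TimeCreated |
    Select-Object PSComputerName, TimeCreated, User, File, Process, AccessMask |
    Export-Csv -Path '.\removable-storage-access.csv' -NoTypeInformation

# Report hosts that could not be queried so they are not read as "no activity".
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

Reading the Security log requires administrative rights on each endpoint, so run the job under an account that has them.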
ASKER CERTIFIED SOLUTION
McKnife

This solution is only available to members.

I see now that is not going to be possible with native auditing and Windows 7. All the current workstations are Windows 7.
This would have worked like a charm, but the endpoints are Windows 7 and that setting is not on them.