Great, sounds like we are making some progress.
250GB is fairly large for the number of endpoints you have.
The database maintenance scripts would be helpful in reducing the log data.
The log data of focus would be log data that is irrelevant, like local system device attachments, not user-related data that is relevant for compliance, tracking, etc.
How do I get the SDC Event files to tell me what is denied? A deny policy for USB storage use will not let me enable shadow settings.
The SDC Event files are not meant to be read directly and instead of the data which is displayed inside the console.
In addition, the SDC event files are after-the-fact event data and not what/when exact time/device data as we have in our other log files.
You will be better off reviewing the logged data directly on the EMSS server to determine what is being blocked.
You can pull a device control query to show what was blocked, limiting the scope down to that endpoint, user, timeframe, etc.
The second question is not clear; you cannot shadow a device when you are denying access to that device.
You need to allow READ or WRITE or BOTH to shadow the data, which is a copy of what is being READ/WRITE to that device type.
Once you do allow this level of access, you will be able to enable a shadow policy for that device class, model or unique device.