How to block all the USB type devices (e.g. mice, keyboards, USB drives, etc), yet allow a single specific device (such as an Administrator's USB key) to function
Before you create the exception, you'll need to gather the Hardware ID from the specific device.
You must create exclusions for each individual device. If there are, for example, 15 different Administrator USB keys, you will need to create 15 different exclusions, one for each device. The only other alternative to this is to not block all USB devices.
Gather the Device ID of device(s) to exclude using the DevViewer tool:
Double click DevViewer.exe tool located on CD2 in the /Tools/NoSupport/DevViewer folder.
Plug in the device you want to gather the Device ID from.
Run the DevViewer.exe tool and browse to find the device. USB keys are, for example, located under Universal Serial Bus controllers/USB Mass Storage Device
Select the device, and on the right you will see information about the device.
Copy down the entire Device ID. The Device ID should look similar to this:
Exit the DevViewer Tool.
Create the exclusion:
Open the Symantec Endpoint Protection Manager (SEPM) console.
Click Policy Components.
Click Hardware Devices.
Click Add a Hardware Device...
Enter a name for the exclusion.
Click Device ID.
Enter the Device ID exactly as seen in the DevViewer tool.
Assign the exclusion:
Click Application and Device Control.
Double click the policy you wish to edit.
Click Device Control.
In Devices Excluded From Blocking, click Add.
Click the exclusion you created earlier, then click OK.
While not required, it is advisable to set up a message using
Notify users when devices are blocked. This will let users know when Application and Device control blocks access to a device, rather than simply blocking it and not letting the user know.
Imported Document ID: TECH105770
Subscribing will provide email updates when this Article is updated. Login is required.