Granular control of USB drives in the Application and Device Control Policy in Endpoint Protection
Last Updated April 08, 2019
You want to use Symantec Endpoint Protection (SEP) Application and Device Control policy to block all USB thumb drives and USB hard drives on managed Symantec Endpoint Protection clients, but want to allow some USB drives to work.
To block USB drives (thumb drives, hard drives) while not blocking a specific USB drive in the Device Control policy, you must:
Gather the device ID with DevViewer of the device(s) to exclude
Find the DevViewer.exe tool on the SEP full installation file in the \Tools\DevViewer folder. In earlier versions, this tool may be in \Tools\NoSupport\DevViewer.
Plug in the device from which you want to gather the device ID.
Run the DevViewer.exe tool and browse to find the device. For example, for a thumb drive, look under Disk drives.
Select the device. The right pane displays information about the device.
Right-click the device ID and select Copy Device ID.
Exit the DevViewer Tool.
Note: An alternate way to find device ID, if DevViewer is not available:
1. On the Windows taskbar, click Start > Settings > Control Panel > System.
2. On the Hardware tab, click Device Manager.
3. In the Device Manager list, double-click the device.
4. In the device's Properties dialog box, on the Details tab, select the Device ID (on Windows XP) or Device Instance Path (Windows Vista or 7).
5. Press Control+C to copy the ID string.
If you cannot locate the correct device ID for building the rule, remember that in DevViewer you can change View Style to View devices by connection. Changing this view may help, particularly when troubleshooting USB exclusions.
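As an added example (not part of this article or of the DevViewer tool), the same Device Instance Path that Device Manager shows can be read with PowerShell on the client where the drive is plugged in; it assumes Windows PowerShell 3.0 or later for Get-CimInstance, and the function names are this example's own.

```powershell
# Added example, not from the Symantec article: list the device ID of every
# USB-attached disk so it can be pasted into the SEPM "Add a Hardware Device"
# dialog, and check whether an ID already entered in the policy matches a
# drive that is currently connected.
# Assumption: Windows PowerShell 3.0+ (Get-CimInstance). Win32_DiskDrive's
# PNPDeviceID is the value Device Manager labels "Device Instance Path".

function Get-UsbDiskDeviceId {
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            [pscustomobject]@{
                Model    = $_.Model
                Serial   = $_.SerialNumber
                DeviceId = $_.PNPDeviceID   # paste this into the SEPM hardware device entry
            }
        }
}

function Test-UsbDiskDeviceId {
    param(
        # The device ID string exactly as it was entered in the SEPM hardware device.
        [Parameter(Mandatory)] [string] $PolicyDeviceId
    )
    # Device instance paths are not case sensitive, so compare case-insensitively.
    $match = Get-UsbDiskDeviceId | Where-Object { $_.DeviceId -ieq $PolicyDeviceId }
    if ($match) {
        Write-Output "Connected drive matches the policy entry: $($match.Model)"
        return $true
    }
    Write-Output "No connected USB disk matches '$PolicyDeviceId'; re-check the ID copied into SEPM."
    return $false
}

# Show every connected USB disk with its device ID.
Get-UsbDiskDeviceId | Format-Table -AutoSize
```

Run Test-UsbDiskDeviceId with the ID you pasted into the SEPM hardware device entry to confirm, before assigning the policy, that it really identifies the drive you intend to exclude.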
Add the hardware device into SEPM policy
In the SEPM, select Policies.
Under View Policies, click Policy Components to expand the sub-list.
Under Policy Components, select Hardware Devices.
Under Tasks, select Add a Hardware Device.
Type in the name for your device. For example: Administrator's Thumb Drive.
Select the Device ID option, click the text box and paste the device ID that you copied from the DevViewer tool.
Add disk drives and the hardware device to allow to the Devices Excluded From Blocking list
In the SEPM, under View Policies, select Application and Device Control.
Right-click your Application and Device Control policy and select Edit.
Use one of the following processes to correctly block and exclude:
Do not mix these methods to block and exclude devices.
Select Assign the Policy.
Select the group to which you want to assign the edited policy.
To block or exclude with Device Control:
In the Application and Device Control policy, select Device Control.
Under the Blocked Devices section, click Add, select Disk Drives and click OK. If Disk Drives isn't listed, it is already added as a Blocked Device.
Under Devices Excluded From Blocking, click Add.
Select the device you added in the previous section and click OK.
Click OK to close the Application and Device Control policy window.
To block or exclude with Application Control:
In the Application and Device Control policy, select Application Control.
Check Make all removable devices read-only (for example) and select Edit.
Select Block writing to all files and folders, and under Do not apply to the following files and folders, select Add.
Under File or Folder Name To Match, enter an asterisk (*).
Check Only match on the following device ID type and press Select.
Select the device that you added to the hardware list and press OK. This is the unique USB device ID that you added previously.
Press OK to close windows until you return to the main Application and Device Control Policies window of SEPM.
When the clients get the new policy, they may need to reboot for the policy to work correctly. If so, a notification message appears on the client that a reboot is necessary for the new policy change. The client is listed in the Reboot Required logs in the SEPM until the reboot completes.
Imported Document ID: TECH106304