How can I ensure that Symantec Endpoint Protection clients have read-only access to USB drives?
 

To limit SEP clients to read-only USB drive access, create/edit and assign an appropriate Application and Device Control policy using the following steps:

1. Install Symantec Endpoint Protection, including the Application and Device Control feature, on the clients where USB drives will be used
2. Ensure that the clients is communicating with the Symantec Endpoint Protection Manager (SEPM)
3. Log on to the SEPM console and click on the Policies tab in the left hand window pane
4. Select Application and Device Control
5. Create a new policy or edit an existing Application and Device Control policy
6. Click on Application Control and select the following options:
   • Make all removable drives read-only
   • Block writing to USB drives
7. Assign the policy to the client(s) in question.

Both options above are recommended because some USB drives may not be recognized as such. See USB drive is still writable despite Endpoint Protection read-only policy