Video Screencast Help

Device Control policy - printer showing disabled when allowed via the policy

Created: 08 Apr 2014 | 10 comments
S_K's picture


I have a question regarding Device Control policy. We are using it to block some devices. However I allowed USB printer from the policy and on the PC it was showing in Device Manager that the printer is disabled. User had to enable it manually and it was working.

Shouldn't device enalble automatically after it it allowed from Device Control policy or user will have to enable it then manually?

Operating Systems:

Comments 10 CommentsJump to latest comment

S_K's picture

yes, it is excluded in the policy, the question is why after that SEP didn't enable the device automatically on the machine, but the user had to go in Device Manager and enable it manually. Customer is not happy is they will have to enable manually every device after it was excluded in the Device Control policy

SMLatCST's picture

SEP should indeed enable it automatically.  The exception I've found is when a device is administratively disabled from DevViewer (or device manager for that matter), A&DC won't override that manual "disable" action.

Could this be the case?

As the device itself is already present in Device Manager, I'll assume you're not subject to the situation where a higher level device (i,.e the controller) is blocked, thereby preventing detection, installation, and exclusion from blocking of the child device (your printer).

Rafeeq's picture

AFAIK , if you have set a policy to block , SEP will block the device, 

if you again create another policy to allow it, then you need to manually enable it from device manager..

SMLatCST's picture

It would be crazy if it operated in that manner, as it would negate the whole idea of centralised management.

In any case, a quick test has confirmed this is not the case.  My test consisted of:

  1. Plug in USB stick and use it
  2. Apply A&DC policy to block Device ID: USBSTOR\*
  3. Verifying USB stick disappears (with corresponding log on the SEPM)
  4. Updating said policy to exclude the USB stick from blocking
  5. Watching it pop up again on test machine with no local manual processes required (with "device enabled" event in my SEPM)

Soooo, it sounds like odd behaviour coming from your environment if a SEP blocked device is not becoming available again after adding an exclusion for it.

Just so you know (test environment details):

SEPM: v12.1RU4a on Win2012R2
Client: v12.1RU4 on Win8

Yahya's picture

If the device was blocked by SEP, once it is allowed, it will automatically be enabled in device manager. Did you refresh the devices in device manager, if yes and still show disabled, there is something wrong somewhere.

Rafeeq's picture

Create a rule to block mass USB, insert mass USB, USB is blocked

Apply a new policy to allow mass USB, is it allowed automatically?

SMLatCST's picture

Feel free to test it yourself and raise it as a bug if it doesn't automatically reenable a deivce as it really should laugh

S_K's picture

it seems that we have this issue only with printers, all other devices are working fine. Just opened a ticket with Symantec and have sent them the SymHelp log