Hi,
To block USB Drives (ThumbDrives, Hard Drives) while not blocking a specific USB drive in the Device Control policy, you must gather the Device ID for the specific device, add that device into the Hardware Devices list in the SEPM, then block Disk Drives and exclude the devices you want to still use in the Application and Device Control policy.

Gather the Device ID of device(s) to exclude using the DevViewer tool:
1. Find the DevViewer.exe tool on the SEP 11.0.X CD2 in the CD2\Tools\NoSupport\DevViewer folder.
2. Plug in the device you want to gather the Device ID from.
3. Run the DevViewer.exe tool and browse to find the device. (For example, for a thumb drive, look under Disk drives.)
4. Select the device, and on the right you will see information about the device.
5. Right click the [device id] and select Copy Device ID.
6. Exit the DevViewer Tool.

Add the Hardware Device into SEPM policy:
1. In the SEPM, select the Policies view.
2. In the upper left corner of the console, under the View Policies section, click on Policy Components to expand the sub-list.
3. Under Policy Components, select Hardware Devices.
4. Under Tasks, select Add a Hardware Device.
5. Type in the Name you wish to call your device (example: Administrator's Thumbdrive).
6. Select the Device ID option, click in the text box and use CTRL-V to paste the Device ID you copied from the DevViewer tool.
7. Click OK.

Add Disk Drives and the Hardware Device to allow to the Devices Excluded From Blocking list:
1. In the SEPM, under View Policies, select Application and Device Control.
2. Right click your Application and Device Control Policy and select Edit.
3. Select the Device Control view.
4. Under the Blocked Devices section, click Add, select Disk Drives and click OK. (If Disk Drives isn't listed, it is already added as a Blocked Device).
5. Under Devices Excluded From Blocking, click Add.
6. Select the device you added in the previous section and click OK.
7. Click OK in the Application and Device Control policy window. SEP clients in Client Groups that currently have this policy assigned will get the changed policy from the SEPM.

When the clients get the new policy, they may need to be rebooted for the policy to work correctly. If so, there will be a notification message on the client that a reboot is necessary for the new policy change, and the client will be listed in the Reboot Required logs in the SEPM.

You can also exclude the HID USB devices such as keyboard and mouse.
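
As a cross-check on the Device ID gathered in the first section, the following PowerShell lists the disk drives attached to a client and marks which ones are on an approved list. This is an added example, not part of the original post and not a Symantec tool. It assumes that the Windows device instance ID (`PNPDeviceID`) is the same string DevViewer copies as the Device ID, and the approved ID shown is a constructed placeholder.

```powershell
# Added example: audit attached disk drives against an approved-device list
# before entering the IDs as Hardware Devices in the SEPM.
# Assumption: PNPDeviceID matches the Device ID string copied from DevViewer.

function Get-DiskDeviceId {
    # Win32_DiskDrive exposes the PnP device instance ID of every disk drive.
    # InterfaceType is kept so removable USB disks can be told apart from
    # internal drives in the output.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Select-Object Model, InterfaceType, SerialNumber, PNPDeviceID
}

function Test-ApprovedDevice {
    param(
        [Parameter(Mandatory)] [string]   $DeviceId,
        [Parameter(Mandatory)] [string[]] $ApprovedIds
    )
    # -contains compares strings case-insensitively and requires an exact match,
    # so a different unit of the same model (different serial suffix) is not approved.
    return ($ApprovedIds -contains $DeviceId)
}

# Constructed placeholder; replace with the Device ID(s) recorded for the
# device(s) that should stay usable (e.g. "Administrator's Thumbdrive").
$approved = @(
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_ADMIN_DRIVE&REV_1.00\PLACEHOLDER0001&0'
)

Get-DiskDeviceId | ForEach-Object {
    [pscustomobject]@{
        Model     = $_.Model
        Interface = $_.InterfaceType
        DeviceId  = $_.PNPDeviceID
        Approved  = Test-ApprovedDevice -DeviceId $_.PNPDeviceID -ApprovedIds $approved
    }
} | Format-Table -AutoSize -Wrap
```

Run it with the device plugged in; any removable disk that shows `Approved = False` would not be covered by the exclusion list.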