Endpoint Protection

  • 1.  How does Symantec block USB

    Posted Jun 04, 2010 12:12 PM
    Does Symantec block USB through Reg Key changes or via another way? I need to be able to report on this to see if a PC has this enabled or not, remotely from my PC or scanning tool.
    We need to ensure this has been applied across all PCs so USB access has been locked down. If I know how it is blocked, I can create a scan to check it has been applied.


  • 2.  RE: How does Symantec block USB

    Posted Jun 04, 2010 12:31 PM
    You can verify the policy number to verify the client has processed the policy. Maybe there will be a better way in the future but this seems to be the only way for settings like this.


  • 3.  RE: How does Symantec block USB

    Posted Jun 11, 2010 09:53 AM
    Sorry for the possibly obvious question, but where is the policy number?

    I have viewed the path below as the possible location for the data, as it is the only change when you switch the USB lockout from enabled to disabled and vice versa:
    "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Exclusions\HeuristicScanning\FileHash\Admin"

    5 key entries are created here when turned on and are removed when turned off, but on a small percentage of PCs on another site they have no admin folder at all even though Symantec blocks the USB.


  • 4.  RE: How does Symantec block USB

    Posted Jun 11, 2010 09:59 AM
    SEP will block USB by using an Application and Device Control policy. It uses the Teefer driver to do this. You can verify whether the policy has been applied on a client or not by using the policy sl. no. For this, first find the policy sl. no. of the group to which the client belongs. You can get this information in the Details tab of that group. On the client you can find it in Client GUI--->Help and support--->troubleshooting--->management......


  • 5.  RE: How does Symantec block USB

    Posted Jun 11, 2010 10:33 AM

    Symantec uses the Device ID and the Global ID of the devices to block them. To perform the device control, Symantec uses Network Threat Protection.
    To find the Device ID of a device you can use several applications such as DEVVIEW.
    Each device has an ID which indicates the class of the device. For instance, all the monitors have the same Global ID and all the keyboards have the same Global ID. Therefore you can use this ID to tell Symantec to block this category of devices. However, in Endpoint Protection there is a long list of prepared categories and you can use them instead of finding and creating them.

    In order to block the USB ports, you can use the prepared USB port in the list of devices in Symantec. But this solution will block the USB port, and therefore all the devices connected to the USB port will be disabled. Instead, you can create a custom device, name it External USB Storage and in the Device ID write: USBSTOR*
    This will block all the devices which can contain files and are connected to the computer via a USB port, while the other USB devices such as printers and mice will still be usable.
    To do so, in the Symantec console from the Policy tab:

    ... => Policy Components [Click to Open]
    ... => Hardware Devices
    ... => Add [Right Click]
    ... => ... => Device Name: External USB Storages
    ... => ... => Device ID: USBSTOR*

    Now the answer to your question!
    To ensure that all external USB storage is disabled, be sure that the Symantec Endpoint agent is functioning correctly on that PC. Because if that agent is functioning well, this means that it blocks the port.

    But if you mean that you want to be sure that, if someone has used the port, you receive a notification, this means that you have to use another application on those systems. Therefore, if there is a probability that the Symantec client stops functioning, there will be the same probability that the third-party application stops functioning too.

    However, trust Symantec Endpoint Protection; that is the best solution!
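
An added example, not part of any post in this thread and not Symantec code: it shows which devices a Device ID pattern such as `USBSTOR*` from post 5 would select, so an inventory of device instance IDs can be checked against the rule. It assumes the pattern is a case-insensitive glob over the whole instance ID; the device IDs and the helper names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed device instance IDs in the Windows "ENUMERATOR\DEVICE\INSTANCE" form.
SAMPLE_DEVICES = [
    r"USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789AB&0",  # flash drive
    r"USBSTOR\CDROM&VEN_EXAMPLE&PROD_DVDRW&REV_2.00\ABCDEF&0",       # USB optical drive
    r"usbstor\Disk&Ven_Example&Prod_Card&Rev_1.00\0000&0",           # card reader, lower case
    r"USB\VID_1234&PID_0001\5&1A2B3C&0&1",                           # mouse
    r"USB\VID_1234&PID_0002\PRINTER0001",                            # printer
    r"HID\VID_1234&PID_0001\6&2B3C4D&0&0000",                        # HID child of the mouse
]


def matches(pattern, instance_id):
    """Assumed rule semantics: case-insensitive glob over the full instance ID."""
    return fnmatchcase(instance_id.upper(), pattern.upper())


def split_by_rule(pattern, devices):
    """Return (selected, untouched) device lists for one Device ID pattern."""
    selected = [d for d in devices if matches(pattern, d)]
    untouched = [d for d in devices if not matches(pattern, d)]
    return selected, untouched


def enumerators(devices):
    """Distinct enumerator prefixes (the part before the first backslash)."""
    return sorted({d.split("\\", 1)[0].upper() for d in devices})


if __name__ == "__main__":
    selected, untouched = split_by_rule("USBSTOR*", SAMPLE_DEVICES)
    print("Selected by USBSTOR*:")
    for dev in selected:
        print("  ", dev)
    print("Left usable, by enumerator:", ", ".join(enumerators(untouched)))
```
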