Endpoint Protection

We have added an application and device control policy that is blocking all USB with some devices excluded.  Some devices have been excluded by class id and others by device id. 

We are having issues with some USB thumb drives not working with the device id being excluded, but others do.  Are there specific brands that just don't work? 

Another issue we are having is not being able to exclude bluetooth headphones.  When the device is plugged into DevViewer, 3 devices are showing up with 3 seperate device IDs and 1 class ID.  All 3 device IDs have been excluded and the class ID have been excluded.  When the device is plugged in only one of the 3 device names show up and the USB block warning still comes up.  Any ideas?

Regarding the USB drive, this can happen sometimes if the USB device has never been used on the machine before.  In these instances, Windows must install the device before it can find out its device ID, but cannot do so because SEP is blocking *all* USB devices.  If you temporarily disable A&DC so that the device can install, then re-enable it again, SEP should then behave as expected.

Regarding your headphones, what is getting blocked?  Why are you plugging in a bluetooth device?  Are you perhaps encountering the above USB Device scenario whereby Windows cannot install the device to identify it for SEP to then allow it?

Finally, on a much higher level viewpoint, what is your use-case for blocking devices?  The reason I ask is that many customers seem to have an easier time of managing the Application Control element instead, if the use-case is to block writing of files and reading/executing of .exe files (all possible using just the default rules).