Endpoint Protection

 View Only

How to block or allow device's in Symantec Endpoint Protection 

Sep 30, 2011 09:40 PM

There are two ways that devices can be identified in Symantec Endpoint Protection (SEP) 11 and 12: 1. by Class ID, 2. by Device ID.  There are advantages and disadvantages of using either method and there is a different functionality for each method.  This article will be discussing these two IDs and how to use then in SEP.

Class ID

A Class ID is a generic category of devices that are designated by the Windows operating system.  A Class ID is always listed as a Guid.  Here are some examples of Class IDs.

  • Disk Drives - {4d36e967-e325-11ce-bfc1-08002be10318}
  • Storage Volumes - {71a27cdd-812a-11d0-bec7-08002be2092f}
  • USB devices - {36FC9E60-C465-11CF-8056-444553540000}
  • DVD/CD-ROM - {4D36E965-E325-11CE-BFC1-08002BE10318}
  • IDE - {4d36e96a-e325-11ce-bfc1-08002be10318}
  • PCMCIA - {4d36e977-e325-11ce-bfc1-08002be10318}

In SEP, wildcards are not supported on Class IDs.

For a list of Class IDs you can click here.

Device ID

A Device ID (also known as a Device Instance ID in Windows) is a specific ID that is given to each device.  A Device ID can be much more useful for blocking or allowing devices because it is made by concatenating a list of data about the particular device.  Device IDs are generally in a more readable format.

Here are two common formats for Device IDs:

<class>\<type>&<vendor>&<model>&<revision>\<serial number>

<class>\<type><vendor><model><revision>\<serial number>

Here are some examples of Device IDs for a few devices:

  • SanDisk Micro Cruzer - USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2033\0002071406&0
  • Apple iPod - USBSTOR\DiskApple___iPod____________1.62\4&3656B0&0
  • Hitachi IDE Hard Drive - IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0

For Device IDs we support wildcards.  Both * and ? are supported.

  • Asterisk [*] - means zero or more of any character
  • Question mark [?] - means a single character of any value

Here are some examples of using wildcards:

Any USB Storage device


Any USB Disk


Any USB SanDisk drive


Any USB SanDisk Micro Cruzer drive


A specific SanDisk device


Generally I recommend using Device ID's over Class IDs for most use cases.

Hardware Devices

Both the Class IDs and the Device IDs can be added to the SEP manager under the Policy Components --> Hardware Devices section.

Hardware Devices

Device Viewer

On the SEP CD or DVD under the Tools\NoSupport folder you will find the Device Viewer (DevViewer).  The Device Viewer can be used to get either the Class ID or the Device ID of a particular device.  It also has the ability to let you copy the IDs to the clipboard so that you can paste into the SEP manager (using Ctrl+V).

Copy from DevViewer

The Device Viewer also gives you the ability to view devices by type or by connection.

By type:

DevViewer by type

By connection:

DevViewer by connection

Device Control

SEP has the ability to block devices using either Application Control or Device Control.  Device Control gives the ability to completely disable a device.  When a device has been disabled this way you can see it as disabled even in the Windows Device manager.  Device Control can be useful if you do not want your users to use the device at all.  With Device Control you can use both Class IDs and Device IDs.

Device Control

Device Control also allows you to block devices at any node in the tree.  If you block a device at one node then all devices below that node (all children) will be blocked also.  Conversely if you exclude a device then all the devices above that node will also be excluded.

In the example below, if you want to block the SanDisk Cruzer you can block it by blocking the USB Mass Storage Device:

Device Control example

Note: on Windows 2000, XP and 2003 if you disable a USB device with SEP's Device Control then the operating system will power down the device.  Devices such as Androids, iPods, cameras and other types of portable devices will not be able to get charged.  On newer operating systems such as Windows Vista, Windows 7 and 2008 the operating system will allow the devices to receive power even if they are disabled.

Application Control

If you want to do more granular blocking of devices you can do that by using the Application Control feature.  Application Control is a very powerful engine that allows you to block read, write or execute on a device.  If you want to you can even go to the level of controlling what individual applications can do.  For example you could create a policy using Application Control to block any program that is running off a USB drive from changing the registry or modifying files on the host computer.

With Application Control you can only use Device IDs.  Class IDs will not work.  Device IDs are allowed in the following places:

Program Definition

  • Application Rule process
  • Launch process
  • Terminate process

File Definition

  • File Access
  • Load DLL

Program Definition

You can only block a device with Application Control that is at the end of a node in the tree, unless the end node is "Generic volume" or "Storage volume".  In these two cases you will block the device that is one up from the last node (the parent of the last node).

In the example below you cannot block the SanDisk Cruzer Micro at either the "USB Mass Storage Device" node or at the "Generic volume" node:

DevViewer example

Most Device ID's that are supported by Application Control will have one of these types:




  • Example: FDC\GENERIC_FLOPPY_DRIVE\4&371082C9&0&0


  • Example: IDE\DISKHTS541060G9SA00_________________________MB3IC60H\4&14AA9DA8&0&0.0.0


  • Example: SCSI\DISK&VEN_WDC_WD50&PROD_00KS-00MNB0&REV_700.\4&1291CDED&0&000

Note: Application Control can only block devices that are seen by Windows as disk drives and have drive letters associated with them.  Devices that do not add drive letters (such as an iPhone or iPad) will need to be blocked using Device Control.

0 Favorited
7 Files
png file
DeviceControl.png   163 KB   1 version
Uploaded - Feb 25, 2020
png file
DeviceControl-example.png   146 KB   1 version
Uploaded - Feb 25, 2020
png file
DevViewer.png   105 KB   1 version
Uploaded - Feb 25, 2020
png file
DevViewer-connection.png   150 KB   1 version
Uploaded - Feb 25, 2020
png file
DevViewer-type.png   112 KB   1 version
Uploaded - Feb 25, 2020
png file
HardwareDevices.png   174 KB   1 version
Uploaded - Feb 25, 2020
png file
ProgramDefinition.png   67 KB   1 version
Uploaded - Feb 25, 2020

Tags and Keywords


Apr 25, 2017 05:19 AM

How to block USB port  From Software ...........?

Dec 15, 2016 11:35 PM

How to block USB port ?So,that no mobile device will not get connected and allow only keyboard,mouse and printer.

Dec 15, 2016 03:53 PM

Just an FYI, USBSTOR* doesn't work You have to use USBSTOR/*


This is in the default application and device control policy when you install ver 14, and needs to be modified.



Aug 31, 2016 05:18 AM

Dear Support, Today , I saw a case very stranger . I have USB Removeable drive :

  1. ​I have pluged to computer Name : A and got Device ID : USB_1
  2. I have pluged to computer Name : B and got Device ID : USB_2

Why exirst 02 Device ID on same USB device ?

Please give to me your advised



Jul 25, 2016 09:25 PM

Thank you for the thorough explanation, this KB will definitely come in handy. 

May 19, 2016 07:42 AM

hello i have a problem with my SEP 12.1 Antivirus

i have made the policy for blocking usb devices and i have put printing device exludet from blocking,but in users pc the printer is blocked like the usb drivers even that is exluded from the blocking list...

why is this happened??

could someone help me....


Jul 17, 2015 01:06 PM

Are you uploading Control logs to the SEPM? Have you verified this?

Jul 17, 2015 12:45 PM

Hi Sir,

I want to know why portable Device  Log  not Coming in SEPM.

Jul 17, 2015 09:36 AM

Certainly. As long as you have standard users and management team groups split out then you can apply separate policies for each one.

Jul 17, 2015 07:52 AM

Dear Everyone

If we folllowed the setup to block all USB storage device, will this apply to all computers? 

Is there an option/instruction which we can set for users/groups? what I mean is that we have standard users and management team and we want to block all form of USB storage device for standard users but allow USB storage devices for managment.



Jul 17, 2015 05:44 AM

Dear Sir,

Portable Device log not coming in Device Control .any Other way Please Suggest .

Jul 15, 2015 07:55 AM

Follow this article:

Block or allow devices in Endpoint Protection

Logs can be found at Monitors >> Application and Device Control >> Device Control

Jul 15, 2015 12:22 AM

Hi Sir,

How i can take the Portable device log in SEPM,and how to block the portable divice in oneshot .



Apr 24, 2015 12:52 AM


Iam a network administrator.we are using symmantec end point protection manager using in my company.

can u tell me How to enable pendrive option in the SEPM console system(Main system).

Jan 25, 2015 11:23 AM

You should use an application control rule to do this. There is a default one to block writing to USB devices already created in the SEPM.

Jan 23, 2014 11:22 AM

Good afternoon,

I need to block download and upload to usb storage device(pen drive).

Only, I could to block the upload but the download is unblocked yet.


Oct 15, 2012 08:28 PM

Hello phamduyus,

Can you verify that ADC is running and installed on the Windows 7 client?  From a command prompt run "sc query sysplant" and check if the STATE is set to RUNNING.  If the STATE is not set to RUNNING then it means that either ADC is not installed or not running.


Oct 13, 2012 04:38 AM

I am using SEP 11.x I have been config ADC as above but not effected with windows 7 Pro 32 bit, windwow XP is OK

Please help me


Aug 28, 2012 04:57 AM

Excellent article - many thanks!

These KB's may also be of assistance to followers of this thread.

How to obtain a device ID when creating an Application and Device Policy

DevViewer - a tool for finding hardware device ID for Device Blocking in Symantec Endpoint Protection

Symantec Endpoint Protection Manager - Application and Device Control (ADC) - Policies explained

Symantec Endpoint Protection Device Control: excluding devices from blocking show inconsistent results

Smart phones and Application and Device Control in Symantec Endpoint Protection


Jul 25, 2012 11:36 AM

SEP 11 can only report and email on blocked devices.  You would have to block all USB devices in order to get an email when users plug-in a USB device.

SEP 12.1 can report and email on blocked and excluded devices.  So you can report on any USB device without blocking it.

Jul 24, 2012 09:29 PM

Thanks Elisha..

So , SEP 11.x can not get e-mail when user plug-in USB in their computer ?


Jul 24, 2012 02:55 PM

In order to get an email from any USB device you need to be running SEP 12.1.  You can create a Device Control policy in SEP 12.1 to block all USB devices and then add an exclusion in for all USB devices.  Since the exclusion is added no USB devices will actually be blocked.

Then you go to Monitors --> Notifications and add in a new Notification Condition called "Client Security Alert".  In this notification you will check the "Device Control" option to get alerted of Device Control events.

Jul 23, 2012 11:16 PM

i do not think there is notification, you can view only the information on SEPM

Jul 23, 2012 10:29 PM

Thanks pete_4u2002 for your share

I did follow the instruction that you provied. I don't see any e-mail send to me when user plug-in USB into their computer but I can log in Monitor.

Also, I have been setup mail server OK ( My shedule report send to me is OK )



Jul 22, 2012 11:44 PM

Hi Everybody

I am an IT administrator. I using SEP 11.x 11.0.7200.1147 I have a question :

How to send report to me by e-mail automatic when anyone plug-in USB to their computer ? Tell me known that : which computer name ? which user name ? what time ?...


Nov 28, 2011 08:09 AM

Update the Human Interface Device Id in Exceptional

Nov 28, 2011 07:04 AM

I have a requirement for a new customerI am setting up on a server to block all usb devices but allow certain ones through.

I did the following

used device view util to copy device ID of USB stick want to allow and added to to allowed devices.

then clicked usb and added it to blocked devices

applied the policy to default group.and immedialty mouse stopped.

My server is in the top 'computer' group so should not affect it??

now usb mouse on the server does not work but what puzzles me is the keyboard , also usb does work.

been trying to run SEPMC without the mouse is not working.

OS server 2008 64bit R2 Xeon 3Ghz 8Gb ram 1Tb raid 5 bitblocker active w/o TPM

domain enviroment

Nov 25, 2011 05:24 AM

Good KB.

Nov 14, 2011 04:05 AM

good work Elisha =) I know how hard it can be to create tutorials for every user...

Oct 20, 2011 04:20 AM

Thanks Elisha for shring this information.

Related Entries and Links

No Related Resource entered.