You must create exclusions for each individual device. If there are, for example, 15 different Administrator USB keys, you will need to create 15 different exclusions, one for each device. The only other alternative to this is to not block all USB devices.
Gather the Device ID of device(s) to exclude using the DevViewer tool:
Double click DevViewer.exe tool located on CD2 in the /Tools/NoSupport/DevViewer folder.
Plug in the device you want to gather the Device ID from.
Run the DevViewer.exe tool and browse to find the device. USB keys are, for example, located under Universal Serial Bus controllers/USB Mass Storage Device
Select the device, and on the right you will see information about the device.
Copy down the entire Device ID. The Device ID should look similar to this:
USB\VID_054C&PID_0243\1206092800314
Exit the DevViewer Tool.
Create the exclusion:
Open the Symantec Endpoint Protection Manager (SEPM) console.
Click Policies.
Click Policy Components.
Click Hardware Devices.
Click Add a Hardware Device...
Enter a name for the exclusion.
Click Device ID.
Enter the Device ID exactly as seen in the DevViewer tool.
Click OK.
Assign the exclusion:
Click Policies.
Click Application and Device Control.
Double click the policy you wish to edit.
Click Device Control.
In Devices Excluded From Blocking, click Add.
Click the exclusion you created earlier, then click OK.
Click OK.
**NOTE**
While not required, it is advisable to set up a message using Notify users when devices are blocked. This will let users know when Application and Device control blocks access to a device, rather than simply blocking it and not letting the user know.