Good Morning,
We are using Device Control policies to block USB devices such as mass storage devices, and we have exclusions set up for keyboards, mice and other things that show up as a USB device and are necessary for staff to get their job done. Staff members know that there is a policy against USB devices such as mass storage devices, so we also have notifications set up to email us whenever a USB device is plugged in to a computer, so that we can contact that person to see what it is they are trying to accomplish.
The problem we are running into is that I can't seem to find a way to make it where just notifications for mass storage devices come through; instead we are getting notifications for anything that is trying to be blocked, even things that are in the exclusion list. Below are a couple of examples.
Device control disabled device | Default My Company\Desktop and Laptop Machines | XXXXXX | XXXXXX | Windows 7 Professional Edition | Device Manager Message Disabled the device. [name]:USB Optical Mouse [class]:Other devices [guid]:4d36e97e-e325-11ce-bfc1-08002be10318 [deviceID]:USB\VID_0461&PID_4E22\6&2B2F421&0&1 |
Device control disabled device | Default My Company\Desktop and Laptop Machines | XXXXXX | XXXXXX | Windows 7 Professional Edition | Device Manager Message Disabled the device. [name]:Dell USB Entry Keyboard [class]:Other devices [guid]:4d36e97e-e325-11ce-bfc1-08002be10318 [deviceID]:USB\VID_413C&PID_2107\6&2B2F421&0&2 |
In the above examples you can see that the Event Type "Device control disabled device" was logged and an email was sent out with this information. In reality, though, these devices were in the exclusion list and were never actually blocked.
Why do you think it was logged as such with the notification having been sent to me?
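
One way to triage these emails outside the console, as an added example that is not part of the original post: parse the notification format quoted above and flag only devices whose VID/PID is not in a local copy of the exclusion list. The `EXCLUDED` set, the function names and the third sample line are assumptions made for illustration.

```python
import re

# Constructed samples in the format quoted in the post. The first two are the
# post's own lines; the third is an invented non-excluded device.
PREFIX = (r"Device control disabled device | Default My Company\Desktop and Laptop "
          r"Machines | XXXXXX | XXXXXX | Windows 7 Professional Edition | "
          r"Device Manager Message Disabled the device. ")
SAMPLE = [
    PREFIX + r"[name]:USB Optical Mouse [class]:Other devices "
             r"[guid]:4d36e97e-e325-11ce-bfc1-08002be10318 "
             r"[deviceID]:USB\VID_0461&PID_4E22\6&2B2F421&0&1 |",
    PREFIX + r"[name]:Dell USB Entry Keyboard [class]:Other devices "
             r"[guid]:4d36e97e-e325-11ce-bfc1-08002be10318 "
             r"[deviceID]:USB\VID_413C&PID_2107\6&2B2F421&0&2 |",
    PREFIX + r"[name]:Constructed Flash Drive [class]:Other devices "
             r"[guid]:4d36e97e-e325-11ce-bfc1-08002be10318 "
             r"[deviceID]:USB\VID_FFFF&PID_0001\CONSTRUCTED0001 |",
]

KEYS = r"\[(?:name|class|guid|deviceID)\]:"
# Capture "[key]:value" pairs; a value ends at the next key or at the trailing "|".
FIELD_RE = re.compile(r"\[(name|class|guid|deviceID)\]:(.*?)(?=\s*" + KEYS + r"|\s*\|?\s*$)")
VIDPID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

# Assumption: a hand-maintained copy of the console's exclusion list as (VID, PID).
EXCLUDED = {("0461", "4E22"), ("413C", "2107")}

def parse_notification(line):
    """Return the event type, bracketed fields and (VID, PID) of one notification."""
    fields = dict(FIELD_RE.findall(line))
    fields["event"] = line.split("|", 1)[0].strip()
    m = VIDPID_RE.search(fields.get("deviceID", ""))
    fields["vidpid"] = (m.group(1).upper(), m.group(2).upper()) if m else None
    return fields

def needs_followup(line, excluded=EXCLUDED):
    """True when a 'disabled device' event refers to a device not on the exclusion list."""
    n = parse_notification(line)
    if n["event"] != "Device control disabled device":
        return False
    # A device ID that cannot be parsed is escalated rather than silently dropped.
    return n["vidpid"] is None or n["vidpid"] not in excluded

if __name__ == "__main__":
    for line in SAMPLE:
        n = parse_notification(line)
        print("FOLLOW UP" if needs_followup(line) else "ignore   ", n.get("name"), n["vidpid"])
```

VID and PID are reported by the device itself, so this filter only reduces mail noise and is not an enforcement control.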