We have had the USB Defender rule on our LEM for the duration of time I have been with my organization. It's connected to the UDLP policy and they opted to use a notepad document to catalog the Windows ID numbers that are to NOT to be blocked by the policy. So the rule is:
EventInfo: *Mass Storage Device*
AND
ExtraInfo: Allowed Group (associated with the notepad document imported)
I wanted to have SmartCard readers, the ones a select group of end users have built into their laptops (all the same brand) to not be checked against this list as i do not want them ever to be blocked. So i added:
AND
EventInfo is NOT: *Smart Card Reader Details*
Has anyone done something similar and did it work?
Presently it does not seem to be working. I am not in a position to test on a domain laptop at this second so i am looking for possibilities until I get my hands on one.
Oddly enough i disabled the policy and the same user's reader is still being blocked by policy. And from what i gather it's not possible to attribute the policy that is being used and this is the only one i can see that would action on detaching.