We are about to roll out Device control making USB Removable Media Read Only. The devices are blocked and exceptions are working properly so far. I have asked my colleagues to send me the Device Instance IDs for any CD/DVD burners that need to be excluded and have noticed that some of the Device Instance IDs are identical.
Is using the Device Instance ID the proper way to exclude these devices or will this cause security issues with other computers having the same model of burner installed?
I have tried finding the device serial numbers in Device manager but they are not listed. Also in Windows 7 the ID is listed as Device Instance Location. Is using the Device Instance Location the same as Device Instance ID?
I don't believe a device ID is unique like MAC addresses.
For what reason have you decided to use the device ID instead of using the built-in device classes in DLP?
The easiest way to exclude a subset of burners is probably to create a security group of users and add them as an exclusion to the blocking policy.
I would prefer not to exclude users from the rule but rather the individual burners; computers that may have come with the same type of device should not be used to write data in our environment. Is there a practical way of differentiating the individual devices?
You might want to try using just a blanket monitor rule for the devices to have DLP collect the device parameters for you. Once collected, you can then right-click on the event and export the device parameters. When you create your device definition, if the criteria exist for the device (such as serial number), you can import from the exported CSV file automatically.
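As an added illustration of the point raised in this thread (this script is not from the original posts nor from the DLP product), the following PowerShell enumerates the optical and disk devices on a machine and flags which Device Instance IDs were generated by Windows rather than supplied by the device. The assumption it relies on is the Windows PnP convention that a device-reported serial number appears as the final backslash-separated segment of the instance ID, whereas an ID the bus driver had to generate puts ampersand-joined bus and port numbers there (for example `5&2a1b3c4d&0&1`); such generated IDs repeat across machines with the same model and slot, which is why identical IDs turn up from different colleagues. The `Test-GeneratedInstanceId` helper, the class list and the output file name are choices made for this example.

```powershell
# Added example: list CD/DVD and disk devices, show their Device Instance IDs,
# and mark IDs that Windows generated (not unique across machines).
# Requires the PnpDevice module (Windows 8 / Server 2012 R2 or later).

function Test-GeneratedInstanceId {
    param([Parameter(Mandatory)][string]$InstanceId)
    # Assumption: an ampersand in the final segment means the bus driver made the ID up
    # (no device serial available), so it is not a reliable per-device identifier.
    $last = ($InstanceId -split '\\')[-1]
    return [bool]($last -match '&')
}

# PnP classes of interest for the burner question (assumption: burners are CDROM, USB sticks are DiskDrive)
$classes = @('CDROM', 'DiskDrive')

$report = foreach ($dev in Get-PnpDevice -PresentOnly -Class $classes -ErrorAction SilentlyContinue) {
    # Pull the serial number WMI exposes for the same PnP path, when the firmware reports one
    $wmiSerial = $null
    if ($dev.Class -eq 'CDROM') {
        $wmiSerial = (Get-CimInstance Win32_CDROMDrive | Where-Object PNPDeviceID -eq $dev.InstanceId).SerialNumber
    } elseif ($dev.Class -eq 'DiskDrive') {
        $wmiSerial = (Get-CimInstance Win32_DiskDrive | Where-Object PNPDeviceID -eq $dev.InstanceId).SerialNumber
    }

    [pscustomobject]@{
        FriendlyName = $dev.FriendlyName
        Class        = $dev.Class
        InstanceId   = $dev.InstanceId
        GeneratedId  = Test-GeneratedInstanceId -InstanceId $dev.InstanceId
        WmiSerial    = $wmiSerial
    }
}

$report | Format-Table -AutoSize
# Hypothetical output file name; useful for comparing what colleagues send back
$report | Export-Csv -Path .\device-ids.csv -NoTypeInformation
```

A row with `GeneratedId` set to `True` and an empty `WmiSerial` is a device that cannot be told apart from another unit of the same model by its instance ID alone, so an exclusion keyed on that ID would also admit every identical drive in the fleet; only rows carrying a device-supplied serial are candidates for a per-device exclusion.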