We are attempting to configure our McAfee DLP to block all users from accessing the CD/DVD drives, with a few exceptions. We have created AD groups for this and applied it with the Plug and Play device type configuration. It succeeds in blocking as intended. This causes the driver in Windows to go into an error state. I cannot get the users of the allow group to re-engage the CD/DVD drives.
We are using the "no action" option for CD/DVD with the Plug and Play device type config as well for the "allow group". According to the documentation this should "allow the action". But it isn't bringing the device online for these users. I feel like "no action" means no action, as in, whatever state it's in is where it stays. Which doesn't help us.
We've attempted to change our order of operations: allow all users by default, and block only users in certain AD groups. The problem always exists that once Windows has the driver in that "error state", it cannot be recovered.
We created a read-only group, hoping to get the drive to change states in any way possible. This does work. It takes the error state away and puts the drive into read only. But write functionality is still disabled, as intended. But when an account in the allow group (aka "no action") logs in, the device state doesn't change. It stays read only, or blocked if you logged in last with a block account.
I'm looking for a way to get ePO/DLP to re-engage the drive for a full allow. But from the documentation I don't see this as an option. Perhaps I'm not reading it right. Am I just trying to accomplish something DLP is incapable of doing? Can you not enable or authorize a group of users to burn through DLP?
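The post above hinges on what Windows itself reports for the drive after each policy is applied. The following PowerShell is an added diagnostic written for this page; it is not from the original poster and not part of McAfee's tooling. It assumes an elevated session on an affected workstation running Windows 8 / Server 2012 or later (where the built-in PnpDevice module exists), and it uses only the standard Get-PnpDevice / Disable-PnpDevice / Enable-PnpDevice cmdlets. The function and variable names are my own.

```powershell
# Added example, not from the original post or from McAfee.
# Assumes: elevated PowerShell on a client with the DLP endpoint installed,
# Windows 8 / Server 2012 or later (PnpDevice module is built in).

function Get-OpticalDriveState {
    # 'CDROM' is the Windows device setup class for CD/DVD drives.
    # Status is OK / Error / Degraded / Unknown. Problem is the Configuration
    # Manager problem code name: CM_PROB_NONE when healthy, CM_PROB_DISABLED
    # when the device was administratively disabled, CM_PROB_FAILED_START when
    # the driver could not start.
    Get-PnpDevice -Class CDROM -PresentOnly -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, InstanceId, Status, Problem
}

function Reset-OpticalDrive {
    # Disable/enable cycle for any CD/DVD drive that is not healthy.
    # This only clears a stuck Plug and Play state on the local machine; it
    # does nothing to the DLP policy. If the policy still blocks the device,
    # the expectation (an assumption, not verified against the product) is
    # that the block will simply be reapplied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($dev in Get-PnpDevice -Class CDROM -PresentOnly -ErrorAction SilentlyContinue) {
        if ($dev.Status -eq 'OK') {
            Write-Verbose ("{0}: healthy, skipping" -f $dev.FriendlyName)
            continue
        }
        if (-not $PSCmdlet.ShouldProcess($dev.FriendlyName, 'disable/enable cycle')) {
            continue
        }
        # A device that is merely disabled only needs enabling; anything else
        # gets a full disable/enable cycle to force a driver restart.
        if ("$($dev.Problem)" -ne 'CM_PROB_DISABLED') {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Stop
        }
        Enable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Stop
    }
}

# Take a snapshot, then log in (or have the McAfee Agent enforce the new
# policy) with an account from the other group, and take a second snapshot.
$before = Get-OpticalDriveState
$before | Format-Table -AutoSize
# ... switch user / enforce policy ...
$after = Get-OpticalDriveState
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property InstanceId, Status, Problem
```

Comparing the Status and Problem columns across logons with a block-group account, a read-only-group account and an allow-group account shows directly whether the "no action" policy ever changes the device state, instead of inferring it from whether a burn works. Run Reset-OpticalDrive only on a test machine: if it brings the drive back but the next policy enforcement knocks it out again, the stuck state and the policy are two separate problems.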