Exempt a device from a single policy

If you use role-based administration:

  • You must have the Policy setting - device control right to edit a device control policy.
  • You cannot edit a policy if it is applied outside your active sub-estate.

For more information, see Managing roles and sub-estates.

You can exempt a specific device from a device control policy.

You can exempt a device instance (“this device only”) or a specific device model (“all devices with this model ID”). Do not set multiple exemptions for the same device at both the model ID and device instance levels. If both are defined, the device instance level will take precedence.

To exempt a device from a policy:

  1. Check which device control policy is used by the group(s) of computers you want to configure.
  2. In the Policies pane, double-click Device control. Then double-click the policy you want to change.
  3. In the Device control policy dialog box, on the Configuration tab, click Add exemption.
    The Device Control - Event Viewer dialog box appears.
  4. If you want to display only certain events, in the Search criteria pane, set the filters as appropriate and click Search to display the events.

    For more information, see About device control events.

  5. Select the entry for the device that you want to exempt from the policy, and then click Exempt Device.

    The Exempt device dialog box appears. Under Device details, you see the type, model, model ID and device ID of the device. Under Exemption details, Scope, you see the words “This policy only.”

    Note: If there is no event for the device you want to exempt, for example, an integral CD or DVD drive on an endpoint computer, go to the computer containing the device and enable the device in the Device Manager. (To access Device Manager, right-click My Computer, click Manage, and then click Device Manager.) This will generate a new “block” event that will appear in the Device Control - Event Viewer dialog box. You can then exempt the device as described earlier in this step.
  6. Select whether you want to exempt this device only or all devices with this model ID.
  7. Select whether you want to allow full access or read-only access to the device.
  8. In the Comment field, enter a comment, if you wish. For example, you can specify who requested the exemption.
  9. Click OK.