Configuring DeviceID for DLP Endpoint Agent removable device monitoring
search cancel

Configuring DeviceID for DLP Endpoint Agent removable device monitoring


Article ID: 160084


Updated On:


Data Loss Prevention Endpoint Prevent Data Loss Prevention


Can one use wildcards in the REGEX string, so you can define a CLASS of devices instead of entering different IDs for every individual device?


All supported versions


In most cases, a wildcard configuration is required in order to monitor a class of Endpoint Devices (thumbdrives, external storage devices, etc).


Below is a DeviceID.exe result for a USB 3.0 device, showing both the ID as read, and the REGEX for that ID as suggested by the tool (To get the Device ID, run the DeviceID.exe tool from command prompt) :

Regex:  USBSTOR\\DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_2\.18\\0000060435096770&0

And here is a REGEX string that shows wildcard for above device with the serial number removed from the REGEX - note that the wildcard format after the last pair of slashes is ".*"


Note that in testing, the single backslash before the period seems to make no difference in the detection - the tool will "see" the DeviceID either way, with or without the single backslash (either "2.18" or "2\.18" to use the above example).

In testing, changes to the DeviceID configuration were updated on the Endpoint Server immediately, and did not require recycling of services to take effect.



Additional Information

For more information on configuring DeviceIDs, including details on how to verify whether the REGEX will match as configured, see this Help Center topic: Using the Windows Device ID utility (