When the USB storage is blocked by SEP device control, the USB storage disk won’t be shown in “Computer”, but if user have a VMware installed on this host, and a Windows OS is installed in the VMware, the OS operator could be able to access the USB disk by mount the USB drive to the OS in VMware as below:

If the OS in VMware don’t have SEP installed, the OS operator will be able to read and write files to USB storage drive

This is because the VM is using a VMware USB Arbitration Service to access the host’s USB resource, and this action is out of SEP "device control policy" control

There’s a workaround on this issue, to stop VMware OS operator access USB storage, you can add an application control policy to block the VMware USB Arbitration Service from running, and this will stop VMware to mount USB storage from host to VMware

Please follow below step for operation

1. Add a new rule in the Application and Device control policy
2. Block Read Attempt for VMware USB Arbitration Service
   • C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe for 32bit SEP client OS
   • C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator64.exe for 64bit SEP client OS

NOTE: The path may not exactly same as above, you may ask VMware technical support team for the path detail of the exe files.

1. Restart the VMware host