Configuring Symantec Endpoint Encryption Removable Media Encryption Device Exclusion Policy Options


Article ID: 174636




Endpoint Encryption


Symantec Endpoint Encryption (SEE) Removable Media Encryption (RME) can exclude specific devices from encryption. When an excluded device is plugged in, no encryption takes place on it.

Adding devices to the exclusion list means that the RME policy will not apply to this device.

Adding devices to the exclusion list is useful when users know specific devices they want unaffected by RME.

Note: For information on how to exclude specific file types for SEE RME, see the following article:

174637 - Configuring Symantec Endpoint Encryption Removable Media Encryption File Type Exclusion Policy Options


During the SEE Client creation (or policy configuration), navigate to the page titled Removable Media Encryption Installation Settings - Device and File Type Exclusions.

Select the checkbox under Device Exclusions named Exclude these removable media encryption devices from encryption. Next, fill out the details to exclude the devices.


Symantec Endpoint Encryption version 12 and above has a streamlined exclusion interface.

To find the exclusions, navigate to the Policies section in the SEE Management Server Web Console, click the policy you wish to modify, then click "Device and File Type Exclusions" in the menu:

Next, you can add the device information required:

From there, you can supply the information. The rest of this article explains how to obtain it.

Recommended Method 1: Specific Serial Number Exclusions
For the strictest set of exclusions, use the "Serial Number" of the removable devices. A serial number is specific to only one device and is considered unique.
No two devices can have the same serial number.

There are several ways to find the serial number needed to exclude a device. For example, once you plug in the device, you can view it in Device Manager.

For this example, running the following "gwmi" command in PowerShell displays the device description and device ID, which includes the serial number:

gwmi Win32_USBControllerDevice |%{[wmi]($_.Dependent)} | Where-Object {($_.Description -like '*mass*')} | Sort Description,DeviceID | ft Description,DeviceID -auto


The serial for this test is "4C530000080118207342" and applies to only this USB device.  No other USB Device can have this serial number.

Alternatively, open Device Manager, right-click the device in question, and click Properties. On the Details tab, select the "Parent" property.
This also displays the serial number for the USB device:

Issuing the following command can also help validate you are seeing the proper serial number:

wmic diskdrive get Model, Name, InterfaceType, SerialNumber

Adding this serial number to the SEE Exclusion list should be sufficient.


Supplying the Vendor ID or Product ID

Alternatively, fill in the Vendor ID and Product ID fields. Devices with matching Vendor and Product IDs will be excluded from the RME policy of this client after finishing the client creation process.



To find the Vendor ID and Product ID of a device, perform the following steps:

  1. Plug the device into a computer
  2. On that computer, open Device Manager
  3. Find the device in Device Manager
  4. It is likely under Disk Drives, Portable Devices, or Other devices
  5. Right-click the device and select Properties
  6. Select the Details tab
  7. Under Property, click Hardware Ids
  8. Note the numbers after VID_ (Vendor ID) and PID_ (Product ID)
    • In this example, the Vendor ID is 0529 and the Product ID is 0514
  9. If the Vendor and Product information is not available under Hardware Ids, change the property to Parent
  10. Note the numbers after VID_ (Vendor ID) and PID_ (Product ID)
    • In this example, the Vendor ID is 0781 and the Product ID is 5588
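
The serial number lookup and the VID/PID steps above both read the same device instance ID string, so the following added example (not part of the original article or of SEE) splits that string into the three values the exclusion list asks for. The function name ConvertFrom-UsbInstanceId, the ExcludeBy column, and the sample strings are assumptions made for illustration.

```powershell
# Added example, not from the original article. The function name is hypothetical.
function ConvertFrom-UsbInstanceId {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$InstanceId
    )
    process {
        # Shape: USB\VID_<4 hex>&PID_<4 hex>[&extra]\<instance segment>
        $pattern = '^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&[^\\]+)?\\([^\\]+)$'
        if ($InstanceId -match $pattern) {
            $vendorId  = $Matches[1].ToUpper()   # not named $pid: $PID is a read-only automatic variable
            $productId = $Matches[2].ToUpper()
            $instance  = $Matches[3]
            # When a device reports no serial number, Windows generates the
            # instance segment itself; such IDs have '&' as their second character.
            $generated = $instance -like '?&*'
            [pscustomobject]@{
                VendorId     = $vendorId
                ProductId    = $productId
                SerialNumber = if ($generated) { $null } else { $instance }
                ExcludeBy    = if ($generated) { 'VendorId+ProductId' } else { 'SerialNumber' }
            }
        }
        else {
            Write-Warning "Not a USB\VID_xxxx&PID_xxxx instance ID: $InstanceId"
        }
    }
}

# Constructed sample input; the IDs and serial reuse the values quoted in this article.
$samples = @(
    'USB\VID_0781&PID_5588\4C530000080118207342'   # device that reports a serial number
    'USB\VID_0529&PID_0514\6&2A1B3C4D&0&3'         # constructed: no serial, generated ID
    'USBSTOR\DISK&VEN_EXAMPLE&PROD_DRIVE\0001&0'   # constructed: not in VID/PID form
)
$samples | ConvertFrom-UsbInstanceId | Format-Table -AutoSize

# On a live system, feed it the DeviceID values returned by the gwmi command above:
# gwmi Win32_USBControllerDevice | % { [wmi]($_.Dependent) } |
#     Where-Object { $_.Description -like '*mass*' } |
#     ForEach-Object { $_.DeviceID | ConvertFrom-UsbInstanceId }
```

A row with an empty SerialNumber means the device has no serial of its own, so only a Vendor ID and Product ID exclusion can match it, and that exclusion covers every device with the same IDs.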


Confirming Device Exclusion

You can confirm the new client (or policy) is successfully excluding devices by plugging a device with a matching Vendor and Product ID into a computer that has the client installed with the new policy.

When you plug in an excluded device, you will receive a notification that the removable media device is excluded from encryption:





When you open the SEE Management Agent using the Run as Administrator option, you can also go to the Policy tab and see "A device is added for exclusion" at the bottom of the page:





Additional Information

174637 - Configuring Symantec Endpoint Encryption Removable Media Encryption File Type Exclusion Policy Options


Important Note on GPO Policies: If you are not seeing any of the above screens and you are using GPOs to manage SEE RME, make sure you edit the GPOs on the same Windows server where the SEE Management Server is installed. The screens will then be available to you.