A machine is running guest Virtual Machines (VMs). Symantec Endpoint Protection (SEP) is installed on the host, but not on the guest/client VMs. Application and Device Control (ADC) device control policies are not triggered on the guest/client VMs when new devices are added.
Communication between a guest VM and the hardware allocated to it bypasses the host and is not detected by Application and Device Control (ADC). The virtual client does not use Windows APIs on the host to access the allocated hardware, so its communication with the assigned hardware is not visible to the host.
To prevent access to prohibited devices, safeguards will need to be put in place, such as: