When a policy whitelists or restricts certain devices using the regex value stored in "endpoint devices", the policy doesn't seem to work.
Release: 15.8
Certain kinds of USB devices have multiple entries identified by the operating system. The "DeviceID.exe" tool, if not run with appropriate permissions, will often report only one of these device IDs for each device. Sometimes it will report the incorrect one of the two device IDs in the PowerShell or CMD output.
The output might reflect:
Dev ID: SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP#1234567890987654&0#{123A456789-B1CD-23E4-4E32-DC1B-987654321}
Regex: SWD\WPDBUSENUM\\_\?\?_USBSTOR#DISK&VEN_&PROD_USB_DISK_3\.0&REV_PMAP#1234567890987654&0#\{123A456789\-B1CD\-23E4\-4E32\-DC1B\-987654321\}
When in reality the USB device in question should appear as follows (highlighting added for emphasis on the discrepancies):
Dev ID: USBSTOR\DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP\1234567890987654&0
Regex: USBSTOR\\DISK&VEN_&PROD_USB_DISK_3\.0&REV_PMAP\\1234567890987654&0
As an alternative to the Broadcom-provided DeviceID.exe tool, you can pull the correct device ID with the command below, run in PowerShell. You will need to convert it to regex for use in policies.
get-pnpdevice -class wpd,diskdrive -status ok | Format-Table -Wrap -Autosize
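One way to script the conversion described above, as an added example (not Broadcom's code): it keeps only the USBSTOR\ instance ID and escapes it with .NET's [regex]::Escape. The function name ConvertTo-DeviceIdRegex is hypothetical, the sample IDs are the two shown on this page, and it is an assumption that the policy's regex engine accepts .NET-style escaping.

```powershell
# Added example; ConvertTo-DeviceIdRegex is a hypothetical helper name.
function ConvertTo-DeviceIdRegex {
    [CmdletBinding()]
    param(
        # Binds to plain strings and to the InstanceId property of Get-PnpDevice output.
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [string]$InstanceId
    )
    process {
        # The SWD\WPDBUSENUM entry is a second entry for the same stick; this page
        # identifies the USBSTOR\ entry as the one the policy needs.
        if ($InstanceId -notlike 'USBSTOR\*') {
            Write-Verbose "Skipping non-USBSTOR entry: $InstanceId"
            return
        }
        [pscustomobject]@{
            DeviceId = $InstanceId
            # Escapes regex metacharacters such as \ and . so they match literally.
            Regex    = [regex]::Escape($InstanceId)
        }
    }
}

# Sample input: the two IDs shown on this page for one USB device.
$sample = @(
    'SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP#1234567890987654&0#{123A456789-B1CD-23E4-4E32-DC1B-987654321}'
    'USBSTOR\DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP\1234567890987654&0'
)
$result = @($sample | ConvertTo-DeviceIdRegex)

# Sanity check (anchors added only for this check): the pattern must match its own
# device ID and reject a constructed near miss that an unescaped '.' would accept.
$nearMiss = 'USBSTOR\DISK&VEN_&PROD_USB_DISK_3X0&REV_PMAP\1234567890987654&0'
foreach ($r in $result) {
    $anchored = '^' + $r.Regex + '$'
    if ($r.DeviceId -notmatch $anchored) { throw "Pattern does not match $($r.DeviceId)" }
    if ($nearMiss -match $anchored)      { throw "Pattern is too loose: $($r.Regex)" }
}
$result | Format-List

# On a live endpoint, from an elevated prompt, feed real devices instead:
# Get-PnpDevice -Class WPD,DiskDrive -Status OK | ConvertTo-DeviceIdRegex | Format-List
```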