The Device Control (DC) policy is configured with the Device ID of the Quectel Mobile Broadband adaptor set to BLOCK.
DeviceID : {7DCB3244-C836-4A0C-A1E9-BD68D385AA2B}\{96FEAF0E-D43D-41DE-9B11-CCD992D18E1A}\0&00X0XX0X&0&02
If the GUID is used to BLOCK: the device is successfully BLOCKED; however, this BLOCKS all devices with the same GUID.
If the following command is run:
pnputil.exe /disable-device "{7DCB3244-C836-4A0C-A1E9-BD68D385AA2B}\{96FEAF0E-D43D-41DE-9B11-CCD992D18E1A}\0&00X0XX0X&0&02"
The device is successfully disabled.
And one can re-enable it with:
pnputil.exe /enable-device "{7DCB3244-C836-4A0C-A1E9-BD68D385AA2B}\{96FEAF0E-D43D-41DE-9B11-CCD992D18E1A}\0&00X0XX0X&0&02"
Endpoint protection (SEP) DC was designed to remove the '{}' characters from the beginning and end of the GUID, but it mistakenly also removed the '{}' characters from the device ID, causing a match failure.
'{}' characters in the middle of the device ID are fine.
There are no length limitations to characters of device ID in device control policy.
This issue is planned to be fixed in a future release of SEP.
Workaround: Configure the DC rule to block and add the device ID as:
"*7DCB3244-C836-4A0C-A1E9-BD68D385AA2B}\{96FEAF0E-D43D-41DE-9B11-CCD992D18E1A}\0&00X0XX0X&0&02"
The leading "{" is replaced with "*".
Save and apply the DC rule.
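The following added example (not Symantec code) is a simplified model of the behaviour described above, showing why the exact device ID fails to match and why the "*" form matches. The function names, the assumption that "*" matches any run of characters, case-insensitive comparison, and the SIBLING_ID value are illustrative and not taken from the product.

```python
import re

# Device ID exactly as shown on this page (already masked in the original).
DEVICE_ID = r"{7DCB3244-C836-4A0C-A1E9-BD68D385AA2B}\{96FEAF0E-D43D-41DE-9B11-CCD992D18E1A}\0&00X0XX0X&0&02"
# Constructed sample: another device sharing the GUID prefix with a different instance suffix.
SIBLING_ID = r"{7DCB3244-C836-4A0C-A1E9-BD68D385AA2B}\{96FEAF0E-D43D-41DE-9B11-CCD992D18E1A}\0&00Y0YY0Y&0&03"


def normalize_rule_value(value):
    """Model of the described stripping: drop a leading '{' and a trailing '}'.

    This is correct for a bare GUID, but it damages a device ID that
    happens to start with '{'.
    """
    if value.startswith("{"):
        value = value[1:]
    if value.endswith("}"):
        value = value[:-1]
    return value


def wildcard_to_regex(pattern):
    """Translate a rule value into a regex; only '*' is treated as a wildcard (assumption)."""
    parts = [".*" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def rule_matches(rule_value, actual_device_id):
    """Return True if the normalized rule value matches the whole device ID."""
    pattern = normalize_rule_value(rule_value)
    return wildcard_to_regex(pattern).fullmatch(actual_device_id) is not None


def workaround_pattern(device_id):
    """Apply the page's workaround: swap a leading '{' for '*'."""
    return "*" + device_id[1:] if device_id.startswith("{") else device_id


if __name__ == "__main__":
    print("exact ID rule matches device:   ", rule_matches(DEVICE_ID, DEVICE_ID))
    fixed = workaround_pattern(DEVICE_ID)
    print("workaround rule value:          ", fixed)
    print("workaround matches device:      ", rule_matches(fixed, DEVICE_ID))
    print("workaround matches sibling:     ", rule_matches(fixed, SIBLING_ID))
```

In this model the workaround still targets only the one device ID, unlike a GUID rule, because everything after the leading "*" must match literally.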