An Application and Device Control (ADC) policy is created to block all USB devices. The results are inconsistent. Some USB devices are not blocked.
In some rare instances, inconsistencies in the operating system's Device Manager can result in incorrectly reported device states. The APIs that ADC uses to interact with the operating system are affected, and a policy cannot be correctly applied. This should happen very infrequently. A more common cause of Device Control issues is misconfiguration. Please see the Connect article How to block or allow devices in Symantec Endpoint Protection for an illustration of how to apply policies.
NOTE: Some devices plugged in through USB, such as Keyboards, cannot be disabled, as the operating system will not let the system's keyboard be disabled. Use the DevViewer tool (on SEP CD2 in the Tools\NoSupport\DevViewer folder) and view the "[can be disabled]:" value for devices to determine if they can be disabled or not.
For example, the Keyboards\HID Keyboard Device has the value of "[can be disabled]: false." It cannot be disabled even if it is plugged in through USB.