Configuring Removable Media Encryption Device Exclusion Policy Options
search cancel

Configuring Removable Media Encryption Device Exclusion Policy Options


Article ID: 174636


Updated On:


Endpoint Encryption


Symantec Endpoint Encryption (SEE) Removable Media Encryption (RME) provides the ability to exclude specific devices from being encrypted. Adding devices to the exclusion list means that the RME policy will not apply to this device.

Adding devices to the exclusion list is useful when users know specific devices they want unaffected by RME.

Note: For information on how to exclude specific devices for SEE RME, see KB article TECH254413.


During client creation (or policy configuration), navigate to the page titled Removable Media Encryption Installation Settings - Device and File Type Exclusions

Select the checkbox under Device Exclusions named Exclude these removable media encryption devices from encryption. Next, fill out the Vendor ID and Product ID fields. Devices with matching Vendor and Product IDs will be excluded from the RME policy of this client after finishing the client creation process.


To find the Vendor ID and Product ID of a device, perform the following steps:

  1. Plug the device into a computer
  2. On that computer, open Device Manager
  3. Find the device in Device Manager
  4. ​​​​It is likely under Disk DrivesPortable Devices, or Other devices

  5. Right click on the device and select Properties
  6. Select the Details tab
  7. Under Property, click Hardware Ids
  8. Note the numbers after VID_ (Vendor ID) and PID_ (Product ID)
    • ​​In this example, the Vendor ID is 0529 and the Product ID is 0514

  9. If the Vendor and Product information is not available under Hardware Ids, change the property to Parent
  10. Note the numbers after VID_ (Vendor ID) and PID_ (Product ID)
    • In this example, the Vendor ID is 0781 and the Product ID is 5588


Confirming Device Exclusion

You can confirm the new client (or policy) is successfully excluding devices by plugging a device with a matching Vendor and Product ID into a computer that has the client installed with the new policy.

When you plug in an excluded device, you will receive a notification that the removable media device is excluded from encryption:



When opening the SEE Management Agent using the Run as Administrator option, you can also go to the Policy tab and see A device is added for exclusion at the bottom of the page:




For more information on SEE RME Exclusions, see the online Help.

Note: For information on how to exclude specific file types for SEE RME, see KB article TECH2554413



Additional Information

Important Note on GPO Policies: If you are not seeing any of the above screens, and you are using GPOs to manage SEE RME, make sure you are going to the same Windows server to edit the GPOs where the SEE Management Server is installed.  This will then be available for you.