Device ID field is blank and you cannot exempt an individual device in a central device control policy

  • Article ID: 110566
  • Rating:
  • 6 customers rated this article 4.0 out of 6
  • Updated: 30 Jun 2015


When attempting to exempt a device (e.g., a USB flash pen device) using its 'Device ID', the unique identifier is not shown in the Enterprise Console 'Device Control - Event Viewer'.


As a result of this you are unable to exempt this particular device from a device control policy in the console.  Example:

Expected policy option: Actual policy option:

First seen in
Sophos Endpoint Security and Control 9.5


A device ID is only returned to the Enterprise Console Event Viewer (by Sophos Endpoint Security and Control running on the client computer) when the device has a unique ID across all computers.  In order to prevent unexpected behavior, a device ID is not sent to the console if it cannot be blocked across all computers.  This is by design.


  • Some devices do not present themselves to the operating system as a unique device and some do.  This is down to the manufacturer of the device.
  • A device ID may be present on the endpoint computer but this will not be a unique ID for all computers - it will only be unique to the current computer.  Blocking the device on this ID will not result in a block on another computer.

What To Do

You need to check if the device is seen by the operating system as a unique device or not.

Check if a device has a unique ID

  1. Open the 'Device Manager' (Start | Run | Type: devmgmt.msc | Press return).
  2. Locate the device in the tree list.  Example of a USB pen drive listed under 'Disk drives':

  3. Right-click on it and select Properties.
  4. Click on the 'Details' tab.
  5. In the 'Property' list choose the Property 'Capabilities'.
  6. In the 'Value' list check if the CM_DEVCAP_UNIQUEID text is shown.

    Example of a device that is manufactured with a unique ID:

Is the device seen as unique or not?

If the CM_DEVCAP_UNIQUEID value is present for a device then that device is seen as a unique device by the operating system and you should expect a device ID to be present in the device control event viewer, under the 'Device ID' column.  You will also be able to select the option 'Exempt: This device only' from your central device control policy.

If the device does not have the CM_DEVCAP_UNIQUEID value then the device ID is purposely withheld from the event viewer as the code returned will not allow you to block the device across all endpoint computers.  As a result you are only able to select the option 'All devices of this model' from the central policy.

Why is the device not seen as unique?

If you are unsure as to why this ability has not been included in the device please contact the manufacturer.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent