I don't have my work laptop on me right now, but essentially, we want to block all USB storage. Then we allow certain user groups access to certain USB storage types, like encrypted USB sticks, cameras, Android tablets, Garmins, and Trimble devices.
So if you have a block-all-USB-storage rule (removable media, CD-ROMs, WPD, etc.), then when you create an Allow rule, you set an Include ID using a Reusable setting (say, Approved USB storage, which has the SID of the AAD user group or AD group), and then there is no reason to use the Exclude ID.
Then add another rule for the next reusable setting and SID (say, for Android tablets), etc.
I struggled with what the Exclude ID would be useful for. But we all have different scenarios, I guess.
Hope this helps a bit more. I spent about 9 months with this, and watched MS slowly fine-tune it, and slowly built our model. I'm just happy it's in the wild and working as expected. It was a real brain f*ck to work out, especially when MS parts were not behaving as the doco said they would.