My scenario: The policy I've made blocks mass storages on device ID level (Class_08), allowing casual hardware as mouse, keyboard, etc.. and allowing some certain unique USB drives with the device instance path (including some special verbatim secured storages with hardware encryption).
The problem: My company operates globally and we do have offices in china. They have special banking USB devices for transactions. These devices identify as USB mass storage and if you go to the explorer, you will see it as CDROM (?) drive. The second feature is, that they somehow change the last numbers on their instance path (USB\VID_ABCD&PID_EFGH\123456789). Therefore I need to allow somehow the part before the numbers.
I use the "Apply layered order of evaluation for Allow And Prevent device installation policies"-rule, which then sorts the rules like this: device instance path BLOCK/ALLOW > device id BLOCK/ALLOW > class id BLOCK/ALLOW Since my "Mass Storage Block"-rule is the third step (device id BLOCK), I only have the "device instance path ALLOW"-rule to allow these weird banking USB devices. I've then came across the information, that you can use WILDCARDS according to this MS documentation. However this wildcards are just not working for me. (side note: Using the full unique instance ID worked/allowed the device)
What I tried: USB\VID_ABCD&PID_EFGH\* USB\VID_ABCD&PID_EFGH* USB\VID_ABCD*
Yes, I am aware that it's recommended to use wildcards in the second stage (Device ID), but because of the layered order I am unable to set exceptions with wildcards there. And if it's only possible to use wildcards on this stage, how do I design my policy that the original scenario works?