We had a major major major issue a few weeks back.
I put in the exclusion for USB printers - allow all printers and the class. I even excluded using wild cards, etc.
I then blocked USB devices and also excluded HID, cameras, and so on.
What happened was every USB printer in the agency suddenly went offline and stayed! Didn't matter what I excluded, and I even took the "block USB" out of the policy; the printers simply stopped working all at once in every office, every location.
I was sweating bullets.
I had to create a group that was wide open, excluded everything, blocked nothing, drag the computers into that group, refresh/update content, wait a few minutes, then move them back into their original group. That solved all but a couple, and I had to keep moving them back and forth until they started working.
It's like the policy was REALLY messed up and no matter what I excluded, no one in 40+ offices, over 300 people, no one could print to a USB printer anywhere.
Let's just say the visit with the boss was tense.
In this case, it blocked USB printing even though it was specifically in the exclusions, AND I excluded *USB\Print* or something like that, so no matter what, if it had the string "print" or "printer" in it, it should have been EXCLUDED from blocking. Like once it got "block USB" in its head it would not let go.
Things have settled now, but I'm totally paranoid about blocking USB generically and add one device at a time to blocking as I discover they are being used. Not secure or sound management, but SEP left me little choice, IMO.