Blocking USB storage via Intune: Class_GUID exceptions not working

Posted by WimVaughdan@reddit | sysadmin | 7 comments

We have to roll out a policy that blocks USB storage devices. Mice, keyboards and docking stations still have to work. To set it up, I used the following guide:
https://learn.microsoft.com/en-us/intune/device-configuration/settings-catalog/restrict-usb

(It might be worth mentioning that we have a Hybrid environment)

It seems quite straightforward. The policy blocks everything, but you can whitelist certain types of devices by adding class GUIDs to an exception list. On the devices to which the policy is applied, however, it seems to block all USB connections, including mice, keyboards etc.

For example: I plugged in a Dell MS116 optical mouse. In devmgmt.msc, I can see it categorized under "Other devices" with a yellow triangle. I navigate to "Properties > Details" and want to check the "Class GUID" property, but this property is simply not showing. There is no Class GUID assigned to the device at all.

I take the same mouse and plug it into another device (to which the policy isn't applied). Here the mouse DOES work and gets registered as a HID-compliant mouse. In "Properties > Details", there is a Class GUID showing (which matches the one filled in as an exception in Intune: {4d36e96f-e325-11ce-bfc1-08002be10318}).

It seems to me like a catch-22 situation. The policy blocks the USB device before it can properly get the value it needs to not be blocked in the first place. Does anyone know how to stop this from happening?
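An added diagnostic for this kind of problem (example code, not part of the original post and not from the Microsoft guide). The setup class GUID that Device Manager shows comes from the INF of the driver that was installed for the device, not from the device itself, so a device whose driver installation was refused has no Class GUID to display; what the restriction policy can evaluate at that point are the device's hardware IDs and compatible IDs (for a mouse typically of the form USB\VID_xxxx&PID_xxxx and USB\Class_03...). The script below lists those identifiers for every present USB/HID device next to the allow/deny lists applied on the machine, and reports which lists each device matches. Assumptions: the policy (from GPO or the Intune DeviceInstallation CSP) is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions with one value per list entry in the AllowDeviceClasses/DenyDeviceClasses/AllowDeviceIDs/DenyDeviceIDs sub-keys; the function names are mine. It does not reimplement the precedence Windows applies between the lists, it only shows the raw matches.

```powershell
# Added diagnostic (not from the original post or the Microsoft guide).
# Assumption: the device-installation restriction policy is stored here,
# whether it came from GPO or from the Intune DeviceInstallation CSP.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList {
    # Each list sub-key holds one string value per entry, named "1", "2", ...
    param([string]$SubKey)
    $path = Join-Path $Restrictions $SubKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [string]$_.Value }
}

function Get-AppliedRestrictions {
    # Flags plus the four lists, as actually present on this machine.
    $lists = @{}
    foreach ($name in 'AllowDeviceClasses', 'DenyDeviceClasses', 'AllowDeviceIDs', 'DenyDeviceIDs') {
        $lists[$name] = @(Get-PolicyList $name)
    }
    $flags = if (Test-Path $Restrictions) { Get-ItemProperty -Path $Restrictions } else { $null }
    [pscustomobject]@{
        DenyUnspecified      = [bool]$flags.DenyUnspecified
        DenyRemovableDevices = [bool]$flags.DenyRemovableDevices
        Lists                = $lists
    }
}

function Get-UsbDeviceView {
    # One row per present device on the USB or HID bus, with the identifiers the
    # policy matches on. ClassGuid stays empty until a driver has been installed,
    # because the setup class comes from the driver's INF, not from the device.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'HID\*' } |
        ForEach-Object {
            $id = $_.InstanceId
            $hw = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue).Data
            $ci = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_CompatibleIds' -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                InstanceId    = $id
                Name          = $_.FriendlyName
                Status        = $_.Status
                Problem       = $_.Problem
                ClassGuid     = $_.ClassGuid
                HardwareIds   = @($hw)
                CompatibleIds = @($ci)
            }
        }
}

function Test-DeviceAgainstPolicy {
    # Reports which applied lists a device matches. Comparison is a plain,
    # case-insensitive string match (PowerShell -contains); the final verdict
    # depends on the precedence Windows applies, which is not reproduced here.
    param([Parameter(Mandatory)]$Device, [Parameter(Mandatory)]$Policy)
    $ids = (@($Device.HardwareIds) + @($Device.CompatibleIds)) | Where-Object { $_ }
    $hit = [ordered]@{}
    foreach ($name in 'DenyDeviceIDs', 'AllowDeviceIDs') {
        $hit[$name] = @($ids | Where-Object { $Policy.Lists[$name] -contains $_ })
    }
    foreach ($name in 'DenyDeviceClasses', 'AllowDeviceClasses') {
        $hit[$name] = if ($Device.ClassGuid -and ($Policy.Lists[$name] -contains $Device.ClassGuid)) { @($Device.ClassGuid) } else { @() }
    }
    [pscustomobject]@{
        InstanceId          = $Device.InstanceId
        Name                = $Device.Name
        Problem             = $Device.Problem
        ClassGuid           = $Device.ClassGuid
        NoClassAssignedYet  = -not $Device.ClassGuid   # a class-GUID exception cannot match such a device
        MatchedDenyIDs      = $hit.DenyDeviceIDs
        MatchedAllowIDs     = $hit.AllowDeviceIDs
        MatchedDenyClasses  = $hit.DenyDeviceClasses
        MatchedAllowClasses = $hit.AllowDeviceClasses
    }
}

# Usage: run in an elevated PowerShell on a managed device with the mouse plugged in.
$policy = Get-AppliedRestrictions
$policy | Format-List
Get-UsbDeviceView | ForEach-Object { Test-DeviceAgainstPolicy -Device $_ -Policy $policy } | Format-List
```

Reading the output: a device that shows NoClassAssignedYet true, an empty MatchedAllowIDs list and DenyUnspecified true is being refused by the default rule before any driver (and therefore any class GUID) is attached to it; the HardwareIds and CompatibleIds columns are the identifiers an exception would have to name for that device to get past that rule.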