Categories of devices are considered unknown devices, because policies are administered to the category types by default rather than automatically having to set policies to each unique device in your environment. So, if your device is seen as a 'Windows Portable Device', any setting, such as allow/block, that is currently assigned to 'Windows Portable Devices' will inherit those permissions.
Now, if you have some specific devices for which you would need an exception from that rule, that's when you can assign a specific device, or a group of devices, a different policy than its parent category. Using your example, I'm automatically blocking 'Windows Portable Devices' on PCs with MEPP. But I have some users who have been blocked that need to have access to their devices and have permission from the business to be considered an exception. Even though the category of the device is still 'Windows Portable Devices', I can assign that device an exception policy, allowing access to this specific device.
There are a variety of ways to add the device. You can add an exception to a peripheral that has already reported to the management server through the client on a PC. You can also add the device manually, which is useful if the device hasn't been attached to the network yet. You can also create a group of devices and can classify devices by device ID and serial numbers as well.