Microsoft today introduced a new feature for IT professionals: Layered Group Policy for device installation restrictions. The new feature lets you configure which devices may be installed on the machines in your organization and which are blocked.
Windows 10 users already receive the layered Group Policy with the optional July 2021 "C" update; it ships for everyone with the August 2021 Patch Tuesday.
The new policy setting is located under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
The existing device installation restriction policies work on the identifiers the operating system recognizes for each device (device setup class, device ID and device instance ID).
The allow list and the prevent list, written by the system administrator, contain sets of these IDs representing different devices. That is how the system decides which device is allowed and which is blocked.
By adding the new layered Group Policy on top of the existing device installation policies, Microsoft makes this process considerably easier.
Intuitive use: With the new policy, you no longer need to know every device class in order to prevent devices from being installed; you only need to know the classes you want to permit, for example the USB classes. The new policy lets you focus on allowing the USB classes and be certain that every other class is blocked unless the administrator explicitly allows it.
Flexibility: In the past, any Prevent policy took precedence over any Allow policy. That forced a rigid, fully enumerated set of devices to allow or block, and the policy had to be updated every time a new set of devices had to be accommodated.
With the new policy, the layers are evaluated in the following order, from most specific to least specific:
- Device instance ID: highest ranking
- Device IDs (hardware IDs and compatible IDs)
- Device setup class
- Removable device property: lowest ranking
The ranking of each identifier type acts as a priority value: a match in a higher layer overrides any match in a lower one.
So if all USB classes are blocked by Group Policy, one or more USB devices placed on the allow list by hardware ID or instance ID outrank the class-level block and can still be installed. The allow list only takes effect when one of the listed devices is actually connected to the computer; every other device in the blocked class stays blocked.
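To make the layered ranking concrete, here is an added PowerShell example; it is not code from the article or from Microsoft, and it does not configure Group Policy. The first function collects, from devices currently present, the identifiers that Device Installation Restrictions match on (the values you would paste into an allow or prevent list). The second function simulates the evaluation order described above against a policy expressed as a hashtable. The hashtable layout, the helper names, the sample VID/PID and instance IDs, and the use of DEVPKEY_Device_RemovalPolicy as an approximation of the "removable device" property are all assumptions made for illustration; the real decision is made by the Plug and Play manager, and this script only mirrors the order the article describes.

```powershell
# Added example, not part of the article or of Microsoft's implementation.
# Assumptions (constructed for illustration): the $Policy hashtable layout,
# the sample device IDs, and DEVPKEY_Device_RemovalPolicy as a stand-in for
# the "removable device" property.

# 1. Collect the identifiers that Device Installation Restrictions match on,
#    for every device currently present. Handy for building allow lists.
function Get-DeviceRestrictionIds {
    param([string]$NameFilter = '*')
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.FriendlyName -like $NameFilter } |
        ForEach-Object {
            $removal = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_RemovalPolicy' -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                FriendlyName  = $_.FriendlyName
                InstanceId    = $_.InstanceId       # layer 1: device instance ID
                HardwareIds   = @($_.HardwareID)    # layer 2: device IDs
                CompatibleIds = @($_.CompatibleID)  # layer 2: device IDs
                ClassGuid     = $_.ClassGuid        # layer 3: device setup class
                # layer 4 (assumption): removal policy 1 = CM_REMOVAL_POLICY_EXPECT_NO_REMOVAL
                IsRemovable   = ($null -ne $removal -and $removal -ne 1)
            }
        }
}

# 2. Evaluate one device against the lists using the layered order:
#    instance ID > device ID (hardware/compatible) > setup class > removable > default.
#    Within a single layer this simulation lets Prevent win over Allow (assumption).
function Test-LayeredDevicePolicy {
    param(
        [Parameter(Mandatory)] $Device,               # shaped like Get-DeviceRestrictionIds output
        [Parameter(Mandatory)] [hashtable]$Policy
    )
    $deviceIds = @($Device.HardwareIds) + @($Device.CompatibleIds)
    $layers = @(
        @{ Name = 'InstanceId'
           Prevent = ($Policy.PreventInstanceIds -contains $Device.InstanceId)
           Allow   = ($Policy.AllowInstanceIds   -contains $Device.InstanceId) },
        @{ Name = 'DeviceId'
           Prevent = [bool]($deviceIds | Where-Object { $Policy.PreventDeviceIds -contains $_ })
           Allow   = [bool]($deviceIds | Where-Object { $Policy.AllowDeviceIds   -contains $_ }) },
        @{ Name = 'Class'
           Prevent = ($Policy.PreventClasses -contains $Device.ClassGuid)
           Allow   = ($Policy.AllowClasses   -contains $Device.ClassGuid) },
        @{ Name = 'Removable'
           Prevent = [bool]($Policy.PreventRemovable -and $Device.IsRemovable)
           Allow   = $false }
    )
    foreach ($layer in $layers) {
        if ($layer.Prevent) { return "Blocked (matched $($layer.Name) prevent list)" }
        if ($layer.Allow)   { return "Allowed (matched $($layer.Name) allow list)" }
    }
    if ($Policy.PreventUnspecified) { return 'Blocked (not described by any policy)' }
    return 'Allowed (default)'
}

# 3. Constructed sample policy: block the whole USB setup class, allow one approved
#    model by hardware ID, and block one specific lost unit by instance ID.
$SamplePolicy = @{
    PreventInstanceIds = @('USB\VID_1234&PID_5678\LOSTUNIT01')
    AllowDeviceIds     = @('USB\VID_1234&PID_5678')
    PreventClasses     = @('{36fc9e60-c465-11cf-8056-444553540000}')   # USB setup class GUID
    PreventUnspecified = $true
}

# Constructed sample devices (no real hardware involved).
function New-SampleDevice([string]$Name, [string]$InstanceId, [string[]]$HardwareIds) {
    [pscustomobject]@{
        FriendlyName = $Name; InstanceId = $InstanceId; HardwareIds = $HardwareIds
        CompatibleIds = @('USB\Class_08&SubClass_06&Prot_50')
        ClassGuid = '{36fc9e60-c465-11cf-8056-444553540000}'; IsRemovable = $true
    }
}
$SampleDevices = @(
    (New-SampleDevice 'Approved stick' 'USB\VID_1234&PID_5678\UNIT00042'  @('USB\VID_1234&PID_5678&REV_0100', 'USB\VID_1234&PID_5678')),
    (New-SampleDevice 'Lost stick'     'USB\VID_1234&PID_5678\LOSTUNIT01' @('USB\VID_1234&PID_5678&REV_0100', 'USB\VID_1234&PID_5678')),
    (New-SampleDevice 'Random stick'   'USB\VID_9999&PID_0001\ABCDEF'     @('USB\VID_9999&PID_0001'))
)

foreach ($d in $SampleDevices) {
    '{0,-15} -> {1}' -f $d.FriendlyName, (Test-LayeredDevicePolicy -Device $d -Policy $SamplePolicy)
}
```

Walking the three constructed devices through the function shows the ranking at work: the approved model is allowed at the device ID layer even though its setup class is on the prevent list, the lost unit is blocked at the instance ID layer before its hardware ID allow entry is ever consulted, and the unknown stick falls through to the class-level block. On a real machine, run `Get-DeviceRestrictionIds -NameFilter '*USB*'` while the device you want to approve is connected to read the exact hardware ID and instance ID strings to put in the policy.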