Η Microsoft παρουσίασε σήμερα μια νέα δυνατότητα για επαγγελματίες IT, την πολυεπίπεδη πολιτική ομάδας (Layered Group Policy). Η νέα δυνατότητα επιτρέπει τη ρύθμιση των συσκευών που μπορούν να εγκατασταθούν σε μηχανήματα στον οργανισμό σας και ποιες απαγορεύονται.
Windows 10 users already have the multilevel group policy with optional "C" updates July of 2021. They will be released for everyone with the Patch Tuesday August 2021.
The new option is located in Computer Configuration> Administrative Templates> System> Device Installation> Device Installation Restrictions.
Existing device restriction policies work with the IDs of each device that the operating system can recognize (such as class, device ID, and instance ID).
The permission list, which is written by the system administrator, contains the sets of identifiers that represent different Appliances. So in this way a system understands which device is allowed and which is blocked.
By adding the new layered Group Policy to existing policies installationdevices, Microsoft makes this process much easier.
Intuitive use: With the new policy, you don't need to know the different device classes to prevent installation of USB classes only. The new policy allows you to focus on scripts actions of USB classes and be sure that all other classes will be blocked unless the administrator allows it.
Flexibility: In the past, every prevention policy took precedence over any licensing policy, which created a set of definitions and a rigid set of devices to allow or prevent devices. This caused update strains every time a new set of devices entered the settings.
With the new policy, hierarchical layers are used in the following order:
- Instance ID: in the highest ranking
- Hardware IDs and compatible IDs (Device IDs)
Class - Removable device property: in the lowest ranking
The classification of the ID of each device works as a priority value.
If all USB classes are restricted by Group Policy, one or more USB devices in the permissions list may be ranked higher. However, the list of allowed devices can only be counted when a device from the list of allowed devices is connected to the computer.
