Windows 10 Layered Group Policy for IT Pros

Microsoft today introduced a new feature for IT professionals, Layered Group Policy. The new feature lets you configure which devices can be installed on machines in your organization and which are prohibited.

Windows 10 users already have Layered Group Policy through the optional "C" type updates of July 2021. It will be released to everyone with the August 2021 Patch Tuesday.

The new option is located in Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.

Existing device restriction policies work with the identifiers a device reports and the system can recognize (such as class, device ID and instance ID).
The list of allowed devices, written by the system administrator, contains sets of IDs representing different devices. This is how the system knows which device is allowed and which is blocked.

By adding the new Layered Group Policy to the existing device installation policies, Microsoft makes this process much easier.

Intuitive use: With the new policy, you don't need to know the different device classes to prevent installation of USB classes only. The new policy allows you to focus your scenarios on USB classes and be sure that all other classes will be blocked unless the administrator allows it.
Flexibility: In the past, each prevention policy took precedence over any authorization policy, which created a rigid set of definitions and a rigid set of devices to allow or prevent. That put a strain on IT every time a new set of devices was introduced into the setup.

With the new policy, hierarchical layers are used in the following order:

  1. Instance ID: in the highest ranking
  2. Hardware IDs and compatible IDs (Device IDs)
  3. Class
  4. Removable device property: in the lowest ranking

The rank of each device identifier works as a priority value.

If all USB classes are restricted by Group Policy, one or more USB devices in the list of allowed devices may still be ranked higher. However, the list of allowed devices is only taken into account when a device from that list is connected to the computer.
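The ranking described above can be modelled in a few lines. This is an added example, not code from Microsoft or from the original article: it is a simplified model, the class name and hardware IDs are constructed placeholders, and the rule that a deny beats an allow inside the same layer is an assumption.

```python
from dataclasses import dataclass

# Layers in the order the article lists them, highest rank first.
LAYERS = ("instance_id", "device_ids", "class", "removable")

@dataclass(frozen=True)
class Device:
    instance_id: str
    device_ids: frozenset      # hardware IDs and compatible IDs
    setup_class: str
    removable: bool = False

    def ids_at(self, layer):
        """Identifiers this device exposes at one layer."""
        return {
            "instance_id": {self.instance_id},
            "device_ids": set(self.device_ids),
            "class": {self.setup_class},
            "removable": {"removable"} if self.removable else set(),
        }[layer]

def hit(dev, rules, layer):
    """True if the device matches a rule set (layer -> identifiers) at this layer."""
    return bool(dev.ids_at(layer) & rules.get(layer, set()))

def evaluate_flat(dev, policy):
    """Older behaviour described in the article: any prevent match beats any allow match."""
    if any(hit(dev, policy["deny"], l) for l in LAYERS):
        return "deny"
    return "allow" if any(hit(dev, policy["allow"], l) for l in LAYERS) else "unmatched"

def evaluate_layered(dev, policy):
    """Layered behaviour: the highest-ranked layer with a match decides."""
    for layer in LAYERS:
        if hit(dev, policy["deny"], layer):    # assumption: deny wins inside one layer
            return ("deny", layer)
        if hit(dev, policy["allow"], layer):
            return ("allow", layer)
    return ("unmatched", None)                 # no rule matched at any layer

# Constructed sample data: placeholder class name and made-up hardware IDs.
USB = "USB-CLASS-PLACEHOLDER"
POLICY = {"allow": {"device_ids": {"USB\\VID_0000&PID_0001"}},
          "deny": {"class": {USB}, "instance_id": {"USB\\VID_0000&PID_0001\\LOST-UNIT"}}}
APPROVED = Device("USB\\VID_0000&PID_0001\\UNIT-A", frozenset({"USB\\VID_0000&PID_0001"}), USB, True)
LOST = Device("USB\\VID_0000&PID_0001\\LOST-UNIT", frozenset({"USB\\VID_0000&PID_0001"}), USB, True)
UNKNOWN = Device("USB\\VID_0000&PID_0002\\UNIT-B", frozenset({"USB\\VID_0000&PID_0002"}), USB, True)
```

Under the flat model the approved device is blocked by the class rule, while the layered model allows it at the device-ID layer and still blocks the one unit denied by instance ID.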

Written by giorgos