Introducing the ability to apply layered Group Policy

Published Aug 04 2021 07:00 AM
Microsoft

To give IT admins greater control and visibility over corporate-owned devices in their organization, we have now enabled the apply layered Group Policy feature (the Device Installation Restrictions setting "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria"). With it, you decide which devices can be installed on machines across your organization and which are prohibited.

The ability to apply layered Group Policy is available for all versions of Windows 10 as part of the July 2021 optional “C” client release, and will be made more broadly available beginning in the August 2021 Update Tuesday release. The Windows Server release will follow thereafter. This feature will also be supported in Windows 11.

[Screenshot: the Local Group Policy Editor in Windows showing where the new policy to apply a layered order is located]

Device installation policies are used to restrict the installation of any device, both internal and external, on all machines across an organization while allowing a small set of pre-authorized devices to be used/installed.

Every device carries a set of ‘device identifiers’ that the system understands: a device setup class, device IDs (hardware IDs and compatible IDs, which identify a model or a generic device type) and an instance ID (which identifies one physical unit). The allow and prevent lists written by the system admin are lists of such identifiers; a device matches a list entry when one of its identifiers equals that entry, and that is how the system decides which devices are allowed and which are blocked.
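Before an allow list can be written, the admin has to collect exactly these identifiers. The following PowerShell is an added example, not code from the post: it lists, for every present device whose PnP instance ID matches a filter, the identifiers in the order the layered policy ranks them. It assumes an elevated Windows 10 session with the built-in PnpDevice module, and the friendly name 'Corp Thumb Drive' used at the end is a constructed placeholder. The Removable flag is derived from DEVPKEY_Device_RemovalPolicy.

```powershell
# Added example (not code from the post). Lists the identifiers that device installation
# policies match against, for every present device whose instance ID matches a filter.
# Assumption: elevated PowerShell 5.1+ on Windows 10 with the built-in PnpDevice module.
function Get-DeviceInstallIdentifiers {
    param(
        # PnP instance ID filter; 'USB\*' covers USB-attached device nodes
        [string] $InstanceIdFilter = 'USB\*'
    )
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like $InstanceIdFilter } |
        ForEach-Object {
            # DEVPKEY_Device_RemovalPolicy: 1 = expect no removal, 2 = orderly removal, 3 = surprise removal
            $removal = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                            -KeyName 'DEVPKEY_Device_RemovalPolicy' -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{
                FriendlyName  = $_.FriendlyName
                InstanceId    = $_.InstanceId          # highest rank: one physical unit (often carries the serial number)
                HardwareIds   = @($_.HardwareID)       # device IDs: vendor, product, revision
                CompatibleIds = @($_.CompatibleID)     # device IDs: generic class/subclass/protocol matches
                ClassGuid     = $_.ClassGuid           # setup class GUID, e.g. {36fc9e60-c465-11cf-8056-444553540000} for USB
                Class         = $_.Class
                Removable     = ($removal -in @(2, 3)) # lowest rank: the 'removable device' property
            }
        }
}

# Show every USB device node with the identifiers an allow or prevent list would use
Get-DeviceInstallIdentifiers | Format-List

# Emit the device-ID strings to put on an allow list for one approved model
# ('Corp Thumb Drive' is a constructed friendly name; substitute the real one)
Get-DeviceInstallIdentifiers |
    Where-Object FriendlyName -eq 'Corp Thumb Drive' |
    ForEach-Object { $_.HardwareIds + $_.CompatibleIds } |
    Sort-Object -Unique
```

Prefer the most specific hardware ID (vendor, product and revision) on an allow list; a compatible ID such as a USB class/subclass match describes every device of that type, which is usually what a prevent entry wants and an allow entry does not.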

Adding the new apply layered Group Policy to the existing device installation policies improves intuitive usage and flexibility as follows:

  • Intuitive usage: With this new policy, you no longer need to account for every other device class just to prevent only the USB classes from being installed. You can focus your scripts on the USB classes and be confident that no other class is blocked unless the IT admin lists it.
  • Flexibility: In the past, every prevent policy took precedence over any allow policy. That produced a rigid set of allow/prevent definitions that had to be revised every time a new set of devices entered the market. With the new policy, we introduce hierarchical layering in the following order:
    • Instance ID: the highest ranking
    • Hardware IDs and compatible IDs (Device IDs)
    • Class
    • Removable device property: the lowest ranking

A device is decided at the highest-ranking layer on which any of its identifiers matches an allow or prevent entry; only if both an allow and a prevent entry match at the same rank does prevent win. For example, IT pros can prevent the entire USB class and allow only a small set of USB devices by hardware ID, because hardware IDs outrank the class. The allow entries affect only the devices they list, so every other USB device is still blocked by the class entry.
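The following PowerShell is an added example, not code from the post: it models the layered evaluation order just described so that a policy can be dry-run against a device's identifiers before it is deployed. Everything in it is an assumption for illustration: identifier strings are compared exactly and case-insensitively (the real matching is done by the PnP manager), the fallback for a device that matches nothing is the existing "Prevent installation of devices not described by other policy settings" setting, and the vendor/product IDs and serial numbers are constructed.

```powershell
# Added example (not code from the post): a model of the layered evaluation order.
# Assumptions: exact, case-insensitive string matching; 'Removable' is a boolean on the device.
function Test-LayeredDeviceInstallPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Device,  # InstanceId, HardwareIds, CompatibleIds, ClassGuid, Removable
        [Parameter(Mandatory)] [hashtable] $Policy   # Allow*/Deny* lists per layer, DenyRemovable, DenyUnspecified
    )
    $deviceIds = @($Device.HardwareIds) + @($Device.CompatibleIds)
    $anyOf = { param($list, $ids) @($list | Where-Object { $ids -contains $_ }).Count -gt 0 }

    # Layers from highest to lowest rank. Within a layer Deny is checked before Allow,
    # so a tie at the same rank resolves to prevent.
    $layers = @(
        @{ Name  = 'InstanceId'
           Allow = (@($Policy.AllowInstanceIds) -contains $Device.InstanceId)
           Deny  = (@($Policy.DenyInstanceIds)  -contains $Device.InstanceId) }
        @{ Name  = 'DeviceId'
           Allow = (& $anyOf $Policy.AllowDeviceIds $deviceIds)
           Deny  = (& $anyOf $Policy.DenyDeviceIds  $deviceIds) }
        @{ Name  = 'Class'
           Allow = (@($Policy.AllowClasses) -contains $Device.ClassGuid)
           Deny  = (@($Policy.DenyClasses)  -contains $Device.ClassGuid) }
        @{ Name  = 'Removable'
           Allow = $false                                   # the removable-device setting is prevent-only
           Deny  = ([bool]$Policy.DenyRemovable -and [bool]$Device.Removable) }
    )
    foreach ($layer in $layers) {
        if ($layer.Deny)  { return [pscustomobject]@{ Decision = 'Deny';  Layer = $layer.Name } }
        if ($layer.Allow) { return [pscustomobject]@{ Decision = 'Allow'; Layer = $layer.Name } }
    }
    # Nothing matched at any layer: fall back to 'Prevent installation of devices not described by other policy settings'
    if ($Policy.DenyUnspecified) { return [pscustomobject]@{ Decision = 'Deny'; Layer = 'Unspecified' } }
    return [pscustomobject]@{ Decision = 'Allow'; Layer = 'Unspecified' }
}

# Scenario from the text: prevent the whole USB class, allow one approved model by hardware ID,
# and additionally block one lost unit of that model by its instance ID. (Constructed IDs.)
$usbClass = '{36fc9e60-c465-11cf-8056-444553540000}'      # USB bus device setup class
$policy = @{
    DenyClasses     = @($usbClass)
    AllowDeviceIds  = @('USB\VID_1234&PID_5678')
    DenyInstanceIds = @('USB\VID_1234&PID_5678\SN-LOST-0042')
    DenyUnspecified = $false
}
$approvedHwIds = @('USB\VID_1234&PID_5678&REV_0100', 'USB\VID_1234&PID_5678')
$approvedCompat = @('USB\Class_08&SubClass_06&Prot_50', 'USB\Class_08')
$approved = @{ InstanceId = 'USB\VID_1234&PID_5678\SN-0001';       HardwareIds = $approvedHwIds; CompatibleIds = $approvedCompat; ClassGuid = $usbClass; Removable = $true }
$lost     = @{ InstanceId = 'USB\VID_1234&PID_5678\SN-LOST-0042';  HardwareIds = $approvedHwIds; CompatibleIds = $approvedCompat; ClassGuid = $usbClass; Removable = $true }
$other    = @{ InstanceId = 'USB\VID_ABCD&PID_0001\SN-9';          HardwareIds = @('USB\VID_ABCD&PID_0001'); CompatibleIds = @('USB\Class_08'); ClassGuid = $usbClass; Removable = $true }

foreach ($d in @($approved, $lost, $other)) {
    $r = Test-LayeredDeviceInstallPolicy -Device $d -Policy $policy
    [pscustomobject]@{ Device = $d.InstanceId; Decision = $r.Decision; DecidedAt = $r.Layer }
} | Format-Table -AutoSize
```

The approved unit is allowed at the DeviceId layer even though its class is denied, the lost unit is denied at the InstanceId layer even though its hardware ID is allowed, and the unlisted device falls through to the Class deny. Swapping the order of the Deny and Allow checks inside a layer is the one line that would reproduce the old behaviour only if it were also applied across layers; in the layered model the rank is decided first and the tie-break second.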

To learn more about device installation policies in Group Policy, and specifically about practical scenarios that utilize the new policy, please visit Manage Device Installation with Group Policy.
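To apply the deny-class/allow-hardware-ID scenario on a single machine, the settings can be written directly to the policy registry location that the Device Installation Restrictions template manages. The following PowerShell is an added example, not code from the post or the product documentation. It assumes that the key `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions`, the DWORD switches `EnableInstallationPolicyLayering`, `DenyDeviceClasses`, `DenyDeviceClassesRetroactive` and `AllowDeviceIDs`, and the numbered string values under the same-named subkeys are the ones the DeviceInstallation.admx template writes; verify those names against your copy of the ADMX before relying on them. The VID/PID is constructed.

```powershell
# Added example (not code from the post). Writes the registry values behind the Device
# Installation Restrictions policies for one machine.
# Assumptions: value/subkey names match DeviceInstallation.admx (verify); elevated session;
# a domain GPO will overwrite these local values on the next policy refresh.
function Set-LayeredDeviceInstallPolicy {
    param(
        [string[]] $DenyClassGuids,
        [string[]] $AllowDeviceIds,
        [switch]   $Retroactive     # also disable already-installed devices that match a prevent entry
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path $base -Force | Out-Null

    # The policy this post introduces: evaluate Allow/Prevent entries in layered order
    Set-ItemProperty -Path $base -Name 'EnableInstallationPolicyLayering' -Value 1 -Type DWord

    # Each list is a DWORD switch plus a subkey holding numbered string values ("1", "2", ...)
    $lists = @(
        @{ Switch = 'DenyDeviceClasses'; Entries = $DenyClassGuids; Retro = 'DenyDeviceClassesRetroactive' }
        @{ Switch = 'AllowDeviceIDs';    Entries = $AllowDeviceIds; Retro = $null }
    )
    foreach ($l in $lists) {
        if (-not $l.Entries) { continue }
        Set-ItemProperty -Path $base -Name $l.Switch -Value 1 -Type DWord
        if ($l.Retro) {
            Set-ItemProperty -Path $base -Name $l.Retro -Value ([int]$Retroactive.IsPresent) -Type DWord
        }
        $sub = Join-Path $base $l.Switch
        Remove-Item -Path $sub -Recurse -ErrorAction SilentlyContinue   # start from a clean list
        New-Item -Path $sub -Force | Out-Null
        $n = 1
        foreach ($entry in $l.Entries) {
            Set-ItemProperty -Path $sub -Name "$n" -Value $entry -Type String
            $n++
        }
    }
}

# Prevent the USB bus class, allow one approved model (constructed VID/PID), then show the result
Set-LayeredDeviceInstallPolicy -DenyClassGuids '{36fc9e60-c465-11cf-8056-444553540000}' `
                               -AllowDeviceIds 'USB\VID_1234&PID_5678'
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'
```

The example deliberately leaves `-Retroactive` off: the USB bus class also covers already-installed hubs and composite devices, so applying the class deny retroactively can disable a USB keyboard or mouse on the machine you are sitting at. Test on a VM or a machine you can reach another way, and check `Get-PnpDevice -Status Error` afterwards to see which nodes the policy blocked.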

 

6 Comments
New Contributor

where do we find these settings in Intune?

Valued Contributor

This simplifies the process a bit, but the main challenge remains: we still have to manually enter IDs for devices.

Microsoft

@Sander de Wit It will likely be in Settings Catalog once it becomes broadly available. 

New Contributor

@RichGallo thank you. Any idea when this will be available? As Microsoft is motivating clients to move to an MDM management solution, feature parity is a must to convince my clients.

Microsoft

@Sander de Wit I totally get it. I don't know when it will be added to the catalog but it likely isn't long. The feature was just made broadly available last week so it may take some time to show up there.

New Contributor

Nice! :hearteyes:

Last update: Aug 04 2021 08:10 AM