To give IT admins greater control and visibility with corporate-owned devices in their organization, we have now enabled the apply layered Group Policy feature. This new feature gives you the ability to decide which devices can be installed on machines across your organization and which are prohibited.
The ability to apply layered Group Policy is available for all versions of Windows 10 as part of the July 2021 optional “C” client release, and will be made more broadly available beginning in the August 2021 Update Tuesday release. The Windows Server release will follow thereafter. This feature will also be supported in Windows 11.
Device installation policies are used to restrict the installation of any device, both internal and external, to all machines across an organization while allowing a small set of pre-authorized devices to be used/installed.
Every device has a set of ‘device identifiers’ that are understood by the system (class, device ID and instance ID). The allow list, which is written by the system admin, contains sets of identifiers that represent different devices – this way a system understands which device is allowed and which is blocked.
Adding the new apply layered Group Policy to the existing device installation policies improves intuitive usage and flexibility as follows:
The ranking of the device identifier is assessed and, if the ranking is the same, prevent priority is given over allow priority. For example, IT pros may prevent all USB classes and allow only a small set of USB devices through hardware IDs since they have a higher rank; however, the allow list takes precedence over the prevent list only when the listed devices on the allow list are connected to the machine.
To learn more about device installation policies in Group Policy, and specifically about practical scenarios that utilize the new policy, please visit Manage Device Installation with Group Policy.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.