To give IT admins greater control and visibility with corporate-owned devices in their organization, we have now enabled the apply layered Group Policy feature. This new feature gives you the ability to decide which devices can be installed on machines across your organization and which are prohibited.
The ability to apply layered Group Policy is available for all versions of Windows 10 as part of the July 2021 optional “C” client release, and will be made more broadly available beginning in the August 2021 Update Tuesday release. The Windows Server release will follow thereafter. This feature will also be supported in Windows 11.
Device installation policies are used to restrict the installation of any device, both internal and external, to all machines across an organization while allowing a small set of pre-authorized devices to be used/installed.
Every device has a set of ‘device identifiers’ that are understood by the system (class, device ID and instance ID). The allow list, which is written by the system admin, contains sets of identifiers that represent different devices – this way a system understands which device is allowed and which is blocked.
Adding the new apply layered Group Policy to the existing device installation policies improves intuitive usage and flexibility as follows:
Intuitive usage: With this new policy, you don’t need to know different device classes to prevent USB classes only from being installed. The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin.
Flexibility: In the past, every prevent policy took precedence over any allow policy, which created a set of definitions and a rigid set of allow/prevent devices, causing update strains every time a new set of devices entered the market. With the new policy, we introduce hierarchical layering in the following order:
Instance ID: the highest ranking
Hardware IDs and compatible IDs (Device IDs)
Removable device property: the lowest ranking
The ranking of the device identifier is assessed and, if the ranking is the same, prevent priority is given over allow priority. For example, IT pros may prevent all USB classes and allow only a small set of USB devices through hardware IDs since they have a higher rank; however, the allow list takes precedence over the prevent list only when the listed devices on the allow list are connected to the machine.