How to apply layered Group Policy in Microsoft Windows {RESOLVED}

Microsoft have now enabled the apply layered Group Policy feature. This new feature gives you the ability to decide which devices can be installed on machines across your organization and which are prohibited.

The ability to apply layered Group Policy is available for all versions of Windows 10 as part of the July 2021 optional “C” client release, and will be made more broadly available beginning in the August 2021 Update Tuesday release. The Windows Server release will follow thereafter. This feature will also be supported in Windows 11.

Device installation policies are used to restrict the installation of any device, both internal and external, to all machines across an organization while allowing a small set of pre-authorized devices to be used/installed.

Every device has a set of ‘device identifiers’ that are understood by the system (class, device ID and instance ID). The allow list, which is written by the system admin, contains sets of identifiers that represent different devices – this way a system understands which device is allowed and which is blocked.

Adding the new apply layered Group Policy to the existing device installation policies improves intuitive usage and flexibility as follows:

  • Intuitive usage: With this new policy, you don’t need to know different device classes to prevent USB classes only from being installed. The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin.
  • Flexibility: In the past, every prevent policy took precedence over any allow policy, which created a set of definitions and a rigid set of allow/prevent devices, causing update strains every time a new set of devices entered the market. With the new policy, we introduce hierarchical layering in the following order:
    • Instance ID: the highest ranking
    • Hardware IDs and compatible IDs (Device IDs)
    • Class
    • Removable device property: the lowest ranking

The ranking of the device identifier is assessed and, if the ranking is the same, prevent priority is given over allow priority. For example, IT pros may prevent all USB classes and allow only a small set of USB devices through hardware IDs since they have a higher rank; however, the allow list takes precedence over the prevent list only when the listed devices on the allow list are connected to the machine.

To learn more about device installation policies in Group Policy, and specifically about practical scenarios that utilize the new policy, please visit Manage Device Installation with Group Policy.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: