Microsoft launches new layered group policy feature

Layered feature makes it easier to selectively block USB devices in Windows

Microsoft has introduced a Windows 10 and 11 feature that allows administrators to select which devices connect to endpoints. The layered Group Policy feature will make it easier for organizations to block specific types of USB devices using combined whitelisting and blacklisting. 

This feature governs any device, whether internal or external, including USB drives. Administrators can define lists that specify whitelisted and blacklisted devices by their device identifiers. Windows systems categorize devices by class, device ID, and instance ID. 

In the past, Microsoft used a simple combination of an allow policy and a prevent policy, with the latter taking precedence over the former. This rigid approach made it harder to update permissions when new devices entered the market, Microsoft said. 

The new layering feature uses a hierarchical list of these identifiers that it examines in order, with identifiers higher in the hierarchy taking precedence. This makes it easier to ban all devices of a particular class while making specific exceptions for devices in that class with certain hardware IDs. 

The hierarchical layers allow admins to be as exclusive as they wish when defining which devices can connect to Windows endpoints. For example, they could lock out all USB devices other than those provided by their company. They could also block all USB devices from being installed while allowing all other devices to connect to a Windows endpoint. 
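
The difference between the old prevent-always-wins rule and the layered evaluation can be modelled in a few lines of Python. This is an added illustration, not Microsoft's code and not part of the original article. It assumes the layers run from instance ID (most specific) through hardware ID to setup class, that a prevent rule wins over an allow rule inside the same layer, and that an unmatched device is allowed; all identifiers are constructed placeholders.

```python
# Simplified model of device-install policy evaluation (constructed example).
from dataclasses import dataclass, field

# Match criteria from most to least specific (assumed precedence order).
LAYERS = ("instance_id", "hardware_id", "setup_class")

@dataclass
class Policy:
    allow: dict = field(default_factory=dict)    # layer -> set of identifiers
    prevent: dict = field(default_factory=dict)  # layer -> set of identifiers

def _hit(rules, layer, device):
    return device[layer] in rules.get(layer, set())

def legacy_decision(policy, device):
    """Pre-layering behaviour: any matching prevent rule beats every allow rule."""
    blocked = any(_hit(policy.prevent, layer, device) for layer in LAYERS)
    return "block" if blocked else "allow"

def layered_decision(policy, device):
    """Layered behaviour: the most specific layer with a match decides."""
    for layer in LAYERS:
        if _hit(policy.prevent, layer, device):  # assumed: prevent wins inside a layer
            return "block"
        if _hit(policy.allow, layer, device):
            return "allow"
    return "allow"  # no rule matched, so this policy does not restrict the device

# Constructed identifiers, not real class GUIDs or vendor IDs.
def dev(cls, hw, inst):
    return {"setup_class": cls, "hardware_id": hw, "instance_id": inst}

DEVICES = {
    "company_drive": dev("CLASS-USB", "USB\\VID_AAAA&PID_0001", "INST-0001"),
    "lost_company_drive": dev("CLASS-USB", "USB\\VID_AAAA&PID_0001", "INST-0002"),
    "unknown_drive": dev("CLASS-USB", "USB\\VID_BBBB&PID_0002", "INST-0003"),
    "keyboard": dev("CLASS-KEYBOARD", "HID\\VID_CCCC&PID_0003", "INST-0004"),
}

# Block the whole USB class, allow the company model, block one lost unit.
POLICY = Policy(
    allow={"hardware_id": {"USB\\VID_AAAA&PID_0001"}},
    prevent={"setup_class": {"CLASS-USB"}, "instance_id": {"INST-0002"}},
)

def evaluate_all(decide):
    return {name: decide(POLICY, d) for name, d in DEVICES.items()}
```

Under the legacy rule the class-wide block also catches the company-issued drive; under layered evaluation the hardware ID exception applies, and the instance ID entry still blocks the single lost unit.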

"With this new policy, you don’t need to know different device classes to prevent USB classes only from being installed," said Microsoft in a blog post announcing the feature. "The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin." 

More effective device blocking could prevent the spread of malware via malicious USB devices. It could also make it more difficult for people to copy data from work computers that could later be lost, causing compliance problems.

Layered Group Policy capabilities are available as part of the optional "C" client release, which is the company's non-security preview release. It will become more widely available on August 10 with the August 2021 Update Tuesday release. Windows 11 will also support the feature, Microsoft said. 
