One of the most important challenges for an IT admin in a company is blocking devices such as USB drives, external disk drives, and even printers from being connected to the organization's machines. To make this a little easier, Microsoft has rolled out the Layered Group Policy feature, which gives administrators the power to decide which devices can be installed on machines across the organization.
What is Layered Group Policy in Windows 11?
This Group Policy aims to ensure that machines suffer less corruption, that the number of support cases drops, and, most importantly, that data theft is reduced. The policy restricts installation, i.e., the use of devices in both the internal and external environment is blocked. IT admins can choose to pre-authorize devices to be used/installed.
Available at the following location, the policy makes sure not all classes are blocked:
Computer Configuration > System > Device Installation > Device Installation Restrictions
This means that if you choose to block USB device usage, it blocks only that. Going one step further, the new feature resolves the earlier problem where several sets had to be created to avoid conflict. Instead, you have hierarchical layering: Instance ID > Device ID > Class > Removable device property.
How to apply Layered Group Policy in Windows 11
The first policy you need to enable is: Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.
Once done, there is a further set of policies, and you need to keep the hierarchical order (Device instance IDs > Device IDs > Device setup class > Removable devices) in mind. Here are the policies associated with each:
Device instance IDs
- Prevent installation of devices using drivers that match these device instance IDs
- Allow installation of devices using drivers that match these device instance IDs
Device IDs
- Prevent installation of devices using drivers that match these device IDs
- Allow installation of devices using drivers that match these device IDs
Device setup class
- Prevent installation of devices using drivers that match these device setup classes
- Allow installation of devices using drivers that match these device setup classes
Removable devices
- Prevent installation of removable devices
Configure each of them by adding the device ID or class ID, and apply the changes.
Microsoft recommends using this policy over the “Prevent installation of devices not described by other policy settings” policy setting due to the layered structure.
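The layered order described above can be reasoned about before rollout with a small model. The following is an added example, not code from Microsoft or from this article: the `Device` and `Policy` classes, the sample IDs, and the rule that Prevent is checked before Allow inside one layer are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    instance_id: str
    device_ids: set            # hardware IDs and compatible IDs
    setup_class: str           # device setup class GUID
    removable: bool = False

@dataclass
class Policy:
    # Hypothetical model of the Allow/Prevent lists; not a Windows API.
    prevent: dict = field(default_factory=dict)   # layer name -> set of IDs
    allow: dict = field(default_factory=dict)     # layer name -> set of IDs
    prevent_removable: bool = False

def evaluate(device, policy):
    """Return (decision, layer) from the most specific layer that matches."""
    candidates = [
        ("instance_id", {device.instance_id}),
        ("device_id", set(device.device_ids)),
        ("setup_class", {device.setup_class}),
    ]
    for layer, ids in candidates:
        # Assumption: inside one layer, Prevent is checked before Allow,
        # following the order in which the article lists the two policies.
        if ids & policy.prevent.get(layer, set()):
            return ("block", layer)
        if ids & policy.allow.get(layer, set()):
            return ("allow", layer)
    if device.removable and policy.prevent_removable:
        return ("block", "removable")
    return ("allow", "default")   # modelled default: no list matched, so no restriction

# Constructed sample values (placeholders, not real hardware or class IDs).
DISK_CLASS = "{00000000-0000-0000-0000-00000000d15c}"
POLICY = Policy(
    prevent={"setup_class": {DISK_CLASS},
             "instance_id": {r"USBSTOR\EXAMPLE_DRIVE\LOST0001"}},
    allow={"device_id": {r"USBSTOR\EXAMPLE_DRIVE"}},
    prevent_removable=True,
)
APPROVED = Device(r"USBSTOR\EXAMPLE_DRIVE\SN0001", {r"USBSTOR\EXAMPLE_DRIVE"}, DISK_CLASS, True)
LOST = Device(r"USBSTOR\EXAMPLE_DRIVE\LOST0001", {r"USBSTOR\EXAMPLE_DRIVE"}, DISK_CLASS, True)
UNKNOWN = Device(r"USBSTOR\OTHER_DRIVE\SN0002", {r"USBSTOR\OTHER_DRIVE"}, DISK_CLASS, True)

if __name__ == "__main__":
    for name, dev in [("approved", APPROVED), ("lost", LOST), ("unknown", UNKNOWN)]:
        print(name, evaluate(dev, POLICY))
```

The three sample devices share one setup class, yet each is decided at a different layer: the approved model by its device ID, the lost unit by its instance ID, and the unknown drive by the class-level Prevent entry.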
How to find the Hardware ID or Compatible ID?
- Open Device Manager using Win + X, followed by pressing M.
- Locate the device. Right-click on it, and then select Properties
- Switch to the Details tab
- Click on the Property dropdown, and here you can select hardware ID, class ID, and other details. The exact value will be available in the value section.
How to add Device IDs to the Allow list?
- Open the policy: Allow installation of devices that match any of these device IDs.
- Select Enabled, and then click on the Show button under Options.
- Add Compatible ID or Hardware ID to the list
- Apply the changes.
You can also block the installation of specific devices by using the Prevent installation policies.
How to allow administrators to override device installation restrictions?
There is a policy specific to this which you can enable. Once enabled, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the device.
How to set up a timeout to enforce policy change?
If you want to enforce the change, you need to reboot. A setting allows you to set up a Reboot Timeout, shown to the end user, to make sure there's no data loss.
I hope this post clearly explained the Layered Group Policy in Windows 11.
The policy is also available in Windows 10 as part of the July 2021 optional “C” client release and will be made more broadly available beginning in the August 2021 Update Tuesday release.