Blocking access to external devices such as external hard drives, USB Flash Drives, and even printers is one of the biggest challenges faced by an IT administrator in an organization. However, the layered group policy feature in Windows 11 makes it easier for them.
The Layered Group Policy feature in Windows 11 makes it possible for IT administrators to control whether a device should be installed or not. So if you are an administrator and want to apply Layered Group Policy across your devices, this guide is for you.
What is Layered Group Policy in Windows 11?
This Group Policy aims to reduce the number of compromised machines, the number of support cases, and the risk of data theft.
The policy also restricts installation: by default the use of both internal and external devices is blocked, and IT administrators can then allow only the devices they have pre-authorized.
The settings live under this Group Policy path:
Computer Configuration > System > Device Installation > Device Installation Restrictions
With layered evaluation, blocking a USB device ID affects only that device rather than the whole class. Going one step further, the new feature removes the earlier need to create multiple policy sets to avoid conflicts between Allow and Prevent rules.
Instead, the policies are layered hierarchically: Instance ID > Device ID > Class > Removable device property.
How to Apply Layered Group Policy?
The first policy you should enable is “Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria”.
After that, there are a few more policies to remember, including the hierarchical order (Device instance IDs > Device IDs > Device setup class > Removable devices).
The following are the policies that apply to each:
Device Instance IDs
- Prevent installation of devices that match any of these device instance IDs.
- Allow installation of devices that match any of these device instance IDs.
Device IDs
- Prevent installation of devices that match any of these device IDs.
- Allow installation of devices that match any of these device IDs.
Device Setup Class
- Prevent installation of devices using drivers that match these device setup classes.
- Allow installation of devices using drivers that match these device setup classes.
Removable Devices
- Prevent installation of removable devices.
Configure each of them by adding the device IDs or class GUIDs it should match.
Because of the layered structure, Microsoft recommends this policy over the “Prevent installation of devices not described by other policy settings” policy setting.
How to Find the Hardware ID or Compatible ID?
- Press the Start button and search for Device Manager.
- Locate the device you want to apply layered group policy to and open its Properties.
- Now switch to the Details tab.
- Click the Property dropdown and select the value you need, such as Hardware Ids, Compatible Ids, Class Guid or Device instance path. The exact value appears in the Value box.
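Collecting these identifiers by hand from Device Manager does not scale past a few machines. The PowerShell function below is an added example, not part of the original article: it uses the built-in PnpDevice module (Get-PnpDevice) to list, for every device in a setup class, the instance ID, hardware IDs, compatible IDs and class GUID, which are exactly the four layers the policies match on. The function name and the output file path are this example's own choices.

```powershell
# Added example (not from the article): enumerate the identifiers that the device
# installation policies match on, one object per device in the given setup class.
# Uses the built-in PnpDevice module; run elevated to see devices that are currently
# blocked from installing.
function Get-DeviceInstallIdentifiers {
    [CmdletBinding()]
    param(
        # Setup class name as shown in Device Manager, e.g. 'USB', 'DiskDrive', 'Printer'
        [string]$Class = 'USB',
        # Include devices that are not currently connected (their IDs are still cached)
        [switch]$IncludeAbsent
    )

    $devices = if ($IncludeAbsent) {
        Get-PnpDevice -Class $Class -ErrorAction Stop
    } else {
        Get-PnpDevice -Class $Class -PresentOnly -ErrorAction Stop
    }

    foreach ($dev in $devices) {
        [PSCustomObject]@{
            FriendlyName  = $dev.FriendlyName
            Status        = $dev.Status        # 'OK', 'Error', 'Unknown', ...
            InstanceId    = $dev.InstanceId    # layer 1: device instance ID (most specific)
            HardwareIds   = $dev.HardwareID    # layer 2: device IDs, most to least specific
            CompatibleIds = $dev.CompatibleID  # layer 2: generic device IDs
            ClassGuid     = $dev.ClassGuid     # layer 3: device setup class
        }
    }
}

# Returns the unique hardware IDs for a class, ready to paste into an Allow or Prevent list.
function Get-DeviceInstallHardwareIds {
    param([string]$Class = 'USB')
    Get-DeviceInstallIdentifiers -Class $Class |
        ForEach-Object { $_.HardwareIds } |
        Where-Object { $_ } |            # skip devices with no cached hardware IDs
        Sort-Object -Unique
}

# Example usage (hypothetical output path): review the identifiers, then save the
# hardware IDs so they can be loaded into the policy's Show... dialog.
Get-DeviceInstallIdentifiers -Class USB | Format-List
Get-DeviceInstallHardwareIds -Class USB | Set-Content -Path "$env:TEMP\usb-hardware-ids.txt"
```

The most specific hardware ID (typically the first entry, carrying both vendor and product IDs) is the one to use in an allow list; a compatible ID such as a generic class match will allow every device of that kind, which usually defeats the purpose of a layered allow list.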
How to add Device IDs to the Allow list?
Open this policy: Allow installation of devices that match any of these device IDs.
Now, click on Enabled, and after that, under Options, click on the Show button.
Next, add the Hardware ID or Compatible ID values to the list, one per row.
Apply the changes.
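The Show dialog stores each entry as a numbered string value under the policy's registry key, and the same layout can be written with PowerShell when a local-policy baseline or a lab machine needs many entries. The script below is an added example and not part of the original article; it assumes the standard local-policy location HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, where the DWORD AllowDeviceIDs enables the policy and the AllowDeviceIDs subkey holds the list. On a domain-joined machine a Group Policy refresh will overwrite these values, so production allow lists belong in the GPO itself; the layered-evaluation policy from the first step is still enabled through the Group Policy editor and is not touched here. Function names are this example's own.

```powershell
# Added example (not from the article). Assumption: this is the local-policy registry
# location that the Group Policy editor writes for Device Installation Restrictions.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowListKey    = Join-Path $RestrictionsKey 'AllowDeviceIDs'

# Reads back the current allow-list entries (value name -> device ID).
function Get-DeviceInstallAllowList {
    if (-not (Test-Path $AllowListKey)) { return @() }
    $key = Get-Item -Path $AllowListKey
    foreach ($name in $key.GetValueNames()) {
        [PSCustomObject]@{ Index = $name; DeviceId = $key.GetValue($name) }
    }
}

# Enables "Allow installation of devices that match any of these device IDs" and
# appends hardware/compatible IDs that are not already listed. Requires elevation.
function Add-DeviceInstallAllowId {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hardware or compatible IDs copied from Device Manager, e.g. 'USB\VID_0781&PID_5583'
        [Parameter(Mandatory)] [string[]]$DeviceId
    )

    foreach ($k in $RestrictionsKey, $AllowListKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }

    # DWORD 1 = policy Enabled; the list subkey alone does nothing without it.
    Set-ItemProperty -Path $RestrictionsKey -Name 'AllowDeviceIDs' -Value 1 -Type DWord

    # Entries are string values named "1", "2", ... ; continue after the highest index.
    $existing = @(Get-DeviceInstallAllowList)
    $numeric  = @($existing.Index | Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
    $next     = if ($numeric.Count -eq 0) { 1 } else { ($numeric | Measure-Object -Maximum).Maximum + 1 }

    foreach ($id in $DeviceId) {
        if ($existing.DeviceId -contains $id) {
            Write-Verbose "Already allowed: $id"
            continue
        }
        if ($PSCmdlet.ShouldProcess($id, "Add to device installation allow list as value $next")) {
            New-ItemProperty -Path $AllowListKey -Name $next -Value $id -PropertyType String | Out-Null
            $next++
        }
    }
}

# Example usage with constructed IDs (replace with values from Device Manager).
Add-DeviceInstallAllowId -DeviceId 'USB\VID_0781&PID_5583', 'USB\VID_0951&PID_1666' -Verbose
Get-DeviceInstallAllowList | Format-Table -AutoSize
```

Run it with -WhatIf first to see which entries would be written, then confirm the result with Get-DeviceInstallAllowList or with the Show dialog of the policy, which reads the same values.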