Microsoft Improves Windows 10 Device Control with new ‘Apply Layered’ Group Policy Setting

Along with the Windows 10 quality updates in August, Microsoft added a new Group Policy setting that gives IT finer control over which devices can be installed on corporate-owned PCs. A release for Windows Server is planned for the future.

Restricting device installation in Windows can be complicated. The new Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria setting is meant to make it a little easier for IT, and Microsoft recommends enabling it in most scenarios.

How to block and allow device installation in Windows 10 using Group Policy

When designing a Group Policy strategy to restrict device installation, you should start by adding the devices that you want to block to one of the policy settings below:

  • Prevent installation of devices that match any of these device IDs
  • Prevent installation of devices that match any of these device instance IDs
  • Prevent installation of devices using drivers that match these device setup classes

For example, if you want to block installation of all printers, you would find the ClassGuid for printers and add it, including the curly braces, to the Prevent installation of devices using drivers that match these device setup classes policy setting. To block a specific printer or other device instead, add its hardware ID to the Prevent installation of devices that match any of these device IDs policy setting.

Microsoft Improves Windows 10 Device Installation Control with new ‘Apply Layered’ Group Policy Setting (Image Credit: Russell Smith)

If you want to block installation of all printers but still allow one specific printer, you add the ClassGuid for printers to the Prevent installation of devices using drivers that match these device setup classes policy setting, and then add the hardware ID of the printer you want to permit to the Allow installation of devices that match any of these device IDs policy setting. On its own, that Allow entry would lose to the class-level Prevent. Enabling the Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria setting is what lets the more specific Allow entry override the broader Prevent policy.
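The procedure above, in working form, as an added example (the editor's own script, not code from the article or from Microsoft): inventory the identifiers each policy tier matches on, then write the local equivalent of the Group Policy settings for a lab machine. The Printers class GUID is Microsoft's published value; the registry value names under DeviceInstall\Restrictions are those the DeviceInstall ADMX template writes, and the AllowDenyLayered name for the layered setting in particular is an assumption to verify against your own DeviceInstall.admx.

```powershell
# Added example by the editor, not code from the article or from Microsoft.
# Needs Windows 10 with the built-in PnpDevice module and an elevated session for the
# HKLM write. Run the inventory first, then apply the restriction.

# Microsoft's published setup class GUID for Printers (braces included, as the policy expects).
$PrinterClassGuid = '{4d36e979-e325-11ce-bfc1-08002be10318}'

function Get-DeviceInstallIdentifiers {
    # Lists, for each present PnP device (optionally one setup class), the identifiers the
    # device-installation policies match on: instance ID, hardware IDs, compatible IDs, class GUID.
    param([string]$ClassGuid)
    Get-PnpDevice -PresentOnly |
        Where-Object { -not $ClassGuid -or $_.ClassGuid -eq $ClassGuid } |
        ForEach-Object {
            $dev = $_
            $hw  = @((Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds'   -ErrorAction SilentlyContinue).Data | Where-Object { $_ })
            $cmp = @((Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName 'DEVPKEY_Device_CompatibleIds' -ErrorAction SilentlyContinue).Data | Where-Object { $_ })
            [pscustomobject]@{
                Name          = $dev.FriendlyName
                ClassGuid     = $dev.ClassGuid
                InstanceId    = $dev.InstanceId
                DeviceId      = $hw | Select-Object -First 1   # the first hardware ID is the device ID
                HardwareIds   = $hw
                CompatibleIds = $cmp
            }
        }
}

function Set-DeviceInstallRestriction {
    # Writes the local equivalent of the Group Policy settings. A GPO writes these same
    # values under HKLM\SOFTWARE\Policies; on a lab machine they can be set directly.
    param(
        [string[]]$PreventClasses = @(),   # Prevent installation of devices using drivers that match these device setup classes
        [string[]]$AllowDeviceIds = @(),   # Allow installation of devices that match any of these device IDs
        [switch]$Layered                   # Apply layered order of evaluation ... (disabled by default)
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path $base -Force | Out-Null

    # Each list policy is an enabling DWORD plus a subkey of the same name that holds the
    # entries as string values named 1, 2, 3, ...
    $lists = @{ DenyDeviceClasses = $PreventClasses; AllowDeviceIDs = $AllowDeviceIds }
    foreach ($name in $lists.Keys) {
        $items = @($lists[$name])
        if ($items.Count -eq 0) { continue }
        Set-ItemProperty -Path $base -Name $name -Value 1 -Type DWord
        New-Item -Path "$base\$name" -Force | Out-Null
        for ($i = 0; $i -lt $items.Count; $i++) {
            Set-ItemProperty -Path "$base\$name" -Name "$($i + 1)" -Value $items[$i] -Type String
        }
    }
    # AllowDenyLayered is the value name the DeviceInstall.admx template maps the layered
    # setting to; that name is an assumption here (not stated in the article), so check your ADMX.
    Set-ItemProperty -Path $base -Name 'AllowDenyLayered' -Value ([int]$Layered.IsPresent) -Type DWord
}

# Usage: block the whole Printers class, then allow one printer model by its device ID.
$printers = @(Get-DeviceInstallIdentifiers -ClassGuid $PrinterClassGuid)
$printers | Format-Table Name, DeviceId, InstanceId -AutoSize
if ($printers.Count -gt 0) {
    Set-DeviceInstallRestriction -PreventClasses $PrinterClassGuid -AllowDeviceIds $printers[0].DeviceId -Layered
}
```

The Prevent and Allow lists affect new installation attempts only; already-installed devices are untouched unless the policy's "also apply to matching devices that are already installed" option is also set. On a domain-joined machine a GPO that defines these settings will overwrite the local values at the next policy refresh, so use this only for lab validation or to confirm what a GPO has written.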

Device evaluation for settings that specify device match criteria

Enabling the new Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria Group Policy setting changes the order in which Allow and Prevent settings are evaluated when more than one device installation policy setting applies to a device. The setting is disabled by default. When enabled, it ensures that overlapping device match criteria are applied according to a fixed hierarchy in which more specific match criteria supersede less specific ones.

Microsoft Improves Windows 10 Device Installation Control with new ‘Apply Layered’ Group Policy Setting (Image Credit: Microsoft)

In its recent announcement, Microsoft says that Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria brings more flexibility for IT:

In the past, every prevent policy took precedence over any allow policy, which created a set of definitions and a rigid set of allow/prevent devices, causing update strains every time a new set of devices entered the market. With the new policy, we introduce hierarchical layering in the following order:

  • Instance ID: the highest ranking
  • Hardware IDs and compatible IDs (Device IDs)
  • Class
  • Removable device property: the lowest ranking

And more intuitive usage:

With this new policy, you don’t need to know different device classes to prevent USB classes only from being installed. The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin.

The Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria Group Policy setting gives IT more granular control than Prevent installation of devices not described by other policy settings. If both these settings are enabled, Prevent installation of devices not described by other policy settings will be ignored.
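To see how the four tiers quoted above change outcomes, the following added example (the editor's own model, not Microsoft's implementation) evaluates a device against a set of Allow and Prevent lists under both the legacy rule (any Prevent wins) and the layered rule (the most specific matching tier decides). The article does not say what happens when an Allow and a Prevent both match at the same tier; the model assumes Prevent wins there, and it treats an unmatched device as allowed under layered evaluation because the "not described by other policy settings" setting is ignored in that mode. The device records and policy entries are constructed, not real hardware.

```powershell
# Added example by the editor, not Microsoft's code: a model of the layered evaluation order.

function Resolve-DeviceInstallDecision {
    # $Device: hashtable with InstanceId, HardwareIds, CompatibleIds, ClassGuid, Removable
    # $Policy: hashtable with Allow*/Prevent* lists per tier, DenyUnspecified, PreventRemovable
    param([hashtable]$Device, [hashtable]$Policy, [switch]$Layered)

    # Tiers from most to least specific, as in the hierarchy quoted from Microsoft.
    $tiers = @(
        @{ Name = 'InstanceId'; Ids = @($Device.InstanceId)
           Allow = $Policy.AllowInstanceIds; Prevent = $Policy.PreventInstanceIds }
        @{ Name = 'DeviceId';   Ids = @($Device.HardwareIds) + @($Device.CompatibleIds)
           Allow = $Policy.AllowDeviceIds;   Prevent = $Policy.PreventDeviceIds }
        @{ Name = 'Class';      Ids = @($Device.ClassGuid)
           Allow = $Policy.AllowClasses;     Prevent = $Policy.PreventClasses }
        @{ Name = 'Removable';  Ids = @(if ($Device.Removable) { 'Removable' })
           Allow = @();                      Prevent = @(if ($Policy.PreventRemovable) { 'Removable' }) }
    )

    # Collect every rule hit, tagged with its tier; -contains is case-insensitive, like the IDs.
    $hits = foreach ($t in $tiers) {
        foreach ($id in $t.Ids) {
            if (-not $id) { continue }
            if ($t.Prevent -contains $id) { [pscustomobject]@{ Tier = $t.Name; Verdict = 'Prevent'; Id = $id } }
            if ($t.Allow   -contains $id) { [pscustomobject]@{ Tier = $t.Name; Verdict = 'Allow';   Id = $id } }
        }
    }
    $hits = @($hits | Where-Object { $_ })

    if (-not $Layered) {
        # Legacy evaluation: any Prevent match beats any Allow match, whatever the tier.
        if ($hits.Verdict -contains 'Prevent') { return 'Prevent (legacy: a Prevent rule matched)' }
        if ($hits.Verdict -contains 'Allow')   { return 'Allow (legacy: only Allow rules matched)' }
        if ($Policy.DenyUnspecified) { return 'Prevent (not described by other policy settings)' }
        return 'Allow (no rule matched)'
    }

    # Layered evaluation: only the most specific tier with a match decides. $tiers is ordered
    # most-specific first, so the first hit identifies that tier.
    if ($hits.Count -eq 0) { return 'Allow (no rule matched; DenyUnspecified is ignored when layered)' }
    $topTier  = $hits[0].Tier
    $tierHits = @($hits | Where-Object { $_.Tier -eq $topTier })
    # Assumption (not stated in the article): Prevent wins over Allow within the same tier.
    if ($tierHits.Verdict -contains 'Prevent') { return "Prevent (layered: decided at $topTier tier)" }
    return "Allow (layered: decided at $topTier tier)"
}

# Constructed sample data (hypothetical IDs, not real devices): the Printers class is blocked,
# one printer model is allowed by device ID, and one unit of that model is banned by instance ID.
$policy = @{
    PreventClasses     = @('{4d36e979-e325-11ce-bfc1-08002be10318}')   # Printers setup class
    AllowDeviceIds     = @('USB\VID_1234&PID_5678&REV_0100')            # hypothetical model
    PreventInstanceIds = @('USB\VID_1234&PID_5678\SN0002')              # hypothetical single unit
    DenyUnspecified    = $false
    PreventRemovable   = $false
}
$unitA = @{
    InstanceId    = 'USB\VID_1234&PID_5678\SN0001'
    HardwareIds   = @('USB\VID_1234&PID_5678&REV_0100', 'USB\VID_1234&PID_5678')
    CompatibleIds = @('USB\Class_07&SubClass_01&Prot_02')
    ClassGuid     = '{4d36e979-e325-11ce-bfc1-08002be10318}'
    Removable     = $false
}
$unitB = $unitA.Clone(); $unitB.InstanceId = 'USB\VID_1234&PID_5678\SN0002'

Resolve-DeviceInstallDecision -Device $unitA -Policy $policy            # legacy: class Prevent beats device-ID Allow
Resolve-DeviceInstallDecision -Device $unitA -Policy $policy -Layered   # layered: device-ID Allow beats class Prevent
Resolve-DeviceInstallDecision -Device $unitB -Policy $policy -Layered   # layered: instance-ID Prevent beats device-ID Allow
```

The three calls at the end trace the scenario from the how-to section: under the legacy rule the approved printer model is still blocked by the class-level Prevent, under layered evaluation it is allowed, and a single banned unit of that same model is still blocked because its instance ID sits in the highest-ranking tier.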

What’s the difference between Device ID and Device Instance ID?

There are two types of device ID: hardware IDs and compatible IDs. Every device reports a list of hardware IDs ordered from most to least specific. The first string in that list matches the make, model, and revision of the device exactly and is known as the device ID. The remaining hardware IDs match the device less exactly, but give Windows a way to find a driver that should work when no driver matches the device ID.

Compatible IDs are used if Windows cannot find a driver that matches the device ID or any of the other hardware IDs.

Device instance IDs are assigned by the Plug and Play (PnP) manager to uniquely identify each device instance on a given system. They combine the device ID with an instance-specific part, such as a serial number or bus location, which is why an instance ID pins down one physical unit while a hardware ID covers every unit of that model.

The new device installation Group Policy setting is available in Windows 10 version 1809 and higher. For more detailed instructions on working with device installation policy settings, see Microsoft's documentation on managing device installation with Group Policy.