Updated: May 31, 2023 (September 6, 2021)

  Analyst Report

Managing Windows Devices Using Layered Group Policy

by Michael Cherry

Michael analyzed and wrote about Microsoft's operating systems, including the Windows client OS, as well as compliance and governance. Michael...

  • Layered Group Policy (GP) allows administrators to control which computer hardware can be enabled.
  • It improves security by disabling the ability to connect an external USB device such as a hard drive to a computer.
  • Used incorrectly or carelessly, Layered Group Policy could effectively render multiple computers unusable.

A Group Policy (GP) update called Layered GP allows administrators to use the hierarchy of a hardware component’s device IDs to more effectively control which hardware can be enabled in a computer. This GP may be useful for organizations with large numbers of computers with uniform hardware deployed in public areas. In these scenarios, this GP could improve security by limiting some malware entry or data exfiltration vectors; for example, by ensuring USB storage devices cannot be used on a computer. However, incorrect or malicious use of Layered GP could render a computer inoperable or unusable.

Device Installation Restriction Policies

Layered GP, also called device installation restriction, relies on the hardware’s device ID, device instance ID, or device class IDs to define sets of devices that can be either allowed or disallowed. For example, Layered GP could prevent installation of all printers on a computer except for a specific printer model, or prevent use of all USB storage devices, or of all USB storage devices except for a specific storage device. Implemented in a public area, such a GP could prevent the introduction of malware or prevent unauthorized exfiltration of data. (For an illustration of Layered GP, see “Device Installation Restrictions Policy”.)
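The allow/prevent layering described above can be modelled in a few lines. This is an added example, not code from the report or from Microsoft: the evaluation order (device instance ID, then device ID, then setup class, then the removable-device setting) follows Microsoft's documented layered order, while the class names, the two policies and every device ID are hypothetical, constructed values.

```python
from dataclasses import dataclass, field

DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"  # DiskDrive setup class GUID

@dataclass
class Device:  # hypothetical model of one device as the policy engine sees it
    instance_id: str
    device_ids: list  # hardware and compatible IDs
    setup_class: str
    removable: bool = False

@dataclass
class Policy:  # hypothetical model of the device installation restriction settings
    prevent_instance_ids: set = field(default_factory=set)
    allow_instance_ids: set = field(default_factory=set)
    prevent_device_ids: set = field(default_factory=set)
    allow_device_ids: set = field(default_factory=set)
    prevent_classes: set = field(default_factory=set)
    allow_classes: set = field(default_factory=set)
    prevent_removable: bool = False
    prevent_unspecified: bool = False

def _norm(ids):
    return {i.upper() for i in ids}  # IDs are compared case-insensitively

def evaluate(dev, pol):
    """Return (decision, deciding_layer); the most specific matching layer wins."""
    layers = [
        ("instance ID", [dev.instance_id], pol.prevent_instance_ids, pol.allow_instance_ids),
        ("device ID", dev.device_ids, pol.prevent_device_ids, pol.allow_device_ids),
        ("setup class", [dev.setup_class], pol.prevent_classes, pol.allow_classes),
    ]
    for name, keys, prevent, allow in layers:
        if _norm(keys) & _norm(prevent):  # within a layer, prevent is checked first
            return ("block", name)
        if _norm(keys) & _norm(allow):
            return ("allow", name)
    if dev.removable and pol.prevent_removable:
        return ("block", "removable")
    return ("block" if pol.prevent_unspecified else "allow", "default")

# Constructed sample devices; vendor and product strings are made up.
APPROVED = Device(r"USBSTOR\DISK&VEN_EXAMPLE&PROD_KEY\0001", [r"USBSTOR\DiskExampleKey", r"USBSTOR\Disk", "GenDisk"], DISK_CLASS, True)
UNKNOWN = Device(r"USBSTOR\DISK&VEN_OTHER&PROD_STICK\9999", [r"USBSTOR\DiskOtherStick", r"USBSTOR\Disk", "GenDisk"], DISK_CLASS, True)
INTERNAL = Device(r"SCSI\DISK&VEN_EXAMPLE&PROD_SSD\4&1", [r"SCSI\DiskExampleSSD", "GenDisk"], DISK_CLASS)

# "All USB storage except one specific device": broad prevent, narrow allow.
KIOSK = Policy(prevent_device_ids={r"USBSTOR\Disk"}, allow_instance_ids={APPROVED.instance_id})
# Careless variant: the class-wide prevent also matches the internal disk.
CARELESS = Policy(prevent_classes={DISK_CLASS}, allow_instance_ids={APPROVED.instance_id})
```

Evaluating `INTERNAL` against `CARELESS` returns a block at the setup-class layer, which is the kind of over-broad rule to catch in review before a policy reaches production machines.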
