Microsoft launches new layered group policy feature
Layered feature makes it easier to selectively block USB devices in Windows


Microsoft has introduced a Windows 10 and 11 feature that allows administrators to select which devices connect to endpoints. The layered Group Policy feature will make it easier for organizations to block specific types of USB devices using combined whitelisting and blacklisting.
This feature governs any device, whether internal or external, including USB drives. Administrators can define lists of whitelisted and blacklisted devices, specified by their device identifiers. Windows systems categorize devices by class, device ID, and instance ID.
In the past, Microsoft used a simple combination of an allow policy and a prevent policy, with the latter taking precedence over the former. This rigid approach made it harder to update permissions when new devices entered the market, Microsoft said.
The new layering feature uses a hierarchical list of these identifiers that it examines in order, with identifiers higher in the hierarchy taking precedence. This makes it easier to ban all devices of a particular class while making specific exceptions for devices in that class with certain hardware IDs.
The hierarchical layers allow admins to be as exclusive as they wish when defining which devices can connect to Windows endpoints. For example, they could lock out all USB devices other than those provided by their company. They could also block all USB devices from being installed while allowing all other devices to connect to a Windows endpoint.
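The difference between the old prevent-beats-allow rule and the layered order can be seen in a small model. This is an added example, not Microsoft's code: it assumes the layers run from instance ID (most specific) through device ID to class, that prevent is checked before allow within a layer, and every identifier in it is a constructed sample value.

```python
# Simplified model of the flat and layered evaluation modes described above.
# All identifiers and rules are constructed sample values, not real policy data.

# Most specific layer first. This ordering is an assumption of the model.
LAYERS = ("instance_id", "device_id", "device_class")


def legacy_decision(device, allow, prevent):
    """Flat mode: a prevent match on any identifier beats every allow match."""
    if any(device[layer] in prevent.get(layer, ()) for layer in LAYERS):
        return "blocked"
    if any(device[layer] in allow.get(layer, ()) for layer in LAYERS):
        return "allowed"
    return "no-match"


def layered_decision(device, allow, prevent):
    """Layered mode: the most specific layer that matches decides.
    Inside a single layer, prevent is checked before allow (assumption)."""
    for layer in LAYERS:
        if device[layer] in prevent.get(layer, ()):
            return "blocked"
        if device[layer] in allow.get(layer, ()):
            return "allowed"
    return "no-match"


# Constructed policy: block the whole USB class, allow the company-issued
# model by device ID, and block one specific lost unit by instance ID.
PREVENT = {"device_class": {"CLASS-USB"}, "instance_id": {"USB-CORP-DRIVE#0002"}}
ALLOW = {"device_id": {"USB-CORP-DRIVE"}}

DEVICES = {
    "company drive": {"instance_id": "USB-CORP-DRIVE#0001", "device_id": "USB-CORP-DRIVE", "device_class": "CLASS-USB"},
    "lost company drive": {"instance_id": "USB-CORP-DRIVE#0002", "device_id": "USB-CORP-DRIVE", "device_class": "CLASS-USB"},
    "personal drive": {"instance_id": "USB-OTHER#0001", "device_id": "USB-OTHER", "device_class": "CLASS-USB"},
    "keyboard": {"instance_id": "KBD#0001", "device_id": "KBD", "device_class": "CLASS-KEYBOARD"},
}


def compare(devices=DEVICES):
    """Return {device name: (flat decision, layered decision)}."""
    return {n: (legacy_decision(d, ALLOW, PREVENT), layered_decision(d, ALLOW, PREVENT))
            for n, d in devices.items()}


if __name__ == "__main__":
    for name, (flat, layered) in compare().items():
        print(f"{name:20} flat={flat:9} layered={layered}")
```

Only the company drive changes outcome: under the flat rule the class-level block overrides its allow entry, while under the layered order the device ID exception is honoured and the instance-level block still stops the lost unit.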
"With this new policy, you don’t need to know different device classes to prevent USB classes only from being installed," said Microsoft in a blog post announcing the feature. "The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin."
More effective device blocking could prevent the spread of malware via malicious USB devices. It could also make it more difficult for people to copy data from work computers that could later be lost, causing compliance problems.
Layered Group Policy capabilities are available as part of the optional "C" client release, which is the company's non-security preview release. It will become more widely available on August 10 with the August 2021 Update Tuesday release. Windows 11 will also support the feature, Microsoft said.
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.