Windows 10 admins haven't previously been able to block USB devices selectively, but now they can thanks to Microsoft's new layered Group Policy feature.
Windows 10 Group Policies let admins control managed PCs, including the Settings app, but the device installation policies have until now been crude. Now they can be prioritized so that some USB storage devices are prevented from connecting to a PC while others are allowed to connect.
For Windows 10 and the forthcoming Windows 11, Microsoft has enabled the ability to apply these device controls, which lets admins pick which devices can be installed across an organization and which devices are banned.
The capability has multiple implications for security, allowing admins, for example, to prevent users from causing harm by inserting rogue or malicious USB devices, like thumb drives or other mass storage devices. Admins can allow or block individual devices, or whole classes of devices, by their device identifiers.
Microsoft says the feature will become broadly available for admins with the August 2021 Patch Tuesday update, which arrives on Tuesday August 10.
"The ability to apply layered Group Policy is available for all versions of Windows 10 as part of the July 2021 optional 'C' client release, and will be made more broadly available beginning in the August 2021 Update Tuesday release. The Windows Server release will follow thereafter. This feature will also be supported in Windows 11," Microsoft said in a blogpost.
After that, Windows 10 and Windows 11 will evaluate each connected device against its device setup class, hardware (device) ID and instance ID, as configured by the system admin, to decide whether it is allowed or blocked.
Windows 11 is in preview now and comes with a host of hardware and virtualization-based security features aimed at ransomware and insider threats. Windows 11 is expected to be released around October 2021, in line with Microsoft's past fall release cycle.
Microsoft promises the layered Group Policy will let admins block USB by classes, while allowing other classes of USB devices to connect to a Windows 10 or Windows 11 PC.
"The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin," it says.
It also promises more flexibility by letting admins write policies that block only devices capable of moving data on or off the PC, rather than relying on blanket rules.
The hierarchical layering itself defines the order of precedence: a rule matching a device's instance ID wins over one matching its hardware ID, which in turn wins over one matching its device setup class. The more specific the identifier, the higher its rank.
"IT pros may prevent all USB classes and allow only a small set of USB devices through hardware IDs since they have a higher rank; however, the allow list takes precedence over the prevent list only when the listed devices on the allow list are connected to the machine," Microsoft notes.
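The following PowerShell script is an added example, not Microsoft's code and not part of the original article. It simulates the layered order of evaluation described above (instance ID, then hardware ID, then device setup class, then the "not described by other policy settings" fallback) so an admin can check what a proposed allow/prevent set would do to a machine's devices before committing it in Group Policy (the real settings live under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions). The policy table, hardware IDs, instance IDs and device names below are constructed for the example; the class GUIDs are the standard setup-class GUIDs for USB and HIDClass. Two assumptions are labelled in the code: within one layer a Prevent match is treated as beating an Allow match, and a USB mass storage device is represented by its top-level USB node only, whereas a real device enumerates a chain of nodes (USB, USBSTOR, disk) that are each evaluated.

```powershell
# Added example: simulator for layered device installation policy evaluation.
# Not Microsoft's implementation; identifiers below are constructed.

function Test-LayeredDevicePolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,      # constructed policy table
        [Parameter(Mandatory)] [string]    $InstanceId,
        [string[]] $HardwareIds = @(),
        [string]   $ClassGuid   = ''
    )
    # Assumption: within a single layer, a Prevent match beats an Allow match.
    # Layer 1: instance IDs (most specific, highest rank). Exact, case-insensitive.
    if ($Policy.DenyInstanceIds  -contains $InstanceId) { return 'Blocked (instance ID)' }
    if ($Policy.AllowInstanceIds -contains $InstanceId) { return 'Allowed (instance ID)' }
    # Layer 2: hardware IDs. A device reports several; any one matching counts.
    foreach ($hw in $HardwareIds) {
        if ($Policy.DenyHardwareIds -contains $hw) { return "Blocked (hardware ID $hw)" }
    }
    foreach ($hw in $HardwareIds) {
        if ($Policy.AllowHardwareIds -contains $hw) { return "Allowed (hardware ID $hw)" }
    }
    # Layer 3: device setup class GUID (lowest rank of the three identifiers).
    if ($Policy.DenyClasses  -contains $ClassGuid) { return 'Blocked (class)' }
    if ($Policy.AllowClasses -contains $ClassGuid) { return 'Allowed (class)' }
    # Layer 4: nothing matched; "Prevent installation of devices not described
    # by other policy settings" decides.
    if ($Policy.DenyUnspecified) { return 'Blocked (not described by any policy)' }
    return 'Allowed (default)'
}

function Get-LayeredPolicyReport {
    param([hashtable] $Policy, [object[]] $Devices)
    foreach ($d in $Devices) {
        [pscustomobject]@{
            Device     = $d.Name
            InstanceId = $d.InstanceId
            Decision   = Test-LayeredDevicePolicy -Policy $Policy -InstanceId $d.InstanceId `
                             -HardwareIds $d.HardwareIds -ClassGuid $d.ClassGuid
        }
    }
}

# Constructed policy: prevent the whole USB setup class, allow one corporate
# key model by hardware ID (higher rank than the class deny), and block one
# specific unit of that model by instance ID (higher rank than the hardware ID).
$UsbClass = '{36fc9e60-c465-11cf-8056-444553540000}'   # USB setup class
$HidClass = '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'   # HIDClass setup class
$Policy = @{
    DenyClasses      = @($UsbClass)
    AllowHardwareIds = @('USB\VID_1234&PID_5678')          # constructed VID/PID
    DenyInstanceIds  = @('USB\VID_1234&PID_5678\SN0002')   # constructed: unit reported lost
    DenyUnspecified  = $false
}

# Constructed devices. Assumption: each mass storage device is shown as its
# top-level USB node only; a real one also enumerates USBSTOR and disk nodes.
$CorpHwIds = @('USB\VID_1234&PID_5678&REV_0100', 'USB\VID_1234&PID_5678')
$Devices = @(
    @{ Name = 'Corporate key, unit 0001'; InstanceId = 'USB\VID_1234&PID_5678\SN0001'
       HardwareIds = $CorpHwIds; ClassGuid = $UsbClass }
    @{ Name = 'Corporate key, unit 0002 (lost)'; InstanceId = 'USB\VID_1234&PID_5678\SN0002'
       HardwareIds = $CorpHwIds; ClassGuid = $UsbClass }
    @{ Name = 'Personal thumb drive'; InstanceId = 'USB\VID_ABCD&PID_0001\SN9999'
       HardwareIds = @('USB\VID_ABCD&PID_0001'); ClassGuid = $UsbClass }
    @{ Name = 'USB keyboard'; InstanceId = 'USB\VID_ABCD&PID_0002\6&1A2B3C4D&0&1'
       HardwareIds = @('USB\VID_ABCD&PID_0002'); ClassGuid = $HidClass }
)

# Expected: unit 0001 allowed (hardware ID), unit 0002 blocked (instance ID),
# personal drive blocked (class), keyboard allowed (HIDClass is not in the deny list).
Get-LayeredPolicyReport -Policy $Policy -Devices $Devices | Format-Table -AutoSize

# Same check against the machine's real USB nodes via the PnpDevice module.
$Live = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USB\*' } | ForEach-Object {
    @{ Name = $_.FriendlyName; InstanceId = $_.InstanceId
       HardwareIds = @($_.HardwareID); ClassGuid = $_.ClassGuid }
}
Get-LayeredPolicyReport -Policy $Policy -Devices $Live | Format-Table -AutoSize
```

The first report shows the precedence the quoted passage describes: the hardware ID allow entry lifts the corporate key out of the class-wide block, while the instance ID deny entry still catches the one lost unit, and the keyboard is untouched because only the USB class was listed. The second report runs the same check over the live devices returned by Get-PnpDevice, which is also where an admin collects the instance IDs, hardware IDs and class GUIDs needed to populate the real policy lists.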