Microsoft officially announced Layered Group Policy Application in Windows 10

Microsoft today introduced a new feature for IT Pros, layered Group Policy. This new feature allows configuring which devices can be installed on machines across your organization and which are prohibited.


Windows 10 users have already received support for layered Group Policy with July 2021 optional “C” client updates. They will hit the production branch beginning with the August 2021 Update Tuesday release.

The new option can be found at Computer Configuration > Administrative Templates > System > Device Installation >Device Installation Restrictions.

Apply Layered Order

Winaero readers must be familiar with this new policy, which was first spotted in Windows 10 version 21H2.

The existing device restriction policies operate with device identifiers, which the operating system can recognize, including class, device ID and instance ID). The allow list, which is written by the system admin, contains sets of identifiers that represent different devices – this way a system understands which device is allowed and which is blocked.

By adding the new layered Group Policy to the existing device installation policies, Microsoft makes this process much easier.

  • Intuitive usage: With this new policy, you don’t need to know different device classes to prevent USB classes only from being installed. The new policy allows you to focus scripts on USB classes and be confident that no other class is going to be blocked unless specified by the IT admin.
  • Flexibility: In the past, every prevent policy took precedence over any allow policy, which created a set of definitions and a rigid set of allow/prevent devices, causing update strains every time a new set of devices entered the market. With the new policy, we introduce hierarchical layering in the following order:
    • Instance ID: the highest ranking
    • Hardware IDs and compatible IDs (Device IDs)
    • Class
    • Removable device property: the lowest ranking

Device ID ranking works like a priority value. If all USB classes are restricted by Group Policy, one or more USB devices in the allow list will be ranked higher. However, the list of permitted devices will only be counted when a device from the allow list is connected to the computer.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

Leave a Reply

Your email address will not be published.

Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.