Soon, IT administrators will be able to make use of the new “layered Group Policy feature” to specify which types of USB devices are allowed to interact with Windows 10 machines provisioned for employees.
“Every device has a set of ‘identifiers’ that are understood by the system (class, device ID and instance ID),” Microsoft explained in a blog post. “The allow list, which is written by the system admin, contains sets of identifiers that represent different devices - this way a system understands which device is allowed and which is blocked.”
The new feature is already available to businesses that have taken up the optional July 2021 Windows 10 C client release, but will become more widely available with tomorrow’s Patch Tuesday update. A release for Windows Server will apparently “follow thereafter”.
Windows 10 USB devices
There are a number of reasons IT administrators might want to limit the access granted to USB devices hooked up to corporate devices.
Firstly, the use of removable storage - such as USB flash drives and portable SSDs - makes it far more difficult for companies to see how employees are using files and data and who they might be sharing them with.
Although employees in this scenario are most likely just trying to make their lives easier from a productivity standpoint, moving files off managed devices poses a distinct security risk and could also make investigating a breach all the more difficult.
Another factor is the possibility of physical security attacks (or kinetic attacks), whereby a hacker breaks into a device in person. Although much rarer than regular cyberattacks, physical attacks still represent an avenue through which someone might gain unauthorized access to company data and other assets.
By blocking USB storage, businesses can limit the scope for one such device to be used by a third party to upload or download information without permission.
According to Microsoft, the new layered Group Policies system offers a dramatic improvement over previous measures, introducing an important element of flexibility and granularity.
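To make the granularity concrete, here is a simplified model of layered evaluation over the three identifier types Microsoft names (class, device ID, instance ID). It is an added example, not Microsoft's code: it assumes the more specific identifier wins (instance ID, then device ID, then class) and that a prevent entry beats an allow entry within a layer, and every device, policy entry and name in it is constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed precedence, most specific layer first.
LAYERS = ("instance_id", "device_ids", "class_guid")

@dataclass(frozen=True)
class Device:
    instance_id: str    # one physical unit
    device_ids: tuple   # hardware IDs shared by a model
    class_guid: str     # setup class shared by a device type

@dataclass
class Policy:
    allow: dict = field(default_factory=dict)    # layer -> set of identifiers
    prevent: dict = field(default_factory=dict)  # layer -> set of identifiers
    default_allow: bool = True                   # used when no layer matches

def _norm(values):
    # Compare identifiers case-insensitively; accept one string or a collection.
    if isinstance(values, str):
        values = (values,)
    return {v.lower() for v in values}

def evaluate(device, policy):
    """Return (allowed, reason); the first layer with a match decides."""
    for layer in LAYERS:
        ids = _norm(getattr(device, layer))
        if ids & _norm(policy.prevent.get(layer, ())):
            return False, "prevent:" + layer
        if ids & _norm(policy.allow.get(layer, ())):
            return True, "allow:" + layer
    return policy.default_allow, "default"

DISK_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"      # DiskDrive setup class
KEYBOARD_CLASS = "{4d36e96b-e325-11ce-bfc1-08002be10318}"  # Keyboard setup class
MODEL_ID = r"USBSTOR\DiskVendorA_ModelX__1.00"             # constructed hardware ID

# Constructed devices: two units of the approved model, one unknown drive, a keyboard.
ISSUED = Device(r"USBSTOR\DISK&VEN_VENDORA&PROD_MODELX\SN0001&0", (MODEL_ID,), DISK_CLASS)
LOST = Device(r"USBSTOR\DISK&VEN_VENDORA&PROD_MODELX\SN0002&0", (MODEL_ID,), DISK_CLASS)
UNKNOWN = Device(r"USBSTOR\DISK&VEN_OTHER&PROD_STICK\SN9999&0",
                 (r"USBSTOR\DiskOther_Stick__2.00",), DISK_CLASS)
KEYBOARD = Device(r"HID\VID_0000&PID_0000\KB01", (r"HID\VID_0000&PID_0000",), KEYBOARD_CLASS)

# Constructed policy: block storage by class, allow one model, revoke one lost unit.
SAMPLE_POLICY = Policy(
    allow={"device_ids": {MODEL_ID}},
    prevent={"class_guid": {DISK_CLASS}, "instance_id": {LOST.instance_id}},
)
```

The single policy treats two drives of the same model differently, because the revoked unit matches at the instance layer before the model-wide allow entry is reached.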
The groundwork put in by Microsoft today will also contribute towards making Windows 11 the company’s most secure operating system to date when it goes live later this year.