Introducing Enhanced Storage Access

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the Enhanced Storage Access settings that are new in Windows 7 and Windows Server 2008 R2.

Enhanced Storage Access settings

Enhanced Storage devices are devices that support the IEEE 1667 protocol to provide functions such as authentication at the hardware level of the storage device. These devices can be very small, such as USB flash drives, to provide a convenient way to store and carry data. At the same time, the small size makes it very easy for the device to be lost, stolen, or misplaced.

The Enhanced Storage Access settings in Windows 7 and Windows Server 2008 R2 enable you to use Group Policy to administer policies for Enhanced Storage devices that support certificate and password authentication silos in your organization.

For definitions of various storage devices, see Definitions for Storage Silo Drivers in the MSDN Library.

These Group Policy settings are located in Computer Configuration\Administrative Templates\System\Enhanced Storage Access.

Policy setting descriptions

The following Group Policy settings control the behavior of Enhanced Storage devices.

Policy setting Description If not configured…

Allow Enhanced Storage certificate provisioning

Allows users to provision certificates on devices that support the Certificate Authentication Silo.

This setting is applicable only to Enhanced Storage devices that support the Certificate Authentication Silo.

Users cannot provision certificates on devices that support the Certificate Authentication Silo.

Allow only USB root hub connected Enhanced Storage devices

Allows only Enhanced Storage devices that are connected to USB root hubs.

Enhanced Storage devices connected to both USB root hubs and non-root hubs are allowed.

Configure list of approved Enhanced Storage devices

Allows you to configure a list of devices by manufacturer and product ID that are allowed on the computer.


Manufacturer ID is a 6-character value. Product ID is up to 40 characters in length. To specify that all devices by a manufacturer are allowed, type the manufacturer ID of the manufacturer. To specify that only specific devices by a manufacturer are allowed, type the manufacturer ID, a hyphen, and the product ID or IDs of the allowed devices; for example: <Manufacturer ID>-<Product ID>. The manufacturer ID and product ID values are case-sensitive. Contact the device manufacturer to get the manufacturer and product ID values.

All devices are allowed.

Configure list of approved IEEE 1667 silos

Allows you to create a list of approved silos that can be used on the computer.

The Certificate Authentication Silo is always on the approved list.

All silos are allowed.

Do not allow password authentication of Enhanced Storage devices

Blocks the use of a password to unlock an Enhanced Storage device.

Permits the use of a password to unlock Enhanced Storage devices.

Do not allow non-Enhanced Storage removable devices

Limits the use of removable devices to Enhanced Storage devices.

Blocks the use of other storage devices on the computer.

Non-Enhanced Storage removable devices are allowed.

Lock Enhanced Storage when the machine is locked

Locks the device when the computer is locked.

The security state of the device remains unlocked even if the computer is locked with CTRL+ALT+DELETE.

Policy setting implementation

Enhanced Storage Access settings are administered in the same manner as any other Group Policy setting on the domain controller. When policy settings are enabled, the following actions are taken:

  1. The policy settings are periodically sent to the client computers that are members of the domain.

  2. The Group Policy service on the client computer creates registry keys corresponding to the policy settings.

  3. The Enhanced Storage components read the registry keys to determine which policy settings are enabled and then take actions to comply with the policy settings.