Policy category: Security
- Policy setting: Define whether external processes can get properties of the user
- Policy setting: Define whether external processes can set properties of the user
- Policy setting: Define whether external processes can invoke named triggers
- Policy setting: Define whether external processes can change registry values
- Policy setting: Remove write access to deviceTRUST Policy for Local Administrators
Policy setting: Define whether external processes can get properties of the user
Defines whether SYSTEM, elevated or processes in the same session can get properties of the user.
When access is set to none, processes are unable to call ‘dtcmd GET’ to determine properties of the user.
When access is set to SYSTEM account, processes running under the SYSTEM identity can get the properties of the user by calling ‘dtcmd GET /session:
When access is set to any elevated process, allows any elevated administrative process to get the properties of the user by calling ‘dtcmd GET /session:
When access to own properties is allowed, ‘dtcmd GET’ can query the properties of the current session.
When access to own properties is not allowed, calls to ‘dtcmd GET’ will fail to query properties of the current session unless overridden by SYSTEM or elevated processes.
The default value does not allow access to any elevated process, but access to own properties is allowed.
Policy setting: Define whether external processes can set properties of the user
Defines whether SYSTEM and elevated processes can set properties of the user.
When access is set to none, processes are unable to call ‘dtcmd SET’ to update or delete custom properties of the user.
When access is set to SYSTEM account, processes running under the SYSTEM identity can update and delete custom properties of the user by calling ‘dtcmd SET /session:
When access is set to any elevated process, allows any elevated administrative process to update and delete custom properties of the user by calling ‘dtcmd SET /session:
The default value does not allow access to any elevated process.
Policy setting: Define whether external processes can invoke named triggers
Determines whether SYSTEM or elevated processes can invoke named triggers.
- When set to None, processes are unable to call dtcmd.exe to invoke a named trigger.
- When set to ‘SYSTEM account’, allows any process running under the SYSTEM identity to invoke a named trigger by supplying the /session: option to dtcmd.exe.
- When set to ‘Any elevated process’, allows any elevated administrative process to invoke a named trigger by supplying the /session: option to dtcmd.exe.
The default value is None.
Policy setting: Define whether external processes can change registry values
Determines whether SYSTEM or elevated processes can change registry values.
- When set to None, processes are unable to call dtcmd.exe to change registry values.
- When set to ‘SYSTEM account’, allows any process running under the SYSTEM identity to change registry values by supplying the /session: option to dtcmd.exe.
- When set to ‘Any elevated process’, allows any elevated administrative process to change registry values by supplying the /session: option to dtcmd.exe.
The default value is None.
Policy setting: Remove write access to deviceTRUST Policy for Local Administrators
Determines whether write access to the deviceTRUST Policy should be removed for Local Administrators.
- When ENABLED, deviceTRUST will remove write access for the Local Administrators group from the HKLM\Software\Policies\deviceTRUST registry key. Additionally, the owner of the key will be set to SYSTEM and all subkeys will be updated to inherit permissions from their parent.
- When DISABLED, deviceTRUST will not make any changes to the permissions of the HKLM\Software\Policies\deviceTRUST registry key.
The default value is disabled.
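The following PowerShell script is an added verification example, not part of the deviceTRUST documentation or product. It audits whether the three effects described for the ENABLED state (no write rights for Local Administrators, owner set to SYSTEM, subkeys inheriting from the parent) are actually present on the HKLM\Software\Policies\deviceTRUST key; the function name and the set of rights treated as "write" are the example's own assumptions.

```powershell
# Added example: audit the ACL state that the "Remove write access to deviceTRUST Policy
# for Local Administrators" setting is documented to produce. Not deviceTRUST code.
$KeyPath = 'HKLM:\Software\Policies\deviceTRUST'

function Test-DeviceTrustPolicyAcl {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path -Path $Path)) { throw "Key not found: $Path" }
    $acl = Get-Acl -Path $Path

    # Assumption: these rights are the ones that let a principal modify the key or its values.
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership -bor
                   [System.Security.AccessControl.RegistryRights]::WriteKey

    # Any Allow ACE for BUILTIN\Administrators carrying a write-type bit means the
    # setting has not taken effect (FullControl contains all of these bits).
    $adminsCanWrite = $false
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.RegistryRights -band $writeRights) -ne 0)) {
            $adminsCanWrite = $true
        }
    }

    # Subkeys are documented to inherit from the parent: a protected DACL on any
    # subkey breaks that inheritance and is reported here.
    $subkeysInherit = $true
    Get-ChildItem -Path $Path -Recurse | ForEach-Object {
        if ((Get-Acl -Path $_.PSPath).AreAccessRulesProtected) { $subkeysInherit = $false }
    }

    [pscustomobject]@{
        Path           = $Path
        OwnerIsSystem  = ($acl.Owner -eq 'NT AUTHORITY\SYSTEM')
        AdminsCanWrite = $adminsCanWrite
        SubkeysInherit = $subkeysInherit
    }
}

Test-DeviceTrustPolicyAcl | Format-List
```

Run it in an elevated session so Get-Acl can read the owner and DACL; with the setting ENABLED you expect OwnerIsSystem and SubkeysInherit to be True and AdminsCanWrite to be False.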