deviceTRUST 20.2.200
This release contains bug fixes and minor changes to the deviceTRUST Host, Client and Console. See deviceTRUST 20.2.100 release notes for full details of the new features introduced in 20.2.100. If upgrading, please refer to Compatibility for changes in this release.
- Microsoft AppLocker CSP
- New User Session task
- Portable Devices included in Logical Disk properties
- Changes to Domain properties with support for Azure AD domain
- Version operators within context conditions
- Updated Templates
- Other changes
- Bug Fixes
- Compatibility
Microsoft AppLocker CSP
To bring our Microsoft AppLocker integration to more endpoints, we’ve added support for Microsoft AppLocker CSP. This new feature is available on more editions of Windows 10 including Windows 10 Pro. It can be enabled by selecting the Write to the AppLocker CSP MDM profile instead of Local Policy on supported editions of Windows 10 option within the Microsoft AppLocker Policy Options. Unlike with Microsoft AppLocker rules written to Local Policy, rules written to Microsoft AppLocker CSP are effective immediately without requiring connectivity with a domain controller.
New User Session task
We’ve included a new User Session task which allows the current user session to be either Locked, Disconnected or Signed out.
Portable Devices included in Logical Disk properties
Logical Disk properties now include portable devices with storage capabilities. Portable devices may include cell phones, media players, cameras, etc, and can be identified by the Type property set to Portable Device.
Changes to Domain properties with support for Azure AD domain
We’ve made a number of changes to the Domain properties of an endpoint, including adding detection of when the domain belongs to an Azure AD domain. The changes include:
- HOST or DEVICE_DOMAIN_JOINED has been changed to HOST or DEVICE_DOMAIN_JOIN with values None, Workgroup, Domain or AzureAD.
- HOST or DEVICE_DOMAIN has been changed to HOST or DEVICE_DOMAIN_NAME, and when an endpoint is Azure AD domain joined is set to the name of the Azure AD domain.
- HOST or DEVICE_DOMAIN_SID has been changed to HOST or DEVICE_DOMAIN_ID and when an endpoint is Azure AD domain joined is set to the Azure AD tenant ID.
Compatibility has been added to the deviceTRUST 20.2.200 Host, ensuring it can automatically update previous policies, and automatically convert properties from previous deviceTRUST Clients.
Compatibility has been added to the deviceTRUST 20.2.200 Client, ensuring that it sends the old properties to previous deviceTRUST Hosts.
Version operators within context conditions
We’ve added new operators to simplify comparisons against properties which represent a version number. These operators simplify scenarios such as checking that the Citrix Workspace App is greater than or equal to some predefined value.
Updated Templates
We’ve reworked all of our templates to include an active mode which denies access to the shell, and a passive mode which just notifies the user when requirements are not met. Users can be moved to active mode by simply adding users to a security group.
All of our templates now also include German and English translations.
Other changes
- We’ve added a user and security group picker into the User Group condition to simplify the selection of groups. Manually entering security groups may include variables, either from environment variables or from deviceTRUST Properties, Contexts or Messages.
- We now include detection for Windows Defender as an Anti-Virus security product. This ensures Windows Server OS’s, which don’t include Windows Security Center, include an Anti-Virus security product when Windows Defender is active.
- Errors generated by the host or device property providers are now shown within the Event ID 101: Logon and Event ID 102: Reconnect audit events.
- The Windows Firewall task has been optimised to automatically combine rules which share the same port and protocol.
- The default File-Based Policy setting has changed to Load all policy files from policy folder.
- The Security Products now consistently report Windows Defender as Microsoft Defender AntiVirus.
- The Security Products now consistently report Windows Firewall as Microsoft Defender Firewall.
- Network properties now support detection of the WPA3 Wi-Fi security standard.
- A new option has been added to the Citrix Policy task to Clear Citrix Policy on Logon. When used within a Logon trigger, this option will remove all Citrix policies from the registry during the Logon process.
Bug Fixes
- When using Microsoft AppLocker Policy Settings, the Prevent execution of unauthorized cmdlets and scripts option no longer prevents the PowerShell cmdlets required to use Windows Explorer’s Run with PowerShell context menu. The execution of the PowerShell script is still controlled by the Microsoft AppLocker rules.
- Fixed an issue with Microsoft AppLocker Policy where the Prevent execution of unauthorized cmdlets and scripts did not function correctly on Windows Server 2016.
- Fixed an issue with Microsoft AppLocker Policy Settings authorized owner rules where paths beginning with Microsoft AppLocker’s path variables (such as C:\WindowsAzure\Subdir) could be incorrectly replaced (such as %WINDIR%Azure\Subdir).
- Fixed an issue with the Popup Message task with the title text potentially becoming truncated when it is longer than the message text.
- Fixed an issue with the Operating System Sign out, Lock and Change Password buttons becoming disabled.
- Fixed an issue with the FSLogix rule sets not being effective when the endpoint is domain joined, and has no connection to the domain controller.
- Fixed an issue with Windows Defender as a Security Product, where the timestamp reported did not reflect the Version created on field within Windows Security.
- Fixed an issue detecting a reconnect when using Windows 10 VDI with Citrix.
- Fixed an issue with Amazon WorkSpaces where the deviceTRUST Client was not always detected by the deviceTRUST Host.
- Fixed an issue with VMware Horizon where the deviceTRUST Client was not always detected by the deviceTRUST Host.
- Fixed an issue where the text on the buttons of a Popup message was not translated.
Compatibility
If upgrading from deviceTRUST 20.1.200 or earlier, be sure to refer to the deviceTRUST 20.1.200 Compatibility notes.
If upgrading from deviceTRUST 20.2.100, ensure all deviceTRUST Hosts are upgraded before applying policy that has been written by the deviceTRUST 20.2.200 Console.
The only changes to the ADMX policy definitions are to support the filtering of the updated DOMAIN properties, and a textual description of the Logical Disk queries. Unless you need to change the filter for the DOMAIN properties, we recommend continuing to use the 20.2.100 ADMX policy definitions.