deviceTRUST for Windows 20.1.110 is now available. See the release notes for more information.

deviceTRUST Product Events

deviceTRUST delivers information about its runtime behavior to the Windows Event Log for easy integration into existing Security Information and Event Management (SIEM) and reporting solutions. This information includes detailed properties of the remote device during user logon, reconnect, and also includes all properties that are changed whilst the user session is active.

deviceTRUST/Admin Channel

The ADMIN channel can be found within the Windows Event Log under APPLICATION AND SERVICE LOGS\DEVICETRUST\ADMIN, or queried programmatically using the deviceTRUST/Admin channel. The following events are included:

Event ID Name Type Data Format Name Description
1 Service Started Information Service Status The deviceTRUST Host Service has started.
2 Service Stopped Information Service Status The deviceTRUST Host Service has stopped.
3 Policy Loaded Information Policy Loaded The deviceTRUST Host Service loaded new policies.
11 License Validated Information License The license has been read, is valid, and is not yet expired, or within the expiry threshold (30 days). The license is read on service startup, and any time a new license is deployed by Group Policy.
12 Hard License Expires Soon Warning License The license is a hard license, is valid, but it expires within the expiry threshold (30 days). Since the license is a hard license, the software will stop functioning once the expiry date is reached.
13 Soft License Expires Soon Warning License The license is a soft license, is valid, but it expires within the expiry threshold (30 days). Since the license is a soft license, the software will continue to function after the expiry date is reached.
14 Soft License Expired Error License The license is a soft license, is valid, but has expired. Since the license is a soft license, the software will continue to function.
15 Hard License Expired Error License The license is a hard license, is valid, but has expired. Since the license is a hard license, the software will not function.
16 License Invalid Error License Invalid The license does not exist or contains invalid data.
17 Unmanaged User Logon Information Unmanaged User Logon An unmanaged user logged on.
101 Logon Information Connection A user successfully logged onto a new session.
102 Reconnect Information Connection A user successfully reconnected to an existing session.
103 Logoff Information Session A user which previously successfully logged onto a session was logged off.
104 Disconnect Information Session A user which previously successfully logged onto a session was disconnected from that session.
105 Property Changed Information Property Changed One or more properties of the host or remote connected device were added, removed or changed.
106 Context Changed Information Context Changed One or more context values changed.
111 Untrusted Device Blocked Warning Untrusted Device Blocked A user attempted to logon or reconnect to an existing session, but the deviceTRUST Client failed to provide properties of the remote connected device, and the policy determines that this information is required.
112 Trusted Device Blocked Warning Trusted Device A trusted device, i.e. a device with the deviceTRUST Client installed, was blocked from access due to not meeting version or encryption minimum requirements.
113 Trusted Device Auto Update Succeeded Information Trusted Device Auto Update A trusted device was successfully auto-updated.
114 Trusted Device Auto Update Failed Error Trusted Device Auto Update Failed A trusted device failed to auto-update.
201 Custom Process Executed Information Custom Process A custom process was executed.
202 Custom Process Succeeded Information Custom Process Complete A custom process finished executing and the process did not report an error.
203 Custom Process Failed Error Custom Process Complete A custom process finished executing, but the process either timed out or reported an error.
301 Access Allowed Information Access Allowed Access to the shell was allowed by a call to dtcmd.exe ACCESS /operation:allow.
302 Access Denied Warning User Message Access to the shell was denied by a call to dtcmd.exe ACCESS /operation:deny.
303 Access Failed Error Access Failed A request to change access to the shell failed.
304 Logon Aborted Warning Logon Aborted The logon process was aborted.
311 Event Info Information Event A custom information event was created by a call to dtcmd.exe EVENT /level:info.
312 Event Warning Warning Event A custom warning event was created by a call to dtcmd.exe EVENT /level:warning.
313 Event Error Error Event A custom error event was created by a call to dtcmd.exe EVENT /level:error.
321 AppLocker Rule Information AppLocker Rule An AppLocker rule was applied as a result of a call to dtcmd.exe APPLOCKER
322 AppLocker Rule Failed Error AppLocker Rule Failed An AppLocker rule failed to apply.
331 Application Terminated Information Application Terminated An application was terminated because a user failed to close an application following a call to dtcmd.exe APPTERMINATE.
332 Application Shutdown Information Application Shutdown A user was asked to shutdown an application following a call to dtcmd.exe APPTERMINATE.
341 Popup Shown Information Popup Shown A popup message was shown to the user.
342 Popup Failed Error Popup Failed An attempt to display a popup message to the user failed.
351 Registry Updated Information Registry Updated The registry was updated.
352 Registry Warning Warning Registry Warning A warning was generated while updating the registry.
353 Registry Failed Error Registry Failed An attempt to update the registry failed.
361 Printer Mapped Information Printer Operation Printers were successfully mapped.
362 Printer Map Failed Error Printer Operation Failed An attempt to map printers failed.
363 Printer Unmapped Information Printer Operation Printers were successfully unmapped.
364 Printer Unmap Failed Error Printer Operation Failed An attempt to unmap printers failed.
365 Printer Set Default Information Printer Operation A printer was set as default.
366 Printer Set Default Failed Error Printer Operation Failed An attempt to set a default printer failed.
367 Printer Map Warning Warning Printer Operation Failed A warning was generated when attempting to map a printer.
368 Printer Set Default Warning Warning Printer Operation Failed A warning was generated when attempting to set a default printer.
371 App Masking Update Information App Masking Update A Microsoft FSLogix App Masking update was successfully applied.
372 App Masking Update Failed Error App Masking Update Failed A Microsoft FSLogix App Masking update failed.
381 Send Mail Succeeded Information Send Mail Succeeded A send mail task succeeded.
382 Send Mail Failed Error Send Mail Failed A send mail task failed.
391 Web Request Succeeded Information Web Request Succeeded A web request task succeeded.
392 Web Request Failed Error Web Request Failed A web request task failed.
401 Windows Firewall Succeeded Information Windows Firewall The Windows Firewall task succeeded to create a rule.
402 Windows Firewall Failed Error Windows Firewall Failed The Windows Firewall task failed to create a rule.
411 Drive Map Information Drive Operation A network drive was mapped.
412 Drive Map Warning Warning Drive Operation Failed A network drive failed to map, but the failover drive was successfully mapped.
413 Drive Map Failed Error Drive Operation Failed A network drives and any failover drives failed to map.
414 Drive Unmap Information Drive Operation A network drive was unmapped.
415 Drive Unmap Failed Error Drive Operation Failed A network drive failed to unmap.
421 Shortcut Creation Succeeded Information Shortcut Operation A shortcut was successfully created.
422 Shortcut Creation Failed Error Shortcut Operation Failed A shortcut failed to be created.
423 Shortcut Deletion Succeeded Information Shortcut Operation A shortcut was successfully deleted.
424 Shortcut Deletion Failed Error Shortcut Operation Failed A shortcut failed to be deleted.

The above events report the following event data:

Name Field Name (Index) Format Description
Name (1) TEXT The name of the service, e.g. deviceTRUST Host Service.
CustomerId (1) GUID An identifier that uniquely identifies the customer.
  LicenseId (2) GUID An identifier that uniquely identifies the license.
  IssueDate (3) SYSTEMTIME The date that the license was issued.
  ExpiryDate (4) SYSTEMTIME The date that the license expires.
  Type (5) TEXT The type of license, e.g. Subscription.
  Quantity (6) INT The quantity of units that can consume a license.
  Unit (7) TEXT The unit of license, e.g. User.
  Days (8) INT The number of days remaining on the license.
Message (1) TEXT A description of the reason why the license is invalid.
LogonId (1) GUID An identifier representing the user logon.
  LogonTime (2) SYSTEMTIME The time that the user logged onto the session.
  SessionId (3) INT The session id that the user is connected to.
  UserName (4) TEXT The name of the user logged into the session.
  UserDomain (5) TEXT The domain of the user logged into the session.
  UserSID (6) TEXT The security identifier of the user logged into the session.
Name (1) TEXT The name of the service, e.g. deviceTRUST Host Service.
  Policies (2) TEXT A list of the policies that were loaded and the timestamp that the policy was saved.
LogonId (1) GUID Uniquely identifies events from the same logon session. By filtering on this field, all events related to a single logon session can be determined.
  LogonTime (2) SYSTEMTIME The time that the user logged onto the session.
  ConnectedId (3) GUID Uniquely identifies events from the same connection. Unlike the LogonId, the value of this field changes every time a new connection is established to an existing session.
  ConnectedTime (4) SYSTEMTIME The time that the user logged on, or reconnected, to the session.
  SessionId (5) INT The session id that the user is connected to.
  UserName (6) TEXT The name of the user logged into the session.
  UserDomain (7) TEXT The domain of the user logged into the session.
  UserSID (8) TEXT The security identifier of the user logged into the session.
DeviceId (9) TEXT Uniquely identifies the remote connected device. All activity originating from the same device can be queried by filtering on this field. This field is blank for local console sessions.
  DeviceName (10) TEXT The name of the remote connected device. This field is blank for local console sessions.
  DeviceOS (11) TEXT The operating system of the remote connected device. This field is blank for local console sessions, and if the deviceTRUST Client did not provide details of the operating system.
  Properties (12) TEXT A textual representation of all properties, including host and device properties. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n
  Contexts (13) TEXT A textual representation of all contexts. The contexts are formatted with the name and value separated by an equals symbol (=), and multiple contexts separated by a newline (\n) character. E.g. CONTEXT1=VALUE1\nCONTEXT2=VALUE2\n
  Errors (14) TEXT A description of any errors that occurred whilst obtaining properties.
  Timings (15) TEXT Lists the five deviceTRUST Host and Client property providers that took the longest to return, in milliseconds.
  Duration (16) INT The number of milliseconds it took for all deviceTRUST property providers to return.
AddedProperties (9) TEXT A textual representation of all properties that were added. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n
  RemovedProperties (10) TEXT A textual representation of all properties that were removed. The properties are formatted with the name of each property, with multiple properties separated by a newline (\n) character. E.g. PROPERTY1 \nPROPERTY2 \n
  ChangedProperties (11) TEXT A textual representation of all properties that were changed. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n
  PreviousProperties (12) TEXT A textual representation of the previous value of all properties that were changed or removed. The properties are formatted with the name and value separated by an equals symbol (=), and multiple properties separated by a newline (\n) character. E.g. PROPERTY1=VALUE1\nPROPERTY2=VALUE2\n
ClientName (9) TEXT The Operating System reported name of the connecting device.
ClientName (9) TEXT The deviceTRUST Client reported name of the connected device.
  ClientVersion (10) TEXT The version number of the deviceTRUST Client on the remote device.
  MinimumVersion (11) TEXT The minimum version of the deviceTRUST Client as defined by policy.
  Encrypted (12) BOOLEAN Set to true when application level encryption was used in addition to the encryption offered by the underlying protocol.
AutoUpdateUrls (13) TEXT The auto-update URLS that were used to upgrade the deviceTRUST Client.
ErrorMessage (14) TEXT An error message reported by the upgrade of the deviceTRUST Client.
TriggerName (9) TEXT The name of the action that the custom process resides.
  TriggerType (10) TEXT The type of the custom process, e.g. Executable, VBScript, Batch or PowerShell.
  TriggerTime (11) TIME The time that the custom process was executed.
  TriggeredBy (12) TEXT The properties that resulted in the execution of the custom process.
  CommandLine (13) TEXT The command line that was executed.
  RunAs (14) TEXT Either ‘USER’ or ‘SYSTEM’, depending upon the configuration of the trigger that was executed.
  Identity (15) TEXT The user name of the custom process.
  Pid (16) INT The Process ID of the custom process.
  Location (17) TEXT Determines whether the custom process was executed on the host or client.
Duration (18) INT The time taken for the custom process to complete, in milliseconds.
  Output (19) TEXT The output messages returned by the custom process.
  Error (20) TEXT The error messages returned by the custom process.
Title (9) TEXT A message title displayed to the user.
  Message (10) TEXT The message displayed to the user.
  Timeout (11) INT The timeout period that the message is displayed to the user.
Message (9) TEXT The message reported by a call to dtcmd.exe ACCESS.
Reason (9) TEXT The reason that a call dtcmd.exe ACCESS failed.
  Message (10) TEXT The message supplied to a call to dtcmd.exe ACCESS that would have been displayed to the user if the call succeeded.
  Timeout (11) INT The timeout period that the user would have had before being disconnected from the session, if the call to dtcmd.exe ACCESS succeeded.
Message (9) TEXT A user supplied message from a call to dtcmd.exe EVENT.
Name (9) TEXT The name of the rule.
  Operation (10) TEXT The operation of the AppLocker rule, either Allow, Deny or Delete.
  Target (11) TEXT The target of the AppLocker rule, either Executable, Dll, Installer, Script or Package.
  Duration (12) INT The time taken for the AppLocker rule to become effective.
  Rule (13) TEXT The AppLocker XML fragment that defines the rule.
Name (9) TEXT The name of the rule.
  Operation (10) TEXT The operation of the AppLocker rule, either Allow, Deny or Delete.
  Target (11) TEXT The target of the AppLocker rule, either Executable, Dll, Installer, Script or Package.
  Duration (12) INT The time taken for the AppLocker rule to become effective.
  Message (13) TEXT A message explaining why the rule failed to apply.
Title (9) TEXT The title displayed to the user following a call to dtcmd.exe APPTERMINATE.
  Message (10) TEXT The message displayed to the user following a call to dtcmd.exe APPTERMINATE.
  Applications (11) TEXT A comma separated list of all processes and their PID’s that were terminated.
Termination Time (12) DATE/TIME The time that the applications will be terminated.
Title (9) TEXT The popup title.
  Message (10) TEXT The popup message.
  Timeout (11) INT The timeout in seconds to display the popup.
Reason (9) TEXT The reason that the popup failed to shown.
  Title (10) TEXT The popup title.
  Message (11) TEXT The popup message.
  Timeout (12) INT The timeout in seconds to display the popup.
Values (9) TEXT The registry values.
  Persist (10) TEXT How to persist the registry values.
  Protect (11) BOOLEAN Whether the registry key is protected.
Warnings (12) TEXT The warning messages generated by the update.
Source (9) TEXT The source of the registry update.
  Reason (10) TEXT The reason the registry update failed.
Printer (9) TEXT The path to the printers.
Reason (10) TEXT The reason that the printer operation failed.
Path (9) TEXT The path to the Microsoft FSLogix App Masking Rule Assignment file.
  Operation (10) TEXT The type of operation.
  Entry (11) TEXT The entry to apply to the file.
Error (12) TEXT The reason that the Microsoft FSLogix App Masking update failed.
Host Name (9) TEXT The host name of the SMTP server.
  Recipients (10) TEXT A list of the recipients of the mail message.
  Subject (11) TEXT The subject of the mail message.
  Status Code (12) INT The status code reported by the SMTP server representing the success of the mail message.
  Duration (13) INT The time in milliseconds taken to send the mail message.
Message Id (14) TEXT Uniquely identifies the sent mail message.
Error (14) TEXT An error message representing the problem that occurred.
  Response (15) TEXT The response from the SMTP server.
Method (9) TEXT The method used in the web request.
  URL (10) TEXT The URL that the web request was sent.
  Status Code (11) INT The status code reported by the web server.
  Duration (12) INT The time in milliseconds taken to perform the web request.
  Request Id (13) INT Uniquely identifies the web request.
Error (14) TEXT An error message representing the problem that occurred.
  Response (15) TEXT The response from the web server.
Action (9) TEXT Whether the firewall rule was an Allow or a Deny.
  RuleName (10) TEXT The name of the rule created.
Error (11) TEXT A description of the error that occurred.
Drive (9) TEXT The drive that was mapped or unmapped.
Error (10) TEXT A description of the error that occurred.
Shortcut Name (9) TEXT The name of the shortcut.
  Shortcut Directories (10) TEXT A list of directories that the shortcut should be created.
  Target Path (11) TEXT The path where the target file exists.
  Target Args (12) TEXT Any arguments to supply to the shortcut target.
Error (13) TEXT A description of the error that occurred.

deviceTRUST/Usage Channel

The USAGE channel can be found within the Windows Event Log under APPLICATION AND SERVICE LOGS\DEVICETRUST\USAGE, or queried programmatically using the deviceTRUST/Usage channel. The following event is included.

Event ID Name Type Data Format Name Description
21 Usage Information Usage Raised when a license unit, e.g. a User, logs into the host for the first time within a calendar month.

The above event reports the following event data:

Name Field Name (Index) Format Description
TrackingId (1) TEXT Uniquely identifies the license unit, e.g. the User, that logged in. For a user, this is a Base64 encoded SHA256 hash of the user’s security identifier.
  TrackingName (2) TEXT The name of the license unit that logged in, e.g. the user name.
  TrackingUnit (3) TEXT The unit of license, e.g. User.