
Policy category: Properties

  1. Policy setting: Persist properties to a session specific location
  2. Policy setting: Persist properties to the users registry
  3. Policy setting: Persist properties to the user environment variables
  4. Policy setting: Interval before checking for changes to dynamic properties
  5. Policy setting: Allow deviceTRUST triggers to get properties of the user
  6. Policy setting: Define who can get properties of the user
  7. Policy setting: Define properties which will not be written to the Windows Event Log
  8. Policy setting: Define properties which generate a PROPERTY CHANGED trigger
  9. Policy setting: Propagate MULTIHOP device properties
  10. Policy setting: Define host properties to include in MULTIHOP properties
  11. Policy setting: Whitelist of users to enable WHOIS internet dependent properties
  12. Policy setting: Blacklist of users to disable WHOIS internet dependent properties
  13. Policy setting: Whitelist of users to enable LOCATION internet dependent properties
  14. Policy setting: Blacklist of users to disable LOCATION internet dependent properties

Policy setting: Persist properties to a session specific location

Determines where properties are persisted into the Windows Registry.

  • When ENABLED, properties are persisted into a location unique to the user’s session. If you expect multiple concurrent virtual sessions from the same user then select this option. This option is not supported by Microsoft Group Policy Preferences.

  • When DISABLED, properties are persisted into a location unique to the user.

The default behavior is disabled.

Policy setting: Persist properties to the users registry

Determines whether properties are persisted to the Windows Registry.

  • When ENABLED, properties are persisted into either HKCU\Software\deviceTRUST\Properties or HKCU\Software\deviceTRUST\Properties<SessionId>, depending upon whether configured to persist to a session specific location.

  • When DISABLED, properties are not persisted to the above registry locations.

The default behavior is enabled.

Policy setting: Persist properties to the user environment variables

Determines whether properties are persisted to user environment variables.

  • When ENABLED, properties are persisted into either HKCU\Volatile Environment or HKCU\Volatile Environment<SessionId>, depending upon whether configured to persist to a session specific location. These locations control volatile environment variables for newly created processes, and also existing processes which subscribe to policy change notifications.

  • When DISABLED, properties are not persisted to the above registry locations.

The default behavior is enabled.

Properties are still available as environment variables within deviceTRUST triggers, regardless of whether this policy setting is enabled or disabled.

Policy setting: Interval before checking for changes to dynamic properties

Defines the interval before checking for changes to dynamic properties.

The value, specified in seconds, defines the timeout before checking for changes to the properties.

This value only affects dynamic properties. Static and dynamic (Real time) properties are not impacted by this policy. For more details, refer to the Property Matrix.

The default interval is 60 seconds (1 minute).

Policy setting: Allow deviceTRUST triggers to get properties of the user

Defines whether deviceTRUST triggers can get properties of the user.

This policy works together with the ‘Define who can get properties of the user’ policy, which can be used to allow SYSTEM, Local Administrator or processes from the same session to get properties of the user.

  • When ENABLED, processes launched by deviceTRUST triggers can call ‘dtcmd GET’ to determine properties of the user.

  • When DISABLED, processes launched by deviceTRUST triggers are unable to call ‘dtcmd GET’ to determine properties of the user.

The default behavior is enabled.

Policy setting: Define who can get properties of the user

Defines whether SYSTEM processes, elevated processes or processes in the same session can get properties of the user.

This policy works together with the ‘Allow deviceTRUST triggers to get properties of the user’ policy, which can be used to allow deviceTRUST triggered processes to get properties of the user.

When access is set to none, processes are unable to call ‘dtcmd GET’ to determine properties of the user.

When access is set to SYSTEM account, processes running under the SYSTEM identity can get the properties of the user by calling ‘dtcmd GET /session:’.

When access is set to any elevated process, any elevated administrative process can get the properties of the user by calling ‘dtcmd GET /session:’.

When access to own properties is allowed, allows ‘dtcmd GET’ to query the properties of the current session.

When access to own properties is not allowed, calls to ‘dtcmd GET’ will fail to query properties of the current session unless overridden by SYSTEM or elevated processes.

The default value does not allow access to any elevated process, but access to own properties is allowed.

Policy setting: Define properties which will not be written to the Windows Event Log

Defines the list of properties which will not be written to the Windows Event Log.

Allows a list of property names to be defined, which are removed from all auditing events prior to writing to the Windows Event Log. This policy has no impact on whether the property is collected and made available within the Registry or Environment Variables.

The values within the list are wildcard expressions, such as:

  • DEVICE_NAME_DNS - matches the property ‘DEVICE_NAME_DNS’.
  • *DNS* - matches all properties containing ‘DNS’.
  • *NAME - matches all properties ending with ‘NAME’.
  • DEVICE_NETWORK_0_NAME - matches the property ‘DEVICE_NETWORK_0_NAME’.
  • DEVICE_NETWORK_*_NAME - matches the properties ‘DEVICE_NETWORK_0_NAME’, ‘DEVICE_NETWORK_1_NAME’, etc.

The default behavior is to write all properties to the event log.

Policy setting: Define properties which generate a PROPERTY CHANGED trigger

Defines the list of properties which generate a Property Changed trigger.

The values within the list are wildcard expressions, such as:

  • HOST_* - matches all properties starting with ‘HOST_’.
  • HOST_MAPPEDDRIVE_* - matches all properties starting with ‘HOST_MAPPEDDRIVE_’.
  • DEVICE_NETWORK_*_GATEWAY - matches the properties ‘DEVICE_NETWORK_0_GATEWAY’, ‘DEVICE_NETWORK_1_GATEWAY’, etc.

The default behavior is for all properties except HOST_PERFORMANCE_BANDWIDTH_SPEED, HOST_PERFORMANCE_LATENCY_SPEED and HOST_SESSION_IDLEPERIOD to generate a Property Changed trigger.
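The wildcard lists used by this policy and by ‘Define properties which will not be written to the Windows Event Log’ can be previewed against real property names before the policy is rolled out. The following PowerShell is an added example, not part of deviceTRUST: the function name Test-PropertyPattern is hypothetical, it assumes ‘*’ behaves like PowerShell's -like operator with case-insensitive matching, and it assumes each property is stored as a named value under the registry key given above.

```powershell
# Added example: preview which property names a wildcard list matches.
# Assumption: '*' behaves like PowerShell's -like wildcard and matching is
# case-insensitive; the product's own matcher may differ in edge cases.
function Test-PropertyPattern {
    param(
        [Parameter(Mandatory)] [string[]] $Pattern,
        [Parameter(Mandatory)] [string[]] $PropertyName
    )
    foreach ($name in $PropertyName) {
        # Collect every matching pattern so overlapping entries are visible.
        $hits = @($Pattern | Where-Object { $name -like $_ })
        [pscustomobject]@{
            Property  = $name
            Matched   = $hits.Count -gt 0
            MatchedBy = $hits -join ', '
        }
    }
}

# Property names: read from the per-user location named on this page when it
# exists (assumption: one registry value per property), otherwise fall back
# to a constructed sample list.
$key   = 'HKCU:\Software\deviceTRUST\Properties'
$names = @()
if (Test-Path $key) {
    $names = @((Get-Item $key).Property | Where-Object { $_ })
}
if ($names.Count -eq 0) {
    $names = @(                       # constructed sample names
        'DEVICE_NAME_DNS', 'DEVICE_NAME', 'HOST_NAME',
        'DEVICE_NETWORK_0_NAME', 'DEVICE_NETWORK_1_NAME',
        'DEVICE_NETWORK_0_GATEWAY', 'HOST_MAPPEDDRIVE_0_PATH'
    )
}

# Candidate event-log exclusion list, written in the page's wildcard syntax.
$exclude = @('*NAME', 'DEVICE_NETWORK_*_GATEWAY')

# Full match report, then the names that no pattern covers; for the event-log
# policy those uncovered names would still be written to the log.
$report = Test-PropertyPattern -Pattern $exclude -PropertyName $names
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Matched } | Select-Object -ExpandProperty Property
```

For the PROPERTY CHANGED policy the same report reads the other way round: the matched names are the ones that would generate a trigger.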

Policy setting: Propagate MULTIHOP device properties

Defines whether MULTIHOP device properties are propagated by remote devices.

  • When ENABLED, a remotely connected device will propagate the properties of its own remotely connected device, instead of supplying its own properties.

  • When DISABLED, a remotely connected device will always supply its own properties.

The default behavior is enabled.

Policy setting: Define host properties to include in MULTIHOP properties

Defines the host properties that will be included in the MULTIHOP properties.

This policy requires ‘Propagate MULTIHOP device properties’ to be enabled.

Defines a list of properties that will be read from any intermediate hosts during a MULTIHOP scenario and supplied as MULTIHOP_X indexed properties.

The default behavior does not include any host properties.

Policy setting: Whitelist of users to enable WHOIS internet dependent properties

Defines a whitelist of users that will enable WHOIS internet dependent properties.

This policy works together with the ‘Blacklist of users to disable WHOIS internet dependent properties’ policy, with blacklisted users taking precedence over whitelisted users.

Defines a list of users that will enable WHOIS internet dependent properties.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

The default value includes all users.

Policy setting: Blacklist of users to disable WHOIS internet dependent properties

Defines a blacklist of users that will disable WHOIS internet dependent properties.

This policy works together with the ‘Whitelist of users to enable WHOIS internet dependent properties’ policy, with blacklisted users taking precedence over whitelisted users.

Defines a list of users that will disable WHOIS internet dependent properties.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

The default value does not include any users.

Policy setting: Whitelist of users to enable LOCATION internet dependent properties

Defines a whitelist of users that will enable LOCATION internet dependent properties.

This policy works together with the ‘Blacklist of users to disable LOCATION internet dependent properties’ policy, with blacklisted users taking precedence over whitelisted users.

Defines a list of users that will enable LOCATION internet dependent properties.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

The default value includes all users.

Policy setting: Blacklist of users to disable LOCATION internet dependent properties

Defines a blacklist of users that will disable LOCATION internet dependent properties.

This policy works together with the ‘Whitelist of users to enable LOCATION internet dependent properties’ policy, with blacklisted users taking precedence over whitelisted users.

Defines a list of users that will disable LOCATION internet dependent properties.

User and security group names can be supplied in the format DOMAIN\UserName or DOMAIN\SecurityGroupName, where DOMAIN is either the SAM compatible domain, or the DNS domain name.

The default value does not include any users.