deviceTRUST for Windows 20.1.110 is now available. See the release notes for more information.

Policy category: Security

  1. Policy setting: Define whether external processes can display popup windows
  2. Policy setting: Define whether external processes can change application availability
  3. Policy setting: Define whether external processes can change registry values
  4. Policy setting: Define whether external processes can get properties of the user
  5. Policy setting: Define whether external processes can set properties of the user
  6. Policy setting: Define whether external processes can control access to the virtual session
  7. Policy setting: Define whether external processes can invoke named triggers
  8. Policy setting: Remove write access to deviceTRUST Policy for Local Administrators

Policy setting: Define whether external processes can display popup windows

Determines whether SYSTEM or Elevated Processes can display popup windows.

  • When set to None, processes are unable to call dtcmd.exe to display popup windows.

  • When set to ‘SYSTEM account’, allows any process running under the SYSTEM identity to display popup windows by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, allows any elevated administrative process to display popup windows by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can change application availability

Determines whether SYSTEM or Elevated Processes can change application availability.

  • When set to None, processes are unable to call dtcmd.exe to change application availability.

  • When set to ‘SYSTEM account’, allows any process running under the SYSTEM identity to change application availability by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, allows any elevated administrative process to change application availability by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can change registry values

Determines whether SYSTEM or Elevated Processes can change registry values.

  • When set to None, processes are unable to call dtcmd.exe to change registry values.

  • When set to ‘SYSTEM account’, allows any process running under the SYSTEM identity to change registry values by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, allows any elevated administrative process to change registry values by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can get properties of the user

Defines whether SYSTEM, elevated or processes in the same session can get properties of the user.

When access is set to none, processes are unable to call ‘dtcmd GET’ to determine properties of the user.

When access is set to SYSTEM account, processes running under the SYSTEM identity can get the properties of the user by calling ‘dtcmd GET /session:'.

When access is set to any elevated process, allows any elevated administative process to get the properties of the user by calling ‘dtcmd GET /session:'.

When access to own properties is allowed, allows ‘dtcmd GET’ to query the properties of the current session.

When access to own properties is not allowed, calls to ‘dtcmd GET’ will fail to query properties of the current session unless overridden by SYSTEM or elevated processes.

The default value does not allow access to any elevated process, but access to own properties is allowed.

Policy setting: Define whether external processes can set properties of the user

Defines whether SYSTEM and elevated processes can set properties of the user.

When access is set to none, processes are unable to call ‘dtcmd SET’ to update or delete custom properties of the user.

When access is set to SYSTEM account, processes running under the SYSTEM identity can update and delete custom properties of the user by calling ‘dtcmd SET /session:'.

When access is set to any elevated process, allows any elevated administative process to update and delete custom properties of the user by calling ‘dtcmd SET /session:'.

The default value does not allow access to any elevated process.

Policy setting: Define whether external processes can control access to the virtual session

Determines whether SYSTEM or Elevated Processes can control access to the virtual session.

  • When set to None, processes are unable to call dtcmd.exe to allow or deny access to the virtual session.

  • When set to ‘SYSTEM account’, allows any process running under the SYSTEM identity to allow or deny access to any other virtual session by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, allows any elevated administrative process to allow or deny access to any other virtual session by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can invoke named triggers

Determines whether SYSTEM or Elevated Processes can invoke named triggers.

  • When set to None, processes are unable to call dtcmd.exe to invoke a named trigger.

  • When set to ‘SYSTEM account’, allows any process running under the SYSTEM identity to invoke a named trigger by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, allows any elevated administrative process to invoke a named trigger by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Remove write access to deviceTRUST Policy for Local Administrators

Determines whether write access to the deviceTRUST Policy should be removed for Local Administrators.

  • When ENABLED, deviceTRUST will remove write access for the Local Administrator group from the HKLM\Software\Policies\deviceTRUST registry key. Additionally, the owner of the key will be set to SYSTEM and all subkeys will be updated to inherit permissions from their parent.

  • When DISABLED, deviceTRUST will not make any changes to the permissions of the HKLM\Software\Policies\deviceTRUST registry key.

The default value is disabled.