deviceTRUST 19.4.100 is now available. See the release notes for more information.

Policy category: Security

  1. Policy setting: Define whether external processes can display popup windows
  2. Policy setting: Define whether external processes can change application availability
  3. Policy setting: Define whether external processes can change registry values
  4. Policy setting: Define whether external processes can get properties of the user
  5. Policy setting: Define whether external processes can control access to the virtual session
  6. Policy setting: Define whether external processes can invoke named triggers
  7. Policy setting: Timeout whilst waiting for AppLocker to process a change

Policy setting: Define whether external processes can display popup windows

Determines whether SYSTEM or Elevated Processes can display popup windows.

  • When set to None, processes are unable to call dtcmd.exe to display popup windows.

  • When set to ‘SYSTEM account’, any process running under the SYSTEM identity can display popup windows by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, any elevated administrative process can display popup windows by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can change application availability

Determines whether SYSTEM or Elevated Processes can change application availability.

  • When set to None, processes are unable to call dtcmd.exe to change application availability.

  • When set to ‘SYSTEM account’, any process running under the SYSTEM identity can change application availability by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, any elevated administrative process can change application availability by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can change registry values

Determines whether SYSTEM or Elevated Processes can change registry values.

  • When set to None, processes are unable to call dtcmd.exe to change registry values.

  • When set to ‘SYSTEM account’, any process running under the SYSTEM identity can change registry values by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, any elevated administrative process can change registry values by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can get properties of the user

Determines whether SYSTEM processes, elevated processes, or processes in the same session can get properties of the user.

  • When access is set to None, processes are unable to call ‘dtcmd GET’ to determine properties of the user.

  • When access is set to ‘SYSTEM account’, any process running under the SYSTEM identity can get the properties of the user by calling ‘dtcmd GET /session:’.

  • When access is set to ‘Any elevated process’, any elevated administrative process can get the properties of the user by calling ‘dtcmd GET /session:’.

  • When access to own properties is allowed, ‘dtcmd GET’ can query the properties of the current session.

  • When access to own properties is not allowed, calls to ‘dtcmd GET’ fail to query the properties of the current session unless overridden by a SYSTEM or elevated process.

The default value does not allow access to any elevated process, but access to own properties is allowed.

Policy setting: Define whether external processes can control access to the virtual session

Determines whether SYSTEM or Elevated Processes can control access to the virtual session.

  • When set to None, processes are unable to call dtcmd.exe to allow or deny access to the virtual session.

  • When set to ‘SYSTEM account’, any process running under the SYSTEM identity can allow or deny access to any other virtual session by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, any elevated administrative process can allow or deny access to any other virtual session by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Define whether external processes can invoke named triggers

Determines whether SYSTEM or Elevated Processes can invoke named triggers.

  • When set to None, processes are unable to call dtcmd.exe to invoke a named trigger.

  • When set to ‘SYSTEM account’, any process running under the SYSTEM identity can invoke a named trigger by supplying the /session: option to dtcmd.exe.

  • When set to ‘Any elevated process’, any elevated administrative process can invoke a named trigger by supplying the /session: option to dtcmd.exe.

The default value is None.

Policy setting: Timeout whilst waiting for AppLocker to process a change

Determines how long to wait for AppLocker to process the changes to a rule.

The value, specified in seconds, defines an upper limit on how long to wait for AppLocker to process a change to the rules. If the change is not processed within the specified timeout period, a ‘322: APPLOCKER RULE FAILED’ auditing event is raised. If AppLocker policy changes are made during Logon or Reconnect, the user may be denied access to the shell until this timeout has expired, so a longer timeout also means a potentially longer wait for the shell.

The default value is 60 seconds.
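As an added illustration of the timeout semantics described above (not deviceTRUST's own code), the following PowerShell function polls the effective AppLocker policy for a rule and gives up once the upper bound is reached; the function name Wait-AppLockerRule, the polling interval and the placeholder GUID are assumptions.

```powershell
# Added illustration, not part of deviceTRUST: wait for AppLocker to expose a rule
# in the effective policy, bounded by a timeout that mirrors the policy setting above.
function Wait-AppLockerRule {
    param(
        [Parameter(Mandatory)] [string] $RuleId,   # GUID of the rule expected to appear
        [int] $TimeoutSeconds = 60,                # same default as the policy setting
        [int] $PollIntervalSeconds = 2             # assumed interval between checks
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Get-AppLockerPolicy -Effective -Xml returns the merged local and GPO policy as XML text
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
        $rule = $policy.SelectSingleNode("//*[@Id='$RuleId']")
        if ($rule) { return $true }                # rule processed within the limit
        Start-Sleep -Seconds $PollIntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false                                  # upper limit reached, rule still absent
}

# Placeholder GUID (hypothetical); substitute the Id of the rule that was actually changed.
$ruleId = '00000000-0000-0000-0000-000000000000'
if (-not (Wait-AppLockerRule -RuleId $ruleId -TimeoutSeconds 60)) {
    # Surface the failure as an auditable condition, as the ‘322: APPLOCKER RULE FAILED’ event does
    Write-Warning "AppLocker did not process rule $ruleId within the timeout; check the 322 audit event"
}
```

Running this during Logon or Reconnect reproduces the trade-off the setting describes: the caller is blocked for up to the full timeout when the rule never appears.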