Release Notes for deviceTRUST 19.1.100
This document details the new features and bug fixes available within deviceTRUST 19.1.100 for Microsoft Windows.
We’ve introduced a new console, which allows you to define the context that’s important to your business, and also to take action when the context changes. deviceTRUST persists its policy into a GPO, and is integrated into the Microsoft Group Policy editors when editing group policy. Alternatively the local policy editor or the standalone ‘deviceTRUST Console’ start menu shortcut can be used to edit local policy.
The new console continues to work alongside the previous ADMX templates, which are now installed by the console installer.
Context can now be defined within the deviceTRUST Console by combining one or more conditions against the properties from the local host or remote device. By default, the context is set to the value of the left most path where all conditions successfully evaluate. If no path is found, then the default value is used.
A total of 273 unique properties are available to conditions from either the host, device or from multihops from 36 different categories. The condition editor allows the simple selection of the properties with a value aware constraint.
The context defined within the console is kept up-to-date at all times as changes occur on either the host or the remote device. Any change to the context raises a new ‘Context Change’ trigger and a new auditing event ‘Context Changed - 106’.
Actions allow the execution of a sequence of tasks in response to a change in context, or to a predefined trigger such as a Logon or Reconnect.
Tasks available within the Action Editor include:
- AppLocker - Manages the creation, update and deletion of context aware Microsoft AppLocker rules.
- Audit Event - Raises an Information, Warning or Error event to the Windows Event Log.
- Citrix Policy - Updates Citrix policies which control the sharing of data with the remote device.
- Custom Process - Runs an executable or a custom PowerShell, VBScript or Batch script.
- Logon Abort - Aborts the logon process, preventing the creation of the user session. When run as part of a Logon Pre Profile trigger, ensures that the user policy is not created.
- Popup Message - Displays a popup message ot the user, either in a top level popup window, or using an Action Center notification.
- Registry - Updates or deletes values from the Windows Registry.
- Screen Saver - Updates the screen saver settings within the user session.
- Shell Access - Controls access to the shell, optionally logging off or disconnecting the user after the specified timeout period.
- Terminate App - Controls the termination of applications that should not be running within the user session.
The messages tab allows any text within the console, such as the titles and messages shown to the user when denying access to the shell, to be localised either by language or by language and region.
The sharing button within the console facilitates the sharing of context, actions and messages policies. Policies can be imported or exported to clipboard, or imported from one of the predefined templates.
Read Only GPO Support
Read only GPO’s can be viewed using the deviceTRUST Console by launching with the following command line arguments:
dtconsole.exe /readonly "/path:<ldap path to gpo>"
VMware Horizon View Support
We’ve added compatibility for VMware Horizon View. When using any of the supported VMware protocols of Blast Extreme, PCoIP or RDP, you now get the same experience as deviceTRUST provides by native RDP, ICA or Teradici PCoIP. We also provide our properties into both VMware published desktops and applications.
Windows Server 2019 Support
We’ve added support for the very latest Windows Server 2019 release.
Delayed Citrix Policies on Reconnect
We’ve always been able to delay Citrix polciies during Logon, allowing contextual aware modifications to the policies during our Logon trigger. In 19.1, we’ve extended this to support contextual aware properties during the reconnect trigger, and also added a Citrix Policy task to the console to make this event eaiser. A new ‘Delay Citrix policies on LOGON and RECONNECT’ policy has been introduced to enable this functionality, which is disabled by default.
New ‘Logon Pre Profile’ trigger and ‘Logon Abort’ action
We’ve added a new Logon Pre Profile trigger which is raised before the user’s profile is created. The new ‘Logon Abort’ action can, depending upon the context, conditionally abort the logon process before any processes are created for the user and before their profile has been created on disk.
Changes to Auto Update
We’ve made some changes to auto-update which allow for the client to be updated without the user being aware of the update. To accomplish this, we’ve added a new ‘Update Version’ field to the ‘Allow deviceTRUST to automatically update connecting clients’ policy. If the version of the client is older than this version, then an update will occur. The ‘Disallow connections from trusted devices not meeting the minimum client version’ policy can still be used to display a message to the user during the update.
A progress bar is now displayed whenever a timeout period has been defined when denying access to the shell.
Changes to properties
All certificate thumbprints have been changed to SHA256. This includes a change of property name to HOST and DEVICE_CERTIFICATE_X_THUMBPRINT_SHA256.
The new CUSTOM category of properties allows custom data to be retrieved from the remote client. On Windows, we support the reading of any data from the Windows Registry using the ‘Query to include host (or device) CUSTOM from Windows Registry’ policy.
- HOST and DEVICE_CUSTOM_COUNT - A count of the number of available custom properties.
- HOST and DEVICE_CUSTOM_X_PATH - The path to the custom property. On Windows, this is the registry path.
- HOST and DEVICE_CUSTOM_X_NAME - The name of the custom property. On Windows, this is the name of the registry value.
- HOST and DEVICE_CUSTOM_X_VALUE - The value of the custom property.
The previous SOFTWARE category of properties has been renamed DEVICETRUST.
- HOST_DEVICETRUST_CONNECTED - Determines whether the deviceTRUST Host has established a connection with the deviceTRUST Client.
- HOST and DEVICE_DEVICETRUST_VERSION - The version of the deviceTRUST software.
The HOST or DEVICE_HARDWARE_ROLE property is now compatible between Windows and IGEL clients, with potential values Laptop, Desktop, Server, Tablet and Virtual.
Logical Disk Properties
The LOGICAL DISK category of properties is now real-time, and includes the following new properties:
- HOST and DEVICE_LOGICALDISK_X_NAME - The name of the logical disk as seen within Device Manager.
- HOST and DEVICE_LOGICALDISK_X_VENDORID - The vendor id of the logical disk for USB or PCI connected disks.
- HOST and DEVICE_LOGICALDISK_X_PRODUCTID - For USB connected disks, this is the USB product id. For PCI connected disks, this is the device id.
- HOST and DEVICE_LOGICALDISK_X_SERIALNUMBER - The serial number of the physical disk.
- HOST and DEVICE_LOGICALDISK_X_BUSTYPE - Set to the name of the bus that the device is connected, e.g. SATA, SCSI, USB, NVme, etc.
The multihop properties, used to represent both the number of hops and also properties taken from intermediate host sessions, are now persisted to MULTIHOP_ properties.
Remote Control Properties
The previous SESSION category of properties has been moved into a new Remote Control category.
- HOST and DEVICE_REMOTECONTROL_ACTIVE - Set to true when the session is remote controlled.
- HOST and DEVICE_REMOTECONTROL_PROTOCOL - The protocol used to remote control. Currently support Console, RDP, ICA, PCoIP, Blast and for IGEL clients we also support VNC.
- HOST and DEVICE_REMOTECONTROL_REMOTE_IP - The IP address of the remote user.
- HOST and DEVICE_REMOTECONTROL_REMOTE_NAME - The NetBIOS name of the remote device.
- HOST and DEVICE_REMOTECONTROL_REMOTE_PLATFORM - The platform of the remote client.
- HOST_REMOTECONTROL_GATEWAY - Set to true whenever a gateway was used to access the virtual session. Supported on Citrix and VMware only.
- HOST_REMOTECONTROL_GATEWAY_IP - Set to the IP address of the gateway used to access the virtual session. Supported on Citrix and VMware only.
Remoting Client Properties
The REMOTING CLIENT category has been extended with detection of the HDX RealTime Media Engine for Microsoft Skype when using the Citrix ICA protocol.
- DEVICE_REMOTINGCLIENT_PLUGINS_SKYPE - Set to true whenever the Skype plugin is detected.
- DEVICE_REMOTINGCLIENT_PLUGINS_SKYPE_VERSION - Set to the version number of the Skype plugin.
Security Product Properties
The security products (Antivirus, Antispyware and Firewall) have been moved out of the previous ACTION CENTER category of properties into a new SECURITY PRODUCT category. This will allow us to bring the same features available to Windows clients to other platforms in future releases. As with the previous ACTION CENTER properties, the new SECURITY PRODUCTS category requires Microsoft Security and Maintenance (previously Microsoft Security Center or Microsoft Action Center) to be enabled.
- HOST and DEVICE_SECURITYPRODUCT_ANTIVIRUS - Set to Active, Out-Of-Date or Inactive depending upon the state of the installed antivirus products.
- HOST and DEVICE_SECURITYPRODUCT_ANTIVIRUS_NAME_ - Set to the name of the installed antivirus products.
- HOST and DEVICE_SECURITYPRODUCT_ANTIVIRUS_TIMESTAMP - Set to the timestamp of the antivirus product.
- HOST and DEVICE_SECURITYPRODUCT_ANTISPYWARE - Set to Active, Out-Of-Date or Inactive depending upon the state of the installed antispyware products.
- HOST and DEVICE_SECURITYPRODUCT_ANTIVIRUS_NAME_ - Set to the name of the installed antispyware products.
- HOST and DEVICE_SECURITYPRODUCT_ANTIVIRUS_TIMESTAMP - Set to the timestamp of the antispyware product.
- HOST and DEVICE_SECURITYPRODUCT_FIREWALL - Set to Active or Inactive depending upon the state of the installed firewall products.
- HOST and DEVICE_SECURITYPRODUCT_FIREWALL_NAME - Set to the name of the installed firewall products.
A new HOST_SESSION_IDLEPERIOD property has been added which determines the time period in minutes that the user session has been idle. This property is real-time and allows for context aware disconnection of clients when the host has been idle for a specified timeout period. The console template ‘Session Idle’ can be used to see this in action.
A new WINDOWS category has been added for properties specific to the Microsoft Windows operating system. This includes Microsoft Windows specific properties included in the previous ACTION CENTER category of properties, and requires Microsoft Security and Maintenance (previously Microsoft Security Center or Microsoft Action Center) to be enabled.
- HOST and DEVICE_WINDOWS_SECURITY_WINDOWSUPDATE - Set to true whenever Windows Update is automatically applying updates.
- HOST and DEVICE_WINDOWS_SECURITY_UAC - Set to true whenever User Account Control is enabled.
- HOST and DEVICE_WINDOWS_SECURITY_INTERNETSETTINGS - Set to true whenever the Internet Security Settings are at their recommended levels.
Command Line changes to dtcmd
A number of command line changes have been made to ‘dtcmd’, including:
dtcmd APPLOCKERnow have a new /persist:CONNECTION|SESSION|PERMANENT argument to control how long to persist the change.
dtcmd APPTERMINATEhas replaced
dtcmd ACCESSnow has a new /interactive argument to allow user interaction with the shell.
dtcmd APPLOCKER’s /action argument has been renamed /operation.
dtcmd APPLOCKER’s /type argument has been renamed /target
dtcmd SYNCnow has a new /triggers argument to optionally ensure either LOGON or RECONNECT triggers have been launched.
Logging and changes to dtdiag
Logging is now enabled out of the box. This ensures that if a bug does occur, that we’ve already captured our log statements necessary to diagnose the problem. We’ve introduced a new circular logging mode which limits the log files to 100MB, writing over the oldest data once capacity is reached.
The command line arguments to dtdiag have also changed to ensure consistency with other deviceTRUST command line tools.
dtdiag START- Starts a logging session. The previous log file will be overwritten.
dtdiag STOP- Stops a logging session.
dtdiag VIEW- Views the contents of a log file.
dtdiag LIVE- Views live log statements.
For more details, see
- New fields are now available within the Logon (101) and Reconnect (102) auditing events:
Contextincludes a list of contexts that were calculated at the time of the connection.
Durationdetermines the time in milliseconds that deviceTRUST delayed the Logon or Reconnect process, not including the time taken to process action tasks.
Timingsincludes the timing for the 5 slowest categories of properties on both the host and remote device.
Errorsincludes any error messages generated by the property providers on either the host or remote device.
- VPN networks can now be detected by the default NETWORK query.
- Licenses are now loaded by the host whenever it detects changes to the registry. This allows manual deployment of deviceTRUST policy without relying on Microsoft Group Policy.
- Conditional access to the shell can now be applied to Console sessions except when the user is a member of the local administrators group.
- The deviceTRUST Client during an auto-update now uses the proxy settings of the user that initiated the auto update.
- Fixed an issue where SECURITY PRODUCT (previously ACTION CENTER) properties were set to Unavailable with Windows 10 2019 LTSC.
- Fixed an issue where international characters within a WiFi SSID were not correctly encoded within properties.
- Fixed multiple issues seen internally as part of our performance tests where the client could fail to connect to the host.
- Fixed multiple performance issues where under certain circumstances properties can take longer to determine than we deem acceptable.