This release includes new features and bug fixes to the deviceTRUST Host and Client for Microsoft Windows. For upgrading users, please refer to Policy Compatibility for important changes in this release.
Location Property Enhancements
We’ve added support for the Operating System’s location services on Windows 10, which can determine a user’s position from a satellite (GPS) receiver, nearby WiFi access points or a connected cell tower. This new OS location provider works alongside the previous Third Party location provider, which can either act as a fallback when location is unavailable from the OS, or be used together with the OS provider so that the most accurate location from the two is selected.
We’ve also built an embedded country database which, when combined with the new OS location provider, can determine the country where the device is located without the need for any third party dependency.
The following location properties have been added:
- HOST and DEVICE_LOCATION_PROVIDER - Set to OperatingSystem or ThirdParty depending on whether the OS or the Third Party lookup was used to determine the position.
- HOST and DEVICE_LOCATION_SOURCE - Set to Satellite, WiFi, Cellular or IPAddress depending upon the source used to determine the position.
Whois Property Enhancements
We’ve made some small but important enhancements to our Whois properties. All Whois internet requests now bypass any proxy servers, ensuring the accuracy of the properties. We’ve also added a new policy within the Administrative Templates (ADMX) to periodically refresh the Whois value.
New Cellular Properties
For those devices with a Cellular connection, we’ve added detailed information about the connected cellular network.
- HOST and DEVICE_CELLULAR_TYPE - Set to the cellular communication type supported by the device, such as GSM or CDMA.
- HOST and DEVICE_CELLULAR_CLASS - The cellular data class of the active connection, such as LTE, HSPA or GPRS.
- HOST and DEVICE_CELLULAR_ID - For GSM devices the IMEI number. For CDMA devices, the ESN or MEID number.
- HOST and DEVICE_CELLULAR_ROAMING - Set to true when the connected network provider differs from the home provider defined by the SIM.
- HOST and DEVICE_CELLULAR_COUNTRY - The ISO-3166 country name of the country where the connected network provider resides.
- HOST and DEVICE_CELLULAR_COUNTRY_CODE - The mobile country code (MCC) of the connected network provider.
- HOST and DEVICE_CELLULAR_NETWORK - The name of the connected network provider.
- HOST and DEVICE_CELLULAR_NETWORK_CODE - The mobile network code (MNC) of the connected network provider.
- HOST and DEVICE_CELLULAR_PRODUCT - The product name of the device providing the cellular service.
- HOST and DEVICE_CELLULAR_VENDOR - The vendor name of the device providing the cellular service.
New Network Property
To better identify whether a user is connected to the domain network, we’ve added the following property:
- HOST and DEVICE_NETWORK_X_CATEGORY - Set to Public, Private or Domain depending upon the OS categorisation of the network.
This new category property represents the network categorisation by the Microsoft Windows Network List Service. The OS categorises each network as either Public, Private or Domain, and the current categorisation is visible within the Network and Internet Settings (depending upon OS version). When the OS connects to a network that includes a domain of which the local computer is a member, and authentication with the domain is successful, the network is automatically categorised as Domain. When Domain categorisation fails, the OS prompts the user to select either a Public or Private network.
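As an added example that is not part of these release notes, the following PowerShell reads the same Network List Service categorisation that DEVICE_NETWORK_X_CATEGORY reports and flags a domain-joined device that has no network categorised as Domain (the case where domain authentication did not succeed). It assumes Windows 8 / Server 2012 or later for Get-NetConnectionProfile.

```powershell
# Added example (not deviceTRUST code): report the Network List Service category
# per connection profile and detect a domain member that is off the domain network.

function Get-NetworkCategoryReport {
    # Is this machine joined to an AD domain at all?
    $partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    $profiles = foreach ($p in Get-NetConnectionProfile) {
        # The cmdlet reports DomainAuthenticated; map it to the Domain value used above.
        $category = if ($p.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' }
                    else { [string]$p.NetworkCategory }
        [pscustomobject]@{
            Interface = $p.InterfaceAlias
            Network   = $p.Name
            Category  = $category
        }
    }

    $onDomainNetwork = [bool]($profiles | Where-Object Category -eq 'Domain')

    [pscustomobject]@{
        PartOfDomain    = $partOfDomain
        OnDomainNetwork = $onDomainNetwork
        # A domain member sitting on a Public/Private network means the OS could not
        # authenticate to the domain (off-site, VPN down, DC unreachable).
        NeedsAttention  = ($partOfDomain -and -not $onDomainNetwork)
        Profiles        = $profiles
    }
}

$report = Get-NetworkCategoryReport
$report.Profiles | Format-Table -AutoSize
if ($report.NeedsAttention) {
    Write-Warning 'Domain-joined device has no Domain-categorised network; treat it as off the corporate network.'
}
```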
New Logical Disk Property
We’ve added detection of whether a logical disk is encrypted with Microsoft BitLocker.
- HOST and DEVICE_LOGICALDISK_X_ENCRYPTED - Set to true whenever the disk is encrypted using Microsoft BitLocker.
New Windows Properties with Windows Defender SmartScreen
We can now detect the enabled status of Windows Defender SmartScreen in real time.
- HOST and DEVICE_WINDOWS_SMARTSCREEN_EXPLORER - Set to Off, Warn or Block depending upon the status of SmartScreen for Windows Explorer.
- HOST and DEVICE_WINDOWS_SMARTSCREEN_EDGE - Set to Off, Warn or Block depending upon the status of SmartScreen for Microsoft Edge.
- HOST and DEVICE_WINDOWS_SMARTSCREEN_STORE - Set to Off or Warn depending upon the status of SmartScreen for Microsoft Store apps.
New Windows Defender Property
We’ve added the following property to our Windows Defender properties.
- HOST and DEVICE_WINDOWSDEFENDER_REALTIMEPROTECTION - Set to true when Windows Defender’s real time protection is enabled.
New Windows Update Properties
For each category of Windows Update (e.g. definition update, critical update, etc), we’ve introduced a new release date property.
- HOST and DEVICE_WINDOWSUPDATE_CRITICAL_RELEASEDATE - The deployment date of the oldest pending critical update.
- HOST and DEVICE_WINDOWSUPDATE_DEFINITION_RELEASEDATE - The deployment date of the oldest pending definition update.
- HOST and DEVICE_WINDOWSUPDATE_ROLLUP_RELEASEDATE - The deployment date of the oldest pending rollup update.
- HOST and DEVICE_WINDOWSUPDATE_SECURITY_RELEASEDATE - The deployment date of the oldest pending security update.
- HOST and DEVICE_WINDOWSUPDATE_SERVICEPACK_RELEASEDATE - The deployment date of the oldest pending service pack update.
- HOST and DEVICE_WINDOWSUPDATE_UPDATE_RELEASEDATE - The deployment date of the oldest pending update.
These new properties allow a grace period to be defined, so that you can warn users about recently released updates and deny access once updates have been ignored for too long.
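As an added example that is not part of these release notes, the following PowerShell reproduces the idea behind the *_RELEASEDATE properties with the Windows Update Agent COM API: it finds the oldest pending update per category and applies a warn/deny grace period. The category names are those exposed by the Windows Update Agent; the 7 and 30 day thresholds are assumed values, not deviceTRUST defaults.

```powershell
# Added example (not deviceTRUST code): oldest pending update per category and a
# grace-period decision. Requires the Windows Update Agent (built into Windows).

function Get-OldestPendingByCategory {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

    $oldest = @{}
    foreach ($update in $pending) {
        # LastDeploymentChangeTime is the date the update was (re)published to clients.
        $released = $update.LastDeploymentChangeTime
        foreach ($category in $update.Categories) {
            $name = $category.Name
            if (-not $oldest.ContainsKey($name) -or $released -lt $oldest[$name]) {
                $oldest[$name] = $released
            }
        }
    }
    $oldest
}

function Get-UpdateGraceDecision {
    param(
        [hashtable]$OldestPending,
        [string]$Category,
        [int]$WarnAfterDays = 7,    # assumed threshold
        [int]$DenyAfterDays = 30    # assumed threshold
    )
    if (-not $OldestPending.ContainsKey($Category)) { return 'Allow' }
    $ageDays = ((Get-Date) - $OldestPending[$Category]).Days
    if ($ageDays -ge $DenyAfterDays) { return 'Deny' }
    if ($ageDays -ge $WarnAfterDays) { return 'Warn' }
    'Allow'
}

$oldest = Get-OldestPendingByCategory
foreach ($category in 'Critical Updates', 'Definition Updates', 'Security Updates', 'Update Rollups', 'Service Packs') {
    $date = if ($oldest.ContainsKey($category)) { $oldest[$category].ToString('yyyy-MM-dd') } else { 'none' }
    $decision = Get-UpdateGraceDecision -OldestPending $oldest -Category $category
    '{0,-20} oldest pending: {1,-10} -> {2}' -f $category, $date, $decision
}
```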
New OS Property
We’ve added a single new OS property which is available on Windows 10 and Windows Server 2016 or greater.
- HOST and DEVICE_OS_RELEASE - The release version of Windows, such as 1809 or 1903.
Advanced Action Context Filter
We’ve enhanced the power of our action context filters used to determine whether to execute a sequence of tasks. Action context filters now include operators such as Equals or Not Equals, and can also define the underlying data type of the context to allow operations against text, numbers, booleans, dates and IP addresses.
IP Range Conditions
We’ve included a new IP Range condition which can be used within a context or action to filter on IP address ranges.
Registry Task Enhancements
The registry task has been enhanced to support multiple registry values, along with an option to protect the registry key. The protection secures the registry key so that logged-on users cannot change it.
Auto Update Client Enhancements
We’ve introduced a new Version Blacklist field within the Allow deviceTRUST to automatically update connecting clients policy. This field takes a list of deviceTRUST client versions which should not be installed on a client. If a value within this list matches the installed client version, then the deviceTRUST Client will be either upgraded or downgraded to the deviceTRUST Client referenced by the upgrade URL.
- Fixed an issue where a user may not have been able to logon to Amazon WorkSpaces when they did not have the deviceTRUST Client installed.
- Fixed an issue with popup messages displaying a default icon on the taskbar on Windows Server 2016.
- Fixed an issue where the conditional access could display a logoff button, but only disconnect the user when the timeout period expires.
- Fixed an issue where the message component of a popup message would be missing if it was more than 512 characters.
- Fixed an issue where Whois and Location properties could take a long time when a device is not connected to the internet.
- On Windows 7, the Logical Disk encrypted property on the host may incorrectly state that the disk is not encrypted when the disk is encrypted mid-session.
The deviceTRUST Host 19.2 and earlier releases are not compatible with policies created by the deviceTRUST Console 19.3. It is recommended that the deviceTRUST Host is upgraded before applying any policy changes.
Important changes to Actions
We’ve made some important changes to the way we execute actions in 19.3 which may break actions created in previous releases. In 19.1 and 19.2, an action that was triggered on more than one of the logon triggers (Logon Pre Profile, Logon, Logon Shell Starting or Logon Shell Ready), or more than one of the reconnect triggers (Reconnect or Reconnect Shell Ready), would only execute on the first trigger where all of the context filters were satisfied. This is no longer the case in 19.3, so you may find that upgraded actions now execute their tasks multiple times during logon or reconnect. To resolve any issues arising from this change, reduce the action’s triggers to the minimum required.
The following properties have been changed:
- HOST or DEVICE_LOCATION_COUNTRY_CODE and DEVICE_LOCATION_COUNTRY have been combined into a single DEVICE_LOCATION_COUNTRY property representing the ISO-Alpha 2 country code.
- HOST or DEVICE_LOCATION_STATE_DISTRICT has been removed.
- HOST or DEVICE_WINDOWSUPDATE_PENDING_DEFINITION has been renamed to DEVICE_WINDOWSUPDATE_DEFINITION, as have the other categories of Windows Updates.
- HOST or DEVICE_WINDOWS_SECURITY_WINDOWSUPDATE has been renamed to DEVICE_WINDOWS_UPDATE.
- HOST or DEVICE_WINDOWS_SECURITY_UAC has been renamed to DEVICE_WINDOWS_UAC.
- HOST or DEVICE_WINDOWS_SECURITY_INTERNETSETTINGS has been renamed to DEVICE_WINDOWS_ZONESETTINGS.
- HOST or DEVICE_WINDOWSDEFENDER_STATUS values Initialized and CriticalFailure have been changed to Active and Inactive.
Where these properties are referenced within a context condition, the existing condition should be removed and replaced accordingly.