diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 3562d6d9f1..2ffc227a40 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -8,7 +8,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -40,7 +40,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -56,7 +56,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -88,7 +88,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -120,7 +120,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -136,7 +136,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -200,7 +200,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -232,7 +232,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -280,7 +280,7 @@
 "locale": "en-us",
 "monikers": [],
 "moniker_ranges": [],
- "open_to_public_contributors": true,
+ "open_to_public_contributors": false,
 "type_mapping": {
 "Conceptual": "Content",
 "ManagedReference": "Content",
@@ -481,4 +481,4 @@
 },
 "need_generate_pdf": false,
 "need_generate_intellisense": false
-}
\ No newline at end of file
+}
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index f3835820c5..399dbdb7bc 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,6 +1,51 @@
 {
 "redirections": [
 {
+"source_path": "devices/hololens/hololens-upgrade-enterprise.md",
+"redirect_url": "https://docs.microsoft.com/hololens/hololens-requirements#upgrade-to-windows-holographic-for-business",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-install-localized.md",
+"redirect_url": "https://docs.microsoft.com/hololens/hololens1-install-localized",
+"redirect_document_id": false
+},
+{
+"source_path": "devices/hololens/hololens-install-apps.md",
+"redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps",
+"redirect_document_id": false
+},
+{
+"source_path": "devices/hololens/hololens-setup.md",
+"redirect_url": "https://docs.microsoft.com/hololens/hololens1-setup",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-use-apps.md",
+"redirect_url": "https://docs.microsoft.com/hololens/holographic-home#using-apps-on-hololens",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-get-apps.md",
+"redirect_url": "https://docs.microsoft.com/hololens/holographic-store-apps",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-spaces-on-hololens.md",
+"redirect_url": "https://docs.microsoft.com/hololens/hololens-spaces",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-clicker.md",
+"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker",
+"redirect_document_id": true
+},
+{
+"source_path": "devices/hololens/hololens-clicker-restart-recover.md",
+"redirect_url": "https://docs.microsoft.com/hololens/hololens1-clicker#restart-or-recover-the-clicker",
+"redirect_document_id": false
+},
+{
 "source_path": "devices/surface/manage-surface-pro-3-firmware-updates.md",
 "redirect_url": "https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates",
 "redirect_document_id": true
@@ -196,6 +241,21 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-if-server-agrees.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees",
 "redirect_document_id": true
@@ -211,6 +271,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md",
+"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/applocker/administer-applocker-using-mdm.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm",
 "redirect_document_id": true
@@ -741,11 +806,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction",
 "redirect_document_id": true
@@ -836,11 +896,6 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md",
-"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection",
-"redirect_document_id": true
-},
-{
 "source_path": "windows/threat-protection/windows-defender-exploit-guard/prerelease.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prerelease",
 "redirect_document_id": true
@@ -5996,6 +6051,16 @@
 "redirect_url": "https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps",
 "redirect_document_id": true
 },
+{
+ "source_path": "devices/hololens/hololens-restart-recover.md",
+ "redirect_url": "/hololens/hololens-recovery",
+ "redirect_document_id": false
+},
+{
+ "source_path": "devices/hololens/holographic-photos-and-video.md",
+ "redirect_url": "/hololens/holographic-photos-and-videos",
+ "redirect_document_id": false
+},
 {
 "source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
 "redirect_url": "https://docs.microsoft.com/surface-hub/provisioning-packages-for-surface-hub",
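Review bot: The two HoloLens entries added in this hunk use site-relative targets (`"redirect_url": "/hololens/hololens-recovery"` and `"redirect_url": "/hololens/holographic-photos-and-videos"`), while every other entry visible in this file, including the HoloLens redirects added in the first hunk, uses an absolute `https://docs.microsoft.com/...` URL. Mixing the two forms makes the redirect list harder to audit for broken or off-site targets. Assuming the absolute form is the file's convention, I would write `"redirect_url": "https://docs.microsoft.com/hololens/hololens-recovery"` and `"redirect_url": "https://docs.microsoft.com/hololens/holographic-photos-and-videos"`. These lines are also indented where the other added entries in the file are not.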
@@ -15290,6 +15355,76 @@ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", "redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew", +"redirect_document_id": true +}, +{ +"source_path": "windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually", +"redirect_document_id": 
true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-exclusions.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-pua.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-pua", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-perf.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-support-kext.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-privacy", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-resources", +"redirect_document_id": true } ] } diff --git a/ThirdPartyNotices b/ThirdPartyNotices index a0bd09d68f..faceb5a528 100644 --- a/ThirdPartyNotices +++ b/ThirdPartyNotices @@ -7,7 +7,7 @@ see the [LICENSE](LICENSE) file, and grant you a license to any code in the repo Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. -Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653. +Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653. Privacy information can be found at https://privacy.microsoft.com/en-us/ diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index 730c9d7ac2..45cd5c2570 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -34,9 +34,8 @@ "ms.topic": "article", "manager": "laurawi", "ms.prod": "edge", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.microsoft-edge", diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 130038d3a2..c336f03247 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md 
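Review bot: The third entry added in the `@@ -15290,6 +15355,76 @@` hunk has `"source_path": "windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md"`, which lacks the `windows/security/threat-protection/` prefix that the other thirteen Mac entries in the same hunk carry. If source paths are matched repo-relative, as the rest of the file suggests, this redirect will probably never match the moved article, and the old Intune install URL would go dead instead of reaching `mac-install-with-intune`. I would change the line to `"source_path": "windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md",`. This is deployment guidance for an endpoint-protection product, so it is worth confirming that the old link resolves after publishing.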
@@ -243,7 +243,7 @@ In the following table, we show you the features available in both Microsoft Edg |-----------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:-------------------------------------------------------------------------------------------------------------------------------------------------------:| | Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | | Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* Windows Defender Firewall. Microsoft kiosk browser has custom policy support. | ![Supported](images/148767.png) | +| Allow/Block URL support | ![Not Supported](images/148766.png) ![Supported](images/148767.png) | | Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | | Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | | Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | @@ -255,7 +255,7 @@ In the following table, we show you the features available in both Microsoft Edg | SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | **\*Windows Defender Firewall**

-To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). +To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both, using IP addresses. For more details, see [Windows Defender Firewall with Advanced Security Deployment Guide](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). --- diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 934ad0e5f6..1cec2c9694 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -30,9 +30,8 @@ "ms.topic": "article", "manager": "laurawi", "ms.date": "04/05/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.internet-explorer", diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 3f07da3690..159effd554 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
@@ -5,12 +5,15 @@ ## [HoloLens 2 hardware](hololens2-hardware.md) ## [Get your HoloLens 2 ready to use](hololens2-setup.md) ## [Set up your HoloLens 2](hololens2-start.md) +## [HoloLens 2 fit and comfort FAQ](hololens2-fit-comfort-faq.md) +## [Supported languages for HoloLens 2](hololens2-language-support.md) ## [Getting around HoloLens 2](hololens2-basic-usage.md) # Get started with HoloLens (1st gen) ## [HoloLens (1st gen) hardware](hololens1-hardware.md) ## [Get your HoloLens (1st gen) ready to use](hololens1-setup.md) ## [Set up your HoloLens (1st gen)](hololens1-start.md) +## [HoloLens (1st gen) fit and comfort FAQ](hololens1-fit-comfort-faq.md) ## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md) ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) @@ -23,16 +26,16 @@ ## [Set up ring based updates for HoloLens](hololens-updates.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -# User management and access management -## [Share your HoloLens with multiple people](hololens-multiple-users.md) -## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) -## [Set up limited application access](hololens-kiosk.md) - # Navigating Windows Holographic ## [Start menu and mixed reality home](holographic-home.md) ## [Use your voice with HoloLens](hololens-cortana.md) ## [Find and save files](hololens-find-and-save-files.md) -## [Create, share, and view photos and video](holographic-photos-and-video.md) +## [Create, share, and view photos and video](holographic-photos-and-videos.md) + +# User management and access management +## [Share your HoloLens with multiple people](hololens-multiple-users.md) +## [Set up HoloLens as a kiosk (single application access)](hololens-kiosk.md) +## [Set up limited application access](hololens-kiosk.md) # Holographic Applications ## [Try 3D Viewer](holographic-3d-viewer-beta.md) 
@@ -47,12 +50,15 @@ # Hologram optics and placement in space ## [Tips for viewing clear Holograms](hololens-calibration.md) -## [Mapping physical spaces with HoloLens](hololens-spaces.md) +## [Environment considerations for HoloLens](hololens-environment-considerations.md) +## [Spatial mapping on HoloLens](hololens-spaces.md) -# Recovery and troubleshooting -## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) -## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md) +# Update and recovery +## [Join the Windows Insider program](hololens-insider.md) +## [Managing HoloLens updates](hololens-updates.md) +## [Restart, reset, or recover](hololens-recovery.md) +## [Known issues](hololens-known-issues.md) +## [Frequently asked questions](hololens-faq.md) # [Give us feedback](hololens-feedback.md) -# [Insider preview for Microsoft HoloLens](hololens-insider.md) # [Change history for Microsoft HoloLens documentation](change-history-hololens.md) diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json index 51b4a3afbb..4f53494c32 100644 --- a/devices/hololens/docfx.json +++ b/devices/hololens/docfx.json @@ -43,8 +43,9 @@ "./": { "depot_name": "Win.itpro-hololens", "folder_relative_path_in_docset": "./" + } + } - } }, "fileMetadata": {}, "template": [ @@ -52,5 +53,15 @@ ], "dest": "devices/hololens", "markdownEngineName": "markdig" - } + }, + "contributors_to_exclude": [ + "rjagiewich", + "traya1", + "rmca14", + "claydetels19", + "Kellylorenebaker", + "jborsecnik", + "tiburd", + "garycentric" + ] } diff --git a/devices/hololens/holographic-3d-viewer-beta.md b/devices/hololens/holographic-3d-viewer-beta.md index 0aada1fe55..0973813221 100644 --- a/devices/hololens/holographic-3d-viewer-beta.md +++ b/devices/hololens/holographic-3d-viewer-beta.md 
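Review bot: In the `@@ -52,5 +53,15 @@` hunk of devices/hololens/docfx.json, `contributors_to_exclude` is added after the object holding `dest` and `markdownEngineName` is closed (`}` becomes `},`), so it appears to land at the root of the file as a sibling of the build section. If the publishing build reads this list only from `globalMetadata`, the key would be ignored here and the eight listed accounts would still be shown as contributors. That is worth confirming against another docset's docfx.json. The enclosing objects open outside the hunk, so the nesting is inferred from the closing braces alone. If the list does belong in `globalMetadata`, move the array next to `_op_documentIdPathDepotMapping` rather than leaving it after `markdownEngineName`.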
@@ -6,9 +6,10 @@ ms.sitesec: library author: Teresa-Motiv ms.author: v-tea ms.topic: article -ms.localizationpriority: medium -ms.date: 9/3/19 -ms.reviewer: +ms.localizationpriority: high +ms.date: 10/30/2019 +ms.reviewer: scooley +audience: ITPro manager: jarrettr appliesto: - HoloLens (1st gen) @@ -59,22 +60,22 @@ If you're having trouble after reading these topics, see [Troubleshooting](#trou - Scale/rotation/translation animation on individual objects - Skeletal (rigged) animation with skinning - - Maximum of 4 influences per vertex + - Maximum of 4 influences per vertex ### Materials - Lambert and Phong materials are supported, with adjustable parameters - Supported material properties for Lambert - - Main Texture (RGB + Alpha Test) - - Diffuse Color (RGB) - - Ambient Color (RGB) + - Main Texture (RGB + Alpha Test) + - Diffuse Color (RGB) + - Ambient Color (RGB) - Supported material properties for Phong - - Main Texture (RGB + Alpha Test) - - Diffuse Color (RGB) - - Ambient Color (RGB) - - Specular Color (RGB) - - Shininess - - Reflectivity + - Main Texture (RGB + Alpha Test) + - Diffuse Color (RGB) + - Ambient Color (RGB) + - Specular Color (RGB) + - Shininess + - Reflectivity - Custom materials are not supported - Maximum of one material per mesh - Maximum of one material layer diff --git a/devices/hololens/holographic-custom-apps.md b/devices/hololens/holographic-custom-apps.md index 4936fab2b7..0a86a7b37a 100644 --- a/devices/hololens/holographic-custom-apps.md +++ b/devices/hololens/holographic-custom-apps.md @@ -35,7 +35,6 @@ You can install your own applications on HoloLens either by using the Device Por > Make sure to reference any associated dependency and certificate files. 1. Select **Go**. - ![Install app form in Windows Device Portal on Microsoft HoloLens](images/deviceportal-appmanager.jpg) ### Deploying from Microsoft Visual Studio 2015 
@@ -44,7 +43,6 @@ You can install your own applications on HoloLens either by using the Device Por 1. Open the project's **Properties**. 1. Select the following build configuration: **Master/x86/Remote Machine**. 1. When you select **Remote Machine**: - - Make sure the address points to the Wi-Fi IP address of your HoloLens. - Set authentication to **Universal (Unencrypted Protocol)**. 1. Build your solution. diff --git a/devices/hololens/holographic-photos-and-video.md b/devices/hololens/holographic-photos-and-video.md deleted file mode 100644 index a02c1fb445..0000000000 --- a/devices/hololens/holographic-photos-and-video.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Create, share, and view photos and video -description: Create, share, and view photos and video -ms.assetid: 1b636ec3-6186-4fbb-81b2-71155aef0593 -keywords: hololens -ms.prod: hololens -ms.sitesec: library -author: Teresa-Motiv -ms.author: v-tea -ms.topic: article -ms.localizationpriority: high -ms.date: 8/12/19 -ms.reviewer: -manager: jarrettr -appliesto: -- HoloLens (1st gen) -- HoloLens 2 ---- - -# Create, share, and view photos and video - -Use your HoloLens to take photos and videos that capture the holograms you've placed in your world. - -To sync your photos and videos to OneDrive, open the OneDrive app and select **Settings** > **Camera upload**, and then turn on **Camera upload**. - -## Take a photo on HoloLens (1st gen) - -Use the open the **Start** menu, and then select the Photos app. - -Use gaze to position the photo frame, then air tap to take the picture. The picture will be saved to your collection in the Photos app.

- -Want to snap a quick picture? Press the [volume up and volume down buttons](hololens1-hardware.md#hololens-components) at the same time. - -## Take a video on HoloLens (1st gen) - -Use the bloom gesture to go to **Start**, then select **Video**. Use gaze to position the video frame, then air tap to start recording. To stop recording, use bloom once. The video will be saved to your collection in the Photos app. - -To start recording more quickly, press and hold the volume up and volume down buttons simultaneously until a three-second countdown begins. To stop recording, tap both buttons. - -> [!TIP] -> You can always have Cortana take a photo or a video for you. Just say "Hey Cortana, take a photo" or "Hey Cortana, take a video." [What else can I say to Cortana?](hololens-cortana.md) - -## Find your photos and videos - -To see your photos from OneDrive, select **More** > **Settings**, and then turn on **Show my cloud-only content from OneDrive**. (You'll need to sign in to the Photos app with your Microsoft account, if you haven't already.) - -To pin a photo or video in your world, open it, then select **Place in mixed world**. Use tap and hold to move it to where you want it. - -## Share photos and videos - -To share images to a social network, in the Collection view, tap and hold the photo you want to share, then select **Share**. Select **Share Assistant**, then select the app that you want to share to. - -You can also share directly from the camera app right after you take a photo—at the top of the image, select **Share**. diff --git a/devices/hololens/holographic-photos-and-videos.md b/devices/hololens/holographic-photos-and-videos.md new file mode 100644 index 0000000000..10e6bb4756 --- /dev/null +++ b/devices/hololens/holographic-photos-and-videos.md 
@@ -0,0 +1,150 @@
+---
+title: Capture and manage mixed reality photos and videos
+description: Learn how to capture, view, and share mixed reality photos and videos, using HoloLens.
+keywords: hololens, photo, video, capture, mrc, mixed reality capture, photos, camera, stream, livestream, demo
+ms.assetid: 1b636ec3-6186-4fbb-81b2-71155aef0593
+ms.prod: hololens
+ms.sitesec: library
+author: mattzmsft
+ms.author: mazeller
+ms.topic: article
+audience: ITPro
+ms.localizationpriority: medium
+ms.date: 10/28/2019
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Create mixed reality photos and videos
+
+HoloLens gives users the experience of mixing the real world with the digital world. Mixed reality capture (MRC) lets you capture that experience as a photo or video, or share what you see with others in real-time.
+
+Mixed reality capture uses a first-person point of view so other people can see holograms as you see them. For a third-person point of view, use [spectator view](https://docs.microsoft.com/windows/mixed-reality/spectator-view). Spectator view is especially useful for demos.
+
+While it's fun to share videos amongst friends and colleagues, videos can also help teach other people to use an app or to communicate problems with apps and experiences.
+
+> [!NOTE]
+> If you can't launch mixed reality capture experiences and your HoloLens is a work device, check with your system administrator. Access to the camera can be restricted through company policy.
+
+## Capture a mixed reality photo
+
+There are several ways to take a photo of mixed reality on HoloLens; you can use hardware buttons, voice, or the Start menu.
+
+### Hardware buttons to take photos
+
+To take a quick photo of your current view, press the volume up and volume down buttons at the same time. This is a bit like the HoloLens version of a screenshot or print screen.
+
+- [Button locations on HoloLens 2](hololens2-hardware.md)
+- [Button locations on HoloLens (1st gen)](hololens1-hardware.md#hololens-components)
+
+> [!NOTE]
+> Holding the **volume up** and **volume down** buttons for three seconds will start recording a video rather than taking a photo. To stop recording, tap both **volume up** and **volume down** buttons simultaneously.
+
+### Voice commands to take photos
+
+Cortana can also take a picture. Say: "Hey Cortana, take a picture."
+
+### Start menu to take photos
+
+Use the Start gesture to go to **Start**, then select the **camera** icon.
+
+Point your head in the direction of what you want to capture, then [air tap](hololens2-basic-usage.md#touch-holograms-near-you) to take a photo. You can continue to air tap and capture additional photos. Any photos you capture will be saved to your device.
+
+Use the Start gesture again to end photo capture.
+
+## Capture a mixed reality video
+
+There are several ways to record a video of mixed reality on HoloLens; you can use hardware buttons, voice, or the Start menu.
+
+### Hardware buttons to record videos
+
+The quickest way to record a video is to press and hold the **volume up** and **volume down** buttons simultaneously until a three-second countdown begins. To stop recording, tap both buttons simultaneously.
+
+> [!NOTE]
+> Quickly pressing the **volume up** and **volume down** buttons at the same time will take a photo rather than recording a video.
+
+### Voice to record videos
+
+Cortana can also record a video. Say: "Hey Cortana, start recording." To stop a video, say "Hey Cortana, stop recording."
+
+### Start menu to record videos
+
+Use the Start gesture to go to **Start**, then select the **video** icon. Point your head in the direction of what you want to capture, then [air tap](hololens2-basic-usage.md#touch-holograms-near-you) to start recording. There will be a three second countdown and your recording will begin.
+
+To stop recording, use the Start gesture and select the highlighted **video** icon. The video will be saved to your device.
+
+> [!NOTE]
+> **Applies to HoloLens (1st gen) only**
+> The [Windows 10 October 2018 Update](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018) changes how the Start gesture and Windows button behave on HoloLens (1st gen). Before the update, the Start gesture or Windows button would stop a video recording. After the update, however, the Start gesture or Windows button opens the **Start** menu (or the **quick actions menu** if you are in an immersive app), from which you can select the highlighted **video** icon to stop recording.
+
+## Share what you see in real-time
+
+You can share what you see in HoloLens with friends and colleagues in real-time. There are a few methods available:
+
+1. Connecting to a Miracast-enabled device or adapter to watch on a TV.
+1. Using [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal) to watch on a PC
+1. Using the [Microsoft HoloLens companion app](https://www.microsoft.com/store/productId/9NBLGGH4QWNX) to watch on a PC.
+1. Deploying the [Microsoft Dynamics 365 Remote Assist](https://dynamics.microsoft.com/en-us/mixed-reality/remote-assist) app, which enables front-line workers to stream what they see to a remote expert. The remote expert can then guide the front-line worker verbally or by annotating in their world.
+
+> [!NOTE]
+> Sharing what you see via Windows Device Portal or Microsoft HoloLens companion app requires your HoloLens to be in [Developer mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#setting-up-hololens-to-use-windows-device-portal).
+
+### Stream video with Miracast
+
+Use the Start gesture to go to **Start**, then select the **connect** icon. From the picker that appears, select the Miracast-enabled device or adapter to which you want to connect.
+
+To stop sharing, use the Start gesture and select the highlighted **connect** icon. Because you were streaming, nothing will be saved to your device.
+
+> [!NOTE]
+> Miracast support was enabled on HoloLens (1st gen) beginning with the [Windows 10 October 2018 Update](https://docs.microsoft.com/windows/mixed-reality/release-notes-october-2018).
+
+### Real time video with Windows Device Portal
+
+Because sharing via Windows Device Portal requires Developer mode to be enabled on HoloLens, follow the instructions in our developer documentation to [set up Developer mode and navigate Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
+
+### Microsoft HoloLens companion app
+
+Because sharing via the Microsoft HoloLens companion app requires Developer mode to be enabled on HoloLens, follow the instructions in our developer documentation to [set up Developer mode](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). Then, download the [Microsoft HoloLens companion app](https://www.microsoft.com/store/productId/9NBLGGH4QWNX) and follow the instructions within the app to connect to your HoloLens.
+
+Once the app is set up with your HoloLens, select the **Live stream** option from the app's main menu.
+
+## View your mixed reality photos and videos
+
+Mixed reality photos and videos are saved to the device's "Camera Roll". You can browse the contents of this folder on your HoloLens with the File Explorer app (navigate to Pictures > Camera Roll).
+
+You can also view your mixed reality photos and videos in the Photos app, which is pre-installed on HoloLens. To pin a photo in your world, select it in the Photos app and choose **Place in mixed world**. You can move the photo around your world after it's been placed.
+
+To view and/or save your mixed reality photos and videos on a PC connected to HoloLens, you can use [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal#mixed-reality-capture) or your [PC's File Explorer via MTP](https://docs.microsoft.com/windows/mixed-reality/release-notes-april-2018#new-features-for-hololens).
+
+## Share your mixed reality photos and videos
+
+After capturing a mixed reality photo or video, a preview will appear. Select the **share** icon above the preview to bring up the share assistant. From there, you can select the end point to which you'd like to share that photo or video.
+
+You can also share mixed reality photos and videos from OneDrive, by automatically uploading your mixed reality photos and videos. Open the OneDrive app on HoloLens and sign in with a personal [Microsoft account](https://account.microsoft.com) if you haven't already. Select the **settings** icon and choose **Camera upload**. Turn Camera upload on. Your mixed reality photos and videos will now be uploaded to OneDrive each time you launch the app on HoloLens.
+
+> [!NOTE]
+> You can only enable camera upload in OneDrive if you’re signed into OneDrive with a personal Microsoft account. If you set up HoloLens with a work or school account, you can add a personal Microsoft account in the OneDrive app to enable this feature.
+
+## Limitations of mixed reality capture
+
+- While using mixed reality capture, the framerate of HoloLens will be halved to 30 Hz.
+- Videos have a maximum length of five minutes.
+- The resolution of photos and videos may be reduced if the photo/video camera is already in use by another application, while live streaming, or when system resources are low.
+ +## Default file format and resolution + +### Default photo format and resolution + +| Device | Format | Extension | Resolution | +|----------|----------|----------|----------| +| HoloLens 2 | [JPEG](https://en.wikipedia.org/wiki/JPEG) | .jpg | 3904x2196px | +| HoloLens (1st gen) | [JPEG](https://en.wikipedia.org/wiki/JPEG) | .jpg | 1408x792px | + +### Recorded video format and resolution + +| Device | Format | Extension | Resolution | Speed | Audio | +|----------|----------|----------|----------|----------|----------| +| HoloLens 2 | [MPEG-4](https://en.wikipedia.org/wiki/MPEG-4) | .mp4 | 1920x1080px | 30fps | 48kHz Stereo | +| HoloLens (1st gen) | [MPEG-4](https://en.wikipedia.org/wiki/MPEG-4) | .mp4 | 1216x684px | 24fps | 48kHz Stereo | diff --git a/devices/hololens/holographic-store-apps.md b/devices/hololens/holographic-store-apps.md index 6d0e0d820a..085f14c50e 100644 --- a/devices/hololens/holographic-store-apps.md +++ b/devices/hololens/holographic-store-apps.md @@ -3,7 +3,7 @@ title: Find, install, and uninstall applications description: The Microsoft Store is your source for apps and games that work with HoloLens. Learn more about finding, installing, and uninstalling holographic apps. ms.assetid: cbe9aa3a-884f-4a92-bf54-8d4917bc3435 ms.reviewer: v-miegge -ms.date: 8/30/2019 +ms.date: 08/30/2019 manager: jarrettr keywords: hololens, store, uwp, app, install ms.prod: hololens @@ -11,7 +11,7 @@ ms.sitesec: library author: mattzmsft ms.author: mazeller ms.topic: article -ms.localizationpriority: medium +ms.localizationpriority: high appliesto: - HoloLens (1st gen) - HoloLens 2 
@@ -33,7 +33,7 @@ Open the Microsoft Store from the **Start** menu. Then browse for apps and games ## Install apps -To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](http://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**. +To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**. 1. To open the [**Start** menu](holographic-home.md), perform a [bloom](hololens1-basic-usage.md) gesture or tap your wrist. 2. Select the Store app and then tap to place this tile into your world. diff --git a/devices/hololens/hololens-FAQ.md b/devices/hololens/hololens-FAQ.md new file mode 100644 index 0000000000..203d5185f8 --- /dev/null +++ b/devices/hololens/hololens-FAQ.md 
@@ -0,0 +1,217 @@
+---
+title: Frequently asked questions about HoloLens and holograms
+description: Do you have a quick question about HoloLens or interacting with holograms? This article provides a quick answer and more resources.
+keywords: hololens, faq, known issue, help
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+audience: ITPro
+ms.localizationpriority: medium
+ms.date: 10/30/2019
+ms.reviewer:
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# HoloLens and holograms: Frequently asked questions
+
+Here are some answers to questions you might have about using HoloLens, placing holograms, working with spaces, and more.
+
+Any time you're having problems, make sure HoloLens is [charged up](https://support.microsoft.com/help/12627/hololens-charge-your-hololens). Try [restarting it](hololens-restart-recover.md) to see if that fixes things. And please use the Feedback app to send us info about the issue—you'll find it on the [**Start** menu](holographic-home.md).
+
+For tips about wearing your HoloLens, see [HoloLens fit and comfort: FAQ](https://support.microsoft.com/help/13405/hololens-fit-and-comfort-faq).
+ +This FAQ addresses the following questions and issues: + + +- [My holograms don't look right or are moving around](#my-holograms-dont-look-right-or-are-moving-around) +- [I see a message that says "Finding your space"](#i-see-a-message-that-says-finding-your-space) +- [I'm not seeing the holograms I expect to see in my space](#im-not-seeing-the-holograms-i-expect-to-see-in-my-space) +- [I can't place holograms where I want](#i-cant-place-holograms-where-i-want) +- [Holograms disappear or are encased in other holograms or objects](#holograms-disappear-or-are-encased-in-other-holograms-or-objects) +- [I can see holograms that are on the other side of a wall](#i-can-see-holograms-that-are-on-the-other-side-of-a-wall) +- [When I place a hologram on a wall, it seems to float](#when-i-place-a-hologram-on-a-wall-it-seems-to-float) +- [Apps appear too close to me when I'm trying to move them](#apps-appear-too-close-to-me-when-im-trying-to-move-them) +- [I'm getting a low disk space error](#im-getting-a-low-disk-space-error) +- [HoloLens doesn't respond to my gestures](#hololens-doesnt-respond-to-my-gestures) +- [HoloLens doesn't respond to my voice](#hololens-doesnt-respond-to-my-voice) +- [I'm having problems pairing or using a Bluetooth device](#im-having-problems-pairing-or-using-a-bluetooth-device) +- [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker) +- [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi) +- [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start) +- [How do I delete all spaces?](#how-do-i-delete-all-spaces) +- [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator) + +## My holograms don't look right or are moving around + +If your holograms don't look right (for example, they're jittery or shaky, or you see black patches on top of them), try one of 
these fixes: + +- [Clean your device visor](hololens1-hardware.md#care-and-cleaning) and make sure nothing is blocking the sensors. +- Make sure you're in a well-lit room without a lot of direct sunlight. +- Try walking around and gazing at your surroundings so HoloLens can scan them more completely. +- If you've placed a lot of holograms, try removing some. + +If you're still having problems, trying running the Calibration app, which calibrates your HoloLens just for you, to help keep your holograms looking their best. Go to **Settings **>** System **>** Utilities**. Under Calibration, select **Open Calibration**. + +[Back to list](#list) + +## I see a message that says Finding your space + +When HoloLens is learning or loading a space, you might see a brief message that says "Finding your space." If this message continues for more than a few seconds, you'll see another message under the Start menu that says "Still looking for your space." + +These messages mean that HoloLens is having trouble mapping your space. When this happens, you'll be able to open apps, but you won't be able to place holograms in your environment. + +If you see these messages often, try the following: + +- Make sure you're in a well-lit room without a lot of direct sunlight. +- Make sure your device visor is clean. [Learn how](hololens1-hardware.md#care-and-cleaning). +- Make sure you have a strong Wi-Fi signal. If you enter a new environment that has no Wi-Fi or a weak signal, HoloLens won't be able find your space. Check your Wi-Fi connection by going to **Settings **> **Network & Internet** >** Wi-Fi**. +- Try moving more slowly. + +[Back to list](#list) + +## I'm not seeing the holograms I expect to see in my space + +If you don't see holograms you placed, or you're seeing some you don't expect, try the following: + +- Try turning on some lights. HoloLens works best in a well-lit space. 
+- Remove holograms you don't need by going to **Settings** > **System** > **Holograms** > **Remove nearby holograms**. Or, if needed, select **Remove all holograms**. + + > [!NOTE] + > If the layout or lighting in your space changes significantly, your device might have trouble identifying your space and showing your holograms. + +[Back to list](#list) + +## I can't place holograms where I want + +Here are some things to try if you're having trouble placing holograms: + +- Stand about 1 to 3 meters from where you're trying to place the hologram. +- Don't place holograms on black or reflective surfaces. +- Make sure you're in a well-lit room without a lot of direct sunlight. +- Walk around the rooms so HoloLens can rescan your surroundings. To see what's already been scanned, air tap to reveal the mapping mesh graphic. + +[Back to list](#list) + +## Holograms disappear or are encased in other holograms or objects + +If you get too close to a hologram, it will temporarily disappear—just move away from it. Also, if you've placed a lot of holograms close together, some may disappear. Try removing a few. + +Holograms can also be blocked or encased by other holograms or by objects such as walls. If this happens, try one of the following: + +- If the hologram is encased in another hologram, move it to another location: select **Adjust**, then tap and hold to position it. +- If the hologram is encased in a wall, select **Adjust**, then walk toward the wall until the hologram appears. Tap and hold, then pull the hologram forward and out of the wall. +- If you can't move the hologram with gestures, use your voice to remove it. Gaze at the hologram, then say "Remove." Then reopen it and place it in a new location. + +[Back to list](#list) + +## I can see holograms that are on the other side of a wall + +If you're very close to a wall, or if HoloLens hasn't scanned the wall yet, you'll be able to see holograms that are in the next room. 
Stand 1 to 3 meters from the wall and gaze to scan it. + +If HoloLens has problems scanning the wall, it might be because there's a black or reflective object nearby (for example, a black couch or a stainless steel refrigerator). If there is, scan the other side of the wall. + +[Back to list](#list) + +## When I place a hologram on a wall, it seems to float + +Holograms placed on walls will appear to be an inch or so away from the wall. If they appear farther away, try the following: + +- Stand 1 to 3 meters from the wall when you place a hologram and face the wall straight on. +- Air tap the wall to reveal the mapping mesh graphic. Make sure the mesh is lined up with the wall. If it isn't, remove the hologram, rescan the wall, and try again. +- If the issue persists, run the Calibration app. You'll find it in **Settings** > **System** > **Utilities**. + +[Back to list](#list) + +## Apps appear too close to me when I'm trying to move them + +Try walking around and looking at the area where you're placing the app so HoloLens will scan it from different angles. [Cleaning your device visor](hololens1-hardware.md#care-and-cleaning) may also help. + +[Back to list](#list) + +## I'm getting a low disk space error + +Free up some storage space by doing one or more of the following: + +- Remove some of the holograms you've placed, or remove some saved data from within apps. [How do I find my data?](hololens-find-and-save-files.md) +- Delete some pictures and videos in the Photos app. +- Uninstall some apps from your HoloLens. In the All apps list, tap and hold the app you want to uninstall, then select **Uninstall**. (This will also delete any of the app's data stored on the device.) + +[Back to list](#list) + +## HoloLens doesn't respond to my gestures + +To make sure HoloLens can see your gestures, keep your hand in the gesture frame, which extends a couple of feet on either side of you. 
HoloLens can also best see your hand when you hold it about 18 inches in front of your body (though you don't have to be precise about this). When HoloLens can see your hand, the cursor will change from a dot to a ring. Learn more about [using gestures in HoloLens 2](hololens2-basic-usage.md) or [using gestures in HoloLens (1st gen)](hololens1-basic-usage.md). + +[Back to list](#list) + +## HoloLens doesn't respond to my voice + +If Cortana isn't responding to your voice, make sure Cortana is on. In the **All apps** list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md). + +[Back to list](#list) + +## I'm having problems pairing or using a Bluetooth device + +If you're having problems [pairing a Bluetooth device](hololens-connect-devices.md), try the following: + +- Go to **Settings** > **Devices** and make sure Bluetooth is turned on. If it is, try turning if off and on again. +- Make sure your Bluetooth device is fully charged or has fresh batteries. +- If you still can't connect, [restart your HoloLens](hololens-recovery.md). + +If you're having trouble using a Bluetooth device, make sure it's a supported device. Supported devices include: + +- English-language QWERTY Bluetooth keyboards, which can be used anywhere you use the holographic keyboard. +- Bluetooth mice. +- The [HoloLens clicker](hololens1-clicker.md). + +Other Bluetooth HID and GATT devices can be paired, but they might require a companion app from Microsoft Store to work with HoloLens. + +HoloLens doesn't support Bluetooth audio profiles. Bluetooth audio devices, such as speakers and headsets, may appear as available in HoloLens settings, but they aren't supported. + +[Back to list](#list) + +## I'm having problems with the HoloLens clicker + +Use the [clicker](hololens1-clicker.md) to select, scroll, move, and resize holograms. 
Additional clicker gestures may vary from app to app. + +If you're having trouble using the clicker, make sure its charged and paired with your HoloLens. If the battery is low, the indicator light will blink amber. To see if its paired, go to **Settings** > **Devices** and see if it shows up there. [Pair the clicker](hololens-connect-devices.md#pair-the-clicker). + +If the clicker is charged and paired and you're still having problems, reset it by holding down the main button and the pairing button for 15 seconds. Then pair the clicker with your HoloLens again. + +If that doesn't help, see [Restart or recover the HoloLens clicker](hololens1-clicker.md#restart-or-recover-the-clicker). + +[Back to list](#list) + +## I can't connect to Wi-Fi + +Here are some things to try if you can't connect to Wi-Fi on HoloLens: + +- Make sure Wi-Fi is turned on. Bloom to go to Start, then select **Settings** > **Network & Internet** > **Wi-Fi** to check. If Wi-Fi is on, try turning it off and on again. +- Move closer to the router or access point. +- Restart your Wi-Fi router, then [restart HoloLens](hololens-recovery.md). Try connecting again. +- If none of these things work, check to make sure your router is using the latest firmware. You can find this information on the manufacturers website. + +[Back to list](#list) + +## My HoloLens isn't running well, is unresponsive, or won't start + +If your device isn't performing properly, see [Restart, reset, or recover HoloLens](hololens-recovery.md). + +[Back to list](#list) + +## How do I delete all spaces? + +*Coming soon* + +[Back to list](#list) + +## I cannot find or use the keyboard to type in the HoloLens 2 Emulator + +*Coming soon* + +[Back to list](#list) diff --git a/devices/hololens/hololens-commercial-features.md b/devices/hololens/hololens-commercial-features.md index 1b3fdcdcd4..309d81e904 100644 --- a/devices/hololens/hololens-commercial-features.md +++ b/devices/hololens/hololens-commercial-features.md 
@@ -1,11 +1,12 @@ --- title: Commercial features description: The Microsoft HoloLens Commercial Suite includes features that make it easier for businesses to manage HoloLens devices. HoloLens 2 devices are equipped with commercial features by default. +keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk mode author: scooley ms.author: scooley -ms.date: 08/26/19 +ms.date: 08/26/2019 ms.topic: article -keywords: HoloLens, commercial, features, mdm, mobile device management, kiosk mode +audience: ITPro ms.prod: hololens ms.sitesec: library ms.localizationpriority: high @@ -53,7 +54,7 @@ HoloLens (1st gen) came with two licensing options, the developer license and a |Ability to block unenrollment | |✔️ |✔️ | |Cert-based corporate Wi-Fi access | |✔️ |✔️ | |Microsoft Store (Consumer) |Consumer |Filter by using MDM |Filter by using MDM | -[Business Store Portal](https://docs.microsoft.com/microsoft-store/working-with-line-of-business-apps) | |✔️ |✔️ | +|[Business Store Portal](https://docs.microsoft.com/microsoft-store/working-with-line-of-business-apps) | |✔️ |✔️ | |**Security and identity** | | | | |Sign in by using Azure Active Directory (AAD) account |✔️ |✔️ |✔️ | |Sign in by using Microsoft Account (MSA) |✔️ |✔️ |✔️ | diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md index 6e8f48fa30..bbe2dad4d3 100644 --- a/devices/hololens/hololens-connect-devices.md +++ b/devices/hololens/hololens-connect-devices.md @@ -7,8 +7,8 @@ ms.sitesec: library author: Teresa-Motiv ms.author: v-tea ms.topic: article -ms.localizationpriority: medium -ms.date: 9/13/2019 +ms.localizationpriority: high +ms.date: 09/13/2019 manager: jarrettr appliesto: - HoloLens (1st gen) 
@@ -34,7 +34,7 @@ Classes of Bluetooth devices supported by HoloLens (1st gen): - HoloLens (1st gen) clicker > [!NOTE] -> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported on HoloLens (1st gen). [Learn more](http://go.microsoft.com/fwlink/p/?LinkId=746660). +> Other types of Bluetooth devices, such as speakers, headsets, smartphones, and game pads, may appear as available in HoloLens settings, but aren't supported on HoloLens (1st gen). [Learn more](https://go.microsoft.com/fwlink/p/?LinkId=746660). ### Pair a Bluetooth keyboard or mouse diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 5ffe60d2e1..f95a0321eb 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -106,7 +106,7 @@ Here are some things you can try saying (remember to say "Hey Cortana" first). - Stop recording. (Stops recording a video.) - Call <*contact*>. (Requires Skype.) - What time is it? -- Show me the latest NBA scores. +- Show me the latest NBA scores. - How much battery do I have left? - Tell me a joke. diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index 62352e9767..6c8b9118e6 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md @@ -50,6 +50,7 @@ Provisioning packages are files created by the Windows Configuration Designer to 1. Find the XML license file that was provided when you purchased the Commercial Suite. +1. Browse to and select the XML license file that was provided when you purchased the Commercial Suite. >[!NOTE] >You can configure [additional settings in the provisioning package](hololens-provisioning.md). 
@@ -87,7 +88,7 @@ Provisioning packages are files created by the Windows Configuration Designer to 1. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with device setup. >[!NOTE] ->If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. +>If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. ## Verify device encryption diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 2fd5775041..dc042a0f9f 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -1,16 +1,19 @@ --- -title: Enroll HoloLens in MDM (HoloLens) +title: Enroll HoloLens in MDM description: Enroll HoloLens in mobile device management (MDM) for easier management of multiple devices. ms.prod: hololens -ms.mktglfcycl: manage ms.sitesec: library -author: dansimp -ms.author: dansimp +ms.assetid: 2a9b3fca-8370-44ec-8b57-fb98b8d317b0 +author: scooley +ms.author: scooley ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 07/15/2019 ms.reviewer: manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- # Enroll HoloLens in MDM 
@@ -39,3 +42,7 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When 1. Upon successful authentication to the MDM server, a success message is shown. Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management. + +## Unenroll HoloLens from Intune + +You cannot [unenroll](https://docs.microsoft.com/intune-user-help/unenroll-your-device-from-intune-windows) HoloLens from Intune remotely. If the administrator unenrolls the device using MDM, the device will age out of the Intune dashboard. \ No newline at end of file diff --git a/devices/hololens/hololens-environment-considerations.md b/devices/hololens/hololens-environment-considerations.md new file mode 100644 index 0000000000..ec56133a01 --- /dev/null +++ b/devices/hololens/hololens-environment-considerations.md 
@@ -0,0 +1,121 @@
+---
+title: Environment considerations for HoloLens
+description: Get the best possible experience using HoloLens when you optimize the device for your eyes and environment. Many different environmental factors are fused together to enable tracking, but as a Mixed Reality developer, there are several factors you can keep in mind to tune a space for better holograms.
+keywords: holographic frame, field of view, fov, calibration, spaces, environment, how-to
+author: dorreneb
+ms.author: dobrown
+manager: jarrettr
+ms.date: 8/29/2019
+ms.prod: hololens
+ms.topic: article
+audience: ITPro
+ms.localizationpriority: high
+appliesto:
+- HoloLens (1st gen)
+- HoloLens 2
+---
+
+# Environment considerations for HoloLens
+
+HoloLens blends the holographic with the "real" world, placing holograms in your surroundings. A holographic app window "hangs" on the wall, a holographic ballerina spins on the tabletop, bunny ears sit on top of your unwitting friend’s head. When you’re using an immersive game or app, the holographic world will spread to fill your surroundings but you’ll still be able to see and move around the space.
+
+The holograms you place will stay where you’ve put them, even if you turn off your device.
+
+## Setting up an environment
+
+HoloLens devices know how to place stable and accurate holograms by *tracking* users in a space. Without proper tracking, the device does not understand the environment or the user within it so holograms can appear in the wrong places, not appear in the same spot every time, or not appear at all. The data used to track users is represented in the *spatial map*.
+
+Tracking performance is heavily influenced by the environment the user is in, and tuning an environment to induce stable and consistent tracking is an art rather than a science.
Many different environmental factors are fused together to enable tracking, but as a Mixed Reality developer, there are several factors you can keep in mind to tune a space for better tracking.
+
+### Lighting
+
+Windows Mixed Reality uses visual light to track the user's location. When an environment is too bright, the cameras can get saturated, and nothing is seen. If the environment is too dark, the cameras cannot pick up enough information, and nothing is seen. Lighting should be even and sufficiently bright that a human can see without effort, but not so bright that the light is painful to look at.
+
+Areas where there are points of bright light in an overall dim area are also problematic, as the camera has to adjust when moving in and out of bright spaces. This can cause the device to "get lost" and think that the change in light equates to a change in location. Stable light levels in an area will lead to better tracking.
+
+Any outdoor lighting can also cause instability in the tracker, as the sun may vary considerably over time. For example, tracking in the same space in the summer vs. winter can produce drastically different results, as the secondhand light outside may be higher at different times of year.
+
+If you have a luxmeter, a steady 500-1000 lux is a good place to start.
+
+#### Types of lighting
+
+Different types of light in a space can also influence tracking. Light bulbs pulse with the AC electricity running through it - if the AC frequency is 50Hz, then the light pulses at 50Hz. For a human, this pulsing is not noticed. However, HoloLens' 30fps camera sees these changes - some frames will be well-lit, some will be poorly lit, and some will be over-exposed as the camera tries to compensate for light pulses.
+
+In the USA, electricity frequency standard is 60Hz, so light bulb pulses are harmonized with HoloLens' framerate - 60Hz pulses align with HoloLens' 30 FPS framerate.
However, many countries have an AC frequency standard of 50Hz, which means some HoloLens frames will be taken during pulses, and others will not. In particular, fluorescent lighting in Europe has been known to cause issues.
+
+There are a few things you can try to resolve flickering issues. Temperature, bulb age, and warm-up cycles are common causes of fluorescent flickering and replacing bulbs may help. Tightening bulbs and making sure current draws are constant can also help.
+
+### Items in a space
+
+HoloLens uses unique environmental landmarks, also known as *features*, to locate itself in a space.
+
+A device can almost never track in a feature-poor area, as the device has no way of knowing where in space it is. Adding features to the walls of a space is usually a good way to improve tracking. Posters, symbols taped to a wall, plants, unique objects, or other similar items all help. A messy desk is a good example of an environment that leads to good tracking - there are a lot of different features in a single area.
+
+Additionally, use unique features in the same space. The same poster repeated multiple times over a wall, for example, will cause device confusion as the HoloLens won't know which of the repetitive posters it is looking at. One common way of adding unique features is to use lines of masking tape to create unique, non-repetitive patterns along the walls and floor of a space.
+
+A good question to ask yourself is: if you saw just a small amount of the scene, could you uniquely locate yourself in the space? If not, it's likely the device will have problems tracking as well.
+
+#### Wormholes
+
+If you have two areas or regions that look the same, the tracker may think they are the same. This results in the device tricking itself into thinking it is somewhere else. We call these types of repetitive areas *wormholes*.
+
+To prevent wormholes, try to prevent identical areas in the same space.
Identical areas can sometimes include factory stations, windows on a building, server racks, or work stations. Labelling areas or adding unique features to each similar-looking areas can help mitigate wormholes.
+
+### Movement in a space
+
+If your environment is constantly shifting and changing, the device has no stable features to locate against.
+
+The more moving objects that are in a space, including people, the easier it is to lose tracking. Moving conveyor belts, items in different states of construction, and lots of people in a space have all been known to cause tracking issues.
+
+The HoloLens can quickly adapt to these changes, but only when that area is clearly visible to the device. Areas that are not seen as frequently may lag behind reality, which can cause errors in the spatial map. For example, a user scans a friend and then turns around while the friend leaves the room. A 'ghost' representation of the friend will persist in the spatial mapping data until the user re-scans the now empty space.
+
+### Proximity of the user to items in the space
+
+Similarly to how humans cannot focus well on objects close to the eyes, HoloLens struggles when objects are close to it's cameras. If an object is too close to be seen with both cameras, or if an object is blocking one camera, the device will have far more issues with tracking against the object.
+
+The cameras can see no closer than 15cm from an object.
+
+### Surfaces in a space
+
+Strongly reflective surfaces will likely look different depending on the angle, which affects tracking. Think of a brand new car - when you move around it, light reflects and you see different objects in the surface as you move. To the tracker, the different objects reflected in the surface represent a changing environment, and the device loses tracking.
+
+Less shiny objects are easier to track against.
+
+### Wi-Fi fingerprint considerations
+
+As long as Wi-Fi is enabled, map data will be correlated with a Wi-Fi fingerprint, even when not connected to an actual WiFi network/router. Without Wi-Fi info, the space and holograms may be slightly slower to recognize. If the Wi-Fi signals change significantly, the device may think it is in a different space altogether.
+
+Network identification (such as SSID or MAC address) is not sent to Microsoft, and all Wi-Fi references are kept local on the HoloLens.
+
+## Mapping new spaces
+
+When you enter a new space (or load an existing one), you’ll see a mesh graphic spreading over the space. This means your device is mapping your surroundings. While a HoloLens will learn a space over time, there are tips and tricks to map spaces.
+
+## Environment management
+
+There are two settings which enable users to “clean up” holograms and cause HoloLens to “forget" a space. They exist in **Holograms and environments** in the settings app, with the second setting also appearing under **Privacy** in the settings app.
+
+1. **Delete nearby holograms**. When you select this setting, HoloLens will erase all anchored holograms and all stored map data for the “current space” where the device is located. A new map section would be created and stored in the database for that location once holograms are again placed in that same space.
+
+1. **Delete all holograms**.By selecting this setting, HoloLens will erase ALL map data and anchored holograms in the entire databases of spaces. No holograms will be rediscovered and any holograms need to be newly placed to again store map sections in the database.
+
+## Hologram quality
+
+Holograms can be placed throughout your environment—high, low, and all around you—but you’ll see them through a [holographic frame](https://docs.microsoft.com/windows/mixed-reality/holographic-frame) that sits in front of your eyes. To get the best view, make sure to adjust your device so you can see the entire frame.
And don’t hesitate to walk around your environment and explore! + +For your [holograms](https://docs.microsoft.com/windows/mixed-reality/hologram) to look crisp, clear, and stable, your HoloLens needs to be calibrated just for you. When you first set up your HoloLens, you’ll be guided through this process. Later on, if holograms don’t look right or you’re seeing a lot of errors, you can make adjustments. + +If you are having trouble mapping spaces, try deleting nearby holograms and remapping the space. + +### Calibration + +If your holograms look jittery or shaky, or if you’re having trouble placing holograms, the first thing to try is the [Calibration app](hololens-calibration.md). This app can also help if you’re experiencing any discomfort while using your HoloLens. + +To get to the Calibration app, go to **Settings** > **System** > **Utilities**. Select **Open Calibration** and follow the instructions. + +If someone else is going to be using your HoloLens, they should run the Calibration app first so the device is set up properly for them. + +## See also + +- [Spatial mapping design](https://docs.microsoft.com/windows/mixed-reality/spatial-mapping-design) +- [Holograms](https://docs.microsoft.com/windows/mixed-reality/hologram) diff --git a/devices/hololens/hololens-feedback.md b/devices/hololens/hololens-feedback.md index 51509d0833..3199517a90 100644 --- a/devices/hololens/hololens-feedback.md +++ b/devices/hololens/hololens-feedback.md @@ -80,4 +80,3 @@ To easily direct other people (such as co-workers, Microsoft staff, [forum](http 1. Enter your feedback. 1. If you are reporting a reproducible issue, you can select **Reproduce**. Without closing Feedback Hub, reproduce the issue. After you finish, come back to Feedback Hub and select **I’m done**. The app adds a mixed reality capture of your repro and relevant diagnostic logs to your feedback. 1. Select **Post feedback**, and you’re done. - 
diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md index 8a9687ea25..098b387e5b 100644 --- a/devices/hololens/hololens-find-and-save-files.md +++ b/devices/hololens/hololens-find-and-save-files.md @@ -12,6 +12,9 @@ author: v-miegge ms.author: v-miegge ms.topic: article ms.localizationpriority: medium +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- # Find and save files on HoloLens diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 5eaf9ad296..604048e203 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -10,6 +10,9 @@ ms.localizationpriority: medium ms.date: 10/23/2018 ms.reviewer: manager: dansimp +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- # Insider preview for Microsoft HoloLens diff --git a/devices/hololens/hololens-known-issues.md b/devices/hololens/hololens-known-issues.md new file mode 100644 index 0000000000..2fa916f8d0 --- /dev/null +++ b/devices/hololens/hololens-known-issues.md 
@@ -0,0 +1,169 @@
+---
+title: HoloLens known issues
+description: This is the list of known issues that may affect HoloLens developers.
+keywords: troubleshoot, known issue, help
+author: mattzmsft
+ms.author: mazeller
+ms.date: 8/30/2019
+ms.topic: article
+HoloLens and holograms: Frequently asked questions
+manager: jarrettr
+ms.prod: hololens
+appliesto:
+- HoloLens 1
+---
+
+# HoloLens known issues
+
+This is the current list of known issues for HoloLens that affect developers. Check here first if you are seeing an odd behavior. This list will be kept updated as new issues are discovered or reported, or as issues are addressed in future HoloLens software updates.
+
+## Unable to connect and deploy to HoloLens through Visual Studio
+
+>[!NOTE]
+>Last Update: 8/8 @ 5:11PM - Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
+
+Visual Studio has released VS 2019 Version 16.2 which includes a fix to this issue. We recommend updating to this newest version to avoid experiencing this error.
+
+Issue root-cause: Users who used Visual Studio 2015 or early releases of Visual Studio 2017 to deploy and debug applications on their HoloLens and then subsequently used the latest versions of Visual Studio 2017 or Visual Studio 2019 with the same HoloLens will be affected. The newer releases of Visual Studio deploy a new version of a component, but files from the older version are left over on the device, causing the newer version to fail. This causes the following error message: DEP0100: Please ensure that target device has developer mode enabled. Could not obtain a developer license on \ due to error 80004005.
+
+### Workaround
+
+Our team is currently working on a fix. In the meantime, you can use the following steps to work around the issue and help unblock deployment and debugging:
+
+1. Open Visual Studio
+1. Select **File** > **New** > **Project**.
+1. 
Select **Visual C#** > **Windows Desktop** > **Console App (.NET Framework)**. +1. Give the project a name (such as "HoloLensDeploymentFix") and make sure the Framework is set to at least .NET Framework 4.5, then Select **OK**. +1. Right-click on the **References** node in Solution Explorer and add the following references (select to the **Browse** section and select **Browse**): + + ``` CMD + C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\Microsoft.Tools.Deploy.dll + C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\Microsoft.Tools.Connectivity.dll + C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\SirepInterop.dll + ``` + + >[!NOTE] + >If you don't have 10.0.18362.0 installed, use the most recent version that you have. + +1. Right-click on the project in Solution Explorer and select **Add** > **Existing Item**. +1. Browse to C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86 and change the filter to **All Files (\*.\*)**. +1. Select both SirepClient.dll and SshClient.dll, and Select **Add**. +1. Locate and select both files in Solution Explorer (they should be at the bottom of the list of files) and change **Copy to Output Directory** in the **Properties** window to **Copy always**. +1. At the top of the file, add the following to the existing list of `using` statements: + + ``` CMD + using Microsoft.Tools.Deploy; + using System.Net; + ``` + +1. Inside of `static void Main(...)`, add the following code: + + ``` PowerShell + RemoteDeployClient client = RemoteDeployClient.CreateRemoteDeployClient(); + client.Connect(new ConnectionOptions() + { + Credentials = new NetworkCredential("DevToolsUser", string.Empty), + IPAddress = IPAddress.Parse(args[0]) + }); + client.RemoteDevice.DeleteFile(@"C:\Data\Users\DefaultAccount\AppData\Local\DevelopmentFiles\VSRemoteTools\x86\CoreCLR\mscorlib.ni.dll"); + ``` + +1. Select **Build** > **Build Solution**. +1. 
Open a Command Prompt Window and cd to the folder that contains the compiled .exe file (for example, C:\MyProjects\HoloLensDeploymentFix\bin\Debug)
+1. Run the executable and provide the device's IP address as a command-line argument. (If connected using USB, you can use 127.0.0.1, otherwise use the device’s Wi-Fi IP address.) For example, "HoloLensDeploymentFix 127.0.0.1"
+
+1. After the tool has exited without any messages (this should only take a few seconds), you will now be able to deploy and debug from Visual Studio 2017 or newer. Continued use of the tool is not necessary.
+
+We will provide further updates as they become available.
+
+## Issues launching the Microsoft Store and apps on HoloLens
+
+> [!NOTE]
+> Last Update: 4/2 @ 10 AM - Issue resolved.
+
+You may experience issues when trying to launch the Microsoft Store and apps on HoloLens. We've determined that the issue occurs when background app updates deploy a newer version of framework packages in specific sequences while one or more of their dependent apps are still running. In this case, an automatic app update delivered a new version of the .NET Native Framework (version 10.0.25531 to 10.0.27413) caused the apps that are running to not correctly update for all running apps consuming the prior version of the framework. The flow for framework update is as follows:
+
+1. The new framework package is downloaded from the store and installed
+1. All apps using the older framework are ‘updated’ to use the newer version
+
+If step 2 is interrupted before completion then any apps for which the newer framework wasn’t registered will fail to launch from the start menu. We believe any app on HoloLens could be affected by this issue.
+
+Some users have reported that closing hung apps and launching other apps such as Feedback Hub, 3D Viewer or Photos resolves the issue for them—however, this does not work 100% of the time.
+
+We have root caused that this issue was not caused the update itself, but a bug in the OS that resulted in the .NET Native framework update being handled incorrectly. We are pleased to announce that we have identified a fix and have released an update (OS version 17763.380) containing the fix.
+
+To see if your device can take the update, please:
+
+1. Go to the Settings app and open **Update & Security**.
+1. Select **Check for Updates**.
+1. If update to 17763.380 is available, please update to this build to receive the fix for the App Hang bug
+1. Upon updating to this version of the OS, the Apps should work as expected.
+
+Additionally, as we do with every HoloLens OS release, we have posted the FFU image to the [Microsoft Download Center](https://aka.ms/hololensdownload/10.0.17763.380).
+
+If you would not like to take the update, we have released a new version of the Microsoft Store UWP app as of 3/29. After you have the updated version of the Store:
+
+1. Open the Store and confirm that it loads.
+1. Use the bloom gesture to open the menu.
+1. Attempt to open previously broken apps.
+1. If it still cannot be launched, tap and hold the icon of the broken app and select uninstall.
+1. Resinstall these apps from the store.
+
+If your device is still unable to load apps, you can sideload a version of the .NET Native Framework and Runtime through the download center by following these steps:
+
+1. Please download [this zip file](https://download.microsoft.com/download/8/5/C/85C23745-794C-419D-B8D7-115FBCCD6DA7/netfx_1.7.zip) from the Microsoft Download Center. Unzipping will produce two files. Microsoft.NET.Native.Runtime.1.7.appx and Microsoft.NET.Native.Framework.1.7.appx
+1. Please verify that your device is dev unlocked. If you haven’t done that before the instructions to do that are [here](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal).
+1. You then want to get into the Windows Device Portal.
Our recommendation is to do this over USB and you would do that by typing http://127.0.0.1:10080 into your browser. +1. After you have the Windows Device Portal up we need you to “side load” the two files that you downloaded. To do that you need to go down the left side bar until you get to the **Apps** section and select **Apps**. +1. You will then see a screen that is similar to the below. You want to go to the section that says **Install App** and browse to where you unzipped those two APPX files. You can only do one at a time, so after you select the first one, then click on “Go” under the Deploy section. Then do this for the second APPX file. + + ![Windows Device Portal to Install Side-Loaded app](images/20190322-DevicePortal.png) +1. At this point we believe your applications should start working again and that you can also get to the Store. +1. In some cases, it is necessary run the additional step of launching the 3D Viewer app before affected apps will launch. + +We appreciate your patience as we have gone through the process to get this issue resolved, and we look forward to continued working with our community to create successful Mixed Reality experiences. + +## Connecting to WiFi + +During HoloLens Setup, there is a credential timeout of 2 minutes. The username/password needs to be entered within 2 minutes otherwise the username field will be automatically cleared. + +We recommend using a Bluetooth keyboard for entering long passwords. + +> [!NOTE] +> If the wrong network is selected during HoloLens Setup, the device will need to be fully reset. Instructions can be found [here.](hololens-restart-recover.md) + +## Device Update + +- 30 seconds after a new update, the shell may disappear one time. Please perform the **bloom** gesture to resume your session. 
+
+## Visual Studio
+
+- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Visual Studio that is recommended for HoloLens development.
+- When deploying an app from Visual Studio to your HoloLens, you may see the error: **The requested operation cannot be performed on a file with a user-mapped section open. (Exception from HRESULT: 0x800704C8)**. If this happens, try again and your deployment will generally succeed.
+
+## Emulator
+
+- Not all apps in the Microsoft Store are compatible with the emulator. For example, Young Conker and Fragments are not playable on the emulator.
+- You cannot use the PC webcam in the Emulator.
+- The Live Preview feature of the Windows Device Portal does not work with the emulator. You can still capture Mixed Reality videos and images.
+
+## Unity
+
+- See [Install the tools](https://docs.microsoft.com/windows/mixed-reality/install-the-tools) for the most up-to-date version of Unity recommended for HoloLens development.
+- Known issues with the Unity HoloLens Technical Preview are documented in the [HoloLens Unity forums](https://forum.unity3d.com/threads/known-issues.394627/).
+
+## Windows Device Portal
+
+- The Live Preview feature in Mixed Reality capture may exhibit several seconds of latency.
+- On the Virtual Input page, the Gesture and Scroll controls under the Virtual Gestures section are not functional. Using them will have no effect. The virtual keyboard on the same page works correctly.
+- After enabling Developer Mode in Settings, it may take a few seconds before the switch to turn on the Device Portal is enabled.
+
+## API
+
+- If the application sets the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) behind the user or the normal to camera.forward, holograms will not appear in Mixed Reality Capture photos or videos.
Until this bug is fixed in Windows, if applications actively set the [focus point](https://docs.microsoft.com/windows/mixed-reality/focus-point-in-unity) they should ensure the plane normal is set opposite camera-forward (for example, normal = -camera.forward).
+
+## Xbox Wireless Controller
+
+- Xbox Wireless Controller S must be updated before it can be used with HoloLens. Ensure you are [up to date](https://support.xbox.com/xbox-one/accessories/update-controller-for-stereo-headset-adapter) before attempting to pair your controller with a HoloLens.
+- If you reboot your HoloLens while the Xbox Wireless Controller is connected, the controller will not automatically reconnect to HoloLens. The Guide button light will flash slowly until the controller powers off after 3 minutes. To reconnect your controller immediately, power off the controller by holding the Guide button until the light turns off. When you power your controller on again, it will reconnect to HoloLens.
+- If your HoloLens enters standby while the Xbox Wireless Controller is connected, any input on the controller will wake the HoloLens. You can prevent this by powering off your controller when you are done using it.
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index 70bee8bc2d..d9d6704c78 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -21,6 +21,8 @@ It's common to share one HoloLens with many people or to have many people share ## Share with multiple people, each using their own account +**Prerequisite**: The HoloLens device must be running Windows 10, version 1803 or later. HoloLens (1st gen) also need to be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). + When they use their own Azure Active Directory (Azure AD) accounts, multiple users can each keep their own user settings and user data on the device. To make sure that multiple people can use their own accounts on your HoloLens, follow these steps to configure it: diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md index 908a2bbb45..6ee4fb35c1 100644 --- a/devices/hololens/hololens-offline.md +++ b/devices/hololens/hololens-offline.md @@ -1,17 +1,17 @@ --- title: Use HoloLens offline description: To set up HoloLens, you'll need to connect to a Wi-Fi network -ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 -ms.reviewer: jarrettrenshaw +keywords: hololens, offline, OOBE +audience: ITPro ms.date: 07/01/2019 -manager: v-miegge -keywords: hololens -ms.prod: hololens -ms.sitesec: library +ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 author: v-miegge ms.author: v-miegge +manager: v-miegge ms.topic: article -ms.localizationpriority: medium +ms.prod: hololens +ms.sitesec: library +ms.localizationpriority: high appliesto: - HoloLens (1st gen) - HoloLens 2 
@@ -35,6 +35,10 @@ HoloLens need a network connection to go through initial device set up. If your | MSA | https://login.live.com/ppsecure/inlineconnect.srf?id=80600 | | MSA Pin | https://account.live.com/msangc?fl=enroll | +Additional references: + +- [Technical reference for AAD related IP ranges and URLs](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges) + ## HoloLens limitations After your HoloLens is set up, you can use it without a Wi-Fi connection, but apps that use Internet connections will have limited capabilities when you use HoloLens offline. diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index b0f40d77cc..0585bf89f7 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md 
@@ -1,55 +1,103 @@ --- -title: Restore HoloLens 2 using Advanced Recovery Companion -ms.reviewer: -manager: dansimp +title: Reset or recover your HoloLens +ms.reviewer: Both basic and advanced instructions for rebooting or resetting your HoloLens. description: How to use Advanced Recovery Companion to flash an image to HoloLens 2. +keywords: how-to, reboot, reset, recover, hard reset, soft reset, power cycle, HoloLens, shut down, arc, advanced recovery companion ms.prod: hololens ms.sitesec: library -author: dansimp -ms.author: dansimp +author: mattzmsft +ms.author: mazeller +ms.date: 08/30/2019 ms.topic: article -ms.localizationpriority: medium +ms.localizationpriority: high +manager: jarrettr +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- -# Restore HoloLens 2 using Advanced Recovery Companion +# Restart, reset, or recover HoloLens ->[!TIP] ->If you're having issues with HoloLens (the first device released), see [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens). Advanced Recovery Companion is only supported for HoloLens 2. +If you’re experiencing problems with your HoloLens you may want to try a restart, reset, or even re-flash with device recovery. ->[!WARNING] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +Here are some things to try if your HoloLens isn’t running well. This article will guide you through the recommended recovery steps in succession. -The Advanced Recovery Companion is a new app in Microsoft Store that you can use to restore the operating system image to your HoloLens device. +This article focuses on the HoloLens device and software, if your holograms don't look right, [this article](hololens-environment-considerations.md) talks about environmental factors that improve hologram quality. 
-When your HoloLens 2 is unresponsive, not running properly, or is experiencing software or update problems, try these things in order: +## Restart your HoloLens -1. [Restart](#restart-hololens-2) the HoloLens 2. -2. [Reset](#reset-hololens-2) the HoloLens 2. -3. [Recover](#recover-hololens-2) the HoloLens 2. +First, try restarting the device. ->[!IMPORTANT] ->Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete. +### Perform a safe restart by using Cortana -## Restart HoloLens 2 +The safest way to restart the HoloLens is by using Cortana. This is generally a great first-step when experiencing an issue with HoloLens: -A device restart can often "fix" a computer issue. First, say "Hey Cortana, restart the device." +1. Put on your device +1. Make sure it’s powered on, a user is logged in, and the device is not waiting for a password to unlock it. +1. Say “Hey Cortana, reboot” or "Hey Cortana, restart." +1. When she acknowledges she will ask you for confirmation. Wait a second for a sound to play after she has finished her question, indicating she is listening to you and then say “Yes.” +1. The device will now restart. -If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device. +### Perform a safe restart by using the power button -If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device. +If you still can't restart your device, you can try to restart it by using the power button: -## Reset HoloLens 2 +1. Press and hold the power button for five seconds. + 1. After one second, you will see all five LEDs illuminate, then slowly turn off from right to left. + 1. 
After five seconds, all LEDs will be off, indicating the shutdown command was issued successfully. + 1. Note that it’s important to stop pressing the button immediately after all the LEDs have turned off. +1. Wait one minute for the shutdown to cleanly succeed. Note that the shutdown may still be in progress even if the displays are turned off. +1. Power on the device again by pressing and holding the power button for one second. -If the device is still having a problem after restart, use reset to return the HoloLens 2 to factory settings. +### Perform a safe restart by using Windows Device Portal -To reset your HoloLens 2, go to **Settings > Update > Reset** and select **Reset device**. +> [!NOTE] +> To do this, HoloLens has to be configured as a developer device. +> Read more about [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). + +If the previous procedure doesn't work, you can try to restart the device by using [Windows Device Portal](https://docs.microsoft.com/windows/mixed-reality/using-the-windows-device-portal). In the upper right corner, there is an option to restart or shut down the device. + +### Perform an unsafe forced restart + +If none of the previous methods are able to successfully restart your device, you can force a restart. This method is equivalent to pulling the battery from the HoloLens. It is a dangerous operation which may leave your device in a corrupt state. If that happens, you'll have to flash your HoloLens. + +> [!WARNING] +> This is a potentially harmful method and should only be used in the event none of the above methods work. + +1. Press and hold the power button for at least 10 seconds. + + - It’s okay to hold the button for longer than 10 seconds. + - It’s safe to ignore any LED activity. +1. Release the button and wait for two or three seconds. +1. Power on the device again by pressing and holding the power button for one second. 
+If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out and the screen stops displaying holograms. Wait 1 minute, then press the power button again to turn on the device. + +## Reset to factory settings >[!NOTE] >The battery needs at least 40 percent charge to reset. -## Recover HoloLens 2 +If your HoloLens is still experiencing issues after restarting, try resetting it to factory state. Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings. -If the device is still having a problem after reset, you can use Advanced Recovery Companion to flash the device with a new image. +If you reset your device, all your personal data, apps, and settings will be erased. Resetting will only install the latest installed version of Windows Holographic and you will have to redo all the initialization steps (calibrate, connect to Wi-Fi, create a user account, download apps, and so forth). + +1. Launch the Settings app, and then select **Update** > **Reset**. +1. Select the **Reset device** option and read the confirmation message. +1. If you agree to reset your device, the device will restart and display a set of spinning gears with a progress bar. +1. Wait about 30 minutes for this process to complete. +1. The reset will complete and the device will restart into the out-of-the-box experience. + +## Re-install the operating system + +If the device is still having a problem after rebooting and resetting, you can use a recovery tool on your computer to reinstall the HoloLens' operating system and firmware. + +HoloLens (1st gen) and HoloLens 2 use different tools but both tools will auto-detect your HoloLens and install new software. + +All of the data HoloLens needs to reset is packaged in a Full Flash Update (ffu). This is similar to an iso, wim, or vhd. 
[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats) + +### HoloLens 2 + +The Advanced Recovery Companion is a new app in Microsoft Store restore the operating system image to your HoloLens 2 device. 1. On your computer, get [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from Microsoft Store. 2. Connect HoloLens 2 to your computer. 
@@ -58,5 +106,18 @@ If the device is still having a problem after reset, you can use Advanced Recove 5. On the **Device info** page, select **Install software** to install the default package. (If you have a Full Flash Update (FFU) image that you want to install instead, select **Manual package selection**.) 6. Software installation will begin. Do not use the device or disconnect the cable during installation. When you see the **Installation finished** page, you can disconnect and use your device. ->[!NOTE] ->[Learn about FFU image file formats.](https://docs.microsoft.com/windows-hardware/manufacture/desktop/wim-vs-ffu-image-file-formats) +### HoloLens (1st gen) + +If necessary, you can install a completely new operating system on your HoloLens (1st gen) with the Windows Device Recovery Tool. + +Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time. When you're done, the latest version of the Windows Holographic software approved for your HoloLens will be installed. + +To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. + +To recover your HoloLens + +1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer. +1. Connect the HoloLens (1st gen) to your computer using the Micro USB cable that came with your HoloLens. +1. Run the Windows Device Recovery Tool and follow the instructions. + +If the HoloLens (1st gen) isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-restart-recover.md b/devices/hololens/hololens-restart-recover.md deleted file mode 100644 index 9bf0cddb37..0000000000 
--- a/devices/hololens/hololens-restart-recover.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Restart, reset, or recover HoloLens
-description: Restart, reset, or recover HoloLens
-ms.assetid: 9a546416-1648-403c-9e0c-742171b8812e
-ms.reviewer: jarrettrenshaw
-ms.date: 07/01/2019
-manager: v-miegge
-keywords: hololens
-ms.prod: hololens
-ms.sitesec: library
-author: v-miegge
-ms.author: v-miegge
-ms.topic: article
-ms.localizationpriority: medium
----
-
-# Restart, reset, or recover HoloLens
-
-Here are some things to try if your HoloLens is unresponsive, isn’t running well, or is experiencing software or update problems.
-
-## Restart your HoloLens
-
-If your HoloLens isn’t running well or is unresponsive, try the following things.
-
-First, try restarting the device: say, "Hey Cortana, restart the device."
-
-If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device.
-
-If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device.
-
-## Reset or recover your HoloLens
-
-If restarting your HoloLens doesn’t help, another option is to reset it. If resetting it doesn’t fix the problem, the Windows Device Recovery Tool can help you recover your device.
-
->[!IMPORTANT]
->Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete.
-
-## Reset
-
-Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings.
-
-To reset your HoloLens, go to **Settings** > **Update** > **Reset** and select **Reset device**. The battery will need to have at least a 40 percent charge remaining to reset.
- -## Recover using the Windows Device Recovery Tool - -Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time, and the latest version of the Windows Holographic software approved for your HoloLens will be installed. - -To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. -To recover your HoloLens - -1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer. -1. Connect the clicker to your computer using the Micro USB cable that came with your HoloLens. -1. Run the Windows Device Recovery Tool and follow the instructions. - -If the clicker isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-spaces.md b/devices/hololens/hololens-spaces.md index b8f98ea416..26790eacca 100644 --- a/devices/hololens/hololens-spaces.md +++ b/devices/hololens/hololens-spaces.md @@ -9,7 +9,7 @@ keywords: hololens, Windows Mixed Reality, design, spatial mapping, HoloLens, su ms.prod: hololens ms.sitesec: library ms.topic: article -ms.localizationpriority: medium +ms.localizationpriority: high appliesto: - HoloLens 1 (1st gen) - HoloLens 2 diff --git a/devices/hololens/hololens-status.md b/devices/hololens/hololens-status.md index 9438c6d9d2..e6ccdbd207 100644 --- a/devices/hololens/hololens-status.md +++ b/devices/hololens/hololens-status.md @@ -8,7 +8,7 @@ manager: jarrettr audience: Admin ms.topic: article ms.prod: hololens -ms.localizationpriority: Medium +ms.localizationpriority: high ms.sitesec: library --- 
@@ -16,7 +16,7 @@ ms.sitesec: library ✔️ **All services are active** -**Key** ✔️ Good, ⓘ Information, ⚠ Warning, ❌ Critical +**Key** ✔️ Good, ⓘ Information, ⚠ Warning, ❌ Critical Area|HoloLens (1st gen)|HoloLens 2 ----|:----:|:----: @@ -27,10 +27,10 @@ Area|HoloLens (1st gen)|HoloLens 2 ## Notes and related topics -[Frequently asked questions about using Skype for HoloLens](https://support.skype.com/en/faq/FA34641/frequently-asked-questions-about-using-skype-for-hololens) +[Frequently asked questions about using Skype for HoloLens](https://support.skype.com/faq/FA34641/frequently-asked-questions-about-using-skype-for-hololens) For more details about the status of the myriad Azure Services that can connect to HoloLens, see [Azure status](https://azure.microsoft.com/status/). -For more details about current known issues, see [HoloLens known issues](https://docs.microsoft.com/windows/mixed-reality/hololens-known-issues). +For more details about current known issues, see [HoloLens known issues](hololens-known-issues.md). Follow HoloLens on [Twitter](https://twitter.com/HoloLens) and subscribe on [Reddit](https://www.reddit.com/r/HoloLens/). diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index 8cceafc45f..e0b662bd3d 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
@@ -1,23 +1,76 @@ --- -title: Manage updates to HoloLens (HoloLens) +title: Managing updates to HoloLens description: Administrators can use mobile device management to manage updates to HoloLens devices. ms.prod: hololens ms.sitesec: library -author: dansimp -ms.author: dansimp +author: Teresa-Motiv +ms.author: v-tea +audience: ITPro ms.topic: article -ms.localizationpriority: medium -ms.date: 04/30/2018 -ms.reviewer: -manager: dansimp +ms.localizationpriority: high +ms.date: 11/7/2019 +ms.reviewer: jarrettr +manager: jarrettr +appliesto: +- HoloLens (1st gen) +- HoloLens 2 --- -# Manage updates to HoloLens +# Managing HoloLens updates + +HoloLens uses Windows Update, just like other Windows 10 devices. When an update is available, it will be automatically downloaded and installed the next time your device is plugged in and connected to the Internet. + +This article will walk through all of the way to manage updates on HoloLens. + +## Manually check for updates + +While HoloLens periodically checks for system updates so you don't have to, there may be circumstances in which you want to manually check. + +To manually check for updates, go to **Settings** > **Update & Security** > **Check for updates**. If the Settings app says your device is up to date, you have all the updates that are currently available. + +## Go back to a previous version (HoloLens 2) + +In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Advanced Recovery Companion to reset your HoloLens to the earlier version. + +> [!NOTE] +> Going back to an earlier version deletes your personal files and settings. + +To go back to a previous version of HoloLens 2, follow these steps: + +1. Make sure that you don't have any phones or Windows devices plugged in to your PC. +1. 
On your PC, download the [Advanced Recovery Companion](https://www.microsoft.com/p/advanced-recovery-companion/9p74z35sfrs8?activetab=pivot:overviewtab) from the Microsoft Store. +1. Download the [most recent HoloLens 2 release](https://aka.ms/hololens2download). +1. When you have finished these downloads, open **File explorer** > **Downloads**. Right-click the zipped folder that you just downloaded, and select **Extract all** > **Extract** to unzip it. +1. Connect your HoloLens to your PC using a USB-A to USB-C cable . (Even if you've been using other cables to connect your HoloLens, this one works best.) +1. The Advanced Recovery Companion automatically detects your HoloLens. Select the **Microsoft HoloLens** tile. +1. On the next screen, select **Manual package selection** and then select the installation file contained in the folder that you unzipped in step 4. (Look for a file with the .ffu extension.) +1. Select **Install software**, and follow the instructions. + +## Go back to a previous version (HoloLens (1st gen)) + +In some cases, you might want to go back to a previous version of the HoloLens software. You can do this by using the Windows Device Recovery Tool to reset your HoloLens to the earlier version. + +> [!NOTE] +> Going back to an earlier version deletes your personal files and settings. + +To go back to a previous version of HoloLens (1st gen), follow these steps: + +1. Make sure that you don't have any phones or Windows devices plugged in to your PC. +1. On your PC, download the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). +1. Download the [HoloLens Anniversary Update recovery package](https://aka.ms/hololensrecovery). +1. When the downloads finish, open **File explorer** > **Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all** > **Extract** to unzip it. +1. Connect your HoloLens to your PC using the micro-USB cable that it came with. 
(Even if you've been using other cables to connect your HoloLens, this one works best.) +1. The WDRT will automatically detect your HoloLens. Select the **Microsoft HoloLens** tile. +1. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the .ffu extension.) +1. Select **Install software**, and follow the instructions. + +> [!NOTE] +> If the WDRT doesn't detect your HoloLens, try restarting your PC. If that doesn't work, select **My device was not detected**, select **Microsoft HoloLens**, and then follow the instructions. + +# Use policies to manage updates to HoloLens >[!NOTE] ->HoloLens devices must be [upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage updates. - -For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business). +>HoloLens (1st gen) devices must be [upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md) to manage updates. To configure how and when updates are applied, use the following policies: 
@@ -37,7 +90,8 @@ For devices on Windows 10, version 1607 only: You can use the following update p - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) -## Related topics +For more information about using policies to manage HoloLens, see the following articles: +- [Policies supported by HoloLens 2](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-hololens-2) - [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) - [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) diff --git a/devices/hololens/hololens1-clicker.md b/devices/hololens/hololens1-clicker.md index 9e8d26b69d..9da6a40ba5 100644 --- a/devices/hololens/hololens1-clicker.md +++ b/devices/hololens/hololens1-clicker.md @@ -10,7 +10,7 @@ ms.sitesec: library author: v-miegge ms.author: v-miegge ms.topic: article -ms.localizationpriority: medium +ms.localizationpriority: high appliesto: - HoloLens (1st gen) --- diff --git a/devices/hololens/hololens1-fit-comfort-faq.md b/devices/hololens/hololens1-fit-comfort-faq.md new file mode 100644 index 0000000000..d76375918c --- /dev/null +++ b/devices/hololens/hololens1-fit-comfort-faq.md 
@@ -0,0 +1,64 @@
+---
+title: HoloLens (1st gen) fit and comfort frequently asked questions
+description: Answers to frequently asked questions about how to fit your HoloLens (1st gen).
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: high
+ms.date: 10/09/2019
+ms.reviewer: jarrettr
+audience: ITPro
+manager: jarrettr
+appliesto:
+- HoloLens (1st gen)
+---
+
+# HoloLens (1st gen) fit and comfort frequently asked questions
+
+Here are some tips on how to stay comfortable and have the best experience using your HoloLens.
+
+For step-by-step instructions and a video about putting on and adjusting your device, see [Get your HoloLens (1st gen) ready to use](hololens1-setup.md).
+
+> [!NOTE]
+> The fit and comfort tips in this topic are meant only as general guidance—they don't replace any laws or regulations, or your good judgment when using HoloLens. Stay safe, and have fun!
+
+Here are some tips on how to stay comfortable and have the best experience using your HoloLens.
+
+## I'm experiencing discomfort when I use my device. What should I do?
+
+If you experience discomfort, take a break until you feel better. Try sitting in a well-lit room and relaxing for a bit. The next time your use your HoloLens, try using it for a shorter period of time at first.
+
+For more information, see [Health and safety on HoloLens](https://go.microsoft.com/fwlink/p/?LinkId=746661).
+
+## I can't see the whole holographic frame, or my holograms are cut off
+
+To see the top edge of the holographic frame, move the device so it sits higher on your head, or angle the headband up slightly in front. To see the bottom edge, move the device to sit lower on your head, or angle the headband down slightly in front. If the left or right edge of the view frame isn't visible, make sure the HoloLens visor is centered on your forehead.
+
+## I need to look up or down to see holograms
+
+Try adjusting the position of your device visor so the holographic frame matches your natural gaze. Here's how:
+
+- **If you need to look up to see holograms**. First, shift the back of the headband a bit higher on your head. Then use one hand to hold the headband in place and the other to gently rotate the visor so you have a good view of the holographic frame.
+- **If you need to look down to see holograms**. First, shift the back of the headband a bit lower on your head. Then place your thumbs under the device arms and your index fingers on top of the headband, and gently squeeze with your thumbs to rotate the visor so you have a good view of the holographic frame.
+
+## The device slides down when I'm using it, or I need to make the headband too tight to keep it secure
+
+The overhead strap can help keep your HoloLens secure on your head, particularly if you're moving around a lot. The strap may also let you loosen the headband a bit. [Learn how to use it](hololens1-setup.md#adjust-fit).
+
+You can also experiment with the positioning of the headband—depending on your head size and shape, you may need to slide it up or down to reposition it on your forehead.
+
+## My HoloLens feels heavy on my nose
+
+If your HoloLens is adjusted correctly, the nose pad should rest lightly on your nose. If it feels heavy on your nose, try rotating the visor up or adjusting the angle of the headband. You can also slide the device visor out—grasp the device arms just behind the visor and pull forward gently.
+
+## How can I adjust HoloLens to fit with my glasses?
+
+The device visor can slide in and out to accommodate eyewear. Grasp the device arms just behind the visor and pull forward gently to adjust it.
+
+## My arm gets tired when I use gestures. What can I do?
+
+When using gestures, there's no need to extend your arm out far from your body. Keep it closer to your side, where it's more comfortable and will get less tired. 
[Learn more about gestures](hololens1-basic-usage.md#use-hololens-with-your-hands). + +And be sure to try out [voice commands](hololens-cortana.md) and the [HoloLens clicker](hololens1-clicker.md). diff --git a/devices/hololens/hololens1-hardware.md b/devices/hololens/hololens1-hardware.md index aced822bd4..285f44dd6a 100644 --- a/devices/hololens/hololens1-hardware.md +++ b/devices/hololens/hololens1-hardware.md @@ -15,7 +15,7 @@ appliesto: - HoloLens (1st gen) --- -# HoloLens (1st Gen) hardware +# HoloLens (1st gen) hardware ![Microsoft HoloLens (1st gen)](images/see-through-400px.jpg) @@ -48,6 +48,14 @@ The HoloLens box contains the following items: >[!TIP] >The [clicker](hololens1-clicker.md) ships with HoloLens (1st Gen), in a separate box. +### Power Supply details + +The power supply and the USB cable that come with the device are the best supported mechanism for charging. The power supply is an 18W charger. It supplies 9V at 2A. + +Charging rate and speed may vary depending on the environment in which the device is running. + +In order to maintain/advance Internal Battery Charge Percentage while the device is on, it must be connected minimum to a 15W charger. + ## Device specifications ### Display diff --git a/devices/hololens/hololens1-setup.md b/devices/hololens/hololens1-setup.md index 4aefbad094..cbbc2315b7 100644 --- a/devices/hololens/hololens1-setup.md +++ b/devices/hololens/hololens1-setup.md @@ -7,7 +7,7 @@ author: JesseMcCulloch ms.author: jemccull ms.topic: article ms.localizationpriority: high -ms.date: 8/12/19 +ms.date: 8/12/2019 ms.reviewer: manager: jarrettr appliesto: 
@@ -29,6 +29,10 @@ When your HoloLens is on, the battery indicator shows the battery level in incre > [!TIP] > To get an estimate of your current battery level, say "Hey Cortana, how much battery do I have left?" +The power supply and USB cable that come with the device are the best way to charge your HoloLens (1st gen). The power supply provides 18W of power (9V 2A). + +Charging rate and speed may vary depending on the environment in which the device is running. + ## Adjust fit > [!VIDEO https://www.microsoft.com/videoplayer/embed/be3cb527-f2f1-4f85-b4f7-a34fbaba980d] diff --git a/devices/hololens/hololens2-basic-usage.md b/devices/hololens/hololens2-basic-usage.md index e15003a8f4..d8cc60064a 100644 --- a/devices/hololens/hololens2-basic-usage.md +++ b/devices/hololens/hololens2-basic-usage.md 
@@ -28,7 +28,7 @@ This guide provides an intro to: On HoloLens, holograms blend the digital world with your physical environment to look and sound like they're part of your world. Even when holograms are all around you, you can always see your surroundings, move freely, and interact with people and objects. We call this experience "mixed reality". -The holographic frame positions your holograms where your eyes are most sensitive to detail and the see-through lenses leave your peripheral vision unobscured. With spatial sound, you can pinpoint a hologram by listening, even if it’s behind you. And, because HoloLens understands your physical environment, you can place holograms on and around real objects such as tables and walls. +The holographic frame positions your holograms where your eyes are most sensitive to detail and the see-through lenses leave your peripheral vision clear. With spatial sound, you can pinpoint a hologram by listening, even if it’s behind you. And, because HoloLens understands your physical environment, you can place holograms on and around real objects such as tables and walls. Getting around HoloLens is a lot like using your smart phone. You can use your hands to touch and manipulate holographic windows, menus, and buttons. @@ -54,6 +54,8 @@ To bring up a **context menu**, like the ones you'll find on an app tile in the ## Use hand ray for holograms out of reach +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3ZOum] + When there are no holograms near your hands, the **touch cursor** will hide automatically and **hand rays** will appear from the palm of your hands. Hand rays allow you to interact with holograms from a distance. > [!TIP] 
@@ -71,6 +73,8 @@ To select something using **hand ray**, follow these steps: ### Grab using air tap and hold +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3Wxnh] + To grab a hologram or scroll app window content using **hand ray**, start with an **air tap**, but keep your fingers together instead of releasing them. Use **air tap and hold** to perform the following actions with hand ray: @@ -81,7 +85,9 @@ Use **air tap and hold** to perform the following actions with hand ray: ## Start gesture -The Start gesture opens the **Start menu**. To perform the Start gesture, hold out your hand with your palm facing you. You’ll see a **Start icon** appear over your inner wrist. Tap this icon using your other hand. The Start menu will open **where you’re looking**. +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3Wxng] + +The Start gesture opens the **Start menu**. To perform the Start gesture, hold out your hand with your palm facing you. You’ll see a **Start icon** appear over your inner wrist. Tap this icon using your other hand. The Start menu will open **where you’re looking**. > [!TIP] > @@ -135,6 +141,8 @@ Move a hologram or app by following these steps: ### Resizing holograms +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3ZYIb] + Grab and use the **resize handles** that appear on the corners of 3D holograms and app windows to resize them. For an app window, when resized this way the window content correspondingly increases in size and becomes easier to read. diff --git a/devices/hololens/hololens2-fit-comfort-faq.md b/devices/hololens/hololens2-fit-comfort-faq.md new file mode 100644 index 0000000000..397d61bb67 --- /dev/null +++ b/devices/hololens/hololens2-fit-comfort-faq.md 
@@ -0,0 +1,60 @@
+---
+title: HoloLens 2 fit and comfort FAQ
+description: Answers to frequently asked questions about how to fit your HoloLens 2.
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+audience: ItPro
+ms.localizationpriority: high
+ms.date: 11/07/2019
+ms.reviewer: jarrettr
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# HoloLens 2 fit and comfort frequently asked questions
+
+Here are some tips on how to stay comfortable and have the best experience using your HoloLens.
+
+For step-by-step instructions and a video about putting on and adjusting your device, see [Get your HoloLens 2 ready to use](hololens2-setup.md).
+
+> [!NOTE]
+> The fit and comfort tips in this topic are meant only as general guidance—they don't replace any laws or regulations, or your good judgment when using HoloLens. Stay safe, and have fun!
+
+Here are some tips on how to stay comfortable and have the best experience using your HoloLens.
+
+## I'm experiencing discomfort when I use my device. What should I do?
+
+If you experience discomfort, take a break until you feel better. Try sitting in a well-lit room and relaxing for a bit. The next time your use your HoloLens, try using it for a shorter period of time at first.
+
+For more information, see [Health and safety on HoloLens](https://go.microsoft.com/fwlink/p/?LinkId=746661).
+
+## I can't see the whole holographic frame, or my holograms are cut off
+
+To see the top edge of the holographic frame, move the device so it sits higher on your head, or angle the headband up slightly in front. To see the bottom edge, move the device to sit lower on your head, or angle the headband down slightly in front. If the left or right edge of the view frame isn't visible, make sure the HoloLens visor is centered on your forehead.
+
+## I need to look up or down to see holograms
+
+Try adjusting the position of your device visor so the holographic frame matches your natural gaze. 
Here's how:
+
+- **If you need to look up to see holograms**. First, shift the back of the headband a bit higher on your head. Then use one hand to hold the headband in place and the other to gently rotate the visor so you have a good view of the holographic frame.
+- **If you need to look down to see holograms**. First, shift the back of the headband a bit lower on your head. Then place your thumbs under the device arms and your index fingers on top of the headband, and gently squeeze with your thumbs to rotate the visor so you have a good view of the holographic frame.
+
+## The device slides down when I'm using it, or I need to make the headband too tight to keep it secure
+
+The overhead strap can help keep your HoloLens secure on your head, particularly if you're moving around a lot. The strap may also let you loosen the headband a bit. [Learn how to use it](hololens2-setup.md#adjust-fit).
+
+You can also experiment with the positioning of the headband—depending on your head size and shape, you may need to slide it up or down to reposition it on your forehead.
+
+## How can I adjust HoloLens to fit with my glasses?
+
+To accommodate eyewear, you can tilt the visor.
+
+## My arm gets tired when I use gestures. What can I do?
+
+When using gestures, there's no need to extend your arm out far from your body. Keep it closer to your side, where it's more comfortable and will get less tired. You can also use hand rays to interact with holograms without raising your arms [Learn more about gestures and hand rays](hololens2-basic-usage.md#the-hand-tracking-frame).
+
+And be sure to try out [voice commands](hololens-cortana.md).
diff --git a/devices/hololens/hololens2-hardware.md b/devices/hololens/hololens2-hardware.md
index dd81a50803..ca62dbf852 100644
--- a/devices/hololens/hololens2-hardware.md
+++ b/devices/hololens/hololens2-hardware.md
@@ -35,6 +35,14 @@ Microsoft HoloLens 2 is an untethered holographic computer. It refines the holo - **Power supply**. Plugs into a power outlet. - **Microfiber cloth**. Use to clean your HoloLens visor. +### Power Supply details + +The power supply and the USB cable that come with the device are the best supported mechanism for charging. The power supply is an 18W charger. It's supplies 9V at 2A. + +Charging rate and speed may vary depending on the environment in which the device is running. + +In order to maintain/advance Internal Battery Charge Percentage while the device is on, it must be connected minimum to a 15W charger. + ## Device specifications ### Display @@ -75,6 +83,16 @@ Microsoft HoloLens 2 is an untethered holographic computer. It refines the holo | Bluetooth | 5.0 | | USB | USB Type-C | +### Power + +| | | +| - | - | +| Battery Life | 2-3 hours of active use. Up to 2 weeks of standby time. | +| Battery technology | [Lithium batteries](https://www.microsoft.com/download/details.aspx?id=43388) | +| Charging behavior | Fully functional when charging | +| Cooling type | Passively cooled (no fans) | +| Power draw | In order to maintain/advance Internal Battery Charge Percentage while the device is on, it must be connected minimum to a 15W charger. | + ### Fit | | | diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md new file mode 100644 index 0000000000..760880135d --- /dev/null +++ b/devices/hololens/hololens2-language-support.md 
@@ -0,0 +1,45 @@
+---
+title: Supported languages for HoloLens 2
+description:
+ms.prod: hololens
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 9/12/2019
+audience: ITPro
+ms.reviewer: jarrettr
+manager: jarrettr
+appliesto:
+- HoloLens 2
+---
+
+# Supported languages for HoloLens 2
+
+HoloLens 2 supports the following languages. This support includes voice commands and dictation features.
+
+- Chinese Simplified (China)
+- English (Australia)
+- English (Canada)
+- English (Great Britain)
+- English (United States)
+- French (Canada)
+- French (France)
+- German (Germany)
+- Italian (Italy)
+- Japanese (Japan)
+- Spanish (Mexico)
+- Spanish (Spain)
+
+Windows Mixed Reality is also available in the following languages. However, this support does not include speech commands or dictation features.
+
+- Chinese Traditional (Taiwan and Hong Kong)
+- Dutch (Netherlands)
+- Korean (Korea)
+- Changing language or keyboard
+
+> [!NOTE]
+> Your speech and dictation language depends on the Windows display language.
+>
+To change the Windows display language, region, or keyboard settings, use the start gesture to open the **Start** menu, and then select **Settings** > **Time and Language** > **Language**.
diff --git a/devices/hololens/hololens2-setup.md b/devices/hololens/hololens2-setup.md
index d007628794..319644824d 100644
--- a/devices/hololens/hololens2-setup.md
+++ b/devices/hololens/hololens2-setup.md
@@ -1,6 +1,7 @@
 ---
 title: Prepare a new HoloLens 2
 description: This guide walks through first time set up and hardware guide.
+keywords: hololens, lights, fit, comfort, parts
 ms.assetid: 02692dcf-aa22-4d1e-bd00-f89f51048e32
 ms.date: 9/17/2019
 keywords: hololens
@@ -20,7 +21,9 @@ The procedures below will help you set up a HoloLens 2 for the first time. ## Charge your HoloLens -Connect the power supply to the charging port by using the USB-C cable (included). Plug the power supply into a power outlet. +Connect the power supply to the charging port by using the USB-C cable (included). Plug the power supply into a power outlet. The power supply and USB-C-to-C cable that come with the device are the best way to charge your HoloLens 2. The charger supplies 18W of power (9V at 2A). + +Charging rate and speed may vary depending on the environment in which the device is running. - When the device is charging, the battery indicator lights up to indicate the current level of charge. The last light will fade in and out to indicate active charging. - When your HoloLens is on, the battery indicator displays the battery level in increments. 
@@ -62,9 +65,20 @@ To turn on your HoloLens 2, press the Power button. The LED lights below the Po | To turn off | Press and for hold 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. | -## HoloLens indicator lights +## HoloLens behavior reference -Not sure what the indicator lights on your HoloLens mean? Here's some help! +Not sure what the indicator lights on your HoloLens mean? Want to know how HoloLens should behave while charging? Here's some help! + +### Charging behavior + +| State of the Device | Action | HoloLens 2 will do this | +| - | - | - | +| OFF | Plug in USB Cable | Device transitions to ON with indicator lights showing battery level and device starts charging. +| ON | Remove USB Cable | Device stops charging +| ON | Plug in USB Cable | Device starts charging +| SLEEP | Plug in USB Cable | Device starts charging +| SLEEP | Remove USB Cable | Device stops charging +| ON with USB cable plugged in | Turn off Device | Device transitions to ON with indicator lights showing battery level and device will start charging | ### Lights that indicate the battery level 
@@ -76,12 +90,21 @@ Not sure what the indicator lights on your HoloLens mean? Here's some help! | One solid light, one light fading in and out | Between 40% and 21% | | One light fading in and out | Between 20% and 5% or lower (critical battery) | +### Sleep Behavior + +| State of the Device | Action | HoloLens 2 will do this | +| - | - | - | +| ON | Single Power button press | Device transitions to SLEEP and turns off all indicator lights | +| ON | No movement for 3 minutes | Device transition to SLEEP and turns off all indicator lights | +| SLEEP | Single Power button Press | Device transitions to ON and turns on indicator lights | + ### Lights to indicate problems | When you do this | The lights do this | It means this | | - | - | - | | You press the Power button. | One light flashes five times, then turns off. | The HoloLens battery is critically low. Charge your HoloLens. | -| You press the Power button. | All five lights flash five times, then turn off. | HoloLens cannot start correctly and is in an error state. | +| You press the Power button. | All five lights flash five times, then turn off. | HoloLens cannot start correctly and is in an error state. [Reinstall the operating system](hololens-recovery.md) to recover your device. | +| You press the Power button. | The 1st, 3rd, and 5th lights flash together continually. | HoloLens may have a hardware failure. To be sure, [reinstall the OS](hololens-recovery.md#hololens-2), and try again. After reinstalling the OS, if the light-flash pattern persists, contact [support](https://support.microsoft.com/en-us/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb). | ## Safety and comfort diff --git a/devices/hololens/images/20190322-DevicePortal.png b/devices/hololens/images/20190322-DevicePortal.png new file mode 100644 index 0000000000..7fdd2e34b3 Binary files /dev/null and b/devices/hololens/images/20190322-DevicePortal.png differ 
diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 2db4f6d0c9..6725da5e81 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -1,6 +1,6 @@ --- -title: Microsoft HoloLens (HoloLens) -description: Landing page for HoloLens commercial and enterprise management. +title: Microsoft HoloLens +description: Landing page Microsoft HoloLens. ms.prod: hololens ms.sitesec: library ms.assetid: 0947f5b3-8f0f-42f0-aa27-6d2cad51d040 @@ -8,7 +8,12 @@ author: scooley ms.author: scooley ms.topic: article ms.localizationpriority: medium -ms.date: 07/14/2019 +ms.date: 10/14/2019 +audience: ITPro +appliesto: +- HoloLens 1 +- HoloLens 2 + --- # Microsoft HoloLens @@ -21,33 +26,33 @@ ms.date: 07/14/2019

To learn more about HoloLens 2 for developers, check out the mixed reality developer documentation.

-HoloLens 2 side view +

To buy HoloLens, check out HoloLens pricing and sales on microsoft.com/HoloLens.

+ + +HoloLens 2 side view ## Guides in this section | Guide | Description | | --- | --- | -| [Get started with HoloLens](hololens1-setup.md) | Set up HoloLens for the first time. | -| [Deploy HoloLens in a commercial environment](hololens-requirements.md) | Configure HoloLens for scale enterprise deployment and ongoing device management. | -| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | -| [Get support](https://support.microsoft.com/products/hololens) |Connect with Microsoft support resources for HoloLens in enterprise. | +| [Get started with HoloLens 2](hololens2-setup.md) | Set up HoloLens 2 for the first time. | +| [Get started with HoloLens (1st gen)](hololens1-setup.md) | Set up HoloLens (1st gen) for the first time. | +| [Get started with HoloLens in a commercial or classroom environment](hololens-requirements.md) | Plan for a multi-device HoloLens deployment and create a strategy for ongoing device management.
This section is tailored to IT professionals managing devices with existing device management infrastructure. | ## Quick reference by topic | Topic | Description | | --- | --- | -| [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover new features in the latest updates. | -| [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | -| [HoloLens MDM support](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using Mobile Device Management (MDM) solutions like Microsoft Intune. | +| [What's new in HoloLens](hololens-whats-new.md) | Discover new features in the latest updates via HoloLens release notes. | +| [Install and manage applications on HoloLens](hololens-install-apps.md) | Install and manage important applications on HoloLens at scale. | | [HoloLens update management](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. | | [HoloLens user management](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. | | [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. | -| [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens. | -| [Install localized version of HoloLens](hololens1-install-localized.md) | Configure HoloLens for different locale. | +| [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | +| [Get support](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in enterprise. 
| ## Related resources * [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development) -* [HoloLens Commercial Suite](https://www.microsoft.com/microsoft-hololens/hololens-commercial) * [HoloLens release notes](https://developer.microsoft.com/windows/mixed-reality/release_notes) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 2f7fc9fd1f..aa2c651d1a 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -22,6 +22,8 @@ ## Deploy ### [Surface Hub 2S adoption and training](surface-hub-2s-adoption-kit.md) +### [Surface Hub 2S adoption videos](surface-hub-2s-adoption-videos.md) + ### [First time setup for Surface Hub 2S](surface-hub-2s-setup.md) ### [Connect devices to Surface Hub 2S](surface-hub-2s-connect.md) ### [Surface Hub 2S deployment checklist](surface-hub-2s-deploy-checklist.md) diff --git a/devices/surface-hub/surface-hub-2s-adoption-kit.md b/devices/surface-hub/surface-hub-2s-adoption-kit.md index 2058fcd918..78ec22ee3d 100644 --- a/devices/surface-hub/surface-hub-2s-adoption-kit.md +++ b/devices/surface-hub/surface-hub-2s-adoption-kit.md @@ -9,7 +9,7 @@ ms.author: greglin manager: laurawi audience: Admin ms.topic: article -ms.date: 08/22/2019 +ms.date: 11/04/2019 ms.localizationpriority: Medium --- @@ -17,6 +17,10 @@ ms.localizationpriority: Medium Whether you are a small or large business, a Surface Hub adoption plan is critical in generating the right use cases and helping your users become comfortable with the device. Check out these downloadable guides designed to help you deliver training across your organization. +## On-demand training + +- [Surface Hub 2S adoption and training videos](surface-hub-2s-adoption-videos.md) + ## Adoption toolkit - [Surface Hub adoption toolkit](downloads/SurfaceHubAdoptionToolKit.pdf) 
@@ -28,7 +32,7 @@ Whether you are a small or large business, a Surface Hub adoption plan is critic - [Training guide – help desk](downloads/TrainingGuide-SurfaceHub2S-HelpDesk.pdf) - [Training guide – Microsoft Teams desktop](downloads/Guide-SurfaceHub2S-Teams.pptx) -[Download all training guides](http://download.microsoft.com/download/2/2/3/2234F70E-E65A-4790-93DF-F4C373A75B8E/SurfaceHub2S-TrainerGuides-July2019.zip) +[Download all training guides](https://download.microsoft.com/download/2/2/3/2234F70E-E65A-4790-93DF-F4C373A75B8E/SurfaceHub2S-TrainerGuides-July2019.zip) ## End user guides @@ -37,7 +41,7 @@ Whether you are a small or large business, a Surface Hub adoption plan is critic - [Guide to Microsoft Whiteboard on Surface Hub](downloads/Guide-SurfaceHub2S-Whiteboard.pptx) - [Guide to Microsoft Teams on Surface Hub](downloads/Guide-SurfaceHub2S-Teams.pptx) -[Download all end user guides](http://download.microsoft.com/download/E/7/F/E7FC6611-BB55-43E1-AF36-7BD5CE6E0FE0/SurfaceHub2S-EndUserGuides-July2019.zip) +[Download all end user guides](https://download.microsoft.com/download/E/7/F/E7FC6611-BB55-43E1-AF36-7BD5CE6E0FE0/SurfaceHub2S-EndUserGuides-July2019.zip) ## Quick reference cards @@ -52,4 +56,4 @@ Whether you are a small or large business, a Surface Hub adoption plan is critic - [Whiteboard advanced](downloads/QRCWhiteboardAdvanced.pdf) - [Whiteboard tools](downloads/QRCWhiteboardTools.pdf) -[Download all quick reference cards](http://download.microsoft.com/download/E/7/F/E7FC6611-BB55-43E1-AF36-7BD5CE6E0FE0/SurfaceHub2S-EndUserGuides-July2019.zip) +[Download all quick reference cards](https://download.microsoft.com/download/E/7/F/E7FC6611-BB55-43E1-AF36-7BD5CE6E0FE0/SurfaceHub2S-EndUserGuides-July2019.zip) diff --git a/devices/surface-hub/surface-hub-2s-adoption-videos.md b/devices/surface-hub/surface-hub-2s-adoption-videos.md new file mode 100644 index 0000000000..67fa4e4570 --- /dev/null +++ b/devices/surface-hub/surface-hub-2s-adoption-videos.md 
@@ -0,0 +1,137 @@
+---
+title: "Surface Hub 2S on-demand adoption and training videos"
+description: "This page contains comprehensive training for Surface Hub 2S via on-demand streaming"
+keywords: separate values with commas
+ms.prod: surface-hub
+ms.sitesec: library
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+audience: Admin
+ms.topic: article
+ms.date: 11/04/2019
+ms.localizationpriority: Medium
+---
+
+# Surface Hub 2S on-demand adoption and training videos
+
+This page contains comprehensive training for Surface Hub 2S, available on demand.
+
+## Chapter 1 - Training overview
+
+> ![VIDEO ]
+
+- Welcome and introduction
+- Training overview and agenda
+- Software and technology reference
+- Surface Hub messaging
+- Industries and user roles
+- Overview of training services
+- Training best practices
+
+## Chapter 2 - Getting started with Surface Hub
+
+> ![VIDEO ]
+
+- What is Surface Hub?
+- Technical overview
+- Steelcase Roam and the mobility story
+- Surface Hub services
+- Getting started with Surface Hub
+- Gathering expectations
+
+## Chapter 3 - Navigating Surface Hub
+
+> ![VIDEO ]
+
+- Welcome screen
+- Start menu
+- Full screen
+- Clip to Whiteboard
+- Task bar menu
+- Teams/Skype
+- End Session
+
+## Chapter 4 - Whiteboarding and collaboration
+
+> ![VIDEO ]
+
+- Whiteboard introduction
+- Starting the Whiteboard
+- Whiteboard tools
+- Inserting pictures
+- Changing the background
+- Sharing the whiteboard
+- Export the Whiteboard
+
+## Chapter 5 - Exploring Surface Hub apps
+
+> ![VIDEO ]
+
+- Surface Hub apps introduction
+- PowerPoint overview
+- Microsoft Word
+- Microsoft Excel
+- Microsoft Edge
+
+## Chapter 6 - Advanced apps and Office 365
+
+> ![VIDEO ]
+
+- Advanced apps introduction
+- Microsoft Maps
+- Photos
+- Power BI
+- Sign in to Office 365
+- OneDrive
+- CoAuthor documents
+
+## Chapter 7 - Connecting devices
+
+> ![VIDEO ]
+
+- Connect introduction
+- Miracast overview
+- Touch and Pen Input
+- Wired connect overview
+- Line of Business app workflows
+- Troubleshooting Miracast and wired connect
+
+## Chapter 8 - Skype for Business meetings
+
+> ![VIDEO ]
+
+- Introduction to Skype for Business
+-Scheduling Skype for Business meetings
+- Start a meeting
+- Start an ad hoc meeting
+- Join a meeting on your calendar
+- Managing a Skype for Business meeting
+- Present content
+
+## Chapter 9 - Microsoft Teams meetings
+
+> ![VIDEO ]
+
+- Introduction to Microsoft Teams
+- Scheduling Microsoft Teams meetings
+- Start a meeting
+- Start an ad hoc meeting
+- Join a meeting on your calendar
+- Managing a Microsoft Teams meeting
+- Present content
+- Conclusion
+
+## Chapter 10 - Basic troubleshooting
+
+> ![VIDEO ]
+ +- Introduction to Surface Hub troubleshooting +- Application troubleshooting +- End Session +- Restart the device +- Power cycle the device +- Factory reset +- Settings +- Manage Surface Hub +- Conclusion \ No newline at end of file diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index 3fdc6c7cf0..e71d37def0 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md @@ -28,7 +28,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a ### Auto registration — Azure Active Directory Affiliated -When affiliating Surface Hub 2S with a tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. +When affiliating Surface Hub 2S with a tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). ## Windows 10 Team Edition settings diff --git a/devices/surface-hub/surface-hub-site-readiness-guide.md b/devices/surface-hub/surface-hub-site-readiness-guide.md index cf21867432..b3f42b32cf 100644 --- a/devices/surface-hub/surface-hub-site-readiness-guide.md +++ b/devices/surface-hub/surface-hub-site-readiness-guide.md 
@@ -99,8 +99,8 @@ There are three ways to mount your Surface Hub: For specifications on available mounts for the original Surface Hub, see the following: -- [Surface Hub Mounts and Stands Datasheet](http://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) -- [Surface Hub Stand and Wall Mount Specifications](http://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) +- [Surface Hub Mounts and Stands Datasheet](https://download.microsoft.com/download/5/0/1/501F98D9-1BCC-4448-A1DB-47056CEE33B6/20160711_Surface_Hub_Mounts_and_Stands_Datasheet.pdf) +- [Surface Hub Stand and Wall Mount Specifications](https://download.microsoft.com/download/7/A/7/7A75BD0F-5A46-4BCE-B313-A80E47AEB581/20160720_Combined_Stand_Wall_Mount_Drawings.pdf) ## The Connect experience diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md index 48b26edcc5..c5d75cda00 100644 --- a/devices/surface/battery-limit.md +++ b/devices/surface/battery-limit.md 
@@ -6,22 +6,26 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: dansimp -ms.date: 10/02/2018 +ms.date: 10/31/2019 ms.reviewer: manager: dansimp ms.author: dansimp ms.topic: article +ms.localizationpriority: medium +ms.audience: itpro --- # Battery Limit setting Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. This setting is recommended in cases in which the device is continuously connected to power, for example when devices are integrated into kiosk solutions. -## Battery Limit information +## How Battery Limit works Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity. -Adding the Battery Limit option to Surface UEFI requires a [Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device. Currently, Battery Limit is supported on a subset of Surface devices and will be available in the future on other Surface device models. +## Supported devices +The Battery Limit UEFI setting is built into the latest Surface devices including Surface Pro 7 and Surface Laptop 3. 
Earlier devices require a + [Surface UEFI firmware update](update.md), available through Windows Update or via the MSI driver and firmware packages on the [Surface Support site](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface). Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each supported device. ## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later) diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md index 1bdd0dac8d..cf84fec23c 100644 --- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md +++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md 
@@ -11,17 +11,14 @@ ms.author: dansimp ms.topic: article ms.localizationpriority: medium ms.audience: itpro -ms.date: 10/21/2019 +ms.date: 10/24/2019 ms.reviewer: manager: dansimp --- # Considerations for Surface and System Center Configuration Manager -Fundamentally, management and deployment of Surface devices with System Center Configuration Manager is the same as the management and deployment of any other PC. Like any other PC, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device. - -> [!NOTE] -> SCCM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). +Fundamentally, management and deployment of Surface devices with System Center Configuration Manager (SCCM) is the same as the management and deployment of any other PC. Like other PCs, a deployment to Surface devices includes importing drivers, importing a Windows image, preparing a deployment task sequence, and then deploying the task sequence to a collection. After deployment, Surface devices are like any other Windows client – to publish apps, settings, and policies, you use the same process that you would use for any other device. You can find more information about how to use Configuration Manager to deploy and manage devices in the [Documentation for System Center Configuration Manager](https://docs.microsoft.com/sccm/index). 
@@ -30,6 +27,11 @@ Although the deployment and management of Surface devices is fundamentally the s >[!NOTE] >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager. +## Support for Surface Pro X +Beginning in version 1802, SCCM includes client management support for Surface Pro X. Note however that running the SCCM agent on Surface Pro X may accelerate battery consumption. In addition, SCCM operating system deployment is not supported on Surface Pro X. For more information, refer to: +- [What's new in version 1802 of System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802) +- [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) + ## Updating Surface device drivers and firmware For devices that receive updates through Windows Update, drivers for Surface components – and even firmware updates – are applied automatically as part of the Windows Update process. For devices with managed updates, such as those updated through Windows Server Update Services (WSUS), the option to install drivers and firmware through Windows Update is not available. For these managed devices, the recommended driver management process is the deployment of driver and firmware updates using the Windows Installer (.msi) files, which are provided through the Microsoft Download Center. You can find a list of these downloads at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index 08149e26b7..68749b654c 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -11,6 +11,8 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.topic: article +ms.localizationpriority: medium +ms.audience: itpro --- # Deploy Surface devices 
@@ -39,19 +41,7 @@ Learn about about deploying ARM- and Intel-based Surface devices. | [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. | [Battery Limit setting](battery-limit.md) | Learn how to use Battery Limit, a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. - - -  - ## Related topics -[Surface for IT pros blog](http://blogs.technet.com/b/surface/) - -  - -  - - - - +[Surface IT Pro Blog](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro) diff --git a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md index 3fa2512ccf..855d637526 100644 --- a/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md +++ b/devices/surface/enable-surface-keyboard-for-windows-pe-deployment.md @@ -9,12 +9,15 @@ ms.sitesec: library author: Teresa-Motiv ms.author: v-tea ms.topic: article -ms.date: 10/2/2019 +ms.date: 10/31/2019 ms.reviewer: scottmca +ms.localizationpriority: medium +ms.audience: itpro manager: jarrettr appliesto: - Surface Laptop (1st Gen) - Surface Laptop 2 +- Surface Laptop 3 --- # How to enable the Surface Laptop keyboard during MDT deployment 
@@ -30,44 +33,77 @@ On most types of Surface devices, the keyboard should work during Lite Touch Ins To add the keyboard drivers to the selection profile, follow these steps: 1. Download the latest Surface Laptop MSI file from the appropriate locations: - - [Surface Laptop (1st Gen) Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=55489) - - [Surface Laptop 2 Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=57515) + - [Surface Laptop (1st Gen) Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=55489) + - [Surface Laptop 2 Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=57515) + - [Surface Laptop 3 with Intel Processor Drivers and Firmware](https://www.microsoft.com/download/details.aspx?id=100429) -1. Extract the contents of the Surface Laptop MSI file to a folder that you can easily locate (for example, c:\surface_laptop_drivers). To extract the contents, open an elevated Command Prompt window and run the following command: +2. Extract the contents of the Surface Laptop MSI file to a folder that you can easily locate (for example, c:\surface_laptop_drivers). To extract the contents, open an elevated Command Prompt window and run the command from the following example: ```cmd Msiexec.exe /a SurfaceLaptop_Win10_15063_1703008_1.msi targetdir=c:\surface_laptop_drivers /qn ``` -1. Open the Deployment Workbench and expand the **Deployment Shares** node and your deployment share, then navigate to the **WindowsPEX64** folder. +3. Open the Deployment Workbench and expand the **Deployment Shares** node and your deployment share, then navigate to the **WindowsPEX64** folder. ![Image that shows the location of the WindowsPEX64 folder in the Deployment Workbench](./images/surface-laptop-keyboard-1.png) -1. Right-click the **WindowsPEX64** folder and select **Import Drivers**. -1. 
Follow the instructions in the Import Driver Wizard to import the driver folders into the WindowsPEX64 folder. - - To support Surface Laptop (1st Gen), import the following folders: - - SurfacePlatformInstaller\Drivers\System\GPIO - - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver - - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver - - To support Surface Laptop 2, import the following folders: - - SurfacePlatformInstaller\Drivers\System\GPIO - - SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver - - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver - - SurfacePlatformInstaller\Drivers\System\I2C - - SurfacePlatformInstaller\Drivers\System\SPI - - SurfacePlatformInstaller\Drivers\System\UART +4. Right-click the **WindowsPEX64** folder and select **Import Drivers**. +5. Follow the instructions in the Import Driver Wizard to import the driver folders into the WindowsPEX64 folder. -1. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following: +> [!NOTE] +> Check the downloaded MSI package to determine the format and directory structure. The directory structure will start with either SurfacePlatformInstaller (older MSI files) or SurfaceUpdate (Newer MSI files) depending on when the MSI was released. 
+ +To support Surface Laptop (1st Gen), import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHidMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + +Or for newer MSI files beginning with "SurfaceUpdate", use: + +- SurfaceUpdate\SerialIOGPIO +- SurfaceUpdate\SurfaceHidMiniDriver +- SurfaceUpdate\SurfaceSerialHubDriver + +To support Surface Laptop 2, import the following folders: + + - SurfacePlatformInstaller\Drivers\System\GPIO + - SurfacePlatformInstaller\Drivers\System\SurfaceHIDMiniDriver + - SurfacePlatformInstaller\Drivers\System\SurfaceSerialHubDriver + - SurfacePlatformInstaller\Drivers\System\I2C + - SurfacePlatformInstaller\Drivers\System\SPI + - SurfacePlatformInstaller\Drivers\System\UART + +Or for newer MSI files beginning with "SurfaceUpdate", use: + +- SurfaceUpdate\SerialIOGPIO +- SurfaceUpdate\IclSerialIOI2C +- SurfaceUpdate\IclSerialIOSPI +- SurfaceUpdate\IclSerialIOUART +- SurfaceUpdate\SurfaceHidMini +- SurfaceUpdate\SurfaceSerialHub + + +To support Surface Laptop 3 with Intel Processor, import the following folders: + +- SurfaceUpdate\IclSerialIOGPIO +- SurfaceUpdate\IclSerialIOI2C +- SurfaceUpdate\IclSerialIOSPI +- SurfaceUpdate\IclSerialIOUART +- SurfaceUpdate\SurfaceHidMini +- SurfaceUpdate\SurfaceSerialHub +- SurfaceUpdate\SurfaceHotPlug + + +6. Verify that the WindowsPEX64 folder now contains the imported drivers. The folder should resemble the following: ![Image that shows the newly imported drivers in the WindowsPEX64 folder of the Deployment Workbench](./images/surface-laptop-keyboard-2.png) -1. Configure a selection profile that uses the WindowsPEX64 folder. The selection profile should resemble the following: +7. Configure a selection profile that uses the WindowsPEX64 folder. 
The selection profile should resemble the following: ![Image that shows the WindowsPEX64 folder selected as part of a selection profile](./images/surface-laptop-keyboard-3.png) -1. Configure the Windows PE properties of the MDT deployment share to use the new selection profile, as follows: +8. Configure the Windows PE properties of the MDT deployment share to use the new selection profile, as follows: - For **Platform**, select **x64**. - For **Selection profile**, select the new profile. @@ -75,7 +111,7 @@ To add the keyboard drivers to the selection profile, follow these steps: ![Image that shows the Windows PE properties of the MDT Deployment Share](./images/surface-laptop-keyboard-4.png) -1. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable. +9. Verify that you have configured the remaining Surface Laptop drivers by using either a selection profile or a **DriverGroup001** variable. - For Surface Laptop (1st Gen), the model is **Surface Laptop**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop folder as shown in the figure that follows this list. - For Surface Laptop 2, the model is **Surface Laptop 2**. The remaining Surface Laptop drivers should reside in the \MDT Deployment Share\Out-of-Box Drivers\Windows10\X64\Surface Laptop 2 folder. diff --git a/devices/surface/get-started.md b/devices/surface/get-started.md index 7f694266e4..ff37d7a72e 100644 --- a/devices/surface/get-started.md +++ b/devices/surface/get-started.md 
@@ -14,7 +14,7 @@ ms.localizationpriority: High --- # Get started with Surface devices -Harness the power of Surface, Windows,and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization. +Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface for Business devices in your organization.
  •
@@ -29,7 +29,7 @@ Harness the power of Surface, Windows,and Office connected together through the
@@ -86,8 +86,8 @@ Harness the power of Surface, Windows,and Office connected together through the
@@ -105,6 +105,8 @@ Harness the power of Surface, Windows,and Office connected together through the
diff --git a/devices/surface/images/df1.png b/devices/surface/images/df1.png
index 3f5b4e1bee..cd55014d27 100644
Binary files a/devices/surface/images/df1.png and b/devices/surface/images/df1.png differ
diff --git a/devices/surface/images/manage-surface-uefi-fig5a.png b/devices/surface/images/manage-surface-uefi-fig5a.png
new file mode 100644
index 0000000000..7baecb2fff
Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig5a.png differ
diff --git a/devices/surface/images/manage-surface-uefi-fig7a.png b/devices/surface/images/manage-surface-uefi-fig7a.png
new file mode 100644
index 0000000000..62e6536ea8
Binary files /dev/null and b/devices/surface/images/manage-surface-uefi-fig7a.png differ
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index 225135d993..5e14c8444d 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -10,6 +10,8 @@ ms.author: dansimp
 ms.topic: article
 ms.reviewer:
 manager: dansimp
+ms.localizationpriority: medium
+ms.audience: itpro
 ---
 
 # Long-Term Servicing Channel (LTSC) for Surface devices
@@ -28,23 +30,7 @@ General-purpose Surface devices are intended to run on the Semi-Annual Channel t Surface devices in specialized scenarios–such as PCs that control medical equipment, point-of-sale systems, and ATMs–might consider the use of LTSC. These special-purpose systems typically perform a single task and do not require feature updates as frequently as other devices in the organization. - - - - ## Related topics -- [Surface TechCenter](https://technet.microsoft.com/windows/surface) - -- [Surface for IT pros blog](http://blogs.technet.com/b/surface/) - - - -  - -  - - - - +- [Surface IT Pro Blog](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro) diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index ede174d674..e43a14a63b 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -1,6 +1,6 @@ --- title: Best practice power settings for Surface devices -description: This topic provides best practice recommendations for maintaining optimal power settings and explains how Surface streamlines the power management experience. +description: This topic provides best practice recommendations for maintaining optimal power settings and explains how Surface streamlines the power management experience. This article applies to all currently supported Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -9,7 +9,9 @@ ms.author: dansimp ms.topic: article ms.reviewer: manager: dansimp -ms.date: 08/21/2019 +ms.localizationpriority: medium +ms.audience: itpro +ms.date: 10/28/2019 --- # Best practice power settings for Surface devices 
@@ -49,7 +51,7 @@ module (SAM). The SAM chip functions as the Surface device power-policy owner, using algorithms to calculate optimal power requirements. It works in conjunction with Windows power manager to allocate or throttle only the exact amount of power required for hardware components to -function. +function. This article applies to all currently supported Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3. ## Utilizing the custom power profile in Surface diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index 4de1914275..d205908048 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md 
@@ -17,22 +17,25 @@ manager: dansimp # Manage Surface UEFI settings -Current and future generations of Surface devices, including Surface Pro 7, Surface Book 2, and Surface Studio 2,use a unique UEFI firmware engineered by Microsoft specifically for these devices. This firmware allows for significantly greater control of the device’s operation over firmware versions in earlier generation Surface devices, including the support for touch, mouse, and keyboard operation. By using the Surface UEFI settings you can easily enable or disable internal devices or components, configure security to protect UEFI settings from being changed, and adjust the Surface device boot settings. - ->[!NOTE] ->Surface Pro 3, Surface 3, Surface Pro 2, Surface 2, Surface Pro, and Surface do not use the Surface UEFI and instead use firmware provided by third-party manufacturers, such as AMI. - -You can enter the Surface UEFI settings on your Surface device by pressing the **Volume Up** button and the **Power** button simultaneously. Hold the **Volume Up** button until the Surface logo is displayed, which indicates that the device has begun to boot. +All current and future generations of Surface devices use a unique Unified Extensible Firmware Interface (UEFI) engineered by Microsoft specifically for these devices. Surface UEFI settings provide the ability to enable or disable built-in devices and components, protect UEFI settings from being changed, and adjust the Surface device boot settings. ## Support for cloud-based management + With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. 
DFCI is currently available for Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information, refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). +## Open Surface UEFI menu -## PC information +To adjust UEFI settings during system startup: -On the **PC information** page, detailed information about your Surface device is provided: +1. Shut down your Surface and wait about 10 seconds to make sure it's off. +2. Press and hold the **Volume-up** button and - at the same time - press and release the **Power button.** +3. As the Microsoft or Surface logo appears on your screen, continue to hold the **Volume-up** button until the UEFI screen appears. -- **Model** – Your Surface device’s model will be displayed here, such as Surface Book or Surface Pro 4. The exact configuration of your device is not shown, (such as processor, disk size, or memory size). +## UEFI PC information page + +The PC information page includes detailed information about your Surface device: + +- **Model** – Your Surface device’s model will be displayed here, such as Surface Book 2 or Surface Pro 7. The exact configuration of your device is not shown, (such as processor, disk size, or memory size). - **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. - **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios. 
@@ -56,9 +59,9 @@ You will also find detailed information about the firmware of your Surface devic You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) for your device. -## Security +## UEFI Security page -On the **Security** page of Surface UEFI settings, you can set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): +The Security page allows you to set a password to protect UEFI settings. This password must be entered when you boot the Surface device to UEFI. The password can contain the following characters (as shown in Figure 2): - Uppercase letters: A-Z 
@@ -74,21 +77,21 @@ The password must be at least 6 characters and is case sensitive. *Figure 2. Add a password to protect Surface UEFI settings* -On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library. +On the Security page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library. ![Configure Secure Boot](images/manage-surface-uefi-fig3.png "Configure Secure Boot") *Figure 3. Configure Secure Boot* -You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. +You can also enable or disable the Trusted Platform Module (TPM) device on the Security page, as shown in Figure 4. 
The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library. ![Configure Surface UEFI security settings](images/manage-surface-uefi-fig4.png "Configure Surface UEFI security settings") *Figure 4. Configure Surface UEFI security settings* -## Devices +## UEFI menu: Devices -On the **Devices** page you can enable or disable specific devices and components of your Surface device. Devices that you can enable or disable on this page include: +The Devices page allows you to enable or disable specific devices and components including: - Docking and USB Ports @@ -106,13 +109,13 @@ On the **Devices** page you can enable or disable specific devices and component Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5. -![Enable and disable specific devices](images/manage-surface-uefi-fig5.png "Enable and disable specific devices") +![Enable and disable specific devices](images/manage-surface-uefi-fig5a.png "Enable and disable specific devices") *Figure 5. Enable and disable specific devices* -## Boot configuration +## UEFI menu: Boot configuration -On the **Boot Configuration** page, you can change the order of your boot devices and/or enable or disable boot of the following devices: +The Boot Configuration page allows you to change the order of your boot devices as well as enable or disable boot of the following devices: - Windows Boot Manager 
@@ -132,68 +135,83 @@ For the specified boot order to take effect, you must set the **Enable Alternate You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only. +## UEFI menu: Management +The Management page allows you to manage use of Zero Touch UEFI Management and other features on eligible devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3. -## Exit +![Manage access to Zero Touch UEFI Management and other features](images/manage-surface-uefi-fig7a.png "Manage access to Zero Touch UEFI Management and other features") +*Figure 7. Manage access to Zero Touch UEFI Management and other features* -Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 7. + +Zero Touch UEFI Management lets you remotely manage UEFI settings by using a device profile within Intune called Device Firmware Configuration Interface (DFCI). If you do not configure this setting, the ability to manage eligible devices with DFCI is set to **Ready**. To prevent DFCI, select **Opt-Out**. + +> [!NOTE] +> The UEFI Management settings page and use of DFCI is only available on Surface Pro 7, Surface Pro X, and Surface Laptop 3. + +For more information, refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). + +## UEFI menu: Exit + +Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8. ![Exit Surface UEFI and restart the device](images/manage-surface-uefi-fig7.png "Exit Surface UEFI and restart the device") -*Figure 7. Click Restart Now to exit Surface UEFI and restart the device* +*Figure 8. 
Click Restart Now to exit Surface UEFI and restart the device* ## Surface UEFI boot screens -When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each component’s progress bar is shown in Figures 8 through 17. +When you update Surface device firmware, by using either Windows Update or manual installation, the updates are not applied immediately to the device, but instead during the next reboot cycle. You can find out more about the Surface firmware update process in [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). The progress of the firmware update is displayed on a screen with progress bars of differing colors to indicate the firmware for each component. Each component’s progress bar is shown in Figures 9 through 18. ![Surface UEFI firmware update with blue progress bar](images/manage-surface-uefi-fig8.png "Surface UEFI firmware update with blue progress bar") -*Figure 8. The Surface UEFI firmware update displays a blue progress bar* +*Figure 9. The Surface UEFI firmware update displays a blue progress bar* ![System Embedded Controller firmware with green progress bar](images/manage-surface-uefi-fig9.png "System Embedded Controller firmware with green progress bar") -*Figure 9. The System Embedded Controller firmware update displays a green progress bar* +*Figure 10. 
The System Embedded Controller firmware update displays a green progress bar* ![SAM Controller firmware update with orange progress bar](images/manage-surface-uefi-fig10.png "SAM Controller firmware update with orange progress bar") -*Figure 10. The SAM Controller firmware update displays an orange progress bar* +*Figure 11. The SAM Controller firmware update displays an orange progress bar* ![Intel Management Engine firmware with red progress bar](images/manage-surface-uefi-fig11.png "Intel Management Engine firmware with red progress bar") -*Figure 11. The Intel Management Engine firmware update displays a red progress bar* +*Figure 12. The Intel Management Engine firmware update displays a red progress bar* ![Surface touch firmware with gray progress bar](images/manage-surface-uefi-fig12.png "Surface touch firmware with gray progress bar") -*Figure 12. The Surface touch firmware update displays a gray progress bar* +*Figure 13. The Surface touch firmware update displays a gray progress bar* ![Surface KIP firmware with light green progress bar](images/manage-surface-uefi-fig13.png "Surface touch firmware with light green progress bar") -*Figure 13. The Surface KIP firmware update displays a light green progress bar* +*Figure 14. The Surface KIP firmware update displays a light green progress bar* ![Surface ISH firmware with pink progress bar](images/manage-surface-uefi-fig14.png "Surface ISH firmware with pink progress bar") -*Figure 14. The Surface ISH firmware update displays a light pink progress bar* +*Figure 15. The Surface ISH firmware update displays a light pink progress bar* ![Surface Trackpad firmware with gray progress bar](images/manage-surface-uefi-fig15.png "Surface Trackpad firmware with gray progress bar") -*Figure 15. The Surface Trackpad firmware update displays a pink progress bar* +*Figure 16. 
The Surface Trackpad firmware update displays a pink progress bar* ![Surface TCON firmware with light gray progress bar](images/manage-surface-uefi-fig16.png "Surface TCON firmware with light gray progress bar") -*Figure 16. The Surface TCON firmware update displays a light gray progress bar* +*Figure 17. The Surface TCON firmware update displays a light gray progress bar* ![Surface TPM firmware with light purple progress bar](images/manage-surface-uefi-fig17.png "Surface TPM firmware with purple progress bar") -*Figure 17. The Surface TPM firmware update displays a purple progress bar* +*Figure 18. The Surface TPM firmware update displays a purple progress bar* >[!NOTE] ->An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 18. +>An additional warning message that indicates Secure Boot is disabled is displayed, as shown in Figure 19. ![Surface boot screen that indicates Secure Boot has been disabled](images/manage-surface-uefi-fig18.png "Surface boot screen that indicates Secure Boot has been disabled") -*Figure 18. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings* +*Figure 19. Surface boot screen that indicates Secure Boot has been disabled in Surface UEFI settings* ## Related topics -[Advanced UEFI security features for Surface Pro 3](advanced-uefi-security-features-for-surface-pro-3.md) +- [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) + +- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) \ No newline at end of file diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 4a37b1fd9d..8c512f48c2 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md 
@@ -8,9 +8,11 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 1/15/2019
+ms.date: 10/31/2019
 ms.reviewer: hachidan
 manager: dansimp
+ms.localizationpriority: medium
+ms.audience: itpro
 ---
 
 # Surface Brightness Control
diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md
index ce9f38dfc2..7fbd031cf5 100644
--- a/devices/surface/microsoft-surface-deployment-accelerator.md
+++ b/devices/surface/microsoft-surface-deployment-accelerator.md
@@ -4,7 +4,7 @@ description: Microsoft Surface Deployment Accelerator provides a quick and simpl
 ms.assetid: E7991E90-4AAE-44B6-8822-58BFDE3EADE4
 ms.reviewer: hachidan
 manager: dansimp
-ms.date: 07/27/2017
+ms.date: 10/31/2019
 ms.localizationpriority: medium
 keywords: deploy, install, tool
 ms.prod: w10
@@ -19,16 +19,13 @@ ms.audience: itpro # Microsoft Surface Deployment Accelerator - Microsoft Surface Deployment Accelerator (SDA) automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. > [!NOTE] -> SDA is not currently supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). +> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution. -You can find more information about how to deploy to Surface devices, including step-by-step walkthroughs of customized deployment solution implementation, on the Deploy page of the [Surface TechCenter](https://technet.microsoft.com/windows/dn913725). - **Download Microsoft Surface Deployment Accelerator** You can download the installation files for SDA from the Microsoft Download Center. To download the installation files: diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index 956924345f..488bd63a15 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md 
@@ -13,13 +13,16 @@ ms.sitesec: library
 author: dansimp
 ms.author: dansimp
 ms.topic: article
-ms.date: 07/27/2017
+ms.date: 10/31/2019
 ---
 
 # Step by step: Surface Deployment Accelerator
 
 This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE).
 
+> [!NOTE]
+> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
+
 ## How to install Surface Deployment Accelerator
 
 For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md).
diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md
index 51db33fb4e..8dd12ede7c 100644
--- a/devices/surface/support-solutions-surface.md
+++ b/devices/surface/support-solutions-surface.md
@@ -14,6 +14,7 @@ ms.author: dansimp
 ms.topic: article
 ms.date: 09/26/2019
 ms.localizationpriority: medium
+ms.audience: itpro
 ---
 
 # Top support solutions for Surface devices
@@ -47,7 +48,7 @@ These are the top Microsoft Support solutions for common issues experienced when
 
 - [Troubleshoot connecting Surface to a second screen](https://support.microsoft.com/help/4023496)
 
-- [Microsoft Surface Dock Updater](https://docs.microsoft.com/surface/surface-dock-updater)
+- [Microsoft Surface Dock Firmware Update](https://docs.microsoft.com/surface/surface-dock-updater)
 
 ## Surface Drivers and Firmware
 
diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md
index 28726e9c2d..62c4129d08 100644
--- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -3,12 +3,12 @@ title: Deploy Surface Diagnostic Toolkit for Business description: This topic explains how to use the Surface Diagnostic Toolkit for Business. ms.prod: w10 ms.mktglfcycl: manage -ms.localizationpriority: normal +ms.localizationpriority: medium ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 09/27/2019 +ms.date: 10/31/2019 ms.reviewer: hachidan manager: dansimp ms.audience: itpro @@ -172,9 +172,10 @@ You can select to run a wide range of logs across applications, drivers, hardwar ## Changes and updates ### Version 2.43.139.0 *Release date: October 21, 2019*
    -This version of Surface Diagnostic Toolkit for Business adds support for the following: --Surface Pro 7 --Surface Laptop 3 +This version of Surface Diagnostic Toolkit for Business adds support for the following: + +- Surface Pro 7 +- Surface Laptop 3 ### Version 2.42.139.0 *Release date: September 24, 2019*
    diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md index 7359067813..f1e3460df4 100644 --- a/devices/surface/surface-diagnostic-toolkit-command-line.md +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -16,7 +16,7 @@ ms.audience: itpro # Run Surface Diagnostic Toolkit for Business using commands -Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. +Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md). >[!NOTE] >To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device. diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md index 4d8b505670..738ec1ecae 100644 --- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md +++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md 
@@ -7,36 +7,34 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 11/15/2018 +ms.date: 10/31/2019 ms.reviewer: hachidan manager: dansimp -ms.localizationpriority: normal +ms.localizationpriority: medium ms.audience: itpro --- # Use Surface Diagnostic Toolkit for Business in desktop mode -This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. +This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. For a list of supported Surface devices in SDT, refer to [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md). + 1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests. 2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1. ![Start SDT in desktop mode](images/sdt-desk-1.png) - - *Figure 1. SDT in desktop mode* +*Figure 1. SDT in desktop mode* 3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2. ![Select from SDT options](images/sdt-desk-2.png) - - *Figure 2. Select from SDT options* +*Figure 2. Select from SDT options* 4. You can choose to run all the diagnostic tests. 
Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test. ![Select hardware tests](images/sdt-desk-3.png) - - *Figure 3. Select hardware tests* +*Figure 3. Select hardware tests* Hardware test | Description --- | --- @@ -55,6 +53,7 @@ This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help user + ## Running multiple hardware tests to troubleshoot issues SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4. @@ -62,7 +61,6 @@ SDT is designed as an interactive tool that runs a series of tests. For each tes For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it. ![Running hardware diagnostics](images/sdt-desk-4.png) - *Figure 4. Running hardware diagnostics* 1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**. 
@@ -75,24 +73,18 @@ For each test, if functionality does not work as expected and the user clicks ** SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5. ![Running repairs](images/sdt-desk-5.png) - *Figure 5. Running repairs* - - - - + ### Generating logs for analyzing issues SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6. ![Generating logs](images/sdt-desk-6.png) - *Figure 6. Generating logs* - - + ### Generating detailed report comparing device vs. optimal configuration Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location. diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 35c9b5f49f..df3918d715 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -10,7 +10,7 @@ ms.topic: article ms.date: 06/11/2019 ms.reviewer: cottmca manager: dansimp -ms.localizationpriority: normal +ms.localizationpriority: medium ms.audience: itpro --- diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 7e2d530d26..0387d061e1 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -8,7 +8,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 09/18/2019 +ms.date: 10/09/2019 ms.reviewer: scottmca manager: dansimp ms.audience: itpro 
@@ -50,8 +50,14 @@ You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firm > [!NOTE] > A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" +> [!NOTE] +> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]" + For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation. +> [!IMPORTANT] +> If you want to keep your Surface Dock updated using any other method, refer to [Update your Surface Dock](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) for details. + ## Intune deployment You can use Intune to distribute Surface Dock Firmware Update to your devices. First you will need to convert the MSI file to the .intunewin format, as described in the following documentation: [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps/apps-win32-app-management). diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 32c1f38406..de1879bcba 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 01/06/2017 -ms.reviewer: +ms.date: 10/31/2019 +ms.reviewer: scottmca manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Microsoft Surface Enterprise Management Mode 
@@ -19,12 +21,14 @@ manager: dansimp Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. >[!NOTE] ->SEMM is only available on devices with Surface UEFI firmware such as Surface Pro 4 and later, Surface Go, Surface Laptop, Surface Book, and Surface Studio. For more information about Surface UEFI, see [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings). +>SEMM is only available on devices with Surface UEFI firmware. + When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm). + ## Microsoft Surface UEFI Configurator The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown in Figure 1. 
Microsoft Surface UEFI Configurator is a tool that is used to create Windows Installer (.msi) packages or WinPE images that are used to enroll, configure, and unenroll SEMM on a Surface device. These packages contain a configuration file where the settings for UEFI are specified. SEMM packages also contain a certificate that is installed and stored in firmware and used to verify the signature of configuration files before UEFI settings are applied. @@ -33,8 +37,6 @@ The primary workspace of SEMM is Microsoft Surface UEFI Configurator, as shown i *Figure 1. Microsoft Surface UEFI Configurator* ->[!NOTE] ->Windows 10 is required to run Microsoft Surface UEFI Configurator You can use the Microsoft Surface UEFI Configurator tool in three modes: 
@@ -62,17 +64,9 @@ See the [Surface Enterprise Management Mode certificate requirements](#surface-e After a device is enrolled in SEMM, the configuration file is read and the settings specified in the file are applied to UEFI. When you run a configuration package on a device that is already enrolled in SEMM, the signature of the configuration file is checked against the certificate that is stored in the device firmware. If the signature does not match, no changes are applied to the device. -You can use Surface UEFI settings to enable or disable the operation of individual components, such as cameras, wireless communication, or docking USB port (as shown in Figure 3), and configure advanced settings (as shown in Figure 4). +### Enable or disable devices in Surface UEFI with SEMM -![Enable or disable devices in Surface UEFI with SEMM](images/surface-ent-mgmt-fig3-enabledisable.png "Enable or disable devices in Surface UEFI with SEMM") - -*Figure 3. Enable or disable devices in Surface UEFI with SEMM* - -![Configure advanced settings in SEMM](images/surface-ent-mgmt-fig4-advancedsettings.png "Configure advanced settings in SEMM") - -*Figure 4. Configure advanced settings with SEMM* - -You can enable or disable the following devices with SEMM: +The following list shows all the available devices you can manage in SEMM: * Docking USB Port * On-board Audio 
@@ -86,31 +80,40 @@ You can enable or disable the following devices with SEMM: * Wi-Fi and Bluetooth * LTE -You can configure the following advanced settings with SEMM: + >[!NOTE] +>The built-in devices that appear in the UEFI Devices page may vary depending on your device or corporate environment. For example, the UEFI Devices page is not supported on Surface Pro X; LTE only appears on LTE-equipped devices. +### Configure advanced settings with SEMM +**Table 1. Advanced settings** + +| Setting | Description | +| ---------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| IPv6 for PXE Boot | Allows you to manage Ipv6 support for PXE boot. If you do not configure this setting, IPv6 support for PXE boot is disabled. | +| Alternate Boot | Allows you to manage use of an Alternate boot order to boot directly to a USB or Ethernet device by pressing both the Volume Down button and Power button during boot. If you do not configure this setting, Alternate boot is enabled. | +| Boot Order Lock | Allows you to lock the boot order to prevent changes. If you do not configure this setting, Boot Order Lock is disabled. | +| USB Boot | Allows you to manage booting to USB devices. If you do not configure this setting, USB Boot is enabled. | +| Network Stack | Allows you to manage Network Stack boot settings. If you do not configure this setting, the ability to manage Network Stack boot settings is enabled. | +| Auto Power On | Allows you to manage Auto Power On boot settings. If you do not configure this setting, Auto Power on is enabled. | +| Simultaneous Multi-Threading (SMT) | Allows you to manage Simultaneous Multi-Threading (SMT) to enable or disable hyperthreading. If you do not configure this setting, SMT is enabled. | +|Enable Battery limit| Allows you to manage Battery limit functionality. 
If you do not configure this setting, Battery limit is enabled | +| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. | +| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. | +| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. | +| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. | + -* IPv6 support for PXE boot -* Alternate boot order, where the Volume Down button and Power button can be pressed together during boot, to boot directly to a USB or Ethernet device -* Lock the boot order to prevent changes -* Support for booting to USB devices -* Enable Network Stack boot settings -* Enable Auto Power On boot settings -* Display of the Surface UEFI **Security** page -* Display of the Surface UEFI **Devices** page -* Display of the Surface UEFI **Boot** page -* Display of the Surface UEFI **DateTime** page >[!NOTE] ->When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 5. +>When you create a SEMM configuration package, two characters are shown on the **Successful** page, as shown in Figure 3. ![Certificate thumbprint display](images/surface-ent-mgmt-fig5-success.png "Certificate thumbprint display") -*Figure 5. Display of the last two characters of the certificate thumbprint on the Successful page* +*Figure 3. Display of the last two characters of the certificate thumbprint on the Successful page* -These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 6. 
+These characters are the last two characters of the certificate thumbprint and should be written down or recorded. The characters are required to confirm enrollment in SEMM on a Surface device, as shown in Figure 4. ![Enrollment confirmation in SEMM](images/surface-ent-mgmt-fig6-enrollconfirm.png "Enrollment confirmation in SEMM") -*Figure 6. Enrollment confirmation in SEMM with the SEMM certificate thumbprint* +*Figure 4. Enrollment confirmation in SEMM with the SEMM certificate thumbprint* >[!NOTE] >Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process: 
@@ -132,11 +135,11 @@ A Surface UEFI reset package is used to perform only one task — to unenroll a ### Recovery request -In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 7) with a Recovery Request operation. +In some scenarios, it may be impossible to use a Surface UEFI reset package. (For example, if Windows becomes unusable on the Surface device.) In these scenarios you can unenroll the Surface device from SEMM through the **Enterprise Management** page of Surface UEFI (shown in Figure 5) with a Recovery Request operation. ![Initiate a SEMM recovery request](images/surface-ent-mgmt-fig7-semmrecovery.png "Initiate a SEMM recovery request") -*Figure 7. Initiate a SEMM recovery request on the Enterprise Management page* +*Figure 5. Initiate a SEMM recovery request on the Enterprise Management page* When you use the process on the **Enterprise Management** page to reset SEMM on a Surface device, you are provided with a Reset Request. This Reset Request can be saved as a file to a USB drive, copied as text, or read as a QR Code with a mobile device to be easily emailed or messaged. Use the Microsoft Surface UEFI Configurator Reset Request option to load a Reset Request file or enter the Reset Request text or QR Code. Microsoft Surface UEFI Configurator will generate a verification code that can be entered on the Surface device. If you enter the code on the Surface device and click **Restart**, the device will be unenrolled from SEMM. diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index 93d897f272..19a91301f7 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md 
@@ -17,11 +17,11 @@ ms.audience: itpro ## Introduction -The ability to manage devices from the cloud has dramatically simplified IT deployment and provisioning across the lifecycle. With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in public preview), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. +The ability to manage devices from the cloud has dramatically simplified IT deployment and provisioning across the lifecycle. With Device Firmware Configuration Interface (DFCI) profiles built into Microsoft Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For answers to frequently asked questions, see [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333). ### Background -Like any computer running Windows 10, Surface devices rely on code stored in the SoC that enables the CPU to interface with hard drives, display devices, USB ports, and other devices. The programs stored in this read-only memory (ROM) are collectively known as firmware (while programs stored in dynamic media are known as software). 
+Like any computer running Windows 10, Surface devices rely on code stored in the SoC that enables the CPU to interface with hard drives, display devices, USB ports, and other devices. The programs stored in this read-only memory (ROM) are known as firmware (while programs stored in dynamic media are known as software). In contrast to other Windows 10 devices available in the market today, Surface provides IT admins with the ability to configure and manage firmware through a rich set of UEFI configuration settings. This provides a layer of hardware control on top of software-based policy management as implemented via mobile device management (MDM) policies, Configuration Manager or Group Policy. For example, organizations deploying devices in highly secure areas with sensitive information can prevent camera use by removing functionality at the hardware level. From a device standpoint, turning the camera off via a firmware setting is equivalent to physically removing the camera. Compare the added security of managing at the firmware level to relying only on operating system software settings. For example, if you disable the Windows audio service via a policy setting in a domain environment, a local admin could still re-enable the service. 
@@ -43,13 +43,13 @@ At this time, DFCI is supported in the following devices: ## Prerequisites -- Devices must be registered with Windows Autopilot by your reseller or distributor. For more information, refer to the [Microsoft Device Partner Center](https://devicepartner.microsoft.com/support). +- Devices must be registered with Windows Autopilot by a [Microsoft Cloud Solution Provider (CSP) partner](https://partner.microsoft.com/membership/cloud-solution-provider) or OEM distributor. -- Before configuring DFCI for Surface, you should already be familiar with [Microsoft Intune](https://docs.microsoft.com/intune/) and [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/) (Azure AD). +- Before configuring DFCI for Surface, you should be familiar with Autopilot configuration requirements in [Microsoft Intune](https://docs.microsoft.com/intune/) and [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/) (Azure AD). ## Before you begin -Add your target Surface devices to an Azure AD security group. For more information about creating and managing security groups, refer to [Azure AD documentation](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal). +Add your target Surface devices to an Azure AD security group. For more information about creating and managing security groups, refer to [Intune documentation](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows#create-your-azure-ad-security-groups). ## Configure DFCI management for Surface devices 
@@ -167,6 +167,7 @@ If the original DFCI profile has been deleted, you can remove policy settings by 6. Validate DFCI is removed from the device in the UEFI. ## Learn more -- [Windows Autopilot](https://www.microsoft.com/microsoft-365/windows/windows-autopilot) +- [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333) +[Windows Autopilot](https://www.microsoft.com/microsoft-365/windows/windows-autopilot) - [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) - [Use DFCI profiles on Windows devices in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows) diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index f877f0d659..2f8061c0b4 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -36,7 +36,7 @@ Organizations already using modern management, security, and productivity soluti ## Image-based deployment considerations -Surface Pro X will be released without a standard Windows .ISO deployment image, which means it’s not supported on the Microsoft Deployment Toolkit (MDT) or operating system deployment methods using System Center Configuration Manager (SCCM) aka ConfiMgr. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. +Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM) operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. ## Managing Surface Pro X devices 
@@ -147,13 +147,12 @@ The following tables show the availability of selected key features on Surface P | Conditional Access | Yes | Yes | | | Secure Boot | Yes | Yes | | | Windows Information Protection | Yes | Yes | | -| Surface Data Eraser (SDE) | Yes | Yes | | - +| Surface Data Eraser (SDE) | Yes | Yes | ## FAQ -### Will an OS image be available at launch? +### Can I deploy Surface Pro X with MDT or SCCM? -No. Surface Pro X will be released without a standard Windows .ISO deployment image, which means it’s not supported on the Microsoft Deployment Toolkit (MDT) or operating system deployment methods using System Center Configuration Manager (SCCM) aka ConfiMgr. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. +The Microsoft Deployment Toolkit and System Center Configuration Manager operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. ### How can I deploy Surface Pro X? diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index 6b6e75f7d4..74c348d2d1 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 03/20/2019 +ms.date: 10/31/2019 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # System SKU reference 
@@ -39,6 +41,11 @@ System Model and System SKU are variables that are stored in the System Manageme | Surface Pro 6 Commercial | Surface Pro 6 | Surface_Pro_6_1796_Commercial | | Surface Laptop 2 Consumer | Surface Laptop 2 | Surface_Laptop_2_1769_Consumer | | Surface Laptop 2 Commercial | Surface Laptop 2 | Surface_Laptop_2_1769_Commercial | +| Surface Pro 7 | Surface Pro 7 | Surface_Pro_7_1866 | +| Surface Pro X | Surface Pro X | Surface_Pro_X_1876 | +| Surface Laptop 3 13" Intel | Surface Laptop 3 | Surface_Laptop_3_1867:1868 | +| Surface Laptop 3 15" Intel | Surface Laptop 3 | Surface_Laptop_3_1872 | +| Surface Laptop 3 15" AMD | Surface Laptop 3 | Surface_Laptop_3_1873 | ## Examples diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md index fbbaec21e8..6e225137c2 100644 --- a/devices/surface/surface-wireless-connect.md +++ b/devices/surface/surface-wireless-connect.md @@ -6,16 +6,15 @@ ms.mktglfcycl: manage ms.sitesec: library author: dansimp ms.audience: itpro -ms.localizationpriority: normal +ms.localizationpriority: medium ms.author: dansimp ms.topic: article -ms.date: 08/15/2019 +ms.date: 10/31/2019 ms.reviewer: tokatz manager: dansimp --- # Optimize Wi-Fi connectivity for Surface devices -## Introduction To stay connected with all-day battery life, Surface devices implement wireless connectivity settings that balance performance and power conservation. Outside of the most demanding mobility scenarios, users can maintain sufficient wireless connectivity without modifying default network adapter or related settings. 
@@ -32,7 +31,7 @@ If you’re managing a wireless network that’s typically accessed by many diff - **802.11r.** “**Fast BSS Transition”** accelerates connecting to new wireless access points by reducing the number of frames required before your device can access another AP as you move around with your device. - **802.11k.** **“Neighbor Reports”** provides devices with information on current conditions at neighboring access points. It can help your Surface device choose the best AP using criteria other than signal strength such as AP utilization. -Surface Go devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. +Specific Surface devices can also use 802.11v “BSS Transition Management Frames,” which functions much like 802.11k in providing information on nearby candidate APs. These include Surface Go, Surface Pro 7, Surface Pro X, and Surface Laptop 3. ## Managing user settings diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index edcfcdf120..39b70f6006 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -12,6 +12,8 @@ ms.topic: article ms.date: 01/06/2017 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Unenroll Surface devices from SEMM diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 0432c65257..6c29966521 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
@@ -9,9 +9,11 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 02/01/2017 +ms.date: 10/31/2019 ms.reviewer: manager: dansimp +ms.localizationpriority: medium +ms.audience: itpro --- # Use System Center Configuration Manager to manage devices with SEMM @@ -382,7 +384,7 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. -The following tables show the available settings for Surface Pro 4 and Surface Book: +The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go. *Table 1. Surface UEFI settings for Surface Pro 4* diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md index 5ea2e92440..20ad4f6903 100644 --- a/devices/surface/using-the-sda-deployment-share.md +++ b/devices/surface/using-the-sda-deployment-share.md @@ -23,7 +23,7 @@ With Microsoft Surface Deployment Accelerator (SDA), you can quickly and easily For more information about SDA and information on how to download SDA, see [Microsoft Surface Deployment Accelerator (SDA)](https://technet.microsoft.com/itpro/surface/microsoft-surface-deployment-accelerator). > [!NOTE] -> SDA is not currently supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). +> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). Using SDA provides these primary benefits: diff --git a/education/developers.yml b/education/developers.yml new file mode 100644 index 0000000000..5c73169853 --- /dev/null +++ b/education/developers.yml 
@@ -0,0 +1,33 @@
+### YamlMime:Hub
+
+title: M365 Education Documentation for developers
+summary: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here.
+
+metadata:
+ title: M365 Education Documentation for developers
+ description: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here.
+ ms.service: help
+ ms.topic: hub-page
+ author: LaurenMoynihan
+ ms.author: v-lamoyn
+ ms.date: 10/24/2019
+
+additionalContent:
+ sections:
+ - items:
+ # Card
+ - title: UWP apps for education
+ summary: Learn how to write universal apps for education.
+ url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/
+ # Card
+ - title: Take a test API
+ summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
+ url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api
+ # Card
+ - title: Office Education Dev center
+ summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app
+ url: https://dev.office.com/industry-verticals/edu
+ # Card
+ - title: Data Streamer
+ summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
+ url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer
\ No newline at end of file
diff --git a/education/docfx.json b/education/docfx.json
index 15587928ef..91c875c200 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -32,9 +32,8 @@ "audience": "ITPro", "breadcrumb_path": "/education/breadcrumb/toc.json", "ms.date": "05/09/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "Win.education", diff --git a/education/images/EDU-Apps-Mgmt.svg b/education/images/EDU-Apps-Mgmt.svg new file mode 100644 index 0000000000..862f0e12ff --- /dev/null +++ b/education/images/EDU-Apps-Mgmt.svg @@ -0,0 +1 @@ +EDU-Apps-Mgmt-50px \ No newline at end of file diff --git a/education/images/EDU-Deploy.svg b/education/images/EDU-Deploy.svg new file mode 100644 index 0000000000..1a0d67fd67 --- /dev/null +++ b/education/images/EDU-Deploy.svg @@ -0,0 +1 @@ +EDU-Deploy-50px \ No newline at end of file diff --git a/education/images/EDU-Device-Mgmt.svg b/education/images/EDU-Device-Mgmt.svg new file mode 100644 index 0000000000..92fb95141f --- /dev/null +++ b/education/images/EDU-Device-Mgmt.svg @@ -0,0 +1 @@ +EDU-Device-Mgmt-50px \ No newline at end of file diff --git a/education/images/EDU-Education.svg b/education/images/EDU-Education.svg new file mode 100644 index 0000000000..146dd00257 --- /dev/null +++ b/education/images/EDU-Education.svg @@ -0,0 +1 @@ +EDU-Education-50px \ No newline at end of file diff --git a/education/images/EDU-Lockbox.svg b/education/images/EDU-Lockbox.svg new file mode 100644 index 0000000000..8133127433 --- /dev/null +++ b/education/images/EDU-Lockbox.svg @@ -0,0 +1 @@ +EDU-Lockbox-50px \ No newline at end of file diff --git a/education/images/EDU-Tasks.svg b/education/images/EDU-Tasks.svg new file mode 100644 index 0000000000..f1339ea705 --- /dev/null +++ b/education/images/EDU-Tasks.svg @@ -0,0 +1 @@ +EDU-Tasks-50px \ No newline at end of file 
diff --git a/education/images/EDUAdmins.svg b/education/images/EDUAdmins.svg new file mode 100644 index 0000000000..d512fb942f --- /dev/null +++ b/education/images/EDUAdmins.svg @@ -0,0 +1 @@ +EDUAdmins-50px \ No newline at end of file diff --git a/education/images/EDUDevelopers.svg b/education/images/EDUDevelopers.svg new file mode 100644 index 0000000000..900159699a --- /dev/null +++ b/education/images/EDUDevelopers.svg @@ -0,0 +1 @@ +EDUDevelopers-50px \ No newline at end of file diff --git a/education/images/EDUPartners.svg b/education/images/EDUPartners.svg new file mode 100644 index 0000000000..01b80c9a42 --- /dev/null +++ b/education/images/EDUPartners.svg @@ -0,0 +1 @@ +EDUPartners-50px \ No newline at end of file diff --git a/education/index.md b/education/index.md deleted file mode 100644 index c36a33ee36..0000000000 --- a/education/index.md +++ /dev/null @@ -1,253 +0,0 @@ ---- -layout: HubPage -hide_bc: true -title: Microsoft 365 Education documentation and resources | Microsoft Docs -description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. -author: dansimp -ms.topic: hub-page -ms.author: dansimp -ms.collection: ITAdminEDU -ms.date: 10/30/2017 -ms.prod: w10 ---- -
    -
    -

    Microsoft Education documentation and resources

    -
    -
    diff --git a/education/index.yml b/education/index.yml new file mode 100644 index 0000000000..9d3a74a32c --- /dev/null +++ b/education/index.yml @@ -0,0 +1,35 @@ +### YamlMime:Hub + +title: M365 Education Documentation +summary: Microsoft 365 Education empowers educators to unlock creativity, promote teamwork, and provide a simple and safe experience in a single, affordable solution built for education. + +metadata: + title: M365 Education Documentation + description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. + ms.service: help + ms.topic: hub-page + author: LaurenMoynihan + ms.author: v-lamoyn + ms.date: 10/24/2019 + +productDirectory: + items: + # Card + - title: IT Admins + # imageSrc should be square in ratio with no whitespace + imageSrc: ./images/EDUAdmins.svg + links: + - url: itadmins.yml + text: Get started with deploying and managing a full cloud IT solution for your school. + # Card + - title: Developers + imageSrc: ./images/EDUDevelopers.svg + links: + - url: developers.yml + text: Looking for information about developing solutions on Microsoft Education products? Start here. + # Card + - title: Partners + imageSrc: ./images/EDUPartners.svg + links: + - url: partners.yml + text: Looking for resources available to Microsoft Education partners? Start here. \ No newline at end of file diff --git a/education/itadmins.yml b/education/itadmins.yml new file mode 100644 index 0000000000..25eabd906a --- /dev/null +++ b/education/itadmins.yml 
@@ -0,0 +1,96 @@
+### YamlMime:Hub
+
+title: M365 Education Documentation for IT admins
+summary: M365 Education consists of Office 365 Education, Windows 10 Education, and security and management tools such as Intune for Education and School Data Sync.
+
+metadata:
+ title: M365 Education Documentation for IT admins
+ description: M365 Education consists of Office 365 Education, Windows 10 Education, and security and management tools such as Intune for Education and School Data Sync.
+ ms.service: help
+ ms.topic: hub-page
+ author: LaurenMoynihan
+ ms.author: v-lamoyn
+ ms.date: 10/24/2019
+
+productDirectory:
+ summary: This guide is designed for IT admins looking for the simplest way to move their platform to the cloud. It does not capture all the necessary steps for large scale or complex deployments. Check out at https://edujourney.microsoft.com/. Find help now at https://docs.microsoft.com/microsoft-365/education/deploy/find-deployment-help.
+ items:
+ # Card
+ - title: Phase 1 - Cloud deployment
+ imageSrc: ./images/EDU-Deploy.svg
+ links:
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/create-your-office-365-tenant
+ text: 1. Create your Office 365 tenant
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/secure-and-configure-your-network
+ text: 2. Secure and configure your network
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/aad-connect-and-adfs
+ text: 3. Sync your active directory
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/school-data-sync
+ text: 4. Sync you SIS using School Data Sync
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/license-users
+ text: 5. License users
+ # Card
+ - title: Phase 2 - Device management
+ imageSrc: ./images/EDU-Device-Mgmt.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/education/windows/
+ text: 1.
Get started with Windows 10 for Education
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/set-up-windows-10-education-devices
+ text: 2. Set up Windows 10 devices
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/intune-for-education
+ text: 3. Get started with Intune for Education
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/use-intune-for-education
+ text: 4. Use Intune to manage groups, apps, and settings
+ - url: https://docs.microsoft.com/en-us/intune/enrollment/enrollment-autopilot
+ text: 5. Enroll devices using Windows Autopilot
+ # Card
+ - title: Phase 3 - Apps management
+ imageSrc: ./images/EDU-Apps-Mgmt.svg
+ links:
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/configure-admin-settings
+ text: 1. Configure admin settings
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/set-up-teams-for-education
+ text: 2. Set up Teams for Education
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-office-365
+ text: 3. Set up Office 365
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/microsoft-store-for-education
+ text: 4. Install apps from Microsoft Store for Education
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/minecraft-for-education
+ text: 5.
Install Minecraft - Education Edition
+ # Card
+ - title: Complete your deployment
+ # imageSrc should be square in ratio with no whitespace
+ imageSrc: ./images/EDU-Tasks.svg
+ links:
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-exchange-online
+ text: Deploy Exchange Online
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-sharepoint-online-and-onedrive
+ text: Deploy SharePoint Online and OneDrive
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-exchange-server-hybrid
+ text: Deploy Exchange Server hybrid
+ - url: https://docs.microsoft.com/microsoft-365/education/deploy/deploy-sharepoint-server-hybrid
+ text: Deploy SharePoint Server Hybrid
+ # Card
+ - title: Security & Compliance
+ imageSrc: ./images/EDU-Lockbox.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-deployment-checklist-p2
+ text: AAD feature deployment guide
+ - url: https://techcommunity.microsoft.com/t5/Azure-Information-Protection/Azure-Information-Protection-Deployment-Acceleration-Guide/ba-p/334423
+ text: Azure information protection deployment acceleration guide
+ - url: https://docs.microsoft.com/en-us/cloud-app-security/getting-started-with-cloud-app-security
+ text: Microsoft Cloud app security
+ - url: https://docs.microsoft.com/microsoft-365/compliance/create-test-tune-dlp-policy
+ text: Office 365 data loss prevention
+ - url: https://docs.microsoft.com/microsoft-365/compliance/
+ text: Office 365 advanced compliance
+ - url: https://social.technet.microsoft.com/wiki/contents/articles/35748.office-365-what-is-customer-lockbox-and-how-to-enable-it.aspx
+ text: Deploying Lockbox
+ # Card
+ - title: Analytics & Insights
+ imageSrc: ./images/EDU-Education.svg
+ links:
+ - url: https://docs.microsoft.com/en-us/power-bi/service-admin-administering-power-bi-in-your-organization
+ text: Power BI for IT admins
+ - url:
https://docs.microsoft.com/en-us/dynamics365/#pivot=get-started
+ text: Dynamics 365
\ No newline at end of file
diff --git a/education/partners.yml b/education/partners.yml
new file mode 100644
index 0000000000..05d585f5f5
--- /dev/null
+++ b/education/partners.yml
@@ -0,0 +1,33 @@
+### YamlMime:Hub
+
+title: M365 Education Documentation for partners
+summary: Looking for resources available to Microsoft Education partners? Start here.
+
+metadata:
+ title: M365 Education Documentation for partners
+ description: Looking for resources available to Microsoft Education partners? Start here.
+ ms.service: help
+ ms.topic: hub-page
+ author: LaurenMoynihan
+ ms.author: v-lamoyn
+ ms.date: 10/24/2019
+
+additionalContent:
+ sections:
+ - items:
+ # Card
+ - title: Microsoft Partner Network
+ summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
+ url: https://partner.microsoft.com/solutions/education
+ # Card
+ - title: Authorized Education Partner (AEP) program
+ summary: Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEUs).
+ url: https://www.mepn.com/
+ # Card
+ - title: Authorized Education Partner Directory
+ summary: Search through the list of Authorized Education Partners worldwide who can deliver on customer licensing requirements, and provide solutions and services to current and future school needs.
+ url: https://www.mepn.com/MEPN/AEPSearch.aspx
+ # Card
+ - title: Education Partner community Yammer group
+ summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
+ url: https://www.yammer.com/mepn/
\ No newline at end of file
diff --git a/mdop/agpm/whats-new-in-agpm-40-sp3.md b/mdop/agpm/whats-new-in-agpm-40-sp3.md
index dbe0512e16..d60031b011 100644
--- a/mdop/agpm/whats-new-in-agpm-40-sp3.md
+++ b/mdop/agpm/whats-new-in-agpm-40-sp3.md
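Review bot: In education/itadmins.yml the Phase 1 link text `4. Sync you SIS using School Data Sync` has a typo and should read `4. Sync your SIS using School Data Sync`, and the `productDirectory` summary sentence `Check out at https://edujourney.microsoft.com/.` is missing its object. Several `url:` values pin the `en-us` locale (for example `https://docs.microsoft.com/en-us/intune/enrollment/enrollment-autopilot`) while most of the others are locale-neutral; dropping `/en-us` would keep them consistent. In the Security & Compliance card, `Deploying Lockbox` points to a `social.technet.microsoft.com/wiki` article rather than product documentation, which is worth confirming as the intended reference for a security control.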
@@ -189,7 +189,7 @@ The following table describes the behavior of AGPM 4.0 SP3 Client and Server in ## How to Get MDOP Technologies -AGPM 4.0 SP3 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). +AGPM 4.0 SP3 is a part of the Microsoft Desktop Optimization Pack (MDOP) since MDOP 2015. MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). ## Related topics diff --git a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md index fda09c81df..56bd58a27e 100644 --- a/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md +++ b/mdop/appv-v5/creating-and-managing-app-v-50-virtualized-applications.md 
@@ -20,7 +20,7 @@ ms.date: 06/16/2016 After you have properly deployed the Microsoft Application Virtualization (App-V) 5.0 sequencer, you can use it to monitor and record the installation and setup process for an application to be run as a virtualized application. **Note**   -For more information about configuring the Microsoft Application Virtualization (App-V) 5.0 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx) (http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). +For more information about configuring the Microsoft Application Virtualization (App-V) 5.0 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx) (https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx). diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md index cc24ad5c89..eefee88047 100644 --- a/mdop/mbam-v25/deploy-mbam.md +++ b/mdop/mbam-v25/deploy-mbam.md @@ -110,7 +110,7 @@ Choose a server that meets the hardware configuration as explained in the [MBAM .NET Framework Environment
    Configuration APIs -For the self-service portal to work, you should also [download and install ASP.NET MVC 4.0](http://go.microsoft.com/fwlink/?linkid=392271). +For the self-service portal to work, you should also [download and install ASP.NET MVC 4.0](https://go.microsoft.com/fwlink/?linkid=392271). The next step is to create the required MBAM users and groups in Active Directory. diff --git a/smb/docfx.json b/smb/docfx.json index f4e4a7783a..14448aa33c 100644 --- a/smb/docfx.json +++ b/smb/docfx.json @@ -30,9 +30,8 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/smb/breadcrumb/toc.json", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "TechNet.smb", diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 2825ff309d..760a988add 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -40,9 +40,8 @@ "searchScope": [ "Store" ], - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", + "hideEdit": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.store-for-business", diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index b7fda33af3..2ae0e03c13 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md 
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: msfttracyp +author: dansimp ms.author: dansimp ms.topic: article ms.date: 10/24/2017 diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index ee08c91bcf..6f3c2b6c50 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -36,9 +36,7 @@ "audience": "ITPro", "ms.topic": "article", "ms.author": "elizapo", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", + "feedback_system": "None", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-app-management", diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index a9bdc7b123..dc56d686c7 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md @@ -1,5 +1,5 @@ --- -author: msfttracyp +author: dansimp title: Remove background task resource restrictions description: Allow enterprise background tasks unrestricted access to computer resources. ms.author: dansimp @@ -8,7 +8,6 @@ ms.reviewer: manager: dansimp ms.topic: article ms.prod: w10 -ms.technology: uwp keywords: windows 10, uwp, enterprise, background task, resources --- diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 74edf682a0..205e2c3711 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
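Review bot: In windows/application-management/docfx.json the hunk sets `"feedback_system": "None"` but does not add `"hideEdit": true`, whereas the matching hunks in smb/docfx.json and store-for-business/docfx.json add both keys. If the intent is to remove the public feedback and edit entry points from these docsets, the edit link would presumably remain on application-management pages; add `"hideEdit": true,` after the `feedback_system` line, or confirm the omission is deliberate. The enclosing metadata object starts and ends outside the hunk, so an existing `hideEdit` elsewhere in the file cannot be ruled out from here.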
@@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium -author: msfttracyp +author: dansimp ms.author: dansimp ms.topic: article --- @@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. 
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index 84c3b8c3d2..35c0f225b0 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -4,11 +4,11 @@ description: Administrative Tools is a folder in Control Panel that contains too ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8 ms.reviewer: manager: dansimp -ms.author: tracyp +ms.author: dansimp ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: msfttracyp +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.topic: article diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 878b065aa7..267386adc6 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -5,9 +5,9 @@ manager: dansimp description: Learn how 802.1X Authentication works keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi ms.prod: w10 -ms.mktglfcycl: +ms.mktglfcycl: ms.sitesec: library -author: msfttracyp +author: dansimp ms.localizationpriority: medium ms.author: tracyp ms.topic: troubleshooting diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index 4acac6acd7..a9442e6fe9 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md 
@@ -1,11 +1,11 @@ --- title: Advanced troubleshooting for Windows boot problems -description: Learn how to troubleshoot when Windows is unable to boot +description: Learn how to troubleshoot when Windows is unable to boot ms.prod: w10 ms.sitesec: library -author: msfttracyp +author: dansimp ms.localizationpriority: medium -ms.author: tracyp +ms.author: dansimp ms.date: 11/16/2018 ms.reviewer: manager: dansimp diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md index dbd429f2e5..c04dae805a 100644 --- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -5,11 +5,11 @@ manager: dansimp description: Learn how troubleshooting of establishing Wi-Fi connections keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi ms.prod: w10 -ms.mktglfcycl: +ms.mktglfcycl: ms.sitesec: library -author: msfttracyp +author: dansimp ms.localizationpriority: medium -ms.author: tracyp +ms.author: dansimp ms.topic: troubleshooting --- @@ -92,7 +92,7 @@ The following is a high-level view of the main wifi components in Windows. - Scanning for wireless networks in range - Managing connectivity of wireless networks The Media Specific Module (MSM) handles security aspects of connection being established. -The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. +The Native WiFi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows. 
diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index 771366616a..4f2cab1d56 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -7,8 +7,8 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: msfttracyp -ms.author: tracyp +author: dansimp +ms.author: dansimp ms.date: 12/06/2018 ms.reviewer: manager: dansimp diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index e1365a820c..44260b0181 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -32,7 +32,8 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. -- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. +- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined. Remote connection to an Azure AD joined PC from an unjoined device or a non-Windows 10 device is not supported. +Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. - On the PC that you want to connect to: 1. Open system properties for the remote PC. 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. @@ -81,7 +82,8 @@ In organizations using only Azure AD, you can connect from an Azure AD-joined PC - Password - Windows Hello for Business, with or without an MDM subscription. - +> [!NOTE] +> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities). ## Related topics diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 052d05d6a0..cb636ce3ef 100644 
--- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -117,16 +117,7 @@ Value type is char. To use ApplicationControl CSP, you must: - Know a generated policy’s GUID, which can be found in the policy xml as ``. - Convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. -- Create a policy node (a Base64-encoded blob of the binary policy representation) using the [certutil -encode](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_encode) command line tool. -Here is a sample certutil invocation: -``` -certutil -encode WinSiPolicy.p7b WinSiPolicy.cer -``` -An alternative to using certutil would be to use the following PowerShell invocation: -``` -[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) -``` If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 922ed015a1..68141ff2a5 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -2699,8 +2699,8 @@ Additional lists: ## CSP DDF files download You can download the DDF files for various CSPs from the links below: -- [Download all the DDF files for Windows 10, version 1903](http://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip) -- [Download all the DDF files for Windows 10, version 1809](http://download.microsoft.com/download/6/A/7/6A735141-5CFA-4C1B-94F4-B292407AF662/Windows10_1809_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1809](https://download.microsoft.com/download/6/A/7/6A735141-5CFA-4C1B-94F4-B292407AF662/Windows10_1809_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1803](https://download.microsoft.com/download/6/2/7/6276FE19-E3FD-4254-9C16-3C31CAA2DE50/Windows10_1803_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1709](https://download.microsoft.com/download/9/7/C/97C6CF99-F75C-475E-AF18-845F8CECCFA4/Windows10_1709_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 044b5dd851..a24f114581 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -504,7 +504,7 @@ Supported operation is Get. -**AppInstallation/*PackageFamilyName*/LastErrorDescription** +**AppInstallation/*PackageFamilyName*/LastErrorDesc** Required. Description of last error relating to the app installation. Supported operation is Get. 
diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md index 9ab64f1f8b..18a0174509 100644 --- a/windows/client-management/mdm/get-product-details.md +++ b/windows/client-management/mdm/get-product-details.md @@ -1,6 +1,6 @@ --- title: Get product details -description: The Get product details operation retrieves the product information from the Micosoft Store for Business for a specific application. +description: The Get product details operation retrieves the product information from the Microsoft Store for Business for a specific application. ms.assetid: BC432EBA-CE5E-43BD-BD54-942774767286 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get product details -The **Get product details** operation retrieves the product information from the Micosoft Store for Business for a specific application. +The **Get product details** operation retrieves the product information from the Microsoft Store for Business for a specific application. ## Request diff --git a/windows/client-management/mdm/images/custom-profile-prevent-device-instance-ids.png b/windows/client-management/mdm/images/custom-profile-prevent-device-instance-ids.png new file mode 100644 index 0000000000..226f4850aa Binary files /dev/null and b/windows/client-management/mdm/images/custom-profile-prevent-device-instance-ids.png differ diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5a33e8eda5..4ced8ce8ab 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md 
@@ -777,7 +777,7 @@ ADMX Info: -To enable this policy, use the following SyncML. +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with device instance IDs of USB\VID_1F75 and USB\VID_0781. To configure multiple classes, use `` as a delimiter. ``` xml @@ -805,6 +805,25 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i <<< Section end 2018/11/15 12:26:41.751 <<< [Exit status: SUCCESS] ``` + +You can also block installation and usage of prohibited peripherals by using a custom profile in Intune. + +For example, this custom profile prevents installation of devices with matching device instance IDs. + +![Custom profile](images/custom-profile-prevent-device-instance-ids.png) + +To prevent installation of devices with matching device instance IDs by using custom profile in Intune: +1. Locate the device instance ID. +2. Replace `&` in the device instance IDs with `&`. +For example: +Replace +```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` +with +```USBSTOR\DISK&VEN_SAMSUNG&PROD_FLASH_DRIVE&REV_1100\0376319020002347&0``` + > [!Note] + > Do not use spaces in the value. +3. Replace the device instance IDs with `&` into the sample SyncML. Add the SyncML into the Intune custom device configuration profile. + diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index beb25c4bea..a5298bf190 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md 
@@ -20,10 +20,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy* You can view various Policy DDF files by clicking the following links: -- [View the Policy DDF file for Windows 10, version 1903](http://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) -- [View the Policy DDF file for Windows 10, version 1809](http://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) +- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) +- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) - [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1803 release C](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) +- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) - [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) - [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) - [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 9711b4b2a4..70668fa9de 100644 
--- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -38,9 +38,11 @@ The following diagram shows the Reboot configuration service provider management

    The supported operation is Get.

    **Schedule/Single** -

    This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required.
    +

    This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
    Example to configure: 2018-10-25T18:00:00

    +Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00. +

    The supported operations are Get, Add, Replace, and Delete.

    **Schedule/DailyRecurrent** @@ -53,13 +55,3 @@ Example to configure: 2018-10-25T18:00:00

    [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index cb2908dda2..7b4f4424be 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md 
@@ -25,7 +25,13 @@ manager: dansimp
 ## Overview
-Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
+Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
+
+NOTE: Starting from the following Windows 10 version Replace command is supported
+- Windows 10, version 1903 with KB4512941 and KB4517211 installed
+- Windows 10, version 1809 with KB4512534 and KB installed
+- Windows 10, version 1803 with KB4512509 and KB installed
+- Windows 10, version 1709 with KB4516071 and KB installed
 When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations:
@@ -48,6 +54,8 @@ When the ADMX policies are imported, the registry keys to which each policy is w
 - software\microsoft\exchange\
 - software\policies\microsoft\vba\security\
 - software\microsoft\onedrive
+- software\Microsoft\Edge
+- Software\Microsoft\EdgeUpdate\
 > [!Warning]
 > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined.
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 0c13fc8950..719976a254 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -22,9 +22,9 @@ ms.author: dansimp
 A Stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers:
-- atikmpag.sys
-- igdkmd64.sys
-- nvlddmkm.sys
+- `atikmpag.sys`
+- `igdkmd64.sys`
+- `nvlddmkm.sys`
 There is no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually are not caused by Microsoft Windows components. Instead, these errors are generally related to malfunctioning hardware drivers or drivers that are installed by third-party software. This includes video cards, wireless network cards, security programs, and so on.
@@ -61,7 +61,7 @@ To troubleshoot Stop error messages, follow these general steps:
 4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
-5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10 to 15 percent free disk space.
+5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space.
 6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios:
@@ -90,12 +90,12 @@ To configure the system for memory dump files, follow these steps:
 5. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written.
 6. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs.
-The memory dump file is saved at the following locations.
+The memory dump file is saved at the following locations:
 | Dump file type | Location |
 |----------------|----------|
-|(none) | %SystemRoot%\MEMORY.DMP (inactive, or greyed out) |
-|Small memory dump file (256kb) | %SystemRoot%\Minidump |
+|(none) | %SystemRoot%\MEMORY.DMP (inactive, or grayed out) |
+|Small memory dump file (256 kb) | %SystemRoot%\Minidump |
 |Kernel memory dump file | %SystemRoot%\MEMORY.DMP |
 | Complete memory dump file | %SystemRoot%\MEMORY.DMP |
 | Automatic memory dump file | %SystemRoot%\MEMORY.DMP |
@@ -118,7 +118,7 @@ More information on how to use Dumpchk.exe to check your dump files:
 ### Memory dump analysis
-Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in a variety of symptoms.
+Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in various symptoms.
 When a Stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the Stop error again. If you can replicate the problem, you can usually determine the cause.
@@ -138,8 +138,8 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols
 1. Verify that the computer is set up to generate a complete memory dump file when a crash occurs. See the steps [here](troubleshoot-windows-freeze.md#method-1-memory-dump) for more information.
 2. Locate the memory.dmp file in your Windows directory on the computer that is crashing, and copy that file to another computer.
-3. On the other computer, download the [Windows 10 SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk).
-4. Start the install and choose **Debugging Tools for Windows**. This will install the WinDbg tool.
+3. On the other computer, download the [Windows 10 SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk).
+4. Start the install and choose **Debugging Tools for Windows**. This installs the WinDbg tool.
 5. Open the WinDbg tool and set the symbol path by clicking **File** and then clicking **Symbol File Path**.
    a. If the computer is connected to the Internet, enter the [Microsoft public symbol server](https://docs.microsoft.com/windows-hardware/drivers/debugger/microsoft-public-symbols) (https://msdl.microsoft.com/download/symbols) and click **OK**. This is the recommended method.
    b. If the computer is not connected to the Internet, you must specify a local [symbol path](https://docs.microsoft.com/windows-hardware/drivers/debugger/symbol-path). @@ -149,7 +149,7 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols 8. A detailed bugcheck analysis will appear. See the example below. ![Bugcheck analysis](images/bugcheck-analysis.png) 9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL. -10. See [Using the !analyze Exension](https://docs.microsoft.com/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output. +10. See [Using the !analyze Extension](https://docs.microsoft.com/windows-hardware/drivers/debugger/using-the--analyze-extension) for details about how to interpret the STACK_TEXT output. There are many possible causes of a bugcheck and each case is unique. In the example provided above, the important lines that can be identified from the STACK_TEXT are 20, 21, and 22: @@ -213,7 +213,7 @@ Use the following guidelines when you use Driver Verifier: - Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic). - If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers. -- Enable concurrent verification on groups of 10 to 20 drivers. +- Enable concurrent verification on groups of 10–20 drivers. - Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode. For more information, see [Driver Verifier](https://docs.microsoft.com/windows-hardware/drivers/devtest/driver-verifier). @@ -233,13 +233,13 @@ SYSTEM_SERVICE_EXCEPTION
    Stop error code c000021a {Fatal System Error} The W NTFS_FILE_SYSTEM
    Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. KMODE_EXCEPTION_NOT_HANDLED
    Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.

    If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:

    Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. DPC_WATCHDOG_VIOLATION
    Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](https://blogs.msdn.microsoft.com/ntdebugging/2012/12/07/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012/) to find the problematic driver from the memory dump. -USER_MODE_HEALTH_MONITOR
    Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
    This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process.Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
    Event ID: 4870
    Source: Microsoft-Windows-FailoverClustering
    Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action will be taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
    For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). +USER_MODE_HEALTH_MONITOR
    Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
    This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process. Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
    Event ID: 4870
    Source: Microsoft-Windows-FailoverClustering
    Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action is taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
    For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). ## Debugging examples ### Example 1 -This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** will tell you the faulting driver, but since this is Microsoft driver it cannot be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again. +This bugcheck is caused by a driver hang during upgrade, resulting in a bugcheck D1 in NDIS.sys (a Microsoft driver). The **IMAGE_NAME** tells you the faulting driver, but since this is Microsoft driver it cannot be replaced or removed. The resolution method is to disable the network device in device manager and try the upgrade again. ``` 2: kd> !analyze -v @@ -391,7 +391,7 @@ ANALYSIS_SESSION_ELAPSED_TIME: 8377 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:av_ndis!ndisqueueioworkitem FAILURE_ID_HASH: {10686423-afa1-4852-ad1b-9324ac44ac96} -FAILURE_ID_REPORT_LINK: http://go.microsoft.com/fwlink/?LinkID=397724&FailureHash=10686423-afa1-4852-ad1b-9324ac44ac96 +FAILURE_ID_REPORT_LINK: https://go.microsoft.com/fwlink/?LinkID=397724&FailureHash=10686423-afa1-4852-ad1b-9324ac44ac96 Followup: ndiscore --------- ``` 
@@ -564,7 +564,7 @@ ANALYSIS_SESSION_ELAPSED_TIME: 162bd
 ANALYSIS_SOURCE: KM
 FAILURE_ID_HASH_STRING: km:av_r_invalid_wwanusbmp!unknown_function
 FAILURE_ID_HASH: {31e4d053-0758-e43a-06a7-55f69b072cb3}
-FAILURE_ID_REPORT_LINK: http://go.microsoft.com/fwlink/?LinkID=397724&FailureHash=31e4d053-0758-e43a-06a7-55f69b072cb3
+FAILURE_ID_REPORT_LINK: https://go.microsoft.com/fwlink/?LinkID=397724&FailureHash=31e4d053-0758-e43a-06a7-55f69b072cb3
 Followup: MachineOwner
 ---------
diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md
index 39080a98d6..c319034f39 100644
--- a/windows/client-management/windows-10-support-solutions.md
+++ b/windows/client-management/windows-10-support-solutions.md
@@ -131,4 +131,4 @@ This section contains advanced troubleshooting topics and links to help you reso
 ## Other Resources
-### [Troubleshooting Windows Server components](https://docs.microsoft.com/en-us/windows-server/troubleshoot/windows-server-support-solutions)
+### [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-support-solutions)
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index b9e7da8958..f13d6f81c8 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -191,7 +191,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
 - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
 - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
 - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
 - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index af378be469..4986e61b5d 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -35,9 +35,8 @@
 "ms.technology": "windows",
 "audience": "ITPro",
 "ms.topic": "article",
- "feedback_system": "GitHub",
- "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "feedback_system": "None",
+ "hideEdit": true,
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.win-configuration",
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index eaa5591a59..57629adbe8 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -29,7 +29,7 @@ The following table lists changes to multi-app kiosk in recent updates. | New features and improvements | In update | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | - Configure [a single-app kiosk profile](#profile) in your XML file

    - Assign [group accounts to a config profile](#config-for-group-accounts)

    - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 | -| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

    - [Automatically launch an app](#allowedapps) when the user signs in

    - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

    **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `http://schemas.microsoft.com/AssignedAccess/201810/config`. | +| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

    - [Automatically launch an app](#allowedapps) when the user signs in

    - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

    **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. | >[!WARNING] >The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. @@ -88,8 +88,8 @@ You can start your file by pasting the following XML (or any other examples in t ```xml @@ -199,8 +199,8 @@ The following example shows how to allow user access to the Downloads folder in ```xml 
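Review bot: The added row's `https://schemas.microsoft.com/AssignedAccess/201810/config` is an XML namespace name rather than a link, and namespace names are compared as exact strings, so changing the scheme yields a different namespace from the one the removed line documented. The `@@ -219,7 +219,7 @@` hunk makes the same substitution for the 201810 and 2020 namespaces, and the `xml` sample hunks appear to as well, although their content is not visible here. A kiosk configuration copied from the new text would presumably fail schema validation or have its version 1809 elements ignored, so the intended lockdown may not be applied. Keep the identifier as `http://schemas.microsoft.com/AssignedAccess/201810/config` (and `http://schemas.microsoft.com/AssignedAccess/2020/config`) and limit the https rewrite to real hyperlinks.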
@@ -219,7 +219,7 @@ The following example shows how to allow user access to the Downloads folder in ``` -FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease for finer granularity and easier use, see in the [Assigned access XML reference.](kiosk-xml.md) for full samples. The changes will allow IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are available in namespace http://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace http://schemas.microsoft.com/AssignedAccess/2020/config. +FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease for finer granularity and easier use, see in the [Assigned access XML reference.](kiosk-xml.md) for full samples. The changes will allow IT Admin to configure if user can access Downloads folder, Removable drives, or no restriction at all by using certain new elements. Note that FileExplorerNamesapceRestrictions and AllowedNamespace:Downloads are available in namespace https://schemas.microsoft.com/AssignedAccess/201810/config, AllowRemovableDrives and NoRestriction are defined in a new namespace https://schemas.microsoft.com/AssignedAccess/2020/config. * When FileExplorerNamespaceRestrictions node is not used, or used but left empty, user will not be able to access any folder in common dialog (e.g. Save As in Microsoft Edge browser). * When Downloads is mentioned in allowed namespace, user will be able to access Downloads folder. @@ -244,7 +244,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, ```xml - + @@ -423,9 +423,9 @@ Note: ```xml @@ -438,7 +438,7 @@ Note: - + 
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index 139dcce1bb..95cf9806b1 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -36,7 +36,7 @@ It is intended that shared PCs are joined to an Active Directory or Azure Active
 When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days.
 ### Maintenance and sleep
-Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
+Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not in use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options.
Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods.
 While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates.
diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json
index 564f47ae8b..3dcf319a94 100644
--- a/windows/configure/docfx.json
+++ b/windows/configure/docfx.json
@@ -30,6 +30,8 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "feedback_system": "None",
+ "hideEdit": true,
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.windows-configure"
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index 461bbb314e..2e88d65395 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -1,4 +1,5 @@
 # [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment)
+## [Deployment process posters](windows-10-deployment-posters.md)
 ## [Deploy Windows 10 with Microsoft 365](deploy-m365.md)
 ## [What's new in Windows 10 deployment](deploy-whats-new.md)
 ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index cf43dc83df..b5e2f332bb 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -21,7 +21,9 @@
 "files": [
 "**/*.png",
 "**/*.jpg",
- "**/*.gif"
+ "**/*.gif",
+ "**/*.pdf",
+ "**/*.vsdx"
 ],
 "exclude": [
 "**/obj/**",
diff --git a/windows/deployment/media/Windows10AutopilotFlowchart.pdf b/windows/deployment/media/Windows10AutopilotFlowchart.pdf
new file mode 100644
index 0000000000..5ab6f1c52e
Binary files /dev/null and b/windows/deployment/media/Windows10AutopilotFlowchart.pdf differ
diff --git a/windows/deployment/media/Windows10Autopilotflowchart.vsdx b/windows/deployment/media/Windows10Autopilotflowchart.vsdx
new file mode 100644
index 0000000000..ef702ab66b
Binary files /dev/null and b/windows/deployment/media/Windows10Autopilotflowchart.vsdx differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
new file mode 100644
index 0000000000..ac27941579
Binary files /dev/null and b/windows/deployment/media/Windows10DeploymentConfigManager.pdf differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx
new file mode 100644
index 0000000000..5c5328cb5f
Binary files /dev/null and b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx differ
diff --git a/windows/deployment/media/windows10-autopilot-flowchart.png b/windows/deployment/media/windows10-autopilot-flowchart.png
new file mode 100644
index 0000000000..878c9d483d
Binary files /dev/null and b/windows/deployment/media/windows10-autopilot-flowchart.png differ
diff --git a/windows/deployment/media/windows10-deployment-config-manager.png b/windows/deployment/media/windows10-deployment-config-manager.png
new file mode 100644
index 0000000000..af6c8313e0
Binary files /dev/null and b/windows/deployment/media/windows10-deployment-config-manager.png differ
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index dc4e379e29..c46b4cc2da 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -1,206 +1,114 @@ ---- -title: Windows Updates using forward and reverse differentials -description: A technique to produce compact software updates optimized for any origin and destination revision pair -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 10/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Updates using forward and reverse differentials - - -Windows 10 monthly quality updates are cumulative, containing all previously -released fixes to ensure consistency and simplicity. For an operating system -platform like Windows 10, which stays in support for multiple years, the size of -monthly quality updates can quickly grow large, thus directly impacting network -bandwidth consumption. - -Today, this problem is addressed by using express downloads, where differential -downloads for every changed file in the update are generated based on selected -historical revisions plus the base version. In this paper, we introduce a new -technique to build compact software update packages that are applicable to any -revision of the base version, and then describe how Windows 10 quality updates -uses this technique. - -## General Terms - -The following general terms apply throughout this document: - -- *Base version*: A major software release with significant changes, such as - Windows 10, version 1809 (Windows 10 Build 17763.1) - -- *Revision*: Minor releases in between the major version releases, such as - KB4464330 (Windows 10 Build 17763.55) - -- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that - contain full binaries or files - -## Introduction - -In this paper, we introduce a new technique that can produce compact software -updates optimized for any origin/destination revision pair. 
It does this by -calculating forward the differential of a changed file from the base version and -its reverse differential back to the base version. Both forward and reverse -differentials are then packaged as an update and distributed to the endpoints -running the software to be updated. The update package contents can be symbolized as follows: - -![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) - -The endpoints that have the base version of the file (V0) hydrate the target -revision (VN) by applying a simple transformation: - -![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) - -The endpoints that have revision N of the file (VN), hydrate the target revision -(VR) by applying the following set of transformations: - -![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) - -The endpoints retain the reverse differentials for the software revision they -are on, so that it can be used for hydrating and applying next revision update. - -By using a common baseline, this technique produces a single update package with -numerous advantages: - -- Compact in size - -- Applicable to all baselines - -- Simple to build - -- Efficient to install - -- Redistributable - -Historically, download sizes of Windows 10 quality updates (Windows 10, version -1803 and older supported versions of Windows 10) are optimized by using express -download. Express download is optimized such that updating Windows 10 systems -will download the minimum number of bytes. This is achieved by generating -differentials for every updated file based on selected historical base revisions -of the same file + its base or RTM version. 
- -For example, if the October monthly quality update has updated Notepad.exe, -differentials for Notepad.exe file changes from September to October, August to -October, July to October, June to October, and from the original feature release -to October are generated. All these differentials are stored in a Patch Storage -File (PSF, also referred to as “express download files”) and hosted or cached on -Windows Update or other update management or distribution servers (for example, -Windows Server Update Services (WSUS), System Center Configuration Manager, or a -non-Microsoft update management or distribution server that supports express -updates). A device leveraging express updates uses network protocol to determine -optimal differentials, then downloads only what is needed from the update -distribution endpoints. - -The flipside of express download is that the size of PSF files can be very large -depending on the number of historical baselines against which differentials were -calculated. Downloading and caching large PSF files to on-premises or remote -update distribution servers is problematic for most organizations, hence they -are unable to leverage express updates to keep their fleet of devices running -Windows 10 up to date. Secondly, due to the complexity of generating -differentials and size of the express files that need to be cached on update -distribution servers, it is only feasible to generate express download files for -the most common baselines, thus express updates are only applicable to selected -baselines. Finally, calculation of optimal differentials is expensive in terms -of system memory utilization, especially for low-cost systems, impacting their -ability to download and apply an update seamlessly. 
- -In the following sections, we describe how Windows 10 quality updates will -leverage this technique based on forward and reverse differentials for newer -releases of Windows 10 and Windows Server to overcome the challenges with -express downloads. - -## High-level Design - -### Update packaging - -Windows 10 quality update packages will contain forward differentials from -quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM -(∆N→RTM) for each file that has changed since RTM. By using the RTM version as -the baseline, we ensure that all devices will have an identical payload. Update -package metadata, content manifests, and forward and reverse differentials will -be packaged into a cabinet file (.cab). This .cab file, and the applicability -logic, will also be wrapped in Microsoft Standalone Update (.msu) format. - -There can be cases where new files are added to the system during servicing. -These files will not have RTM baselines, thus forward and reverse differentials -cannot be used. In these scenarios, null differentials will be used to handle -servicing. Null differentials are the slightly compressed and optimized version -of the full binaries. Update packages can have either -forward or reverse differentials, or null differential of any given binary in -them. The following image symbolizes the content of a Windows 10 quality update installer: - -![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) - -### Hydration and installation - -Once the usual applicability checks are performed on the update package and are -determined to be applicable, the Windows component servicing infrastructure will -hydrate the full files during pre-installation and then proceed with the usual -installation process. 
- -Below is a high-level sequence of activities that the component servicing -infrastructure will run in a transaction to complete installation of the update: - -- Identify all files that are required to install the update. - -- Hydrate each of necessary files using current version (VN) of the file, - reverse differential (VN--->RTM) of the file back to quality update RTM/base - version and forward differential (VRTM--->R) from feature update RTM/base - version to the target version. Also, use null differential hydration to - hydrate null compressed files. - -- Stage the hydrated files (full file), forward differentials (under ‘f’ - folder) and reverse differentials (under ‘r’ folder) or null compressed - files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). - -- Resolve any dependencies and install components. - -- Clean up older state (VN-1); the previous state VN is retained for - uninstallation and restoration or repair. - -### **Resilient Hydration** - -To ensure resiliency against component store corruption or missing files that -could occur due to susceptibility of certain types of hardware to file system -corruption, a corruption repair service has been traditionally used to recover -the component store automatically (“automatic corruption repair”) or on demand -(“manual corruption repair”) using an online or local repair source. This -service will continue to offer the ability to repair and recover content for -hydration and successfully install an update, if needed. - -When corruption is detected during update operations, automatic corruption -repair will start as usual and use the Baseless Patch Storage File published to -Windows Update for each update to fix corrupted manifests, binary differentials, -or hydrated or full files. Baseless patch storage files will contain reverse and -forward differentials and full files for each updated component. Integrity of -the repair files will be hash verified. 
- -Corruption repair will use the component manifest to detect missing files and -get hashes for corruption detection. During update installation, new registry -flags for each differential staged on the machine will be set. When automatic -corruption repair runs, it will scan hydrated files using the manifest and -differential files using the flags. If the differential cannot be found or -verified, it will be added to the list of corruptions to repair. - -### Lazy automatic corruption repair - -“Lazy automatic corruption repair” runs during update operations to detect -corrupted binaries and differentials. While applying an update, if hydration of -any file fails, "lazy" automatic corruption repair automatically starts, -identifies the corrupted binary or differential file, and then adds it to the -corruption list. Later, the update operation continues as far as it can go, so -that "lazy" automatic corruption repair can collect as many corrupted files to fix -as possible. At the end of the hydration section, the update fails, and -automatic corruption repair starts. Automatic corruption repair runs as usual -and at the end of its operation, adds the corruption list generated by "lazy" -automatic corruption repair on top of the new list to repair. Automatic -corruption repair then repairs the files on the corruption list and installation -of the update will succeed on the next attempt. 
+--- +title: Windows Updates using forward and reverse differentials +description: A technique to produce compact software updates optimized for any origin and destination revision pair +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Updates using forward and reverse differentials + +Windows 10 monthly quality updates are cumulative, containing all previously +released fixes to ensure consistency and simplicity. For an operating system +platform like Windows 10, which stays in support for multiple years, the size of +monthly quality updates can quickly grow large, thus directly impacting network +bandwidth consumption. + +Today, this problem is addressed by using express downloads, where differential +downloads for every changed file in the update are generated based on selected +historical revisions plus the base version. In this paper, we introduce a new +technique to build compact software update packages that are applicable to any +revision of the base version, and then describe how Windows 10 quality updates +uses this technique. + +## General Terms + +The following general terms apply throughout this document: + +- *Base version*: A major software release with significant changes, such as Windows 10, version 1809 (Windows 10 Build 17763.1) +- *Revision*: Minor releases in between the major version releases, such as KB4464330 (Windows 10 Build 17763.55) +- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that contain full binaries or files + +## Introduction + +In this paper, we introduce a new technique that can produce compact software +updates optimized for any origin/destination revision pair. 
It does this by +calculating forward the differential of a changed file from the base version and +its reverse differential back to the base version. Both forward and reverse +differentials are then packaged as an update and distributed to the endpoints +running the software to be updated. The update package contents can be symbolized as follows: + +![Symbolic representation of update package contents. A box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) + +The endpoints that have the base version of the file (V0) hydrate the target +revision (VN) by applying a simple transformation: + +![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) + +The endpoints that have revision N of the file (VN), hydrate the target revision +(VR) by applying the following set of transformations: + +![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) + +The endpoints retain the reverse differentials for the software revision they +are on, so that it can be used for hydrating and applying next revision update. + +By using a common baseline, this technique produces a single update package with +numerous advantages: + +- Compact in size +- Applicable to all baselines +- Simple to build +- Efficient to install +- Redistributable + +Historically, download sizes of Windows 10 quality updates (Windows 10, version 1803 and older supported versions of Windows 10) are optimized by using express download. Express download is optimized such that updating Windows 10 systems will download the minimum number of bytes. This is achieved by generating differentials for every updated file based on selected historical base revisions of the same file + its base or RTM version. 
+ +For example, if the October monthly quality update has updated Notepad.exe, differentials for Notepad.exe file changes from September to October, August to October, July to October, June to October, and from the original feature release to October are generated. All these differentials are stored in a Patch Storage File (PSF, also referred to as “express download files”) and hosted or cached on Windows Update or other update management or distribution servers (for example, Windows Server Update Services (WSUS), System Center Configuration Manager, or a non-Microsoft update management or distribution server that supports express updates). A device leveraging express updates uses network protocol to determine optimal differentials, then downloads only what is needed from the update distribution endpoints. + +The flip side of express download is that the size of PSF files can be very large depending on the number of historical baselines against which differentials were calculated. Downloading and caching large PSF files to on-premises or remote update distribution servers is problematic for most organizations, hence they are unable to leverage express updates to keep their fleet of devices running Windows 10 up to date. Secondly, due to the complexity of generating differentials and size of the express files that need to be cached on update distribution servers, it is only feasible to generate express download files for the most common baselines, thus express updates are only applicable to selected baselines. Finally, calculation of optimal differentials is expensive in terms of system memory utilization, especially for low-cost systems, impacting their ability to download and apply an update seamlessly. + +In the following sections, we describe how Windows 10 quality updates will leverage this technique based on forward and reverse differentials for newer releases of Windows 10 and Windows Server to overcome the challenges with express downloads. 
+ +## High-level Design + +### Update packaging + +Windows 10 quality update packages will contain forward differentials from quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM (∆N→RTM) for each file that has changed since RTM. By using the RTM version as the baseline, we ensure that all devices will have an identical payload. Update package metadata, content manifests, and forward and reverse differentials will be packaged into a cabinet file (.cab). This .cab file, and the applicability logic, will also be wrapped in Microsoft Standalone Update (.msu) format. + +There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer: + +![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) + +### Hydration and installation + +Once the usual applicability checks are performed on the update package and are determined to be applicable, the Windows component servicing infrastructure will hydrate the full files during pre-installation and then proceed with the usual installation process. + +Below is a high-level sequence of activities that the component servicing infrastructure will run in a transaction to complete installation of the update: + +- Identify all files that are required to install the update. 
+- Hydrate each of necessary files using current version (VN) of the file, reverse differential (VN--->RTM) of the file back to quality update RTM/base version and forward differential (VRTM--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files. +- Stage the hydrated files (full file), forward differentials (under ‘f’ folder) and reverse differentials (under ‘r’ folder) or null compressed files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). +- Resolve any dependencies and install components. +- Clean up older state (VN-1); the previous state VN is retained for uninstallation and restoration or repair. + +### **Resilient Hydration** + +To ensure resiliency against component store corruption or missing files that could occur due to susceptibility of certain types of hardware to file system corruption, a corruption repair service has been traditionally used to recover the component store automatically (“automatic corruption repair”) or on demand (“manual corruption repair”) using an online or local repair source. This service will continue to offer the ability to repair and recover content for +hydration and successfully install an update, if needed. + +When corruption is detected during update operations, automatic corruption repair will start as usual and use the Baseless Patch Storage File published to Windows Update for each update to fix corrupted manifests, binary differentials, or hydrated or full files. Baseless patch storage files will contain reverse and forward differentials and full files for each updated component. Integrity of the repair files will be hash verified. + +Corruption repair will use the component manifest to detect missing files and get hashes for corruption detection. During update installation, new registry flags for each differential staged on the machine will be set. 
When automatic corruption repair runs, it will scan hydrated files using the manifest and differential files using the flags. If the differential cannot be found or verified, it will be added to the list of corruptions to repair.
+
+### Lazy automatic corruption repair
+
+“Lazy automatic corruption repair” runs during update operations to detect corrupted binaries and differentials. While applying an update, if hydration of any file fails, "lazy" automatic corruption repair automatically starts, identifies the corrupted binary or differential file, and then adds it to the corruption list. Later, the update operation continues as far as it can go, so that "lazy" automatic corruption repair can collect as many corrupted files to fix as possible. At the end of the hydration section, the update fails, and automatic corruption repair starts. Automatic corruption repair runs as usual and at the end of its operation, adds the corruption list generated by "lazy" automatic corruption repair on top of the new list to repair. Automatic corruption repair then repairs the files on the corruption list and installation of the update will succeed on the next attempt.
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 20ecac8ae7..3534c08c5c 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -1,74 +1,69 @@ ---- -title: Introduction to the Windows Insider Program for Business -description: Introduction to the Windows Insider Program for Business and why IT Pros should join it -keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 03/01/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Introduction to the Windows Insider Program for Business - - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. - -The Windows Insider Program for Business gives you the opportunity to: - -* Get early access to Windows Insider Preview Builds. -* Provide feedback to Microsoft in real time by using the Feedback Hub app. 
-* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. -* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. -* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. -* Track feedback provided through the Feedback Hub App across your organization. - -Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. - -The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. - - -[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
    -Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. - - -## Explore new Windows 10 features in Insider Previews -Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| -|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | -|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
    - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
    - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | -|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
    - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
    - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | - -## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: - -- Get a head start on your Windows validation process -- Identify issues sooner to accelerate your Windows deployment -- Engage Microsoft earlier for help with potential compatibility issues -- Deploy Windows 10 Semi-Annual releases faster and more confidently -- Maximize the 18-month support Window that comes with each Semi-Annual release. - - - -|Objective |Feature exploration| -|---------|---------| -|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| -|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| -|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. 
| -|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | -|Guidance | Application and infrastructure validation:
    - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
    - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
    - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| - +--- +title: Introduction to the Windows Insider Program for Business +description: Introduction to the Windows Insider Program for Business and why IT Pros should join +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Introduction to the Windows Insider Program for Business + +**Applies to** + +- Windows 10 + +> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) + +For many IT Pros, it's valuable to have visibility into feature updates early--before they’re available in the Semi-Annual Channel. With Windows 10, feature flighting enables participants in the Windows Insider Preview program can consume and deploy preproduction code to test devices, gaining early visibility into the next build. This is better for your organization because you can test the early builds of Windows 10 to discover possible issues with the code or with device and app compatibility in your organization before the update is ever publicly available. We at Microsoft also appreciate it because Insiders can report issues back to us in time for us to make improvements in a release before it is more generally available. + +The Windows Insider Program for Business gives you the opportunity to: + +* Get early access to Windows Insider Preview Builds. +* Provide feedback to Microsoft in real time by using the Feedback Hub app. 
+* Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. +* Register your Azure Active Directory domain in the program, allowing you to cover all users within your organization with just one registration. +* Starting with Windows 10, version 1709, enable, disable, defer, and pause the installation of preview builds through policies. +* Track feedback provided through the Feedback Hub App across your organization. + +Microsoft recommends that all organizations have at least a few devices enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans, and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub App. + +The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. + +[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)
    +Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. + +## Explore new Windows 10 features in Insider Previews +Windows 10 Insider Preview builds offer organizations a valuable and exciting opportunity to evaluate new Windows features well before general release. What’s more, by providing feedback to Microsoft on these features, you and other Insiders in your organization can help shape Windows for your specific business needs. Here’s how to get the most out of your feature exploration: + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.| +|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. | +|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
    - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
    - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. | +|Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
    - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
    - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) | + +## Validate Insider Preview builds +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: + +- Get a head start on your Windows validation process +- Identify issues sooner to accelerate your Windows deployment +- Engage Microsoft earlier for help with potential compatibility issues +- Deploy Windows 10 Semi-Annual releases faster and more confidently +- Maximize the 18-month support Window that comes with each Semi-Annual release. + +|Objective |Feature exploration| +|---------|---------| +|Release channel |**Slow Ring:** Insider Preview builds in the Slow Ring are released approximately once a month. They are more stable than Fast Ring releases, making them better suited for validation purposes. Slow Ring releases can be run on either secondary or primary production devices by skilled users.| +|Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| +|Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. 
| +|Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | +|Guidance | Application and infrastructure validation:
    - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
    - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
    - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)|
\ No newline at end of file
diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md
index 135d1670a5..99bb88d5a4 100644
--- a/windows/deployment/update/change-history-for-update-windows-10.md
+++ b/windows/deployment/update/change-history-for-update-windows-10.md
@@ -1,52 +1,52 @@ ---- -title: Change history for Update Windows 10 (Windows 10) -description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Change history for Update Windows 10 - -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). - ->If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). - -## September 2018 - -| New or changed topic | Description | -| --- | --- | -| [Get started with Windows Update](windows-update-overview.md) | New | - - -## RELEASE: Windows 10, version 1709 - -The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). - -## September 2017 - -| New or changed topic | Description | -| --- | --- | -| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | - -## July 2017 - -All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). - -## May 2017 - -| New or changed topic | Description | -| --- | --- | -| [Manage additional Windows Update settings](waas-wu-settings.md) | New | - -## RELEASE: Windows 10, version 1703 - -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). 
The following new topics have been added: -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) -* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) +--- +title: Change history for Update Windows 10 (Windows 10) +description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Change history for Update Windows 10 + +This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). + +>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). + +## September 2018 + +| New or changed topic | Description | +| --- | --- | +| [Get started with Windows Update](windows-update-overview.md) | New | + + +## RELEASE: Windows 10, version 1709 + +The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). + +## September 2017 + +| New or changed topic | Description | +| --- | --- | +| [Olympia Corp](olympia/olympia-enrollment-guidelines.md) | New | + +## July 2017 + +All topics were updated to reflect the new [naming changes](waas-overview.md#naming-changes). + +## May 2017 + +| New or changed topic | Description | +| --- | --- | +| [Manage additional Windows Update settings](waas-wu-settings.md) | New | + +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). 
The following new topics have been added: +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 23a56637e9..e716dce744 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -4,7 +4,6 @@ description: Configure Device Health in Azure Monitor to monitor health (such as keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.reviewer: manager: laurawi ms.pagetype: deploy @@ -19,7 +18,7 @@ ms.topic: article # Get started with Device Health >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. 
@@ -30,7 +29,7 @@ This topic explains the steps necessary to configure your environment for Window - [Related topics](#related-topics) >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). ## Add the Device Health solution to your Azure subscription diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index a87d7b2ed5..7274c2a591 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -6,7 +6,7 @@ description: You can use Device Health in Azure Portal to monitor the frequency keywords: oms, operations management suite, wdav, health, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + ms.localizationpriority: medium ms.pagetype: deploy audience: itpro 
@@ -19,7 +19,7 @@ ms.topic: article # Monitor the health of devices with Device Health >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). ## Introduction diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 40bc6d5423..2bdfae2338 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -6,7 +6,7 @@ description: Explains how to begin using Device Health. ms.prod: w10 ms.mktglfcycl: deploy keywords: oms, operations management suite, wdav, health, log analytics -ms.sitesec: library + ms.pagetype: deploy author: jaimeo ms.author: jaimeo 
@@ -18,7 +18,7 @@ ms.topic: article # Using Device Health >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). This section describes how to use Device Health to monitor devices deployed on your network and troubleshoot the causes if they crash. diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md index 7cd119e52b..5c72afc8c0 100644 --- a/windows/deployment/update/feature-update-conclusion.md +++ b/windows/deployment/update/feature-update-conclusion.md 
@@ -1,24 +1,24 @@ ---- -title: Best practices for feature updates - conclusion -description: Final thoughts about how to deploy feature updates -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Conclusion - -**Applies to**: Windows 10 - -Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. - -Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. - +--- +title: Best practices for feature updates - conclusion +description: Final thoughts about how to deploy feature updates +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Conclusion + +**Applies to**: Windows 10 + +Mission critical devices that need to be online 24x7 pose unique challenges for the IT Pro looking to stay current with the latest Windows 10 feature update. 
Because these devices are online continually, providing mission critical services, with only a small window of time available to apply feature updates, specific procedures are required to effectively keep these devices current, with as little downtime as possible. + +Whether you have defined servicing windows at your disposal where feature updates can be installed automatically, or you require user initiated installs by a technician, this whitepaper provides guidelines for either approach. Improvements are continually being made to Windows 10 setup to reduce device offline time for feature updates. This whitepaper will be updated as enhancements become available to improve the overall servicing approach and experience. + diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md index 3a57b80ed7..da74aafced 100644 --- a/windows/deployment/update/feature-update-maintenance-window.md +++ b/windows/deployment/update/feature-update-maintenance-window.md 
@@ -1,265 +1,261 @@ ---- -title: Best practices - deploy feature updates during maintenance windows -description: Learn how to deploy feature updates during a maintenance window -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro -author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/09/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# Deploy feature updates during maintenance windows - -**Applies to**: Windows 10 - -Use the following information to deploy feature updates during a maintenance window. - -## Get ready to deploy feature updates - -### Step 1: Configure maintenance windows - -1. In the Configuration Manager console, choose **Assets and Compliance > Device Collections**. -2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). -3. On the **Home** tab, in the **Properties** group, choose **Properties**. -4. In the **Maintenance Windows** tab of the **`` Properties** dialog box, choose the **New** icon. -5. Complete the **`` Schedule** dialog. -6. Select **Apply this schedule** from the drop-down list. -7. Choose **OK** and then close the **\ Properties** dialog box. - -### Step 2: Review computer restart device settings - -If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. - -For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. 
If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update. - -> [!NOTE] -> The following settings must be shorter in duration than the shortest maintenance window applied to the computer. -> - **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).** -> - **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).** - -### Step 3: Enable Peer Cache - -Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache. - -[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update). - -> [!NOTE] -> Content delivery optimization via caching and peering solutions can avoid interruptions to business operations, especially when you download large payloads from the cloud (such as feature or quality updates). To avoid peering with clients that are not in the same physical location, you can logically group different sites via AD Site or SCCM boundary group, as the egress/ingress point may be a data center in another location, rather than a local internet connection. - -### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later) - -If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. 
This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted. - -%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini - -```ini -[SetupConfig] -Priority=Normal -``` - -You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices. - -```PowerShell -#Parameters -Param( - [string] $PriorityValue = "Normal" - ) - -#Variable for ini file path -$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini" - -#Variables for SetupConfig -$iniSetupConfigSlogan = "[SetupConfig]" -$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;} - -#Init SetupConfig content -$iniSetupConfigContent = @" -$iniSetupConfigSlogan -"@ - -#Build SetupConfig content with settings -foreach ($k in $iniSetupConfigKeyValuePair.Keys) -{ - $val = $iniSetupConfigKeyValuePair[$k] - - $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val") -} - -#Write content to file -New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force - -Disclaimer -Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is -provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without -limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk -arising out of the use or performance of the sample script and documentation remains with you. 
In no event shall -Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable -for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, -loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script -or documentation, even if Microsoft has been advised of the possibility of such damages. -``` - -> [!NOTE] -> If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value. - -## Manually deploy feature updates - -The following sections provide the steps to manually deploy a feature update. - -### Step 1: Specify search criteria for feature updates -There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy. - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed. -3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps: - - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update. 
- - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English. - -4. Save the search for future use. - -### Step 2: Download the content for the feature update(s) -Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment. - -1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**. -2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download. - - The **Download Software Updates Wizard** opens. -3. On the **Deployment Package** page, configure the following settings: - **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings: - - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters. - - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters. - - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. 
You must create the shared folder for the deployment package source files before you proceed to the next page. - - > [!NOTE] - > The deployment package source location that you specify cannot be used by another software deployment package. - - > [!IMPORTANT] - > The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files. - - > [!IMPORTANT] - > You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location. - - Click **Next**. -4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs). - - > [!NOTE] - > The Distribution Points page is available only when you create a new software update deployment package. -5. On the **Distribution Settings** page, specify the following settings: - - - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority. 
- - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). - - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options: - - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point. - - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point. - - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting. - - For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage). - Click **Next**. -6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options: - - - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting. 
- - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access. - - > [!NOTE] - > When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard. - - Click **Next**. -7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page. -8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates. -9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close. - -#### To monitor content status -1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console. -2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**. -3. Select the feature update package that you previously identified to download the feature updates. -4. On the **Home** tab, in the Content group, click **View Status**. - -### Step 3: Deploy the feature update(s) -After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s). - -1. In the Configuration Manager console, click **Software Library**. -2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. 
-3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**. - - The **Deploy Software Updates Wizard** opens. -4. On the General page, configure the following settings: - - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\** - - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default. - - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct. - - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time. - - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment. -5. On the Deployment Settings page, configure the following settings: - - - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline. 
- - > [!IMPORTANT] - > After you create the software update deployment, you cannot later change the type of deployment. - - > [!NOTE] - > A software update group deployed as **Required** will be downloaded in the background and honor BITS settings, if configured. - - - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required. - - > [!WARNING] - > Before you can use this option, computers and networks must be configured for Wake On LAN. - - - **Detail level**: Specify the level of detail for the state messages that are reported by client computers. -6. On the Scheduling page, configure the following settings: - - - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console. - - > [!NOTE] - > When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time. 
- - - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients: - - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation. - - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment. - - > [!NOTE] - > You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links. - - > [!NOTE] - > The actual installation deadline time is the specific time that you configure plus a random amount of time up to two hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting **Disable deadline randomization** to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent). -7. 
On the User Experience page, configure the following settings: - - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**. - - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). - - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation. - - > [!IMPORTANT] - > Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation. 
- - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device. - - > [!NOTE] - > When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window. - - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window. -8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page. - - > [!NOTE] - > You can review recent software updates alerts from the Software Updates node in the Software Library workspace. -9. On the Download Settings page, configure the following settings: - - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location. - - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point. 
- - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache). - - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content. - - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection. - - > [!NOTE] - > Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios). -10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting. -11. Click **Next** to deploy the feature update(s). - -### Step 4: Monitor the deployment status -After you deploy the feature update(s), you can monitor the deployment status. 
Use the following procedure to monitor the deployment status: - -1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**. -2. Click the software update group or software update for which you want to monitor the deployment status. -3. On the **Home** tab, in the **Deployment** group, click **View Status**. +--- +title: Best practices - deploy feature updates during maintenance windows +description: Learn how to deploy feature updates during a maintenance window +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# Deploy feature updates during maintenance windows + +**Applies to**: Windows 10 + +Use the following information to deploy feature updates during a maintenance window. + +## Get ready to deploy feature updates + +### Step 1: Configure maintenance windows + +1. In the Configuration Manager console, choose **Assets and Compliance> Device Collections**. +2. In the **Device Collections** list, select the collection for which you intended to deploy the feature update(s). +3. On the **Home** tab, in the **Properties** group, choose **Properties**. +4. In the **Maintenance Windows** tab of the `` Properties dialog box, choose the New icon. +5. Complete the `` Schedule dialog. +6. Select from the Apply this schedule to drop-down list. +7. Choose **OK** and then close the **\ Properties** dialog box. + +### Step 2: Review computer restart device settings + +If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration. 
+
+For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update.
+
+>[!NOTE]
+> The following settings must be shorter in duration than the shortest maintenance window applied to the computer.
+>- **Display a temporary notification to the user that indicates the interval before the user is logged off or the computer restarts (minutes).**
+>- **Display a dialog box that the user cannot close, which displays the countdown interval before the user is logged off or the computer restarts (minutes).**
+
+### Step 3: Enable Peer Cache
+
+Use **Peer Cache** to help manage deployment of content to clients in remote locations. Peer Cache is a built-in Configuration Manager solution that enables clients to share content with other clients directly from their local cache.
+
+[Enable Configuration Manager client in full OS to share content](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#enable-configuration-manager-client-in-full-os-to-share-content) if you have clients in remote locations that would benefit from downloading feature update content from a peer instead of downloading it from a distribution point (or Microsoft Update).
+
+### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later)
+
+If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
+
+%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
+
+```
+[SetupConfig]
+Priority=Normal
+```
+
+You can use the new [Run Scripts](https://docs.microsoft.com/sccm/apps/deploy-use/create-deploy-scripts) feature to run a PowerShell script like the sample below to create the SetupConfig.ini on target devices.
+
+```
+#Parameters
+Param(
+ [string] $PriorityValue = "Normal"
+ )
+
+#Variable for ini file path
+$iniFilePath = "$env:SystemDrive\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini"
+
+#Variables for SetupConfig
+$iniSetupConfigSlogan = "[SetupConfig]"
+$iniSetupConfigKeyValuePair =@{"Priority"=$PriorityValue;}
+
+#Init SetupConfig content
+$iniSetupConfigContent = @"
+$iniSetupConfigSlogan
+"@
+
+#Build SetupConfig content with settings
+foreach ($k in $iniSetupConfigKeyValuePair.Keys)
+{
+ $val = $iniSetupConfigKeyValuePair[$k]
+
+ $iniSetupConfigContent = $iniSetupConfigContent.Insert($iniSetupConfigContent.Length, "`r`n$k=$val")
+}
+
+#Write content to file
+New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force
+
+Disclaimer
+Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is
+provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without
+limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk
+arising out of the use or performance of the sample script and documentation remains with you. In no event shall
+Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable
+for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption,
+loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script
+or documentation, even if Microsoft has been advised of the possibility of such damages.
+```
+
+>[!NOTE]
+>If you elect not to override the default setup priority, you will need to increase the [maximum run time](https://docs.microsoft.com/sccm/sum/get-started/manage-settings-for-software-updates#BKMK_SetMaxRunTime) value for Feature Update to Windows 10, version 1709 or higher from the default of 60 minutes. A value of 240 minutes may be required. Remember to ensure that your maintenance window duration is larger than your defined maximum run time value.
+
+## Manually deploy feature updates
+
+The following sections provide the steps to manually deploy a feature update.
+
+### Step 1: Specify search criteria for feature updates
+There are potentially a thousand or more feature updates displayed in the Configuration Manager console. The first step in the workflow for manually deploying feature updates is to identify the feature updates that you want to deploy.
+
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**. The synchronized feature updates are displayed.
+3. In the search pane, filter to identify the feature updates that you need by using one or both of the following steps:
+ - In the search text box, type a search string that will filter the feature updates. For example, type the version number for a specific feature update, or enter a string that would appear in the title of the feature update.
+ - Click **Add Criteria**, select the criteria that you want to use to filter software updates, click **Add**, and then provide the values for the criteria. For example, Title contains 1803, Required is greater than or equal to 1, and Language equals English.
+
+4. Save the search for future use.
+
+### Step 2: Download the content for the feature update(s)
+Before you deploy the feature updates, you can download the content as a separate step. Do this so you can verify that the content is available on the distribution points before you deploy the feature updates. This will help you to avoid any unexpected issues with the content delivery. Use the following procedure to download the content for feature updates before creating the deployment.
+
+1. In the Configuration Manager console, navigate to **Software Library > Windows 10 Servicing**.
+2. Choose the feature update(s) to download by using your saved search criteria. Select one or more of the feature updates returned, right click, and select Download.
+
+ The **Download Software Updates Wizard** opens.
+3. On the **Deployment Package** page, configure the following settings:
+ **Create a new deployment package**: Select this setting to create a new deployment package for the software updates that are in the deployment. Configure the following settings:
+ - **Name**: Specifies the name of the deployment package. The package must have a unique name that briefly describes the package content. It is limited to 50 characters.
+ - **Description**: Specifies the description of the deployment package. The package description provides information about the package contents and is limited to 127 characters.
+ - **Package source**: Specifies the location of the feature update source files. Type a network path for the source location, for example, \\server\sharename\path, or click **Browse** to find the network location. You must create the shared folder for the deployment package source files before you proceed to the next page.
+
+ >[!NOTE]
+ >The deployment package source location that you specify cannot be used by another software deployment package.
+
+ >[!IMPORTANT]
+ >The SMS Provider computer account and the user that is running the wizard to download the feature updates must both have Write NTFS permissions on the download location. You should carefully restrict access to the download location to reduce the risk of attackers tampering with the feature update source files.
+
+ >[!IMPORTANT]
+ >You can change the package source location in the deployment package properties after Configuration Manager creates the deployment package. But if you do so, you must first copy the content from the original package source to the new package source location.
+
+ Click **Next**.
+4. On the **Distribution Points** page, specify the distribution points or distribution point groups that will host the feature update files, and then click **Next**. For more information about distribution points, see [Distribution point configurations](https://docs.microsoft.com/sccm/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_configs).
+
+ >[!NOTE]
+ >The Distribution Points page is available only when you create a new software update deployment package.
+5. On the **Distribution Settings** page, specify the following settings:
+
+ - **Distribution priority**: Use this setting to specify the distribution priority for the deployment package. The distribution priority applies when the deployment package is sent to distribution points at child sites. Deployment packages are sent in priority order: High, Medium, or Low. Packages with identical priorities are sent in the order in which they were created. If there is no backlog, the package will process immediately regardless of its priority. By default, packages are sent using Medium priority.
+ - **Enable for on-demand distribution**: Use this setting to enable on-demand content distribution to preferred distribution points. When this setting is enabled, the management point creates a trigger for the distribution manager to distribute the content to all preferred distribution points when a client requests the content for the package and the content is not available on any preferred distribution points. For more information about preferred distribution points and on-demand content, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+ - **Prestaged distribution point settings**: Use this setting to specify how you want to distribute content to prestaged distribution points. Choose one of the following options:
+ - **Automatically download content when packages are assigned to distribution points**: Use this setting to ignore the prestage settings and distribute content to the distribution point.
+ - **Download only content changes to the distribution point**: Use this setting to prestage the initial content to the distribution point, and then distribute content changes to the distribution point.
+ - **Manually copy the content in this package to the distribution point**: Use this setting to always prestage content on the distribution point. This is the default setting.
+
+ For more information about prestaging content to distribution points, see [Use Prestaged content](https://docs.microsoft.com/sccm/core/servers/deploy/configure/deploy-and-manage-content#bkmk_prestage).
+ Click **Next**.
+6. On the **Download Location** page, specify location that Configuration Manager will use to download the software update source files. As needed, use the following options:
+
+ - **Download software updates from the Internet**: Select this setting to download the software updates from the location on the Internet. This is the default setting.
+ - **Download software updates from a location on the local network**: Select this setting to download software updates from a local folder or shared network folder. Use this setting when the computer running the wizard does not have Internet access.
+
+ >[!NOTE]
+ >When you use this setting, download the software updates from any computer with Internet access, and then copy the software updates to a location on the local network that is accessible from the computer running the wizard.
+
+ Click **Next**.
+7. On the **Language Selection** page, specify the languages for which the selected feature updates are to be downloaded, and then click **Next**. Ensure that your language selection matches the language(s) of the feature updates selected for download. For example, if you selected English and German based feature updates for download, select those same languages on the language selection page.
+8. On the **Summary** page, verify the settings that you selected in the wizard, and then click Next to download the software updates.
+9. On the **Completion** page, verify that the software updates were successfully downloaded, and then click Close.
+
+#### To monitor content status
+1. To monitor the content status for the feature updates, click **Monitoring** in the Configuration Manager console.
+2. In the Monitoring workspace, expand **Distribution Status**, and then click **Content Status**.
+3. Select the feature update package that you previously identified to download the feature updates.
+4. On the **Home** tab, in the Content group, click **View Status**.
+
+### Step 3: Deploy the feature update(s)
+After you determine which feature updates you intend to deploy, you can manually deploy the feature update(s). Use the following procedure to manually deploy the feature update(s).
+
+1. In the Configuration Manager console, click **Software Library**.
+2. In the Software Library workspace, expand **Windows 10 Servicing**, and click **All Windows 10 Updates**.
+3. Choose the feature update(s) to deploy by using your saved search criteria. Select one or more of the feature updates returned, right click, and select **Deploy**.
+
+ The **Deploy Software Updates Wizard** opens.
+4. On the General page, configure the following settings:
+ - **Name**: Specify the name for the deployment. The deployment must have a unique name that describes the purpose of the deployment and differentiates it from other deployments in the Configuration Manager site. By default, Configuration Manager automatically provides a name for the deployment in the following format: **Microsoft Software Updates - \\**
+ - **Description**: Specify a description for the deployment. The description provides an overview of the deployment and any other relevant information that helps to identify and differentiate the deployment among others in Configuration Manager site. The description field is optional, has a limit of 256 characters, and has a blank value by default.
+ - **Software Update/Software Update Group**: Verify that the displayed software update group, or software update, is correct.
+ - **Select Deployment Template**: Specify whether to apply a previously saved deployment template. You can configure a deployment template to contain multiple common software update deployment properties and then apply the template when you deploy subsequent software updates to ensure consistency across similar deployments and to save time.
+ - **Collection**: Specify the collection for the deployment, as applicable. Members of the collection receive the feature updates that are defined in the deployment.
+5. On the Deployment Settings page, configure the following settings:
+
+ - **Type of deployment**: Specify the deployment type for the software update deployment. Select **Required** to create a mandatory software update deployment in which the feature updates are automatically installed on clients before a configured installation deadline.
+
+ >[!IMPORTANT]
+ > After you create the software update deployment, you cannot later change the type of deployment.
+
+ >[!NOTE]
+ >A software update group deployed as Required will be downloaded in background and honor BITS settings, if configured.
+
+ - **Use Wake-on-LAN to wake up clients for required deployments**: Specify whether to enable Wake On LAN at the deadline to send wake-up packets to computers that require one or more software updates in the deployment. Any computers that are in sleep mode at the installation deadline time will be awakened so the software update installation can initiate. Clients that are in sleep mode that do not require any software updates in the deployment are not started. By default, this setting is not enabled and is available only when Type of deployment is set to Required.
+
+ >[!WARNING]
+ >Before you can use this option, computers and networks must be configured for Wake On LAN.
+
+ - **Detail level**: Specify the level of detail for the state messages that are reported by client computers.
+6. On the Scheduling page, configure the following settings:
+
+ - **Schedule evaluation**: Specify whether the available time and installation deadline times are evaluated according to UTC or the local time of the computer running the Configuration Manager console.
+
+ >[!NOTE]
+ >When you select local time, and then select **As soon as possible** for the **Software available time** or **Installation deadline**, the current time on the computer running the Configuration Manager console is used to evaluate when updates are available or when they are installed on a client. If the client is in a different time zone, these actions will occur when the client's time reaches the evaluation time.
+
+ - **Software available time**: Select **As soon as possible** to specify when the software updates will be available to clients:
+ - **As soon as possible**: Select this setting to make the software updates in the deployment available to clients as soon as possible. When the deployment is created, the client policy is updated, the clients are made aware of the deployment at their next client policy polling cycle, and then the software updates are available for installation.
+ - **Installation deadline**: Select **Specific time** to specify the installation deadline for the software updates in the deployment.
+
+ >[!NOTE]
+ >You can configure the installation deadline setting only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ - **Specific time**: Select this setting to automatically install the software updates in the deployment at a specific date and time. Set the date and time value to correspond with your defined maintenance window for the target collection. Allow sufficient time for clients to download the content in advance of the deadline. Adjust accordingly if clients in your environment will need additional download time. E.g., slow or unreliable network links.
+
+ >[!NOTE]
+ >The actual installation deadline time is the specific time that you configure plus a random amount of time up to 2 hours. This reduces the potential impact of all client computers in the destination collection installing the software updates in the deployment at the same time. Configure the Computer Agent client setting, Disable deadline randomization to disable the installation randomization delay for the required software updates to allow a greater chance for the installation to start and complete within your defined maintenance window. For more information, see [Computer Agent](https://docs.microsoft.com/sccm/core/clients/deploy/about-client-settings#computer-agent).
+7. On the User Experience page, configure the following settings:
+ - **User notifications**: Specify whether to display notification of the software updates in Software Center on the client computer at the configured **Software available time** and whether to display user notifications on the client computers. When **Type of deployment** is set to **Available** on the Deployment Settings page, you cannot select **Hide in Software Center and all notifications**.
+ - **Deadline behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify the behavior that is to occur when the deadline is reached for the software update deployment. Specify whether to install the software updates in the deployment. Also specify whether to perform a system restart after software update installation regardless of a configured maintenance window. For more information about maintenance windows, see [How to use maintenance windows](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows).
+ - **Device restart behavior**: Available only when **Type of deployment** is set to **Required** on the Deployment Settings page. Specify whether to suppress a system restart on servers and workstations after software updates are installed and a system restart is required to complete the installation.
+
+ >[!IMPORTANT]
+ >Suppressing system restarts can be useful in server environments or for cases in which you do not want the computers that are installing the software updates to restart by default. However, doing so can leave computers in an insecure state, whereas allowing a forced restart helps to ensure immediate completion of the software update installation.
+ - **Write filter handling for Windows Embedded devices**: When you deploy software updates to Windows Embedded devices that are write filter enabled, you can specify to install the software update on the temporary overlay and either commit changes later or commit the changes at the installation deadline or during a maintenance window. When you commit changes at the installation deadline or during a maintenance window, a restart is required and the changes persist on the device.
+
+ >[!NOTE]
+ >When you deploy a software update to a Windows Embedded device, make sure that the device is a member of a collection that has a configured maintenance window.
+ - **Software updates deployment re-evaluation behavior upon restart**: Starting in Configuration Manager version 1606, select this setting to configure software updates deployments to have clients run a software updates compliance scan immediately after a client installs software updates and restarts. This enables the client to check for additional software updates that become applicable after the client restarts, and to then install them (and become compliant) during the same maintenance window.
+8. On the Alerts page, configure how Configuration Manager and System Center Operations Manager will generate alerts for this deployment. You can configure alerts only when **Type of deployment** is set to **Required** on the Deployment Settings page.
+
+ >[!NOTE]
+ >You can review recent software updates alerts from the Software Updates node in the Software Library workspace.
+9. On the Download Settings page, configure the following settings:
+ - Specify whether the client will download and install the software updates when a client is connected to a slow network or is using a fallback content location.
+ - Specify whether to have the client download and install the software updates from a fallback distribution point when the content for the software updates is not available on a preferred distribution point.
+ - **Allow clients to share content with other clients on the same subnet**: Specify whether to enable the use of BranchCache for content downloads. For more information about BranchCache, see [Fundamental concepts for content management](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/fundamental-concepts-for-content-management#branchcache).
+ - **If software updates are not available on distribution point in current, neighbor or site groups, download content from Microsoft Updates**: Select this setting to have clients that are connected to the intranet download software updates from Microsoft Update if software updates are not available on distribution points. Internet-based clients can always go to Microsoft Update for software updates content.
+ - Specify whether to allow clients to download after an installation deadline when they use metered Internet connections. Internet providers sometimes charge by the amount of data that you send and receive when you are on a metered Internet connection.
+
+ >[!NOTE]
+ >Clients request the content location from a management point for the software updates in a deployment. The download behavior depends upon how you have configured the distribution point, the deployment package, and the settings on this page. For more information, see [Content source location scenarios](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/content-source-location-scenarios).
+10. On the Summary page, review the settings. To save the settings to a deployment template, click **Save As Template**, enter a name and select the settings that you want to include in the template, and then click **Save**. To change a configured setting, click the associated wizard page and change the setting.
+11. Click **Next** to deploy the feature update(s).
+
+### Step 4: Monitor the deployment status
+After you deploy the feature update(s), you can monitor the deployment status. Use the following procedure to monitor the deployment status:
+
+1. In the Configuration Manager console, navigate to **Monitoring > Overview > Deployments**.
+2. Click the software update group or software update for which you want to monitor the deployment status.
+3. On the **Home** tab, in the **Deployment** group, click **View Status**.
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 61469bed82..37ed550405 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -1,43 +1,44 @@
----
-title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
-description: Learn how to deploy feature updates to your mission critical devices
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 07/10/2018
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
-
-**Applies to**: Windows 10
-
-Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
-
-For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
-
-Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
-
-- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows.
-- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician.
-
-You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
-
-- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
-- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
-- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
-
-If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method.
-
-Use the following information:
-
-
-- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md)
-- [Deploy feature updates for user-initiated installations](feature-update-user-install.md)
-- [Conclusion](feature-update-conclusion.md)
+---
+title: Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
+description: Learn how to deploy feature updates to your mission critical devices
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.date: 07/10/2018
+ms.reviewer:
+manager: laurawi
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
+
+**Applies to**: Windows 10
+
+Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the System Center Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
+
+For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, please see [Using Windows 10 servicing plans to deploy Windows 10 feature updates](waas-manage-updates-configuration-manager.md#use-windows-10-servicing-plans-to-deploy-windows-10-feature-updates).
+
+Devices and shared workstations that are online and available 24 hours a day, 7 days a week, can be serviced via one of two primary methods:
+
+- **Service during maintenance windows** – Devices that have established maintenance windows will need to have feature updates scheduled to fit within these windows.
+- **Service only when manually initiated** – Devices that need physical verification of the availability to update will need to have updates manually initiated by a technician.
+
+You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
+
+- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
+- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
+- **Language pack installs.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
+
+If you need to leverage a task sequence to deploy feature updates, please see [Using a task sequence to deploy Windows 10 updates](waas-manage-updates-configuration-manager.md#use-a-task-sequence-to-deploy-windows-10-updates) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, please see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You may be able to leverage this functionality with the software updates deployment method.
+
+Use the following information:
+
+
+- [Deploy feature updates during maintenance windows](feature-update-maintenance-window.md)
+- [Deploy feature updates for user-initiated installations](feature-update-user-install.md)
+- [Conclusion](feature-update-conclusion.md)
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 8b7e286eab..e22be01edd 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -3,11 +3,10 @@ title: Best practices - deploy feature updates for user-initiated installations
 description: Learn how to manually deploy feature updates
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 audience: itpro
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
-ms.author: greglin
+ms.author: jaimeo
 ms.date: 07/10/2018
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 8e8e208b29..9dbe7740b3 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -3,11 +3,11 @@ title: Windows 10 - How to make FoD and language packs available when you're usi
 description: Learn how to make FoD and language packs available when you're using WSUS/SCCM
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
+
 ms.pagetype: article
-ms.author: greglin
+ms.author: jaimeo
 audience: itpro
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
 ms.date: 03/13/2019
 ms.reviewer:
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index e71e615d1f..1103564dea 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,146 +1,146 @@ ---- -title: How Windows Update works -description: Learn how Windows Update works, including architecture and troubleshooting -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.author: greglin -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.collection: M365-modern-desktop -ms.topic: article ---- - -# How does Windows Update work? - -> Applies to: Windows 10 - -The Windows Update workflow has four core areas of functionality: - -### Scan - -1. Orchestrator schedules the scan. -2. Orchestrator verifies admin approvals and policies for download. - - -### Download -1. Orchestrator initiates downloads. -2. Windows Update downloads manifest files and provides them to the arbiter. -3. The arbiter evaluates the manifest and tells the Windows Update client to download files. -4. Windows Update client downloads files in a temporary folder. -5. The arbiter stages the downloaded files. - - -### Install -1. Orchestrator initiates the installation. -2. The arbiter calls the installer to install the package. - - -### Commit -1. Orchestrator initiates a restart. -2. The arbiter finalizes before the restart. - - -## How updating works -During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. - -## Scanning updates -![Windows Update scanning step](images/update-scan-step.png) - -The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. 
- -When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. - -Make sure you're familiar with the following terminology related to Windows Update scan: - -|Term|Definition| -|----|----------| -|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| -|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| -|Child update|Leaf update that's bundled by another update; contains payload.| -|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| -|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | -|Full scan|Scan with empty datastore.| -|Delta scan|Scan with updates from previous scan already cached in datastore.| -|Online scan|Scan that hits network and goes against server on cloud. | -|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | -|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| -|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| -|Software sync|Part of the scan that looks at software updates only (OS and apps).| -|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| -|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | - -### How Windows Update scanning works - -Windows Update takes the following sets of actions when it runs a scan. 
- -#### Starts the scan for updates -When users start scanning in Windows Update through the Settings panel, the following occurs: - -- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. -- "Agent" messages: queueing the scan, then actually starting the work: - - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. - - Windows Update uses the thread ID filtering to concentrate on one particular task. - - ![Windows Update scan log 1](images/update-scan-log-1.png) - -#### Identifies service IDs - -- Service IDs indicate which update source is being scanned. - Note The next screen shot shows Microsoft Update and the Flighting service. - -- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. - ![Windows Update scan log 2](images/update-scan-log-2.png) -- Common service IDs - - > [!IMPORTANT] - > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. - -|Service|ServiceId| -|-------|---------| -|Unspecified / Default|WU, MU or WSUS
    00000000-0000-0000-0000-000000000000 | -|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| -|MU|7971f918-a847-4430-9279-4a52d1efe18d| -|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| -|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| -|WSUS or SCCM|Via ServerSelection::ssManagedServer
    3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | -|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| - -#### Finds network faults -Common update failure is caused due to network issues. To find the root of the issue: - -- Look for "ProtocolTalker" messages to see client-server sync network traffic. -- "SOAP faults" can be either client- or server-side issues; read the message. -- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. - - > [!NOTE] - > Warning messages for SLS can be ignored if the search is against WSUS/SCCM. - -- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. - ![Windows Update scan log 3](images/update-scan-log-3.png) - -## Downloading updates -![Windows Update download step](images/update-download-step.png) - -Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. - -To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. - -For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). - -## Installing updates -![Windows Update install step](images/update-install-step.png) - -When an update is applicable, the "Arbiter" and metadata are downloaded. 
Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". - -The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. - -## Committing Updates -![Windows Update commit step](images/update-commit-step.png) - -When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. - -For more information see [Manage device restarts after updates](waas-restart.md). +--- +title: How Windows Update works +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.collection: M365-modern-desktop +ms.topic: article +--- + +# How does Windows Update work? + +> Applies to: Windows 10 + +The Windows Update workflow has four core areas of functionality: + +### Scan + +1. Orchestrator schedules the scan. +2. Orchestrator verifies admin approvals and policies for download. + + +### Download +1. Orchestrator initiates downloads. +2. Windows Update downloads manifest files and provides them to the arbiter. +3. The arbiter evaluates the manifest and tells the Windows Update client to download files. +4. Windows Update client downloads files in a temporary folder. +5. 
The arbiter stages the downloaded files. + + +### Install +1. Orchestrator initiates the installation. +2. The arbiter calls the installer to install the package. + + +### Commit +1. Orchestrator initiates a restart. +2. The arbiter finalizes before the restart. + + +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. + +## Scanning updates +![Windows Update scanning step](images/update-scan-step.png) + +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. + +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. + +Make sure you're familiar with the following terminology related to Windows Update scan: + +|Term|Definition| +|----|----------| +|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. 
| +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Online scan|Scan that hits network and goes against server on cloud. | +|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| +|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| +|Software sync|Part of the scan that looks at software updates only (OS and apps).| +|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| +|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | + +### How Windows Update scanning works + +Windows Update takes the following sets of actions when it runs a scan. + +#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. + + ![Windows Update scan log 1](images/update-scan-log-1.png) + +#### Identifies service IDs + +- Service IDs indicate which update source is being scanned. + Note The next screen shot shows Microsoft Update and the Flighting service. + +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. 
+ ![Windows Update scan log 2](images/update-scan-log-2.png) +- Common service IDs + + > [!IMPORTANT] + > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + +|Service|ServiceId| +|-------|---------| +|Unspecified / Default|WU, MU or WSUS
    00000000-0000-0000-0000-000000000000 | +|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| +|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|WSUS or SCCM|Via ServerSelection::ssManagedServer
    3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| + +#### Finds network faults +Common update failure is caused due to network issues. To find the root of the issue: + +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. + + > [!NOTE] + > Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + +- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. + ![Windows Update scan log 3](images/update-scan-log-3.png) + +## Downloading updates +![Windows Update download step](images/update-download-step.png) + +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. + +To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. + +For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). + +## Installing updates +![Windows Update install step](images/update-install-step.png) + +When an update is applicable, the "Arbiter" and metadata are downloaded. 
Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". + +The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. + +## Committing Updates +![Windows Update commit step](images/update-commit-step.png) + +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. + +For more information see [Manage device restarts after updates](waas-restart.md). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 9c45228695..d08ff458c4 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -3,8 +3,7 @@ title: Update Windows 10 in enterprise deployments (Windows 10) description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library -author: Jaimeo +author: jaimeo manager: laurawi ms.localizationpriority: high ms.author: jaimeo diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index 4f38f8583c..adb1e56155 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md 
@@ -1,131 +1,136 @@ ---- -title: Olympia Corp enrollment guidelines -description: Olympia Corp enrollment guidelines -ms.author: greglin -ms.topic: article -ms.prod: w10 -ms.technology: windows -audience: itpro author: greg-lindsay -ms.reviewer: -manager: laurawi -keywords: insider, trial, enterprise, lab, corporation, test ---- - -# Olympia Corp - -## What is Windows Insider Lab for Enterprise and Olympia Corp? - -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. - -As an Olympia user, you will have an opportunity to: - -- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. - ->[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. - -For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). - -To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). - -## Enrollment guidelines - -Welcome to Olympia Corp. 
Here are the steps needed to enroll. - -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. - -Choose one of the following two enrollment options: - -- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. - -- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. - - - -### Set up an Azure Active Directory-REGISTERED Windows 10 device - -This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. - - ![Set up a work or school account](images/1-3.png) - -4. Enter the temporary password that was sent to you. 
Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/1-4.png) - -5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. - -6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. - -7. Create a PIN for signing into your Olympia corporate account. - -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - - - -### Set up Azure Active Directory-JOINED Windows 10 device - -- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). - - ![Settings -> Accounts](images/1-1.png) - -2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. - -3. Click **Connect**, then click **Join this device to Azure Active Directory**. - - ![Update your password](images/2-3.png) - -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). 
Click **Next**. - - ![Set up a work or school account](images/2-4.png) - -5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - - ![Update your password](images/2-5.png) - -6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. - -8. Create a PIN for signing into your Olympia corporate account. - -9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. - -10. Restart your device. - -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. - -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - ->[!NOTE] -> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. - +--- +title: Olympia Corp enrollment guidelines +description: Olympia Corp enrollment guidelines +ms.author: jaimeo +ms.topic: article +ms.prod: w10 +ms.technology: windows +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.reviewer: +manager: laurawi +keywords: insider, trial, enterprise, lab, corporation, test +--- + +# Olympia Corp + +## What is Windows Insider Lab for Enterprise and Olympia Corp? 
+ +Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. + +As an Olympia user, you will have an opportunity to: + +- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). +- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. +- Validate and test pre-release software in your environment. +- Provide feedback. +- Interact with engineering team members through a variety of communication channels. + +>[!Note] +>Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. + +For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). + +To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). + +## Enrollment guidelines + +Welcome to Olympia Corp. Here are the steps needed to enroll. + +As part of Windows Insider Lab for Enterprise, you can upgrade to Windows 10 Enterprise from Windows 10 Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows 10 Enterprise, we recommend you to upgrade. 
+ +Choose one of the following two enrollment options: + +- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. + +- If you are running Windows 10 Pro, we recommend that you upgrade to Windows 10 Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. + + + +### Set up an Azure Active Directory-REGISTERED Windows 10 device + +This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information. + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/1-3.png) + +4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/1-4.png) + +5. Read the **Terms and Conditions**. Click **Accept** to participate in the program. + +6. 
If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. + +7. Create a PIN for signing into your Olympia corporate account. + +8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + + + +### Set up Azure Active Directory-JOINED Windows 10 device + +- This method will upgrade your Windows 10 Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup) for more information. + + > [!NOTE] + > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-edition-upgrades#upgrade-by-manually-entering-a-product-key). + +1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)). + + ![Settings -> Accounts](images/1-1.png) + +2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**. + +3. 
Click **Connect**, then click **Join this device to Azure Active Directory**. + + ![Update your password](images/2-3.png) + +4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**. + + ![Set up a work or school account](images/2-4.png) + +5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password. + + > [!NOTE] + > Passwords should contain 8-16 characters, including at least one special character or number. + + ![Update your password](images/2-5.png) + +6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. + +8. Create a PIN for signing into your Olympia corporate account. + +9. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**. + +10. Restart your device. + +11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows 10 Enterprise. + +12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Click on the current Windows Insider account, and click **Change**. Sign in with your **Olympia corporate account**. + + > [!NOTE] + > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). + +13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. + +>[!NOTE] +> Your Windows 10 Enterprise license will not be renewed if your device is not connected to Olympia. + diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 67d92aa201..b13b1e355c 100644 --- a/windows/deployment/update/servicing-stack-updates.md 
+++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -1,58 +1,57 @@
----
-title: Servicing stack updates (Windows 10)
-description: Servicing stack updates improve the code that installs the other updates.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro
-author: greg-lindsay
-ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 11/29/2018
-ms.reviewer:
-manager: laurawi
-ms.collection: M365-modern-desktop
-ms.topic: article
----
-
-# Servicing stack updates
-
-
-**Applies to**
-
-- Windows 10, Windows 8.1, Windows 8, Windows 7
-
-## What is a servicing stack update?
-Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
-
-## Why should servicing stack updates be installed and kept up to date?
-
-Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
-
-## When are they released?
-
-Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
-
->[!NOTE]
->You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
-
-## What's the difference between a servicing stack update and a cumulative update?
-
-Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
-
-Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
-
-
-## Is there any special guidance?
-
-Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
-
-Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
-
-## Installation notes
-
-* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
-* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
-* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
-* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
-* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
+---
+title: Servicing stack updates (Windows 10)
+description: Servicing stack updates improve the code that installs the other updates.
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+ms.reviewer:
+manager: laurawi
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Servicing stack updates
+
+
+**Applies to**
+
+- Windows 10, Windows 8.1, Windows 8, Windows 7
+
+## What is a servicing stack update?
+Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
+
+## Why should servicing stack updates be installed and kept up to date?
+
+Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
+
+## When are they released?
+
+Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
+
+>[!NOTE]
+>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
+
+## What's the difference between a servicing stack update and a cumulative update?
+
+Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
+
+Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
+
+
+## Is there any special guidance?
+
+Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
+
+Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
+
+## Installation notes
+
+* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
+* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
+* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
+* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001).
+* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
\ No newline at end of file
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index ef10467607..612c44e92a 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -5,7 +5,6 @@ manager: laurawi
 description: new Delivery Optimization data displayed in Update Compliance
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
 ms.pagetype: deploy
 audience: itpro
 author: jaimeo
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 8d6fa2501e..2d3216901c 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -1,49 +1,50 @@
----
-title: Update Compliance - Feature Update Status report
-ms.reviewer:
-manager: laurawi
-description: an overview of the Feature Update Status report
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Feature Update Status
-
-![The Feature Update Status report](images/UC_workspace_FU_status.png)
-
-The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
-
-## Overall Feature Update Status
-
-The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category.
-
-## Deployment Status by Servicing Channel
-
-To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in.
-
-Refer to the following list for what each state means:
-* **Installed** devices are devices that have completed installation for the given update.
-* When a device is counted as **In Progress**, it has begun the feature update installation.
-* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days.
-* Devices that have failed the given feature update installation are counted as **Update failed**.
-* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
-
-## Compatibility holds
-
-Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
-
-To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status).
-
-### Opting out of compatibility hold
-
-Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**.
-
-
-Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device.
-
+---
+title: Update Compliance - Feature Update Status report
+ms.reviewer:
+manager: laurawi
+description: an overview of the Feature Update Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Feature Update Status
+
+![The Feature Update Status report](images/UC_workspace_FU_status.png)
+
+The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels).
+
+## Overall Feature Update Status
+
+The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category.
+
+## Deployment Status by Servicing Channel
+
+To effectively track deployment, **Deployment Status Blades** are divided into each Servicing Channel chosen for the device. This is because Deployment for each channel will happen at different periods in time and feature updates are targeted separately for each channel. Within each Deployment Status tile, devices are aggregated on their feature update distribution, and the columns list the states each device is in.
+
+Refer to the following list for what each state means:
+* **Installed** devices are devices that have completed installation for the given update.
+* When a device is counted as **In Progress**, it has begun the feature update installation.
+* Devices that are **scheduled next 7 days** are all devices that were deferred from installing the Feature update using [Windows Update for Business Settings](waas-manage-updates-wufb.md) and are set to begin installation in the next 7 days.
+* Devices that have failed the given feature update installation are counted as **Update failed**.
+* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category.
+
+## Compatibility holds
+
+Microsoft uses diagnostic data to determine whether devices that use Windows Update are ready for a feature update in order to ensure a smooth experience. When Microsoft determines a device is not ready to update due to a known issue, a *compatibility hold* is generated to delay the device’s upgrade and safeguard the end-user experience. Holds are released over time as diagnostic data is analyzed and fixes are addressed. Details are provided on some, but not all compatibility holds on the Windows 10 release information page for any given release.
+
+To learn how compatibility holds are reflected in the experience, see [Update compliance perspectives](update-compliance-perspectives.md#deployment-status).
+
+### Opting out of compatibility hold
+
+Microsoft will release a device from a compatibility hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired. To opt out, set the registry key **HKLM\Software\Microsoft\Windows NT\CurrentVersion\502505fe-762c-4e80-911e-0c3fa4c63fb0** to a name of **DataRequireGatedScanForFeatureUpdates** and a value of **0**.
+
+
+Setting this registry key to **0** will force the device to opt out from *all* compatibility holds. Any other value, or deleting the key, will resume compatibility protection on the device.
+
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 03cf9cabc8..5e81c8e5a0 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -6,7 +6,6 @@ description: Configure Update Compliance in Azure Portal to see the status of up keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo @@ -50,7 +49,7 @@ Update Compliance is offered as a solution which is linked to a new or existing ![Update Compliance solution creation](images/UC_01_marketplace_create.png) 4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. - - [Desktop Analytics](https://docs.microsoft.com/en-us/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. + - [Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/overview) customers are advised to use the same workspace for Update Compliance. - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. - For the resource group setting select **Create new** and use the same name you chose for your new workspace. 
@@ -90,7 +89,7 @@ Commercial ID can be deployed using Group Policy. The Group Policy for Commercia ![Commercial ID Group Policy location](images/UC_commercialID_GP.png) #### Deploying Commercial ID using MDM -Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp). +Commercial ID can be deployed through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy beginning with Windows 10, version 1607. Commercial ID is under the [DMClient configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp). ### Ensure endpoints are whitelisted To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to whitelist the following endpoints. You may need security group approval to do this. 
@@ -106,7 +105,7 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic | `https://login.live.com` | This endpoint is optional but allows for the Update Compliance service to more reliably identify and process devices. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | ### Set diagnostic data levels -Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization). +Update Compliance requires that devices are configured to send Microsoft at least the Basic level of diagnostic data in order to function. For more information on Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization). #### Configuring Telemetry level using Group Policy You can set Allow Telemetry through Group Policy, this setting is in the same place as the Commercial ID policy, under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry**. Update Compliance requires at least Basic (level 1) to function. 
@@ -114,7 +113,7 @@ You can set Allow Telemetry through Group Policy, this setting is in the same pl ![Allow Telemetry in Group Policy](images/UC_telemetrylevel.png) #### Configuring Telemetry level using MDM -Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/en-us/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). +Telemetry level can additionally be configured through a [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) policy. Allow Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). ### Enabling Device Name in telemetry Beginning with Windows 10, version 1803, Device Name is no longer collected as part of normal Windows Diagnostic Data and must explicitly be allowed to be sent to Microsoft. If devices do not have this policy enabled, their device name will appear as '#' instead. 
@@ -123,7 +122,7 @@ Beginning with Windows 10, version 1803, Device Name is no longer collected as p Allow Device Name in Telemetry is under the same node as Commercial ID and Allow Telemetry policies in Group Policy, listed as **Allow device name to be sent in Windows diagnostic data**. #### Allow Device Name in Telemetry with MDM -Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). +Allow Device Name in Telemetry is under the [Policy Configuration Service Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) as [System/AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry). >[!NOTE] >After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 3a02fa37ca..8996c05986 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -6,7 +6,6 @@ description: You can use Update Compliance in Azure Portal to monitor the progre keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo 
@@ -19,7 +18,7 @@ ms.topic: article # Monitor Windows Updates with Update Compliance >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). ## Introduction diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index be35a79469..a4b940a236 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md 
@@ -1,46 +1,47 @@
----
-title: Update Compliance - Need Attention! report
-ms.reviewer:
-manager: laurawi
-description: an overview of the Update Compliance Need Attention! report
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Needs attention!
-![Needs attention section](images/UC_workspace_needs_attention.png)
-
-The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
-
->[!NOTE]
->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
-
-The different issues are broken down by Device Issues and Update Issues:
-
-## Device Issues
-
-* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated.
-* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10.
-
-## Update Issues
-
-* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure.
-* **Cancelled**: This issue occurs when a user cancels the update process.
-* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
-* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
-* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
-
-Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
-
->[!NOTE]
->This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
-
-## List of Queries
-
-The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
+---
+title: Update Compliance - Need Attention! report
+ms.reviewer:
+manager: laurawi
+description: an overview of the Update Compliance Need Attention! report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Needs attention!
+![Needs attention section](images/UC_workspace_needs_attention.png)
+
+The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section.
+
+>[!NOTE]
+>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up.
+
+The different issues are broken down by Device Issues and Update Issues:
+
+## Device Issues
+
+* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated.
+* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10.
+
+## Update Issues
+
+* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure.
+* **Cancelled**: This issue occurs when a user cancels the update process.
+* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
+* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
+* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
+
+Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
+
+>[!NOTE]
+>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful.
+
+## List of Queries
+
+The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries.
diff --git a/windows/deployment/update/update-compliance-perspectives.md b/windows/deployment/update/update-compliance-perspectives.md
index 4af9e5897a..b38df5c5af 100644
--- a/windows/deployment/update/update-compliance-perspectives.md
+++ b/windows/deployment/update/update-compliance-perspectives.md
@@ -1,65 +1,66 @@
----
-title: Update Compliance - Perspectives
-ms.reviewer:
-manager: laurawi
-description: an overview of Update Compliance Perspectives
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Perspectives
-
-![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png)
-
-Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
-
-There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
-
-The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
-
-The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
-
-## Deployment status
-
-The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
-
-| State | Description |
-| --- | --- |
-| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
-| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
-| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
-| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. |
-| Cancelled | The update was cancelled. |
-| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
-| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
-| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
-| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). |
-
-## Detailed deployment status
-
-The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
-
-| State | Description |
-| --- | --- |
-| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. |
-| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. |
-| Update offered | The device has been offered the update, but has not begun downloading it. |
-| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
-| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
-| Download Started | The update has begun downloading on the device. |
-| Download Succeeded | The update has successfully completed downloading. |
-| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
-| Install Started | Installation of the update has begun. |
-| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
-| Reboot Pending | The device has a scheduled reboot to apply the update. |
-| Reboot Initiated | The scheduled reboot has been initiated. |
-| Update Completed/Commit | The update has successfully installed. |
-
->[!NOTE]
->Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
+---
+title: Update Compliance - Perspectives
+ms.reviewer:
+manager: laurawi
+description: an overview of Update Compliance Perspectives
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Perspectives
+
+![Perspectives data view](images/uc-perspectiveupdatedeploymentstatus.png)
+
+Perspectives are elaborations on specific queries hand-crafted by developers which data views that provide deeper insight into your data. Perspectives are loaded whenever clicking into more detailed views from both the Security Update Status section and Feature Update Status section of Update Compliance.
+
+There is only one perspective framework; it is for **Update Deployment Status**. The same framework is utilized for both feature and quality updates.
+
+The first blade is the **Build Summary** blade. This blade summarizes the most important aspects of the given build being queried, listing the total number of devices, the total number of update failures for the build, and a breakdown of the different errors encountered.
+
+The second blade is the **Deferral Configurations** blade, breaking down Windows Update for Business deferral settings (if any).
+
+## Deployment status
+
+The third blade is the **Deployment Status** blade. This defines how many days it has been since the queried version has been released, and breaks down the various states in the update funnel each device has reported to be in. The possible states are as follows:
+
+| State | Description |
+| --- | --- |
+| Update Completed | When a device has finished the update process and is on the queried update, it will display here as Update completed. |
+| In Progress | Devices that report they are “In Progress” are one of the various stages of installing an update; these stages are reported in the Detailed Deployment Status blade. |
+| Deferred | When a device’s Windows Update for Business deferral policy dictates that the update is not yet applicable due to deferral, it will report as such in this blade. |
+| Progress stalled | Devices that report as “Progress stalled” have been stuck at “In progress” for more than 7 days. |
+| Cancelled | The update was cancelled. |
+| Blocked | There is a hard block on the update being completed. This could be that another update must be completed before this one, or some other task is blocking the installation of the update. |
+| Unknown | Devices that do not report detailed information on the status of their updates will report Unknown. This is most likely devices that do not use Windows Update for deployment. |
+| Update paused | These devices have Windows Update for Business pause enabled, preventing this update from being installed. |
+| Failed | A device is unable to install an update. This failure could be linked to a serious error in the update installation process or, in some cases, a [compatibility hold](update-compliance-feature-update-status.md#compatibility-holds). |
+
+## Detailed deployment status
+
+The final blade is the **Detailed Deployment Status** blade. This blade breaks down the detailed stage of deployment a device is in, beyond the generalized terms defined in Deployment Status. The following are the possible stages a device can report:
+
+| State | Description |
+| --- | --- |
+| Update deferred | When a device’s Windows Update for Business policy dictates the update is deferred. |
+| Update paused | The device’s Windows Update for Business policy dictates the update is paused from being offered. |
+| Update offered | The device has been offered the update, but has not begun downloading it. |
+| Pre-Download tasks passed | The device has finished all necessary tasks prior to downloading the update. |
+| Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
+| Download Started | The update has begun downloading on the device. |
+| Download Succeeded | The update has successfully completed downloading. |
+| Pre-Install Tasks Passed | Tasks that must be completed prior to installing the update have been completed. |
+| Install Started | Installation of the update has begun. |
+| Reboot Required | The device has finished installing the update, and a reboot is required before the update can be completed.
+| Reboot Pending | The device has a scheduled reboot to apply the update. |
+| Reboot Initiated | The scheduled reboot has been initiated. |
+| Update Completed/Commit | The update has successfully installed. |
+
+>[!NOTE]
+>Interacting with any rows in the perspective view will automatically apply the given value to the query and execute it with the new parameter, narrowing the perspective to devices that satisfy that criteria. For example, clicking “Not configured (-1)” devices in Deferral Configurations will filter the query to only contain devices that do not have a deferral configuration. These filters can also be applied to queries via the filter sidebar.
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index d299981e93..fa252c9db1 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -5,7 +5,6 @@ manager: laurawi
 description: an overview of the Security Update Status report
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
 ms.pagetype: deploy
 author: jaimeo
 ms.author: jaimeo
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 932d20458b..3f9b6fbcbb 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -6,7 +6,6 @@ description: Explains how to begin using Update Compliance.
 keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
 ms.pagetype: deploy
 audience: itpro
 author: jaimeo
diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md
index 74250033ff..a6c324c71c 100644
--- a/windows/deployment/update/update-compliance-wd-av-status.md
+++ b/windows/deployment/update/update-compliance-wd-av-status.md
@@ -1,42 +1,43 @@
----
-title: Update Compliance - Windows Defender AV Status report
-ms.reviewer:
-manager: laurawi
-description: an overview of the Windows Defender AV Status report
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro author: greg-lindsay
-ms.author: greglin
-ms.collection: M365-analytics
-ms.topic: article
----
-
-# Windows Defender AV Status
-
-![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)
-
-The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus.
-
->[!NOTE]
->Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx).
-
-# Windows Defender AV Status sections
-The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.
-
-The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
-
-Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
-* **Signature out of date** devices are devices with a signature older than 14 days.
-* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
-* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
-* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
-* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
-
-## Windows Defender data latency
-Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
-
-## Related topics
-
-- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)
+---
+title: Update Compliance - Windows Defender AV Status report
+ms.reviewer:
+manager: laurawi
+description: an overview of the Windows Defender AV Status report
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.pagetype: deploy
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.author: jaimeo
+ms.collection: M365-analytics
+ms.topic: article
+---
+
+# Windows Defender AV Status
+
+![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png)
+
+The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus.
+
+>[!NOTE]
+>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx).
+
+# Windows Defender AV Status sections
+The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.
+
+The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
+
+Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance:
+* **Signature out of date** devices are devices with a signature older than 14 days.
+* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection.
+* **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days.
+* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team.
+* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared.
+
+## Windows Defender data latency
+Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days.
+
+## Related topics
+
+- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites)
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 6e8a4ba345..aee88e8e01 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -3,11 +3,9 @@ title: Configure BranchCache for Windows 10 updates (Windows 10)
 description: Use BranchCache to optimize network bandwidth during update deployment.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
-ms.author: greglin
-ms.date: 07/27/2017
+ms.author: jaimeo
 ms.reviewer:
 manager: laurawi
 ms.topic: article
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index c6b56e8162..81adf9756d 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -5,7 +5,7 @@ manager: laurawi
 description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
+
 audience: itpro
 author: jaimeo
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index fec88b2720..e7d8d21550 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -6,11 +6,11 @@ description: Reference of all Delivery Optimization settings and descriptions of
 keywords: oms, operations management suite, wdav, updates, downloads, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
+
 audience: itpro
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
-ms.author: greglin
+ms.author: jaimeo
 ms.collection: M365-modern-desktop
 ms.topic: article
 ---
@@ -132,7 +132,8 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection - 1 = AD Site - 2 = Authenticated domain SID - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) -- 4 = DNS Suffix +- 4 = DNS Suffix +- 5 = Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5. When set, the Group ID is assigned automatically from the selected source. If you set this policy, the GroupID policy will be ignored. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-4, the policy is ignored. diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index 0d016a2ce4..61a6af8b7c 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -6,7 +6,7 @@ description: Delivery Optimization is a new peer-to-peer distribution method in keywords: oms, operations management suite, wdav, updates, downloads, log analytics ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library + audience: itpro author: jaimeo ms.localizationpriority: medium diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 2152d896f3..6d7bf33b2a 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -6,7 +6,7 @@ description: Delivery Optimization is a peer-to-peer distribution method in Wind
 keywords: oms, operations management suite, wdav, updates, downloads, log analytics
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
+
 audience: itpro
 author: jaimeo
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index 30023d81bb..d5eab1b3c4 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -3,7 +3,6 @@ title: Build deployment rings for Windows 10 updates (Windows 10)
 description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 1bc196ce0e..d28b788ca7 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -3,10 +3,9 @@ title: Integrate Windows Update for Business with management solutions (Windows
 description: Use Windows Update for Business deployments with management tools such as Windows Server Update Services (WSUS) and System Center Configuration Manager.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
-ms.author: greglin
+ms.author: jaimeo
 ms.date: 07/27/2017
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/update/waas-manage-updates-configuration-manager.md b/windows/deployment/update/waas-manage-updates-configuration-manager.md
index 5ab254f79d..7563d572b3 100644
--- a/windows/deployment/update/waas-manage-updates-configuration-manager.md
+++ b/windows/deployment/update/waas-manage-updates-configuration-manager.md
@@ -3,7 +3,6 @@ title: Deploy Windows 10 updates using System Center Configuration Manager (Wind
 description: System Center Configuration Manager provides maximum control over quality and feature updates for Windows 10.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index cda79baf8e..e24cc6ff0b 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -3,7 +3,6 @@ title: Deploy Windows 10 updates using Windows Server Update Services (Windows 1
 description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index b80b9132c8..479877ca3a 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -5,7 +5,6 @@ manager: laurawi
 description: Windows Update for Business lets you manage when devices received updates from Windows Update.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
@@ -47,14 +46,14 @@ Windows Update for Business provides management policies for several types of up
 ## Offering
-You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period of time.
+You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
 ### Manage which updates are offered
 Windows Update for Business offers you the ability to turn on or off both driver and Microsoft product updates.
 - Drivers (on/off): When "on," this policy will not include drivers with Windows Update.
-- Microsoft product updates (on/off): When "on" this policy will install udpates for other Microsoft products.
+- Microsoft product updates (on/off): When "on" this policy will install updates for other Microsoft products.
 ### Manage when updates are offered
@@ -91,11 +90,19 @@ The branch readiness level enables administrators to specify which channel of fe Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. +### Recommendations + +For the best experience with Windows Update, follow these guidelines: + +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. ## Monitor Windows Updates by using Update Compliance -Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. 
+Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without extra infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. ![Update Compliance Dashboard](images/waas-wufb-update-compliance.png) diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index 73652f10a9..e425484498 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -3,7 +3,6 @@ title: Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile description: tbd ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md index bf740f50c0..cbfbcdff46 100644 --- a/windows/deployment/update/waas-morenews.md +++ b/windows/deployment/update/waas-morenews.md 
@@ -1,51 +1,58 @@ ---- -title: Windows as a service -ms.prod: w10 -ms.topic: article -ms.manager: elizapo -audience: itpro author: greg-lindsay -ms.author: greglin -ms.date: 12/19/2018 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- -# Windows as a service - More news - -Here's more news about [Windows as a service](windows-as-a-service.md): - - +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 993d1f887d..71135004a4 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -3,7 +3,6 @@ title: Optimize update delivery for Windows 10 updates (Windows 10) description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 02b95b42a5..23a3c73b90 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -4,7 +4,6 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo 
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index b7e23d8a0a..b2f7bf1b6a 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -4,7 +4,6 @@ description: In Windows 10, Microsoft has streamlined servicing to make operatin
 keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 0ea4468377..e1866cfcc0 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -3,7 +3,7 @@ title: Manage device restarts after updates (Windows 10)
 description: tbd
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
+
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 2375cfd6b8..2f891c98c0 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -3,7 +3,7 @@ title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
 description: tbd
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
+
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
@@ -57,14 +57,14 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi 1. Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options**. 2. Select **Defer feature updates**. -**To assign devicess to the Semi-Annual Channel by using Group Policy** +**To assign devices to the Semi-Annual Channel by using Group Policy** - In Windows 10, version 1607 and later releases: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to the Semi-Annual Channel -**To assign devicess to to the Semi-Annual Channel by using MDM** +**To assign devices to to the Semi-Annual Channel by using MDM** - In Windows 10, version 1607 and later releases: @@ -82,8 +82,8 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi To get started with the Windows Insider Program for Business, you will need to follow a few simple steps: -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/en-us/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/en-us/for-business-organization-admin/) and control settings centrally.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/insidersigninaad/). +2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. 3. Make sure the **Allow Telemetry** setting is set to **2** or higher. 4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery: diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 1b5f466c3f..6a9df9bd4f 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -6,12 +6,11 @@ description: Learn the differences between servicing Windows 10 and servicing ol keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library audience: itpro -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium ms.audience: itpro -author: greg-lindsay +author: jaimeo ms.topic: article ms.collection: M365-modern-desktop --- diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 32e06ed8f5..66702a34a3 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -3,7 +3,6 @@ title: Prepare servicing strategy for Windows 10 updates (Windows 10) description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 2b84969903..3967a511a8 100644 --- a/windows/deployment/update/waas-wu-settings.md 
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -3,7 +3,7 @@ title: Manage additional Windows Update settings (Windows 10)
 description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.sitesec: library
+
 audience: itpro
 author: jaimeo
 ms.localizationpriority: medium
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index d45100b41b..d3aee0caf9 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -3,7 +3,6 @@ title: Walkthrough use Group Policy to configure Windows Update for Business - W
 description: Configure Windows Update for Business settings using Group Policy.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 author: jaimeo
 ms.localizationpriority: medium
 ms.author: jaimeo
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 7736d4e6c7..71296b4265 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -3,12 +3,11 @@ title: Walkthrough use Intune to configure Windows Update for Business (Windows
 description: Configure Windows Update for Business settings using Microsoft Intune.
 ms.prod: w10
 ms.mktglfcycl: manage
-ms.sitesec: library
 audience: itpro
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: greg-lindsay
+author: jaimeo
 ms.date: 07/27/2017
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index e0f66504b8..5898646433 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -6,7 +6,6 @@ description: Frequently asked questions about Windows Analytics and steps to tak keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo @@ -20,7 +19,7 @@ ms.topic: article # Frequently asked questions and troubleshooting Windows Analytics >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). >[!IMPORTANT] >**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 6be69ef90e..5b1310a627 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md 
+++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -6,7 +6,6 @@ description: Use the Azure Portal to add and configure Windows Analytics solutio keywords: Device Health, oms, Azure, portal, operations management suite, add, manage, configure, Upgrade Readiness, Update Compliance ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo @@ -20,7 +19,7 @@ ms.topic: article # Windows Analytics in the Azure Portal >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). Windows Analytics uses Azure Log Analytics workspaces (formerly known as Operations Management Suite or OMS), a collection of cloud-based services for monitoring and automating your on-premises and cloud environments. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index c64965c11f..18a4d35cd9 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md 
@@ -6,7 +6,6 @@ description: Enroll devices to enable use of Update Compliance, Upgrade Readines keywords: windows analytics, oms, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, azure portal ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -18,7 +17,7 @@ ms.topic: article # Enrolling devices in Windows Analytics >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). If you have not already done so, consult the topics for any of the three Windows Analytics solutions (Update Compliance, Upgrade Readiness, and Device Health) you intend to use and follow the steps there to add the solutions to Azure Portal. 
@@ -102,8 +101,8 @@ The compatibility update scans your devices and enables application usage tracki | **Operating System** | **Updates** | |----------------------|-----------------------------------------------------------------------------| | Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up to date with cumulative updates. | -| Windows 8.1 | The compatibility update is included in monthly quality updates for Windows 8.1. We recommend installing the latest [Windows Monthly Rollup](http://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%208) before attempting to enroll devices into Windows Analytics. | -| Windows 7 SP1 | The compatibility update is included in monthly quality updates for Windows 7. We recommend installing the latest [Windows Monthly Rollup](http://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%207) before attempting to enroll devices into Windows Analytics. | +| Windows 8.1 | The compatibility update is included in monthly quality updates for Windows 8.1. We recommend installing the latest [Windows Monthly Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%208) before attempting to enroll devices into Windows Analytics. | +| Windows 7 SP1 | The compatibility update is included in monthly quality updates for Windows 7. We recommend installing the latest [Windows Monthly Rollup](https://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%207) before attempting to enroll devices into Windows Analytics. | ### Connected User Experiences and Telemetry service 
diff --git a/windows/deployment/update/windows-analytics-overview.md b/windows/deployment/update/windows-analytics-overview.md index c84fb0d8a4..5d63af3e36 100644 --- a/windows/deployment/update/windows-analytics-overview.md +++ b/windows/deployment/update/windows-analytics-overview.md @@ -6,7 +6,6 @@ description: Introduction and overview of Windows Analytics keywords: Device Health, Upgrade Readiness, Update Compliance, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo @@ -22,7 +21,7 @@ ms.topic: article Windows Analytics is a set of solutions for Azure Portal that provide you with extensive data about the state of devices in your deployment. There are currently three solutions which you can use singly or in any combination: >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). ## Device Health diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index a3b134e6d9..fcfe1d41f9 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md 
@@ -6,7 +6,6 @@ description: How Windows Analytics uses data keywords: windows analytics, oms, privacy, data, diagnostic, operations management suite, prerequisites, requirements, updates, upgrades, log analytics, health, FAQ, problems, troubleshooting, error ms.prod: w10 ms.mktglfcycl: deploy -ms.sitesec: library ms.pagetype: deploy audience: itpro author: jaimeo @@ -20,7 +19,7 @@ ms.topic: article # Windows Analytics and privacy >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). Windows Analytics is fully committed to privacy, centering on these tenets: diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index d7d45d741a..3acd3f759a 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md 
@@ -1,131 +1,136 @@ ---- -title: Windows as a service -ms.prod: windows-10 -layout: LandingPage -ms.topic: landing-page -ms.manager: elizapo -audience: itpro author: greg-lindsay -ms.audience: itpro author: greg-lindsay -ms.date: 01/24/2019 -ms.reviewer: -manager: laurawi -ms.localizationpriority: high -ms.collection: M365-modern-desktop ---- -# Windows as a service - -Find the tools and resources you need to help deploy and support Windows as a service in your organization. - -## Latest news, videos, & podcasts - -Find the latest and greatest news on Windows 10 deployment and servicing. - -**Discovering the Windows 10 Update history pages** -> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] - -Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. - -The latest news: - - -[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). - -## IT pro champs corner -Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. - - - -**NEW** Tactical considerations for creating Windows deployment rings - -**NEW** Windows 10 Enterprise vs. 
Windows 10 Pro: Modern management considerations for your organization - -Deployment rings: The hidden [strategic] gem of Windows as a service - -Classifying Windows updates in common deployment tools - -Express updates for Windows Server 2016 re-enabled for November 2018 update - - -2019 SHA-2 Code Signing Support requirement for Windows and WSUS - -Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices - -## Discover - -Learn more about Windows as a service and its value to your organization. - - - -Overview of Windows as a service - -Quick guide to Windows as a service - -Windows Analytics overview - -What's new in Windows 10 deployment - -How Microsoft IT deploys Windows 10 - -## Plan - -Prepare to implement Windows as a service effectively using the right tools, products, and strategies. - - - -Simplified updates - -Windows 10 end user readiness - -Ready for Windows - -Manage Windows upgrades with Upgrade Readiness - -Preparing your organization for a seamless Windows 10 deployment - -## Deploy - -Secure your organization's deployment investment. - - - -Update Windows 10 in the enterprise - -Deploying as an in-place upgrade - -Configure Windows Update for Business - -Express update delivery - -Windows 10 deployment considerations - - -## Microsoft Ignite 2018 - - -Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. 
- -[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) - -[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) - -[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) - -[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) - -[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) - -[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) - -[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) - -[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) - -[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) +--- +title: Windows as a service +ms.prod: windows-10 +layout: LandingPage +ms.topic: landing-page +ms.manager: elizapo +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.audience: itpro +author: jaimeo +ms.reviewer: +manager: laurawi +ms.localizationpriority: high +ms.collection: M365-modern-desktop +--- +# Windows as a service + +Find the tools and resources you need to help deploy and support Windows as a service in your organization. 
+ +## Latest news, videos, & podcasts + +Find the latest and greatest news on Windows 10 deployment and servicing. + +**Discovering the Windows 10 Update history pages** +> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY] + +Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the Windows release health dashboard for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout. + +The latest news: + + +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). + +## IT pro champs corner +Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. + + + +**NEW** Tactical considerations for creating Windows deployment rings + +**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization + +Deployment rings: The hidden [strategic] gem of Windows as a service + +Classifying Windows updates in common deployment tools + +Express updates for Windows Server 2016 re-enabled for November 2018 update + + +2019 SHA-2 Code Signing Support requirement for Windows and WSUS + +Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices + +## Discover + +Learn more about Windows as a service and its value to your organization. + + + +Overview of Windows as a service + +Quick guide to Windows as a service + +Windows Analytics overview + +What's new in Windows 10 deployment + +How Microsoft IT deploys Windows 10 + +## Plan + +Prepare to implement Windows as a service effectively using the right tools, products, and strategies. 
+ + + +Simplified updates + +Windows 10 end user readiness + +Ready for Windows + +Manage Windows upgrades with Upgrade Readiness + +Preparing your organization for a seamless Windows 10 deployment + +## Deploy + +Secure your organization's deployment investment. + + + +Update Windows 10 in the enterprise + +Deploying as an in-place upgrade + +Configure Windows Update for Business + +Express update delivery + +Windows 10 deployment considerations + + +## Microsoft Ignite 2018 + + +Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. + +[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) + +[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) + +[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) + +[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) + +[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) + +[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) + +[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) + +[THR2234: Windows servicing and delivery 
fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) + +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index 52969656a5..044398b870 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md 
@@ -1,365 +1,367 @@ ---- -title: Windows Update error code list by component -description: Reference information for Windows Update error codes -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update error codes by component - ->Applies to: Windows 10 - - -This section lists the error codes for Microsoft Windows Update. - -## Automatic Update Errors - -| Error code | Message | Description | -|------------|-------------------------------|--------------------------------------------------------------------------------------------------------| -| 0x80243FFF | WU_E_AUCLIENT_UNEXPECTED | There was a user interface error not covered by another WU_E_AUCLIENT_\* error code. | -| 0x8024A000 | WU_E_AU_NOSERVICE | Automatic Updates was unable to service incoming requests.  | -| 0x8024A002 | WU_E_AU_NONLEGACYSERVER | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | -| 0x8024A003 | WU_E_AU_LEGACYCLIENTDISABLED |  The old version of the Automatic Updates client was disabled. | -| 0x8024A004 | WU_E_AU_PAUSED | Automatic Updates was unable to process incoming requests because it was paused. | -| 0x8024A005 | WU_E_AU_NO_REGISTERED_SERVICE |  No unmanaged service is registered with AU. | -| 0x8024AFFF | WU_E_AU_UNEXPECTED |  An Automatic Updates error not covered by another WU_E_AU \* code. | - -## Windows Update UI errors - -| Error code | Message | Description | -|------------|-------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| -| 0x80243001 | WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION | The results of download and installation could not be read from the registry due to an unrecognized data format version. 
| -| 0x80243002 | WU_E_INSTALLATION_RESULTS_INVALID_DATA | The results of download and installation could not be read from the registry due to an invalid data format. | -| 0x80243003 | WU_E_INSTALLATION_RESULTS_NOT_FOUND | The results of download and installation are not available; the operation may have failed to start. | -| 0x80243004 |  WU_E_TRAYICON_FAILURE |  A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD |  WU_E_NON_UI_MODE |  Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | -| 0x80243FFE |  WU_E_WUCLTUI_UNSUPPORTED_VERSION |  Unsupported version of WU client UI exported functions.  | -| 0x80243FFF |  WU_E_AUCLIENT_UNEXPECTED |  There was a user interface error not covered by another WU_E_AUCLIENT_\* error code.  | - -## Inventory errors - -| Error code | Message | Description | -|------------|-------------------------------------------|-------------------------------------------------------------------------------| -| 0x80249001 |  WU_E_INVENTORY_PARSEFAILED |  Parsing of the rule file failed.  | -| 0x80249002 |  WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED |  Failed to get the requested inventory type from the server.  | -| 0x80249003 |  WU_E_INVENTORY_RESULT_UPLOAD_FAILED |  Failed to upload inventory result to the server.  | -| 0x80249004 |  WU_E_INVENTORY_UNEXPECTED |  There was an inventory error not covered by another error code. | -| 0x80249005 |  WU_E_INVENTORY_WMI_ERROR |  A WMI error occurred when enumerating the instances for a particular class.  | - -## Expression evaluator errors - -| Error code | Message | Description | -|-------------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------| -| 0x8024E001 |  WU_E_EE_UNKNOWN_EXPRESSION |  An expression evaluator operation could not be completed because an expression was unrecognized. 
| -| 0x8024E002 |  WU_E_EE_INVALID_EXPRESSION |  An expression evaluator operation could not be completed because an expression was invalid.  | -| 0x8024E003 |  WU_E_EE_MISSING_METADATA |  An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes.  | -| 0x8024E004 |  WU_E_EE_INVALID_VERSION |  An expression evaluator operation could not be completed because the version of the serialized expression data is invalid.  | -|  0x8024E005 |  WU_E_EE_NOT_INITIALIZED |  The expression evaluator could not be initialized. | -|  0x8024E006 |  WU_E_EE_INVALID_ATTRIBUTEDATA |  An expression evaluator operation could not be completed because there was an invalid attribute. | -|  0x8024E007 |  WU_E_EE_CLUSTER_ERROR |  An expression evaluator operation could not be completed because the cluster state of the computer could not be determined.  | -|  0x8024EFFF |  WU_E_EE_UNEXPECTED |  There was an expression evaluator error not covered by another WU_E_EE_\* error code.  | - -## Reporter errors - -| Error code | Message | Description | -|-------------|------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| -|  0x80247001 |  WU_E_OL_INVALID_SCANFILE |  An operation could not be completed because the scan package was invalid. | -| 0x80247002 |  WU_E_OL_NEWCLIENT_REQUIRED |  An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | -|  0x80247FFF |  WU_E_OL_UNEXPECTED |  Search using the scan package failed.  | -|  0x8024F001 |  WU_E_REPORTER_EVENTCACHECORRUPT |  The event cache file was defective.  | -|  0x8024F002 |  WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED |  The XML in the event namespace descriptor could not be parsed. | -|  0x8024F003 |  WU_E_INVALID_EVENT |  The XML in the event namespace descriptor could not be parsed. 
| -|  0x8024F004 |  WU_E_SERVER_BUSY |  The server rejected an event because the server was too busy. | -|  0x8024FFFF |  WU_E_REPORTER_UNEXPECTED |  There was a reporter error not covered by another error code.  | - -## Redirector errors -The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. - -|Error code|Message|Description | -|-|-|-| -| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | -| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | -| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | -| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | - -## Protocol Talker errors -The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. - - -| Error code | Message | Description | -|-------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| -|  0x80244000 |  WU_E_PT_SOAPCLIENT_BASE |  WU_E_PT_SOAPCLIENT_\* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library. | -| 0x80244001 |  WU_E_PT_SOAPCLIENT_INITIALIZE |  Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | -|  0x80244002 |  WU_E_PT_SOAPCLIENT_OUTOFMEMORY |  Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory.  | -|  0x80244003 |  WU_E_PT_SOAPCLIENT_GENERATE |  Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request. 
| -|  0x80244004 |  WU_E_PT_SOAPCLIENT_CONNECT |  Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server.  | -|  0x80244005 |  WU_E_PT_SOAPCLIENT_SEND |  Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_\* error codes. | -|  0x80244006 |  WU_E_PT_SOAPCLIENT_SERVER |  Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error.  | -|  0x80244007 |  WU_E_PT_SOAPCLIENT_SOAPFAULT |  Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | -|  0x80244008 |  WU_E_PT_SOAPCLIENT_PARSEFAULT |  Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault. | -|  0x80244009 |  WU_E_PT_SOAPCLIENT_READ |  Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server. | -|  0x8024400A |  WU_E_PT_SOAPCLIENT_PARSE |  Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server.  | - -## Other Protocol Talker errors -The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. - - -| Error code | Message | Description | -|-------------|---------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x8024400B |  WU_E_PT_SOAP_VERSION |  Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope. | -|  0x8024400C |  WU_E_PT_SOAP_MUST_UNDERSTAND |  Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | -|  0x8024400D |  WU_E_PT_SOAP_CLIENT |  Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending.  
| -|  0x8024400E |  WU_E_PT_SOAP_SERVER |  Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later.  | -|  0x8024400F |  WU_E_PT_WMI_ERROR |  There was an unspecified Windows Management Instrumentation (WMI) error. | -|  0x80244010 |  WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS |  The number of round trips to the server exceeded the maximum limit.  | -|  0x80244011 |  WU_E_PT_SUS_SERVER_NOT_SET |  WUServer policy value is missing in the registry.  | -|  0x80244012 |  WU_E_PT_DOUBLE_INITIALIZATION |  Initialization failed because the object was already initialized.  | -|  0x80244013 |  WU_E_PT_INVALID_COMPUTER_NAME |  The computer name could not be determined.  | -|  0x80244015 |  WU_E_PT_REFRESH_CACHE_REQUIRED |  The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | -|  0x80244016 |  WU_E_PT_HTTP_STATUS_BAD_REQUEST |  Same as HTTP status 400 - the server could not process the request due to invalid syntax.  | -|  0x80244017 |  WU_E_PT_HTTP_STATUS_DENIED |  Same as HTTP status 401 - the requested resource requires user authentication.  | -|  0x80244018 |  WU_E_PT_HTTP_STATUS_FORBIDDEN |  Same as HTTP status 403 - server understood the request but declined to fulfill it. | -|  0x80244019 |  WU_E_PT_HTTP_STATUS_NOT_FOUND |  Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier).  | -|  0x8024401A |  WU_E_PT_HTTP_STATUS_BAD_METHOD |  Same as HTTP status 405 - the HTTP method is not allowed.  | -|  0x8024401B |  WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ |  Same as HTTP status 407 - proxy authentication is required.  | -|  0x8024401C |  WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT |  Same as HTTP status 408 - the server timed out waiting for the request.  | -|  0x8024401D |  WU_E_PT_HTTP_STATUS_CONFLICT |  Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource.  
| -|  0x8024401E |  WU_E_PT_HTTP_STATUS_GONE |  Same as HTTP status 410 - requested resource is no longer available at the server. | -|  0x8024401F |  WU_E_PT_HTTP_STATUS_SERVER_ERROR |  Same as HTTP status 500 - an error internal to the server prevented fulfilling the request.  | -|  0x80244020 |  WU_E_PT_HTTP_STATUS_NOT_SUPPORTED |  Same as HTTP status 500 - server does not support the functionality required to fulfill the request.  | -|  0x80244021 |  WU_E_PT_HTTP_STATUS_BAD_GATEWAY | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request. | -|  0x80244022 |  WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL |  Same as HTTP status 503 - the service is temporarily overloaded.  | -|  0x80244023 |  WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT |  Same as HTTP status 503 - the request was timed out waiting for a gateway.  | -|  0x80244024 |  WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP |  Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request.  | -|  0x80244025 |  WU_E_PT_FILE_LOCATIONS_CHANGED |  Operation failed due to a changed file location; refresh internal state and resend. | -|  0x80244026 |  WU_E_PT_REGISTRATION_NOT_SUPPORTED |  Operation failed because Windows Update Agent does not support registration with a non-WSUS server.  | -|  0x80244027 |  WU_E_PT_NO_AUTH_PLUGINS_REQUESTED |  The server returned an empty authentication information list.  | -|  0x80244028 |  WU_E_PT_NO_AUTH_COOKIES_CREATED |  Windows Update Agent was unable to create any valid authentication cookies.  | -|  0x80244029 |  WU_E_PT_INVALID_CONFIG_PROP |  A configuration property value was wrong.  | -|  0x8024402A |  WU_E_PT_CONFIG_PROP_MISSING |  A configuration property value was missing.  
| -|  0x8024402B |  WU_E_PT_HTTP_STATUS_NOT_MAPPED |  The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_\* error codes.  | -|  0x8024402C |  WU_E_PT_WINHTTP_NAME_NOT_RESOLVED |  Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved.  | -|  0x8024402F |  WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |  External cab file processing completed with some errors. | -|  0x80244030 |  WU_E_PT_ECP_INIT_FAILED |  The external cab processor initialization did not complete.  | -|  0x80244031 |  WU_E_PT_ECP_INVALID_FILE_FORMAT |  The format of a metadata file was invalid.  | -|  0x80244032 |  WU_E_PT_ECP_INVALID_METADATA |  External cab processor found invalid metadata.  | -|  0x80244033 |  WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST |  The file digest could not be extracted from an external cab file.  | -|  0x80244034 |  WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE |  An external cab file could not be decompressed.  | -|  0x80244035 |  WU_E_PT_ECP_FILE_LOCATION_ERROR |  External cab processor was unable to get file locations.  | -|  0x80244FFF |  WU_E_PT_UNEXPECTED |  A communication error not covered by another WU_E_PT_\* error code.  | -|  0x8024502D |  WU_E_PT_SAME_REDIR_ID |  Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery.  | -|  0x8024502E |  WU_E_PT_NO_MANAGED_RECOVER |  A redirector recovery action did not complete because the server is managed.  | - -## Download Manager errors - -| Error code | Message | Description | -|-------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80246001 |  WU_E_DM_URLNOTAVAILABLE |  A download manager operation could not be completed because the requested file does not have a URL.  
| -|  0x80246002 |  WU_E_DM_INCORRECTFILEHASH |  A download manager operation could not be completed because the file digest was not recognized.  | -|  0x80246003 |  WU_E_DM_UNKNOWNALGORITHM |  A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm.  | -|  0x80246004 |  WU_E_DM_NEEDDOWNLOADREQUEST |  An operation could not be completed because a download request is required from the download handler.  | -|  0x80246005 |  WU_E_DM_NONETWORK |  A download manager operation could not be completed because the network connection was unavailable.  | -|  0x80246006 |  WU_E_DM_WRONGBITSVERSION |  A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | -|  0x80246007 |  WU_E_DM_NOTDOWNLOADED |  The update has not been downloaded.  | -|  0x80246008 |  WU_E_DM_FAILTOCONNECTTOBITS |  A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | -|  0x80246009 | WU_E_DM_BITSTRANSFERERROR |  A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | -|  0x8024600A |  WU_E_DM_DOWNLOADLOCATIONCHANGED |  A download must be restarted because the location of the source of the download has changed. | -|  0x8024600B |  WU_E_DM_CONTENTCHANGED |  A download must be restarted because the update content changed in a new revision.  | -|  0x80246FFF |  WU_E_DM_UNEXPECTED |  There was a download manager error not covered by another WU_E_DM_\* error code.  
| - -## Update Handler errors - -| Error code | Message | Description | -|-------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80242000 |  WU_E_UH_REMOTEUNAVAILABLE | 9 A request for a remote update handler could not be completed because no remote process is available.  | -|  0x80242001 |  WU_E_UH_LOCALONLY |  A request for a remote update handler could not be completed because the handler is local only.  | -|  0x80242002 |  WU_E_UH_UNKNOWNHANDLER |  A request for an update handler could not be completed because the handler could not be recognized.  | -|  0x80242003 |  WU_E_UH_REMOTEALREADYACTIVE |  A remote update handler could not be created because one already exists.  | -|  0x80242004 |  WU_E_UH_DOESNOTSUPPORTACTION |  A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | -|  0x80242005 |  WU_E_UH_WRONGHANDLER |  An operation did not complete because the wrong handler was specified.  | -|  0x80242006 |  WU_E_UH_INVALIDMETADATA |  A handler operation could not be completed because the update contains invalid metadata.  | -|  0x80242007 |  WU_E_UH_INSTALLERHUNG |  An operation could not be completed because the installer exceeded the time limit.  | -|  0x80242008 |  WU_E_UH_OPERATIONCANCELLED |  An operation being done by the update handler was cancelled.  | -|  0x80242009 |  WU_E_UH_BADHANDLERXML |  An operation could not be completed because the handler-specific metadata is invalid.  | -| 0x8024200A |  WU_E_UH_CANREQUIREINPUT |  A request to the handler to install an update could not be completed because the update requires user input.  | -|  0x8024200B |  WU_E_UH_INSTALLERFAILURE |  The installer failed to install (uninstall) one or more updates.  
| -|  0x8024200C |  WU_E_UH_FALLBACKTOSELFCONTAINED |  The update handler should download self-contained content rather than delta-compressed content for the update.  | -|  0x8024200D |  WU_E_UH_NEEDANOTHERDOWNLOAD |  The update handler did not install the update because it needs to be downloaded again.  | -|  0x8024200E |  WU_E_UH_NOTIFYFAILURE |  The update handler failed to send notification of the status of the install (uninstall) operation.  | -|  0x8024200F | WU_E_UH_INCONSISTENT_FILE_NAMES |  The file names contained in the update metadata and in the update package are inconsistent.  | -|  0x80242010 |  WU_E_UH_FALLBACKERROR |  The update handler failed to fall back to the self-contained content.  | -|  0x80242011 |  WU_E_UH_TOOMANYDOWNLOADREQUESTS |  The update handler has exceeded the maximum number of download requests.  | -|  0x80242012 |  WU_E_UH_UNEXPECTEDCBSRESPONSE |  The update handler has received an unexpected response from CBS.  | -|  0x80242013 |  WU_E_UH_BADCBSPACKAGEID |  The update metadata contains an invalid CBS package identifier.  | -|  0x80242014 |  WU_E_UH_POSTREBOOTSTILLPENDING |  The post-reboot operation for the update is still in progress.  | -|  0x80242015 |  WU_E_UH_POSTREBOOTRESULTUNKNOWN |  The result of the post-reboot operation for the update could not be determined.  | -|  0x80242016 |  WU_E_UH_POSTREBOOTUNEXPECTEDSTATE |  The state of the update after its post-reboot operation has completed is unexpected.  | -|  0x80242017 |  WU_E_UH_NEW_SERVICING_STACK_REQUIRED |  The OS servicing stack must be updated before this update is downloaded or installed.  | -|  0x80242FFF |  WU_E_UH_UNEXPECTED |  An update handler error not covered by another WU_E_UH_\* code.  
| - -## Data Store errors - -| Error code | Message | Description | -|-------------|-------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|  0x80248000 |  WU_E_DS_SHUTDOWN |  An operation failed because Windows Update Agent is shutting down.  | -|  0x80248001 |  WU_E_DS_INUSE |  An operation failed because the data store was in use. | -|  0x80248002 |  WU_E_DS_INVALID |  The current and expected states of the data store do not match. | -|  0x80248003 |  WU_E_DS_TABLEMISSING |  The data store is missing a table.  | -|  0x80248004 |  WU_E_DS_TABLEINCORRECT |  The data store contains a table with unexpected columns.  | -|  0x80248005 |  WU_E_DS_INVALIDTABLENAME |  A table could not be opened because the table is not in the data store.  | -|  0x80248006 |  WU_E_DS_BADVERSION |  The current and expected versions of the data store do not match.  | -|  0x80248007 |  WU_E_DS_NODATA |  The information requested is not in the data store.  | -|  0x80248008 |  WU_E_DS_MISSINGDATA |  The data store is missing required information or has a NULL in a table column that requires a non-null value.  | -|  0x80248009 |  WU_E_DS_MISSINGREF |  The data store is missing required information or has a reference to missing license terms file localized property or linked row. | -|  0x8024800A |  WU_E_DS_UNKNOWNHANDLER |  The update was not processed because its update handler could not be recognized.  | -|  0x8024800B |  WU_E_DS_CANTDELETE |  The update was not deleted because it is still referenced by one or more services.  | -|  0x8024800C |  WU_E_DS_LOCKTIMEOUTEXPIRED |  The data store section could not be locked within the allotted time.  | -|  0x8024800D |  WU_E_DS_NOCATEGORIES |  The category was not added because it contains no parent categories and is not a top-level category itself.  
| -|  0x8024800E |  WU_E_DS_ROWEXISTS |  The row was not added because an existing row has the same primary key.  | -|  0x8024800F |  WU_E_DS_STOREFILELOCKED |  The data store could not be initialized because it was locked by another process.  | -|  0x80248010 |  WU_E_DS_CANNOTREGISTER |  The data store is not allowed to be registered with COM in the current process.  | -|  0x80248011 | WU_E_DS_UNABLETOSTART |  Could not create a data store object in another process.  | -|  0x80248013 |  WU_E_DS_DUPLICATEUPDATEID | The server sent the same update to the client with two different revision IDs.  | -|  0x80248014 | WU_E_DS_UNKNOWNSERVICE |  An operation did not complete because the service is not in the data store.  | -| 0x80248015 | WU_E_DS_SERVICEEXPIRED | An operation did not complete because the registration of the service has expired.  | -| 0x80248016 |  WU_E_DS_DECLINENOTALLOWED |  A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  | -| 0x80248017 |  WU_E_DS_TABLESESSIONMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248018 |  WU_E_DS_SESSIONLOCKMISMATCH |  A table was not closed because it is not associated with the session.  | -| 0x80248019 |  WU_E_DS_NEEDWINDOWSSERVICE |  A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  | -| 0x8024801A |  WU_E_DS_INVALIDOPERATION |  A request was declined because the operation is not allowed.  | -| 0x8024801B |  WU_E_DS_SCHEMAMISMATCH |  The schema of the current data store and the schema of a table in a backup XML document do not match.  | -| 0x8024801C |  WU_E_DS_RESETREQUIRED |  The data store requires a session reset; release the session and retry with a new session.  
| -| 0x8024801D |  WU_E_DS_IMPERSONATED |  A data store operation did not complete because it was requested with an impersonated identity.  | -| 0x80248FFF |  WU_E_DS_UNEXPECTED |  A data store error not covered by another WU_E_DS_\* code.  | - -## Driver Util errors -The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. - -|Error code|Message|Description -|-|-|-| -| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  -| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  -| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  -| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  -| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  -| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  -| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  -| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  - -## Windows Update error codes - -|Error code|Message|Description -|-|-|-| -| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  -| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  -| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  -| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  -| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  -| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  -| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  
-| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  -| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  -| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  -| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  -| 0x8024000C | WU_E_NOOP| No operation was required.  -| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  -| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  -| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  -| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  -| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  -| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  -| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  -| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  -| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  -| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  -| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  -| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  -| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  -| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  
-| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  -| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  -| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  -| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  -| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  -| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  -| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  -| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  -| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  -| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  -| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  -| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  -| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  -| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  -| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  -| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  -| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  -| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  -| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  -| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  
-| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  -| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  -| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  -| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  -| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  -| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  -| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  -| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  -| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  -| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  -| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  -| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  -| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  - -## Windows Update success codes - -|Error code|Message|Description -|-|-|-| -| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  -| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  -| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  -| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  -| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  -| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  -| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  
-| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.
-
-## Windows Installer minor errors
-The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.
-
-|Error code|Message|Description
-|-|-|-|
-| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.
-| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.
-| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.
-| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.
-| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.
-
-## Windows Update Agent update and setup errors
-
-|Error code|Message|Description
-|-|-|-|
-| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.
-| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.
-| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.
-| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.
-| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.
-| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.
-| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.
-| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.
-| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.
-| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.
-| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.
-| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.
-| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.
-| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.
-| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.
-| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.
-| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.
+--- +title: Windows Update error code list by component +description: Reference information for Windows Update error codes +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update error codes by component + +> Applies to: Windows 10 + + +This section lists the error codes for Microsoft Windows Update. + +## Automatic Update Errors + +| Error code | Message | Description | +|------------|---------------------------------|--------------------------------------------------------------------------------------------------------| +| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | +| 0x8024A000 | `WU_E_AU_NOSERVICE` | Automatic Updates was unable to service incoming requests. | +| 0x8024A002 | `WU_E_AU_NONLEGACYSERVER` | The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded. | +| 0x8024A003 | `WU_E_AU_LEGACYCLIENTDISABLED` | The old version of the Automatic Updates client was disabled. | +| 0x8024A004 | `WU_E_AU_PAUSED` | Automatic Updates was unable to process incoming requests because it was paused. | +| 0x8024A005 | `WU_E_AU_NO_REGISTERED_SERVICE` | No unmanaged service is registered with `AU`. | +| 0x8024AFFF | `WU_E_AU_UNEXPECTED` | An Automatic Updates error not covered by another `WU_E_AU*` code. | + +## Windows Update UI errors + +| Error code | Message | Description | +|------------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------| +| 0x80243001 | `WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION` | The results of download and installation could not be read from the registry due to an unrecognized data format version. 
| +| 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. | +| 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. | +| 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. | +| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. | +| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. | +| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | + +## Inventory errors + +| Error code | Message | Description | +|------------|--------------------------------------------|-------------------------------------------------------------------------------| +| 0x80249001 | `WU_E_INVENTORY_PARSEFAILED` | Parsing of the rule file failed. | +| 0x80249002 | `WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED` | Failed to get the requested inventory type from the server. | +| 0x80249003 | `WU_E_INVENTORY_RESULT_UPLOAD_FAILED` | Failed to upload inventory result to the server. | +| 0x80249004 | `WU_E_INVENTORY_UNEXPECTED` | There was an inventory error not covered by another error code. | +| 0x80249005 | `WU_E_INVENTORY_WMI_ERROR` | A WMI error occurred when enumerating the instances for a particular class. | + +## Expression evaluator errors + +| Error code | Message | Description | +|------------|---------------------------------|--------------------------------------------------------------------------------------------------------------------------------| +| 0x8024E001 | `WU_E_EE_UNKNOWN_EXPRESSION` | An expression evaluator operation could not be completed because an expression was unrecognized. 
| +| 0x8024E002 | `WU_E_EE_INVALID_EXPRESSION` | An expression evaluator operation could not be completed because an expression was invalid. | +| 0x8024E003 | `WU_E_EE_MISSING_METADATA` | An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. | +| 0x8024E004 | `WU_E_EE_INVALID_VERSION` | An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. | +| 0x8024E005 | `WU_E_EE_NOT_INITIALIZED` | The expression evaluator could not be initialized. | +| 0x8024E006 | `WU_E_EE_INVALID_ATTRIBUTEDATA` | An expression evaluator operation could not be completed because there was an invalid attribute. | +| 0x8024E007 | `WU_E_EE_CLUSTER_ERROR` | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. | +| 0x8024EFFF | `WU_E_EE_UNEXPECTED` | There was an expression evaluator error not covered by another `WU_E_EE_*` error code. | + +## Reporter errors + +| Error code | Message | Description | +|------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------| +| 0x80247001 | `WU_E_OL_INVALID_SCANFILE` | An operation could not be completed because the scan package was invalid. | +| 0x80247002 | `WU_E_OL_NEWCLIENT_REQUIRED` | An operation could not be completed because the scan package requires a greater version of the Windows Update Agent. | +| 0x80247FFF | `WU_E_OL_UNEXPECTED` | Search using the scan package failed. | +| 0x8024F001 | `WU_E_REPORTER_EVENTCACHECORRUPT` | The event cache file was defective. | +| 0x8024F002 | `WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED` | The XML in the event namespace descriptor could not be parsed. | +| 0x8024F003 | `WU_E_INVALID_EVENT` | The XML in the event namespace descriptor could not be parsed. 
| +| 0x8024F004 | `WU_E_SERVER_BUSY` | The server rejected an event because the server was too busy. | +| 0x8024FFFF | `WU_E_REPORTER_UNEXPECTED` | There was a reporter error not covered by another error code. | + +## Redirector errors +The components that download the `Wuredir.cab` file and then parse the `Wuredir.cab` file generate the following errors. + +| Error code | Message | Description | +|----------- |------------------------------|------------------------------------------------------------------------------------------| +| 0x80245001 | `WU_E_REDIRECTOR_LOAD_XML` | The redirector XML document could not be loaded into the DOM class. | +| 0x80245002 | `WU_E_REDIRECTOR_S_FALSE` | The redirector XML document is missing some required information. | +| 0x80245003 | `WU_E_REDIRECTOR_ID_SMALLER` | The redirectorId in the downloaded redirector cab is less than in the cached cab. | +| 0x80245FFF | `WU_E_REDIRECTOR_UNEXPECTED` | The redirector failed for reasons not covered by another `WU_E_REDIRECTOR_*` error code. | + +## Protocol Talker errors +The following errors map to `SOAPCLIENT_ERROR`s through the `Atlsoap.h` file. These errors are obtained when the `CClientWebService` object calls the `GetClientError()` method. + + +| Error code | Message | Description | +|------------|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------| +| 0x80244000 | `WU_E_PT_SOAPCLIENT_BASE` | `WU_E_PT_SOAPCLIENT_*` error codes map to the `SOAPCLIENT_ERROR` enum of the ATL Server Library. | +| 0x80244001 | `WU_E_PT_SOAPCLIENT_INITIALIZE` | Same as `SOAPCLIENT_INITIALIZE_ERROR` - initialization of the `SOAP` client failed possibly because of an MSXML installation failure. | +| 0x80244002 | `WU_E_PT_SOAPCLIENT_OUTOFMEMORY` | Same as `SOAPCLIENT_OUTOFMEMORY` - `SOAP` client failed because it ran out of memory. 
| +| 0x80244003 | `WU_E_PT_SOAPCLIENT_GENERATE` | Same as `SOAPCLIENT_GENERATE_ERROR` - `SOAP` client failed to generate the request. | +| 0x80244004 | `WU_E_PT_SOAPCLIENT_CONNECT` | Same as `SOAPCLIENT_CONNECT_ERROR` - `SOAP` client failed to connect to the server. | +| 0x80244005 | `WU_E_PT_SOAPCLIENT_SEND` | Same as `SOAPCLIENT_SEND_ERROR` - `SOAP` client failed to send a message for reasons of `WU_E_WINHTTP_*` error codes. | +| 0x80244006 | `WU_E_PT_SOAPCLIENT_SERVER` | Same as `SOAPCLIENT_SERVER_ERROR` - `SOAP` client failed because there was a server error. | +| 0x80244007 | `WU_E_PT_SOAPCLIENT_SOAPFAULT` | Same as `SOAPCLIENT_SOAPFAULT` - `SOAP` client failed because there was a SOAP fault for reasons of `WU_E_PT_SOAP_*` error codes. | +| 0x80244008 | `WU_E_PT_SOAPCLIENT_PARSEFAULT` | Same as `SOAPCLIENT_PARSEFAULT_ERROR` - `SOAP` client failed to parse a `SOAP` fault. | +| 0x80244009 | `WU_E_PT_SOAPCLIENT_READ` | Same as `SOAPCLIENT_READ_ERROR` - `SOAP` client failed while reading the response from the server. | +| 0x8024400A | `WU_E_PT_SOAPCLIENT_PARSE` | Same as `SOAPCLIENT_PARSE_ERROR` - `SOAP` client failed to parse the response from the server. | + +## Other Protocol Talker errors +The following errors map to `SOAP_ERROR_CODE`s from the `Atlsoap.h` file. These errors are obtained from the `m_fault.m_soapErrCode` member of the `CClientWebService` object when `GetClientError()` returns `SOAPCLIENT_SOAPFAULT`. + + +| Error code | Message | Description | +|------------|----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024400B | `WU_E_PT_SOAP_VERSION` | Same as `SOAP_E_VERSION_MISMATCH` - `SOAP` client found an unrecognizable namespace for the `SOAP` envelope. 
| +| 0x8024400C | `WU_E_PT_SOAP_MUST_UNDERSTAND` | Same as `SOAP_E_MUST_UNDERSTAND` - `SOAP` client was unable to understand a header. | +| 0x8024400D | `WU_E_PT_SOAP_CLIENT` | Same as `SOAP_E_CLIENT` - `SOAP` client found the message was malformed; fix before resending. | +| 0x8024400E | `WU_E_PT_SOAP_SERVER` | Same as `SOAP_E_SERVER` - The `SOAP` message could not be processed due to a server error; resend later. | +| 0x8024400F | `WU_E_PT_WMI_ERROR` | There was an unspecified Windows Management Instrumentation (WMI) error. | +| 0x80244010 | `WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS` | The number of round trips to the server exceeded the maximum limit. | +| 0x80244011 | `WU_E_PT_SUS_SERVER_NOT_SET` | WUServer policy value is missing in the registry. | +| 0x80244012 | `WU_E_PT_DOUBLE_INITIALIZATION` | Initialization failed because the object was already initialized. | +| 0x80244013 | `WU_E_PT_INVALID_COMPUTER_NAME` | The computer name could not be determined. | +| 0x80244015 | `WU_E_PT_REFRESH_CACHE_REQUIRED` | The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry. | +| 0x80244016 | `WU_E_PT_HTTP_STATUS_BAD_REQUEST` | Same as HTTP status 400 - the server could not process the request due to invalid syntax. | +| 0x80244017 | `WU_E_PT_HTTP_STATUS_DENIED` | Same as HTTP status 401 - the requested resource requires user authentication. | +| 0x80244018 | `WU_E_PT_HTTP_STATUS_FORBIDDEN` | Same as HTTP status 403 - server understood the request but declined to fulfill it. | +| 0x80244019 | `WU_E_PT_HTTP_STATUS_NOT_FOUND` | Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). | +| 0x8024401A | `WU_E_PT_HTTP_STATUS_BAD_METHOD` | Same as HTTP status 405 - the HTTP method is not allowed. | +| 0x8024401B | `WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ` | Same as HTTP status 407 - proxy authentication is required. 
| +| 0x8024401C | `WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT` | Same as HTTP status 408 - the server timed out waiting for the request. | +| 0x8024401D | `WU_E_PT_HTTP_STATUS_CONFLICT` | Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. | +| 0x8024401E | `WU_E_PT_HTTP_STATUS_GONE` | Same as HTTP status 410 - requested resource is no longer available at the server. | +| 0x8024401F | `WU_E_PT_HTTP_STATUS_SERVER_ERROR` | Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. | +| 0x80244020 | `WU_E_PT_HTTP_STATUS_NOT_SUPPORTED` | Same as HTTP status 500 - server does not support the functionality required to fulfill the request. | +| 0x80244021 | `WU_E_PT_HTTP_STATUS_BAD_GATEWAY` | Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfill the request. | +| 0x80244022 | `WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL` | Same as HTTP status 503 - the service is temporarily overloaded. | +| 0x80244023 | `WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT` | Same as HTTP status 503 - the request was timed out waiting for a gateway. | +| 0x80244024 | `WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP` | Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. | +| 0x80244025 | `WU_E_PT_FILE_LOCATIONS_CHANGED` | Operation failed due to a changed file location; refresh internal state and resend. | +| 0x80244026 | `WU_E_PT_REGISTRATION_NOT_SUPPORTED` | Operation failed because Windows Update Agent does not support registration with a non-WSUS server. | +| 0x80244027 | `WU_E_PT_NO_AUTH_PLUGINS_REQUESTED` | The server returned an empty authentication information list. | +| 0x80244028 | `WU_E_PT_NO_AUTH_COOKIES_CREATED` | Windows Update Agent was unable to create any valid authentication cookies. 
| +| 0x80244029 | `WU_E_PT_INVALID_CONFIG_PROP` | A configuration property value was wrong. | +| 0x8024402A | `WU_E_PT_CONFIG_PROP_MISSING` | A configuration property value was missing. | +| 0x8024402B | `WU_E_PT_HTTP_STATUS_NOT_MAPPED` | The HTTP request could not be completed and the reason did not correspond to any of the `WU_E_PT_HTTP_*` error codes. | +| 0x8024402C | `WU_E_PT_WINHTTP_NAME_NOT_RESOLVED` | Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. | +| 0x8024402F | `WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS` | External cab file processing completed with some errors. | +| 0x80244030 | `WU_E_PT_ECP_INIT_FAILED` | The external cab processor initialization did not complete. | +| 0x80244031 | `WU_E_PT_ECP_INVALID_FILE_FORMAT` | The format of a metadata file was invalid. | +| 0x80244032 | `WU_E_PT_ECP_INVALID_METADATA` | External cab processor found invalid metadata. | +| 0x80244033 | `WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST` | The file digest could not be extracted from an external cab file. | +| 0x80244034 | `WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE` | An external cab file could not be decompressed. | +| 0x80244035 | `WU_E_PT_ECP_FILE_LOCATION_ERROR` | External cab processor was unable to get file locations. | +| 0x80244FFF | `WU_E_PT_UNEXPECTED` | A communication error not covered by another `WU_E_PT_*` error code. | +| 0x8024502D | `WU_E_PT_SAME_REDIR_ID` | Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. | +| 0x8024502E | `WU_E_PT_NO_MANAGED_RECOVER` | A redirector recovery action did not complete because the server is managed. 
| + +## Download Manager errors + +| Error code | Message | Description | +|------------|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------| +| 0x80246001 | `WU_E_DM_URLNOTAVAILABLE` | A download manager operation could not be completed because the requested file does not have a URL. | +| 0x80246002 | `WU_E_DM_INCORRECTFILEHASH` | A download manager operation could not be completed because the file digest was not recognized. | +| 0x80246003 | `WU_E_DM_UNKNOWNALGORITHM` | A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. | +| 0x80246004 | `WU_E_DM_NEEDDOWNLOADREQUEST` | An operation could not be completed because a download request is required from the download handler. | +| 0x80246005 | `WU_E_DM_NONETWORK` | A download manager operation could not be completed because the network connection was unavailable. | +| 0x80246006 | `WU_E_DM_WRONGBITSVERSION` | A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible. | +| 0x80246007 | `WU_E_DM_NOTDOWNLOADED` | The update has not been downloaded. | +| 0x80246008 | `WU_E_DM_FAILTOCONNECTTOBITS` | A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS). | +| 0x80246009 | `WU_E_DM_BITSTRANSFERERROR` | A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error. | +| 0x8024600A | `WU_E_DM_DOWNLOADLOCATIONCHANGED` | A download must be restarted because the location of the source of the download has changed. | +| 0x8024600B | `WU_E_DM_CONTENTCHANGED` | A download must be restarted because the update content changed in a new revision. 
| +| 0x80246FFF | `WU_E_DM_UNEXPECTED` | There was a download manager error not covered by another `WU_E_DM_*` error code. | + +## Update Handler errors + +| Error code | Message | Description | +|------------|----------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +| 0x80242000 | `WU_E_UH_REMOTEUNAVAILABLE` | A request for a remote update handler could not be completed because no remote process is available. | +| 0x80242001 | `WU_E_UH_LOCALONLY` | A request for a remote update handler could not be completed because the handler is local only. | +| 0x80242002 | `WU_E_UH_UNKNOWNHANDLER` | A request for an update handler could not be completed because the handler could not be recognized. | +| 0x80242003 | `WU_E_UH_REMOTEALREADYACTIVE` | A remote update handler could not be created because one already exists. | +| 0x80242004 | `WU_E_UH_DOESNOTSUPPORTACTION` | A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall). | +| 0x80242005 | `WU_E_UH_WRONGHANDLER` | An operation did not complete because the wrong handler was specified. | +| 0x80242006 | `WU_E_UH_INVALIDMETADATA` | A handler operation could not be completed because the update contains invalid metadata. | +| 0x80242007 | `WU_E_UH_INSTALLERHUNG` | An operation could not be completed because the installer exceeded the time limit. | +| 0x80242008 | `WU_E_UH_OPERATIONCANCELLED` | An operation being done by the update handler was canceled. | +| 0x80242009 | `WU_E_UH_BADHANDLERXML` | An operation could not be completed because the handler-specific metadata is invalid. | +| 0x8024200A | `WU_E_UH_CANREQUIREINPUT` | A request to the handler to install an update could not be completed because the update requires user input. 
| +| 0x8024200B | `WU_E_UH_INSTALLERFAILURE` | The installer failed to install (uninstall) one or more updates. | +| 0x8024200C | `WU_E_UH_FALLBACKTOSELFCONTAINED` | The update handler should download self-contained content rather than delta-compressed content for the update. | +| 0x8024200D | `WU_E_UH_NEEDANOTHERDOWNLOAD` | The update handler did not install the update because it needs to be downloaded again. | +| 0x8024200E | `WU_E_UH_NOTIFYFAILURE` | The update handler failed to send notification of the status of the install (uninstall) operation. | +| 0x8024200F | `WU_E_UH_INCONSISTENT_FILE_NAMES` | The file names contained in the update metadata and in the update package are inconsistent. | +| 0x80242010 | `WU_E_UH_FALLBACKERROR` | The update handler failed to fall back to the self-contained content. | +| 0x80242011 | `WU_E_UH_TOOMANYDOWNLOADREQUESTS` | The update handler has exceeded the maximum number of download requests. | +| 0x80242012 | `WU_E_UH_UNEXPECTEDCBSRESPONSE` | The update handler has received an unexpected response from CBS. | +| 0x80242013 | `WU_E_UH_BADCBSPACKAGEID` | The update metadata contains an invalid CBS package identifier. | +| 0x80242014 | `WU_E_UH_POSTREBOOTSTILLPENDING` | The post-reboot operation for the update is still in progress. | +| 0x80242015 | `WU_E_UH_POSTREBOOTRESULTUNKNOWN` | The result of the post-reboot operation for the update could not be determined. | +| 0x80242016 | `WU_E_UH_POSTREBOOTUNEXPECTEDSTATE` | The state of the update after its post-reboot operation has completed is unexpected. | +| 0x80242017 | `WU_E_UH_NEW_SERVICING_STACK_REQUIRED` | The OS servicing stack must be updated before this update is downloaded or installed. | +| 0x80242FFF | `WU_E_UH_UNEXPECTED` | An update handler error not covered by another `WU_E_UH_*` code. 
| + +## Data Store errors + +| Error code | Message | Description | +|------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x80248000 | `WU_E_DS_SHUTDOWN` | An operation failed because Windows Update Agent is shutting down. | +| 0x80248001 | `WU_E_DS_INUSE` | An operation failed because the data store was in use. | +| 0x80248002 | `WU_E_DS_INVALID` | The current and expected states of the data store do not match. | +| 0x80248003 | `WU_E_DS_TABLEMISSING` | The data store is missing a table. | +| 0x80248004 | `WU_E_DS_TABLEINCORRECT` | The data store contains a table with unexpected columns. | +| 0x80248005 | `WU_E_DS_INVALIDTABLENAME` | A table could not be opened because the table is not in the data store. | +| 0x80248006 | `WU_E_DS_BADVERSION` | The current and expected versions of the data store do not match. | +| 0x80248007 | `WU_E_DS_NODATA` | The information requested is not in the data store. | +| 0x80248008 | `WU_E_DS_MISSINGDATA` | The data store is missing required information or has a NULL in a table column that requires a non-null value. | +| 0x80248009 | `WU_E_DS_MISSINGREF` | The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +| 0x8024800A | `WU_E_DS_UNKNOWNHANDLER` | The update was not processed because its update handler could not be recognized. | +| 0x8024800B | `WU_E_DS_CANTDELETE` | The update was not deleted because it is still referenced by one or more services. | +| 0x8024800C | `WU_E_DS_LOCKTIMEOUTEXPIRED` | The data store section could not be locked within the allotted time. | +| 0x8024800D | `WU_E_DS_NOCATEGORIES` | The category was not added because it contains no parent categories and is not a top-level category itself. 
| +| 0x8024800E | `WU_E_DS_ROWEXISTS` | The row was not added because an existing row has the same primary key. | +| 0x8024800F | `WU_E_DS_STOREFILELOCKED` | The data store could not be initialized because it was locked by another process. | +| 0x80248010 | `WU_E_DS_CANNOTREGISTER` | The data store is not allowed to be registered with COM in the current process. | +| 0x80248011 | `WU_E_DS_UNABLETOSTART` | Could not create a data store object in another process. | +| 0x80248013 | `WU_E_DS_DUPLICATEUPDATEID` | The server sent the same update to the client with two different revision IDs. | +| 0x80248014 | `WU_E_DS_UNKNOWNSERVICE` | An operation did not complete because the service is not in the data store. | +| 0x80248015 | `WU_E_DS_SERVICEEXPIRED` | An operation did not complete because the registration of the service has expired. | +| 0x80248016 | `WU_E_DS_DECLINENOTALLOWED` | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. | +| 0x80248017 | `WU_E_DS_TABLESESSIONMISMATCH` | A table was not closed because it is not associated with the session. | +| 0x80248018 | `WU_E_DS_SESSIONLOCKMISMATCH` | A table was not closed because it is not associated with the session. | +| 0x80248019 | `WU_E_DS_NEEDWINDOWSSERVICE` | A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. | +| 0x8024801A | `WU_E_DS_INVALIDOPERATION` | A request was declined because the operation is not allowed. | +| 0x8024801B | `WU_E_DS_SCHEMAMISMATCH` | The schema of the current data store and the schema of a table in a backup XML document do not match. | +| 0x8024801C | `WU_E_DS_RESETREQUIRED` | The data store requires a session reset; release the session and retry with a new session. 
| +| 0x8024801D | `WU_E_DS_IMPERSONATED` | A data store operation did not complete because it was requested with an impersonated identity. | +| 0x80248FFF | `WU_E_DS_UNEXPECTED` | A data store error not covered by another `WU_E_DS_*` code. | + +## Driver Util errors +The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. + +| Error code | Message | Description | +|------------|-------------------------------|------------------------------------------------------------------------------------------------| +| 0x8024C001 | `WU_E_DRV_PRUNED` | A driver was skipped. | +| 0x8024C002 | `WU_E_DRV_NOPROP_OR_LEGACY` | A property for the driver could not be found. It may not conform with required specifications. | +| 0x8024C003 | `WU_E_DRV_REG_MISMATCH` | The registry type read for the driver does not match the expected type. | +| 0x8024C004 | `WU_E_DRV_NO_METADATA` | The driver update is missing metadata. | +| 0x8024C005 | `WU_E_DRV_MISSING_ATTRIBUTE` | The driver update is missing a required attribute. | +| 0x8024C006 | `WU_E_DRV_SYNC_FAILED` | Driver synchronization failed. | +| 0x8024C007 | `WU_E_DRV_NO_PRINTER_CONTENT` | Information required for the synchronization of applicable printers is missing. | +| 0x8024CFFF | `WU_E_DRV_UNEXPECTED` | A driver error not covered by another `WU_E_DRV_*` code. | + +## Windows Update error codes + +| Error code | Message | Description | +|------------|-----------------------------------|--------------------------------------------------------------| +| 0x80240001 | `WU_E_NO_SERVICE` | Windows Update Agent was unable to provide the service. +| 0x80240002 | `WU_E_MAX_CAPACITY_REACHED` | The maximum capacity of the service was exceeded. +| 0x80240003 | `WU_E_UNKNOWN_ID` | An ID cannot be found. +| 0x80240004 | `WU_E_NOT_INITIALIZED` | The object could not be initialized. 
+| 0x80240005 | `WU_E_RANGEOVERLAP` | The update handler requested a byte range overlapping a previously requested range.
+| 0x80240006 | `WU_E_TOOMANYRANGES` | The requested number of byte ranges exceeds the maximum number (2^31 - 1).
+| 0x80240007 | `WU_E_INVALIDINDEX` | The index to a collection was invalid.
+| 0x80240008 | `WU_E_ITEMNOTFOUND` | The key for the item queried could not be found.
+| 0x80240009 | `WU_E_OPERATIONINPROGRESS` | Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.
+| 0x8024000A | `WU_E_COULDNOTCANCEL` | Cancellation of the operation was not allowed.
+| 0x8024000B | `WU_E_CALL_CANCELLED` | Operation was canceled.
+| 0x8024000C | `WU_E_NOOP` | No operation was required.
+| 0x8024000D | `WU_E_XML_MISSINGDATA` | Windows Update Agent could not find required information in the update's XML data.
+| 0x8024000E | `WU_E_XML_INVALID` | Windows Update Agent found invalid information in the update's XML data.
+| 0x8024000F | `WU_E_CYCLE_DETECTED` | Circular update relationships were detected in the metadata.
+| 0x80240010 | `WU_E_TOO_DEEP_RELATION` | Update relationships too deep to evaluate were evaluated.
+| 0x80240011 | `WU_E_INVALID_RELATIONSHIP` | An invalid update relationship was detected.
+| 0x80240012 | `WU_E_REG_VALUE_INVALID` | An invalid registry value was read.
+| 0x80240013 | `WU_E_DUPLICATE_ITEM` | Operation tried to add a duplicate item to a list.
+| 0x80240016 | `WU_E_INSTALL_NOT_ALLOWED` | Operation tried to install while another installation was in progress or the system was pending a mandatory restart.
+| 0x80240017 | `WU_E_NOT_APPLICABLE` | Operation was not performed because there are no applicable updates.
+| 0x80240018 | `WU_E_NO_USERTOKEN` | Operation failed because a required user token is missing.
+| 0x80240019 | `WU_E_EXCLUSIVE_INSTALL_CONFLICT` | An exclusive update cannot be installed with other updates at the same time.
+| 0x8024001A | `WU_E_POLICY_NOT_SET` | A policy value was not set.
+| 0x8024001B | `WU_E_SELFUPDATE_IN_PROGRESS` | The operation could not be performed because the Windows Update Agent is self-updating.
+| 0x8024001D | `WU_E_INVALID_UPDATE` | An update contains invalid metadata.
+| 0x8024001E | `WU_E_SERVICE_STOP` | Operation did not complete because the service or system was being shut down.
+| 0x8024001F | `WU_E_NO_CONNECTION` | Operation did not complete because the network connection was unavailable.
+| 0x80240020 | `WU_E_NO_INTERACTIVE_USER` | Operation did not complete because there is no logged-on interactive user.
+| 0x80240021 | `WU_E_TIME_OUT` | Operation did not complete because it timed out.
+| 0x80240022 | `WU_E_ALL_UPDATES_FAILED` | Operation failed for all the updates.
+| 0x80240023 | `WU_E_EULAS_DECLINED` | The license terms for all updates were declined.
+| 0x80240024 | `WU_E_NO_UPDATE` | There are no updates.
+| 0x80240025 | `WU_E_USER_ACCESS_DISABLED` | Group Policy settings prevented access to Windows Update.
+| 0x80240026 | `WU_E_INVALID_UPDATE_TYPE` | The type of update is invalid.
+| 0x80240027 | `WU_E_URL_TOO_LONG` | The URL exceeded the maximum length.
+| 0x80240028 | `WU_E_UNINSTALL_NOT_ALLOWED` | The update could not be uninstalled because the request did not originate from a WSUS server.
+| 0x80240029 | `WU_E_INVALID_PRODUCT_LICENSE` | Search may have missed some updates before there is an unlicensed application on the system.
+| 0x8024002A | `WU_E_MISSING_HANDLER` | A component required to detect applicable updates was missing.
+| 0x8024002B | `WU_E_LEGACYSERVER` | An operation did not complete because it requires a newer version of server.
+| 0x8024002C | `WU_E_BIN_SOURCE_ABSENT` | A delta-compressed update could not be installed because it required the source.
+| 0x8024002D | `WU_E_SOURCE_ABSENT` | A full-file update could not be installed because it required the source.
+| 0x8024002E | `WU_E_WU_DISABLED` | Access to an unmanaged server is not allowed.
+| 0x8024002F | `WU_E_CALL_CANCELLED_BY_POLICY` | Operation did not complete because the DisableWindowsUpdateAccess policy was set.
+| 0x80240030 | `WU_E_INVALID_PROXY_SERVER` | The format of the proxy list was invalid.
+| 0x80240031 | `WU_E_INVALID_FILE` | The file is in the wrong format.
+| 0x80240032 | `WU_E_INVALID_CRITERIA` | The search criteria string was invalid.
+| 0x80240033 | `WU_E_EULA_UNAVAILABLE` | License terms could not be downloaded.
+| 0x80240034 | `WU_E_DOWNLOAD_FAILED` | Update failed to download.
+| 0x80240035 | `WU_E_UPDATE_NOT_PROCESSED` | The update was not processed.
+| 0x80240036 | `WU_E_INVALID_OPERATION` | The object's current state did not allow the operation.
+| 0x80240037 | `WU_E_NOT_SUPPORTED` | The functionality for the operation is not supported.
+| 0x80240038 | `WU_E_WINHTTP_INVALID_FILE` | The downloaded file has an unexpected content type.
+| 0x80240039 | `WU_E_TOO_MANY_RESYNC` | Agent is asked by server to resync too many times.
+| 0x80240040 | `WU_E_NO_SERVER_CORE_SUPPORT` | `WUA API` method does not run on Server Core installation.
+| 0x80240041 | `WU_E_SYSPREP_IN_PROGRESS` | Service is not available while sysprep is running.
+| 0x80240042 | `WU_E_UNKNOWN_SERVICE` | The update service is no longer registered with `AU`.
+| 0x80240043 | `WU_E_NO_UI_SUPPORT` | There is no support for `WUA UI`.
+| 0x80240FFF | `WU_E_UNEXPECTED` | An operation failed due to reasons not covered by another error code.
+
+## Windows Update success codes
+
+| Error code | Message | Description |
+|------------|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|
+| 0x00240001 | `WU_S_SERVICE_STOP` | Windows Update Agent was stopped successfully. |
+| 0x00240002 | `WU_S_SELFUPDATE` | Windows Update Agent updated itself.
|
+| 0x00240003 | `WU_S_UPDATE_ERROR` | Operation completed successfully but there were errors applying the updates. |
+| 0x00240004 | `WU_S_MARKED_FOR_DISCONNECT` | A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. |
+| 0x00240005 | `WU_S_REBOOT_REQUIRED` | The system must be restarted to complete installation of the update. |
+| 0x00240006 | `WU_S_ALREADY_INSTALLED` | The update to be installed is already installed on the system. |
+| 0x00240007 | `WU_S_ALREADY_UNINSTALLED` | The update to be removed is not installed on the system. |
+| 0x00240008 | `WU_S_ALREADY_DOWNLOADED` | The update to be downloaded has already been downloaded. |
+
+## Windows Installer minor errors
+The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.
+
+| Error code | Message | Description |
+|------------|------------------------------|---------------------------------------------------------------------------------------------|
+| 0x80241001 | `WU_E_MSI_WRONG_VERSION` | Search may have missed some updates because the Windows Installer is less than version 3.1. |
+| 0x80241002 | `WU_E_MSI_NOT_CONFIGURED` | Search may have missed some updates because the Windows Installer is not configured. |
+| 0x80241003 | `WU_E_MSP_DISABLED` | Search may have missed some updates because policy has disabled Windows Installer patching. |
+| 0x80241004 | `WU_E_MSI_WRONG_APP_CONTEXT` | An update could not be applied because the application is installed per-user. |
+| 0x80241FFF | `WU_E_MSP_UNEXPECTED` | Search may have missed some updates because there was a failure of the Windows Installer.
|
+
+## Windows Update Agent update and setup errors
+
+| Error code | Message | Description |
+|------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
+| 0x8024D001 | `WU_E_SETUP_INVALID_INFDATA` | Windows Update Agent could not be updated because an INF file contains invalid information. |
+| 0x8024D002 | `WU_E_SETUP_INVALID_IDENTDATA` | Windows Update Agent could not be updated because the `wuident.cab` file contains invalid information. |
+| 0x8024D003 | `WU_E_SETUP_ALREADY_INITIALIZED` | Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. |
+| 0x8024D004 | `WU_E_SETUP_NOT_INITIALIZED` | Windows Update Agent could not be updated because setup initialization never completed successfully. |
+| 0x8024D005 | `WU_E_SETUP_SOURCE_VERSION_MISMATCH` | Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. |
+| 0x8024D006 | `WU_E_SETUP_TARGET_VERSION_GREATER` | Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. |
+| 0x8024D007 | `WU_E_SETUP_REGISTRATION_FAILED` | Windows Update Agent could not be updated because `regsvr32.exe` returned an error. |
+| 0x8024D009 | `WU_E_SETUP_SKIP_UPDATE` | An update to the Windows Update Agent was skipped due to a directive in the `wuident.cab` file. |
+| 0x8024D00A | `WU_E_SETUP_UNSUPPORTED_CONFIGURATION` | Windows Update Agent could not be updated because the current system configuration is not supported. |
+| 0x8024D00B | `WU_E_SETUP_BLOCKED_CONFIGURATION` | Windows Update Agent could not be updated because the system is configured to block the update. |
+| 0x8024D00C | `WU_E_SETUP_REBOOT_TO_FIX` | Windows Update Agent could not be updated because a restart of the system is required.
|
+| 0x8024D00D | `WU_E_SETUP_ALREADYRUNNING` | Windows Update Agent setup is already running. |
+| 0x8024D00E | `WU_E_SETUP_REBOOTREQUIRED` | Windows Update Agent setup package requires a reboot to complete installation. |
+| 0x8024D00F | `WU_E_SETUP_HANDLER_EXEC_FAILURE` | Windows Update Agent could not be updated because the setup handler failed during execution. |
+| 0x8024D010 | `WU_E_SETUP_INVALID_REGISTRY_DATA` | Windows Update Agent could not be updated because the registry contains invalid information. |
+| 0x8024D013 | `WU_E_SETUP_WRONG_SERVER_VERSION` | Windows Update Agent could not be updated because the server does not contain update information for this version. |
+| 0x8024DFFF | `WU_E_SETUP_UNEXPECTED` | Windows Update Agent could not be updated because of an error not covered by another `WU_E_SETUP_*` error code. |
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index 049bedc236..cdb6ea9f85 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -1,40 +1,42 @@ ---- -title: Windows Update common errors and mitigation -description: Learn about some common issues you might experience with Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update common errors and mitigation - ->Applies to: Windows 10 - -The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. - - -| Error Code | Message | Description | Mitigation | -|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
    The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | -| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
    Rename the following folders to \*.BAK:
    - %systemroot%\system32\catroot2

    To do this, type the following commands at a command prompt. Press ENTER after you type each command.
    - Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
    - Ren %systemroot%\SoftwareDistribution\Download \*.bak
    Ren %systemroot%\system32\catroot2 \*.bak | -| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | -| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

    If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | -| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
    http://.update.microsoft.com
    https://
    .update.microsoft.com


    Additionally , you can take a network trace and see what is timing out. \ | -| 0x80072EFD
    0x80072EFE 
    0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
    Take a network monitor trace to understand better. \ | -| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | -| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | -| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | -| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | -| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | -| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | -| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. 
Ensure that you have the latest Windows Update Agent installed on the machine. | -| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

    Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | -| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

    Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | - +--- +title: Windows Update common errors and mitigation +description: Learn about some common issues you might experience with Windows Update +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update common errors and mitigation + +>Applies to: Windows 10 + +The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. + + +| Error Code | Message | Description | Mitigation | +|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
    The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | +| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
    Rename the following folders to \*.BAK:
    - %systemroot%\system32\catroot2

    To do this, type the following commands at a command prompt. Press ENTER after you type each command.
    - Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
    - Ren %systemroot%\SoftwareDistribution\Download \*.bak
    Ren %systemroot%\system32\catroot2 \*.bak | +| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | +| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

    If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
    http://.update.microsoft.com
    https://
    .update.microsoft.com


    Additionally , you can take a network trace and see what is timing out. \ | +| 0x80072EFD
    0x80072EFE 
    0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
    Take a network monitor trace to understand better. \ | +| 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | +| 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | +| 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | +| 0x80242014 | WU_E_UH_POSTREBOOTSTILLPENDING | The post-reboot operation for the update is still in progress. | Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +| 0x80246017 | WU_E_DM_UNAUTHORIZED_LOCAL_USER | The download failed because the local user was denied authorization to download the content. | Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator). | +| 0x8024000B | WU_E_CALL_CANCELLED | Operation was cancelled. | This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete. | +| 0x8024000E | WU_E_XML_INVALID | Windows Update Agent found invalid information in the update's XML data. | Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. 
Ensure that you have the latest Windows Update Agent installed on the machine. | +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE | An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. | You may encounter this error when WSUS is not sending the Self-update to the clients.

    Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. | +| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.

    Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. | + diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md index 7eec34d793..1e9deff347 100644 --- a/windows/deployment/update/windows-update-logs.md +++ b/windows/deployment/update/windows-update-logs.md @@ -1,147 +1,149 @@ ---- -title: Windows Update log files -description: Learn about the Windows Update log files -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update log files - ->Applies to: Windows 10 - -The following table describes the log files created by Windows Update. - - -|Log file|Location|Description|When to Use | -|-|-|-|-| -|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| -|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
    When Updates are downloaded but installation is not triggered.
    When Updates are installed but reboot is not triggered. | -|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | -|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| - -## Generating WindowsUpdate.log -To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). - ->[!NOTE] ->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. - -### Windows Update log components -The WU engine has different component names. 
The following are some of the most common components that appear in the WindowsUpdate.log file: - -- AGENT- Windows Update agent -- AU - Automatic Updates is performing this task -- AUCLNT- Interaction between AU and the logged-on user -- CDM- Device Manager -- CMPRESS- Compression agent -- COMAPI- Windows Update API -- DRIVER- Device driver information -- DTASTOR- Handles database transactions -- EEHNDLER- Expression handler that's used to evaluate update applicability -- HANDLER- Manages the update installers -- MISC- General service information -- OFFLSNC- Detects available updates without network connection -- PARSER- Parses expression information -- PT- Synchronizes updates information to the local datastore -- REPORT- Collects reporting information -- SERVICE- Startup/shutdown of the Automatic Updates service -- SETUP- Installs new versions of the Windows Update client when it is available -- SHUTDWN- Install at shutdown feature -- WUREDIR- The Windows Update redirector files -- WUWEB- The Windows Update ActiveX control -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, and so on) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping a service - ->[!NOTE] ->Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. - -### Windows Update log structure -The Windows update log structure is separated into four main identities: - -- Time Stamps -- Process ID and Thread ID -- Component Name -- Update Identifiers - - Update ID and Revision Number - - Revision ID - - Local ID - - Inconsistent terminology - -The WindowsUpdate.log structure is discussed in the following sections. 
- -#### Time stamps -The time stamp indicates the time at which the logging occurs. -- Messages are usually in chronological order, but there may be exceptions. -- A pause during a sync can indicate a network problem, even if the scan succeeds. -- A long pause near the end of a scan can indicate a supersedence chain issue. - ![Windows Update time stamps](images/update-time-log.png) - - -#### Process ID and thread ID -The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. -- The first four hex digits are the process ID. -- The next four hex digits are the thread ID. -- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. - ![Windows Update process and thread IDs](images/update-process-id.png) - - -#### Component name -Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: - -- ProtocolTalker - Client-server sync -- DownloadManager - Creates and monitors payload downloads -- Handler, Setup - Installer handlers (CBS, etc.) -- EEHandler - Evaluating update applicability rules -- DataStore - Caching update data locally -- IdleTimer - Tracking active calls, stopping service - -![Windows Update component name](images/update-component-name.png) - - -#### Update identifiers - -##### Update ID and revision number -There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. -- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time -- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service -- Revision numbers are reused from one update to another (not a unique identifier). 
-- The update ID and revision number are often shown together as "{GUID}.revision." - ![Windows Update update identifiers](images/update-update-id.png) - - -##### Revision ID -- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. -- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. -- Revision IDs are unique on a given update source, but not across multiple sources. -- The same update revision may have completely different revision IDs on WU and WSUS. -- The same revision ID may represent different updates on WU and WSUS. - -##### Local ID -- Local ID is a serial number issued when an update is received from a service by a given WU client -- Usually seen in debug logs, especially involving the local cache for update info (Datastore) -- Different client PCs will assign different Local IDs to the same update -- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file - -##### Inconsistent terminology -- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. -- Recognize IDs by form and context: - - - GUIDs are update IDs - - Small integers that appear alongside an update ID are revision numbers - - Large integers are typically revision IDs - - Small integers (especially in Datastore) can be local IDs - ![Windows Update inconsisten terminology](images/update-inconsistent.png) - -## Windows Setup log files analysis using SetupDiag tool -SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. 
For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag). +--- +title: Windows Update log files +description: Learn about the Windows Update log files +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 09/18/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update log files + +>Applies to: Windows 10 + +The following table describes the log files created by Windows Update. + + +|Log file|Location|Description|When to Use | +|-|-|-|-| +|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| +|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
    When Updates are downloaded but installation is not triggered.
    When Updates are installed but reboot is not triggered. | +|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | +|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| + +## Generating WindowsUpdate.log +To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). + +>[!NOTE] +>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. + +### Windows Update log components +The WU engine has different component names. 
The following are some of the most common components that appear in the WindowsUpdate.log file:
+
+- AGENT- Windows Update agent
+- AU - Automatic Updates is performing this task
+- AUCLNT- Interaction between AU and the logged-on user
+- CDM- Device Manager
+- CMPRESS- Compression agent
+- COMAPI- Windows Update API
+- DRIVER- Device driver information
+- DTASTOR- Handles database transactions
+- EEHNDLER- Expression handler that's used to evaluate update applicability
+- HANDLER- Manages the update installers
+- MISC- General service information
+- OFFLSNC- Detects available updates without network connection
+- PARSER- Parses expression information
+- PT- Synchronizes updates information to the local datastore
+- REPORT- Collects reporting information
+- SERVICE- Startup/shutdown of the Automatic Updates service
+- SETUP- Installs new versions of the Windows Update client when it is available
+- SHUTDWN- Install at shutdown feature
+- WUREDIR- The Windows Update redirector files
+- WUWEB- The Windows Update ActiveX control
+- ProtocolTalker - Client-server sync
+- DownloadManager - Creates and monitors payload downloads
+- Handler, Setup - Installer handlers (CBS, and so on)
+- EEHandler - Evaluating update applicability rules
+- DataStore - Caching update data locally
+- IdleTimer - Tracking active calls, stopping a service
+
+>[!NOTE]
+>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important.
+
+### Windows Update log structure
+The Windows update log structure is separated into four main identities:
+
+- Time Stamps
+- Process ID and Thread ID
+- Component Name
+- Update Identifiers
+ - Update ID and Revision Number
+ - Revision ID
+ - Local ID
+ - Inconsistent terminology
+
+The WindowsUpdate.log structure is discussed in the following sections.
+
+#### Time stamps
+The time stamp indicates the time at which the logging occurs.
+- Messages are usually in chronological order, but there may be exceptions.
+- A pause during a sync can indicate a network problem, even if the scan succeeds.
+- A long pause near the end of a scan can indicate a supersedence chain issue.
+ ![Windows Update time stamps](images/update-time-log.png)
+
+
+#### Process ID and thread ID
+The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
+- The first four hex digits are the process ID.
+- The next four hex digits are the thread ID.
+- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID.
+ ![Windows Update process and thread IDs](images/update-process-id.png)
+
+
+#### Component name
+Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows:
+
+- ProtocolTalker - Client-server sync
+- DownloadManager - Creates and monitors payload downloads
+- Handler, Setup - Installer handlers (CBS, etc.)
+- EEHandler - Evaluating update applicability rules
+- DataStore - Caching update data locally
+- IdleTimer - Tracking active calls, stopping service
+
+![Windows Update component name](images/update-component-name.png)
+
+
+#### Update identifiers
+
+##### Update ID and revision number
+There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes.
+- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time
+- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
+- Revision numbers are reused from one update to another (not a unique identifier).
+- The update ID and revision number are often shown together as "{GUID}.revision."
+ ![Windows Update update identifiers](images/update-update-id.png)
+
+
+##### Revision ID
+- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service.
+- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID.
+- Revision IDs are unique on a given update source, but not across multiple sources.
+- The same update revision may have completely different revision IDs on WU and WSUS.
+- The same revision ID may represent different updates on WU and WSUS.
+
+##### Local ID
+- Local ID is a serial number issued when an update is received from a service by a given WU client
+- Usually seen in debug logs, especially involving the local cache for update info (Datastore)
+- Different client PCs will assign different Local IDs to the same update
+- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
+
+##### Inconsistent terminology
+- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
+- Recognize IDs by form and context:
+
+ - GUIDs are update IDs
+ - Small integers that appear alongside an update ID are revision numbers
+ - Large integers are typically revision IDs
+ - Small integers (especially in Datastore) can be local IDs
+ ![Windows Update inconsisten terminology](images/update-inconsistent.png)
+
+## Windows Setup log files analysis using SetupDiag tool
+SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates.
For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag).
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 3eda438f80..2590530152 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -1,57 +1,59 @@
----
-title: Get started with Windows Update
-description: Learn how Windows Update works, including architecture and troubleshooting
-ms.prod: w10
-ms.mktglfcycl:
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro author: greg-lindsay
-ms.date: 09/18/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Get started with Windows Update
-
->Applies to: Windows 10
-
-With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.
-
-Ues the following information to get started with Windows Update:
-
-- Understand the UUP architecture
-- Understand [how Windows Update works](how-windows-update-works.md)
-- Find [Windows Update log files](windows-update-logs.md)
-- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md)
-- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md)
-- Review [other resources](windows-update-resources.md) to help you use Windows Update
-
-## Unified Update Platform (UUP) architecture
-To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms.
-
-![Windows Update terminology](images/update-terminology.png)
-
-- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
-- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.
-
- Update types-
- - OS Feature updates
- - OS Security updates
- - Device drivers
- - Defender definition updates
-
- >[!NOTE]
- > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update.
- >
- >Store apps aren't installed by USO, today they are separate.
-
-- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller.
-- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date.
-- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS.
-
-Additional components include the following-
-
-- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
-- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
+---
+title: Get started with Windows Update
+description: Learn how Windows Update works, including architecture and troubleshooting
+ms.prod: w10
+ms.mktglfcycl:
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.localizationprioauthor: jaimeo
+ms.audience: itpro
+author: jaimeo
+ms.date: 09/18/2018
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Get started with Windows Update
+
+>Applies to: Windows 10
+
+With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.
+
+Ues the following information to get started with Windows Update:
+
+- Understand the UUP architecture
+- Understand [how Windows Update works](how-windows-update-works.md)
+- Find [Windows Update log files](windows-update-logs.md)
+- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md)
+- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md)
+- Review [other resources](windows-update-resources.md) to help you use Windows Update
+
+## Unified Update Platform (UUP) architecture
+To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms.
+
+![Windows Update terminology](images/update-terminology.png)
+
+- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
+- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.
+
+ Update types-
+ - OS Feature updates
+ - OS Security updates
+ - Device drivers
+ - Defender definition updates
+
+ >[!NOTE]
+ > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update.
+ >
+ >Store apps aren't installed by USO, today they are separate.
+
+- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller.
+- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date.
+- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS.
+
+Additional components include the following-
+
+- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
+- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index ead5fd7aaf..16e2488d65 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -3,12 +3,12 @@ title: Windows Update - Additional resources
 description: Additional resources for Windows Update
 ms.prod: w10
 ms.mktglfcycl:
-ms.sitesec: library
+
 audience: itpro
-author: greg-lindsay
+author: jaimeo
 ms.localizationpriority: medium
 ms.audience: itpro
-author: greg-lindsay
+author: jaimeo
 ms.date: 09/18/2018
 ms.reviewer:
 manager: laurawi
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 9d93ebbe55..39568ae5ae 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -1,219 +1,235 @@ ---- -title: Windows Update troubleshooting -description: Learn how to troubleshoot Windows Update -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -audience: itpro -author: jaimeo -ms.localizationpriority: medium -ms.audience: itpro -author: jaimeo -ms.date: 09/18/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Windows Update troubleshooting - ->Applies to: Windows 10 - -If you run into problems when using Windows Update, start with the following steps: - -1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. -2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. -3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - - - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) - - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) - - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) - - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) - - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) - - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) - -Advanced users can also refer to the 
[log](windows-update-logs.md) generated by Windows Update for further investigation. - -You might encounter the following scenarios when using Windows Update. - -## Why am I offered an older update/upgrade? -The update that is offered to a device depends on several factors. Some of the most common attributes include the following: - -- OS Build -- OS Branch -- OS Locale -- OS Architecture -- Device update management configuration - -If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. - -## My machine is frozen at scan. Why? -The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: -1. Close the Settings app and reopen it. -2. Launch Services.msc and check if the following services are running: - - Update State Orchestrator - - Windows Update - -## Feature updates are not being offered while other updates are -On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. 
- -Checking the WindowsUpdate.log reveals the following error: -``` -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken -YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed 
[CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] -YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 -YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 -``` - -The 0x80070426 error code translates to: -``` -ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. -``` - -Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. - -In order to solve this issue, we need to reset the MSA service to the default StartType of manual. - -## Issues related to HTTP/Proxy -Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. - -To fix this issue, configure a proxy in WinHTTP by using the following netsh command: - -``` -netsh winhttp set proxy ProxyServerName:PortNumber -``` - ->[!NOTE] -> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie - -If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. 
- -You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: - -*.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com -*.emdl.ws.microsoft.com - -If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). - - -## The update is not applicable to your computer -The most common reasons for this error are described in the following table: - -|Cause|Explanation|Resolution| -|-----|-----------|----------| -|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | -|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| -|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
    Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | -|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
    Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
    get-hotfix KB3173424,KB2919355,KB2919442
    If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. - -## Issues related to firewall configuration -Error that may be seen in the WU logs: -``` -DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. -``` -Or -``` -[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 -``` -Or -``` -DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A -``` - -Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). - -## Issues arising from configuration of conflicting policies -Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. - -See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. - - -## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: -1. 
Start Windows PowerShell as an administrator -2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". -3. Run \$MUSM.Services. - -Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. - -|Output|Interpretation| -|-|-| -|- Name: Microsoft Update
    -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
    - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | -|- Name: DCat Flighting Prod
    - OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
    - Indicates that the client is configured to receive feature updates from Windows Update. | -|- Name: Windows Store (DCat Prod)
    - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
    - Indicates that the client will not receive or is not configured to receive these updates.| -|- Name: Windows Server Update Service
    - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
    - The client is configured to receive updates from WSUS. | -|- Name: Windows Update
    - OffersWindowsUpdates: True|- The source is Windows Update.
    - The client is configured to receive updates from Windows Update Online.| - -## You have a bad setup in the environment -If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: - -``` -HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] -"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. -``` - -From the WU logs: -``` -2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -2018-08-06 09:33:31:085 480 1118 Agent ********* -2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates -2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No -2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" -2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service -2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} -2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities -2018-08-06 09:33:32:554 480 1118 Agent ********* -2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] -``` - -In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. - -Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. 
The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. - -``` -2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -2018-08-06 10:58:45:992 480 5d8 Agent ********* -2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No -2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" - -2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 -2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities -2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates -2018-08-06 10:58:47:383 480 5d8 Agent ********* -2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] -``` - -## High bandwidth usage on Windows 10 by Windows Update -Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. 
- -The following group policies can help mitigate this: - -- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) -- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") -- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) - -Other components that reach out to the internet: - -- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) -- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) -- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) +--- +title: Windows Update troubleshooting +description: Learn how to troubleshoot Windows Update +ms.prod: w10 +ms.mktglfcycl: +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Windows Update troubleshooting + +>Applies to: Windows 10 + +If you run into problems when using Windows Update, start with the following steps: + +1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. 
To verify the update status, refer to the appropriate update history for your system: + + - [Windows 10, version 1903 and Windows Server, version 1903](https://support.microsoft.com/help/4498140) + - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) + - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) + - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) + - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) + +Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. + +You might encounter the following scenarios when using Windows Update. + +## Why am I offered an older update/upgrade? +The update that is offered to a device depends on several factors. Some of the most common attributes include the following: + +- OS Build +- OS Branch +- OS Locale +- OS Architecture +- Device update management configuration + +If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. 
Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. + +## My device is frozen at scan. Why? +The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +1. Close the Settings app and reopen it. +2. Launch Services.msc and check if the following services are running: + - Update State Orchestrator + - Windows Update + +## Feature updates are not being offered while other updates are +On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered. + +Checking the WindowsUpdate.log reveals the following error: +``` +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * START * Finding updates CallerId = Update;taskhostw Id = 25 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Search Scope = {Current User} +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Caller SID for Applicability: S-1-12-1-2933642503-1247987907-1399130510-4207851353 +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Got 855E8A7C-ECB4-4CA3-B045-1DFA50104289 redir Client/Server URL: https://fe3.delivery.mp.microsoft.com/ClientWebService/client.asmx"" +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc Token Requested with 0 category IDs. +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc GetUserTickets: No user tickets found. Returning WU_E_NO_USERTOKEN. 
+YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::GetDeviceTickets:570] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetDeviceTickets +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [AuthTicketHelper::AddTickets:1092] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Method failed [CUpdateEndpointProvider::GenerateSecurityTokenWithAuthTickets:1587] +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentTokenFromServer +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] GetAgentToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] EP:Call to GetEndpointToken +YYYY/MM/DD HH:mm:ss:SSS PID TID Misc *FAILED* [80070426] Failed to obtain service 855E8A7C-ECB4-4CA3-B045-1DFA50104289 plugin Client/Server auth token of type 0x00000001 +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Method failed [CAgentProtocolTalkerContext::DetermineServiceEndpoint:377] +YYYY/MM/DD HH:mm:ss:SSS PID TID ProtocolTalker *FAILED* [80070426] Initialization failed for Protocol Talker Context +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent Exit code = 0x80070426 +YYYY/MM/DD HH:mm:ss:SSS PID TID Agent * END * Finding updates CallerId = Update;taskhostw Id = 25 +``` + +The 0x80070426 error code translates to: +``` +ERROR_SERVICE_NOT_ACTIVE - # The service has not been started. +``` + +Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully. 
+ +In order to solve this issue, we need to reset the MSA service to the default StartType of manual. + +## Issues related to HTTP/Proxy +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. + +To fix this issue, configure a proxy in WinHTTP by using the following netsh command: + +``` +netsh winhttp set proxy ProxyServerName:PortNumber +``` + +>[!NOTE] +> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie + +If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. + +You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: + +*.download.windowsupdate.com +*.dl.delivery.mp.microsoft.com +*.emdl.ws.microsoft.com + +If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). + + +## The update is not applicable to your computer +The most common reasons for this error are described in the following table: + +|Cause|Explanation|Resolution| +|-----|-----------|----------| +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. 
If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| +|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
    Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
    Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
    get-hotfix KB3173424,KB2919355,KB2919442
    If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. + +## Issues related to firewall configuration +Error that may be seen in the WU logs: +``` +DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. +``` +Or +``` +[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 +``` +Or +``` +DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A +``` + +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). + +## Issues arising from configuration of conflicting policies +Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. + +See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. 
+ +## Device cannot access update files +Check that your device can access these Windows Update endpoints: + +- http://windowsupdate.microsoft.com +- http://*.windowsupdate.microsoft.com +- https://*.windowsupdate.microsoft.com +- http://*.update.microsoft.com +- https://*.update.microsoft.com +- http://*.windowsupdate.com +- http://download.windowsupdate.com +- https://download.microsoft.com +- http://*.download.windowsupdate.com +- http://wustat.windows.com +- http://ntservicepack.microsoft.com + + Whitelist these endpoints for future use. + +## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +1. Start Windows PowerShell as an administrator +2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". +3. Run \$MUSM.Services. + +Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. + +|Output|Interpretation| +|-|-| +|- Name: Microsoft Update
    -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
    - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | +|- Name: DCat Flighting Prod
    - OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
    - Indicates that the client is configured to receive feature updates from Windows Update. | +|- Name: Windows Store (DCat Prod)
    - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
    - Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: Windows Server Update Service
    - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
    - The client is configured to receive updates from WSUS. | +|- Name: Windows Update
    - OffersWindowsUpdates: True|- The source is Windows Update.
    - The client is configured to receive updates from Windows Update Online.| + +## You have a bad setup in the environment +If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: + +``` +HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] +"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +``` + +From the WU logs: +``` +2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +2018-08-06 09:33:31:085 480 1118 Agent ********* +2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates +2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No +2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" +2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service +2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} +2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities +2018-08-06 09:33:32:554 480 1118 Agent ********* +2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +``` + +In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. + +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. 
The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. + +``` +2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +2018-08-06 10:58:45:992 480 5d8 Agent ********* +2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No +2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" + +2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 +2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities +2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates +2018-08-06 10:58:47:383 480 5d8 Agent ********* +2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +``` + +## High bandwidth usage on Windows 10 by Windows Update +Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. 
+ +The following group policies can help mitigate this: + +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) + +Other components that reach out to the internet: + +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index 9bdabe44ba..0d7b34374e 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md 
@@ -1,37 +1,39 @@
----
-title: Setting up Automatic Update in Windows Update for Business (Windows 10)
-description: Learn how to get started using Windows Update for Business.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro author: greg-lindsay
-ms.date: 06/20/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Set up Automatic Update in Windows Update for Business with group policies
-
->Applies to: Windows 10
-
-Use the Automatic Update group policies to manage the interaction between Windows Update and clients.
-
-Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation.
-
-|Policy|Description |
-|-|-|
-|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.|
-|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency.
Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.|
-|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.|
-|Do not connect to any Windows Update Internet locations
    Required for Dual Scan|Prevents access to Windows Update.|
-
-## Suggested configuration
-
-|Policy|Location|Suggested configuration|
-|-|-|-|
-|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

    **Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

    **Pro tip**: You can configure the scan frequency to be more frequent with the policy below.|
-|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
    **Check for updates on the following interval (hours)**: 22|
-|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled |
+---
+title: Setting up Automatic Update in Windows Update for Business (Windows 10)
+description: Learn how to get started using Windows Update for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.localizationprioauthor: jaimeo
+ms.audience: itpro
+author: jaimeo
+ms.date: 06/20/2018
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+
+# Set up Automatic Update in Windows Update for Business with group policies
+
+>Applies to: Windows 10
+
+Use the Automatic Update group policies to manage the interaction between Windows Update and clients.
+
+Automatic Update governs the "behind the scenes" download and installation processes. It's important to keep in mind the device limitation in your environment as the download and install process can consume processing power. The below section outlines the ideal configuration for devices with the least amount of user experience degradation.
+
+|Policy|Description |
+|-|-|
+|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/sccm/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.|
+|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency.
Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.|
+|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or System Center Configuration Manager users who want to install custom packages that are not offered through Windows Update.|
+|Do not connect to any Windows Update Internet locations
    Required for Dual Scan|Prevents access to Windows Update.|
+
+## Suggested configuration
+
+|Policy|Location|Suggested configuration|
+|-|-|-|
+|Configure Automatic Updates| GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates| **Attention**: If you are using this policy, don't set it/configure it to get the default behavior. If you have set this policy, delete the reg key. This ensures the device uses the default behavior. Note that this is not the same as the default setting within the policy.

    **Default behavior**: Download and installation happen automatically. The device will then be in a pending reboot state.

    **Pro tip**: You can configure the scan frequency to be more frequent with the policy below.|
+|Automatic Update Detection Frequency|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Automatic Updates detection frequency|State: Enabled
    **Check for updates on the following interval (hours)**: 22|
+|Do not connect to any Windows Update Internet locations (Required for Dual Scan) | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations |State: Disabled |
diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md
index e1e9419e08..11483f0c9b 100644
--- a/windows/deployment/update/wufb-basics.md
+++ b/windows/deployment/update/wufb-basics.md
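Review bot: The new front matter in this hunk carries a garbled key, `ms.localizationprioauthor: jaimeo`, where the removed side had `ms.localizationpriority: medium`, and it lists `author: jaimeo` twice; this looks like a search-and-replace over the author fields that also consumed the priority line. Duplicate keys in YAML front matter are resolved differently by different parsers, and the localization priority is no longer set at all. The block should probably read `ms.localizationpriority: medium`, `ms.author: jaimeo` and a single `author: jaimeo`, which is the form the context lines of the wufb-compliancedeadlines.md hunk already show. The same front matter appears on the new side of the wufb-basics.md and wufb-managedrivers.md hunks below.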
@@ -1,29 +1,31 @@
----
-title: Configure the Basic group policy for Windows Update for Business
-description: Learn how to get started using the Basic GPO in Windows Update for Business.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-audience: itpro author: greg-lindsay
-ms.localizationpriority: medium
-ms.audience: itpro author: greg-lindsay
-ms.date: 06/20/2018
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-# Configure the Basic group policy for Windows Update for Business
-
-For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution.
-
-|Policy name|Description |
-|-|-|
-|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.|
-|Configure Commercial ID|This policy allows you to join the device to an entity.|
-
-## Suggested configuration
-
-|Policy|Location|Suggested configuration|
-|-|-|-|
-|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
    **Option**: 1-Basic|
-|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
    **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics|
+---
+title: Configure the Basic group policy for Windows Update for Business
+description: Learn how to get started using the Basic GPO in Windows Update for Business.
+ms.prod: w10
+ms.mktglfcycl: manage
+audience: itpro
+itproauthor: jaimeo
+author: jaimeo
+ms.localizationprioauthor: jaimeo
+ms.audience: itpro
+author: jaimeo
+ms.date: 06/20/2018
+ms.reviewer:
+manager: laurawi
+ms.topic: article
+---
+# Configure the Basic group policy for Windows Update for Business
+
+For Windows Update for Business configurations to work, devices need to be configured with minimum [diagnostic data](https://docs.microsoft.com/windows/privacy/configure-windows-diagnostic-data-in-your-organization) level of "Basic." Additionally, compliance reporting for configured devices is obtained using [Update Compliance in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). To view your data in Update Compliance [diagnostics data must be enabled](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#set-diagnostic-data-levels) and the devices must be configured with a commercial ID, a unique GUID created for an enterprise at the time of onboarding to the Windows Analytics solution.
+
+|Policy name|Description |
+|-|-|
+|Allow Telemetry|Enables Microsoft to run diagnostics on your device and troubleshoot.|
+|Configure Commercial ID|This policy allows you to join the device to an entity.|
+
+## Suggested configuration
+
+|Policy|Location|Suggested configuration|
+|-|-|-|
+|Allow Telemetry |GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry |State: Enabled
    **Option**: 1-Basic|
+|Configure Commercial ID|GPO: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Commercial ID |State: Enabled
    **Commercial ID**: The GUID created for you at the time of onboarding to Windows Analytics| diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 1edad940a4..df08dd3caa 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -3,7 +3,6 @@ title: Enforce compliance deadlines with policies in Windows Update for Business description: Learn how to enforce compliance deadlines using Windows Update for Business. ms.prod: w10 ms.mktglfcycl: manage -ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index a43179a6a8..0fe22b0935 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md 
@@ -1,68 +1,70 @@ ---- -title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business -description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 06/21/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- -# Managing drivers, dual-managed environments, and Delivery Optimization with group policies - ->Applies to: Windows 10 - -Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. - -## Managing drivers -Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. - -### Policy overview - -|Policy| Description | -|-|-| -|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | - -## Dual-managed environment - -You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. We provide capabilities to deploy content from both Windows Update Service and from WSUS. 
In addition to the policies for managing drivers, apply the following configurations to your environment. - -|Policy| Description | -|-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| - -### Suggested configuration - -|Policy| Location|Suggested configuration | -|-|-|-| -|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
    **Set the Intranet Update service for detecting updates**:
    **Set the Intranet statistics server**:
    **Set the alternate download server**: | - -## Download Optimization - Managing your bandwidth - -[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. - -|Policy| Description | -|-|-| -|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| -|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
    Choose a size that meets your environment's constraints.| -|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | -|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| - -### Suggested configuration - -|Policy| Location| Suggested configuration | -|-|-|-| -|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
    **Download Mode**: Group (2)| -|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
    **Minimum Peer caching content file size (in MB)**: 10 MB| -|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
    **Minimum battery level (Percentage)**: 60| -|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
    **Max Cache Age (in seconds)**: 604800 ~ 7 days| +--- +title: Managing drivers, dual-managed environments, and Delivery Optimization with group policies in Windows Update for Business +description: Learn how to manage drivers, dual managed environments, and bandwidth (Delivery Optimization) with GPOs in Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 06/21/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- +# Managing drivers, dual-managed environments, and Delivery Optimization with group policies + +>Applies to: Windows 10 + +Use the following group policy information to manage drivers, to manage environments using both Windows Update for Business and Windows Server Update Services, and to manage the bandwidth required for updates with Delivery Optimization. + +## Managing drivers +Windows Update for Business provides the ability to manage drivers from the Windows Update service. By default, drivers will be offered to your Windows Update-connected devices. Our guidance here is to continue to receive drivers from Windows Update. Alternatively, you can enable the following policy to stop receiving drivers from Windows Update. + +### Policy overview + +|Policy| Description | +|-|-| +|Do not include drivers with Windows Update |When enabled prevents Windows Update from offering drivers.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Do not include drivers with Windows Update |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not include drivers with Windows Updates|State: Disabled | + +## Dual-managed environment + +You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and use Windows Update to deploy feature and quality updates. 
We provide capabilities to deploy content from both Windows Update Service and from WSUS. In addition to the policies for managing drivers, apply the following configurations to your environment. + +|Policy| Description | +|-|-| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/System Center Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| + +### Suggested configuration + +|Policy| Location|Suggested configuration | +|-|-|-| +|Specify Intranet Microsoft Update Service Location|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify Intranet Microsoft update service location|State: Enabled
    **Set the Intranet Update service for detecting updates**:
    **Set the Intranet statistics server**:
    **Set the alternate download server**: | + +## Download Optimization - Managing your bandwidth + +[Delivery Optimization](waas-delivery-optimization.md) is Windows 10's built-in downloader and peer-caching technology that can benefit CSE for network bandwidth reduction of Windows 10 servicing updates. Windows 10 clients can source content from other devices on their local network that have already downloaded the same updates in addition to downloading these updates from Microsoft. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. To configure devices for delivery optimization, ensure the following configurations are set. + +|Policy| Description | +|-|-| +|Download Mode| 2=HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2| +|Minimum Peer Caching Content File Size (in MB)|Specifies the minimum content file size in MB enabled to use peer caching.
    Choose a size that meets your environment's constraints.| +|Allow uploads while the device is on battery while under set battery level (percentage)|Specify a battery level from 1-100, where the device will pause uploads once the battery level drops below that percentage. | +|Max Cache Age (in seconds)|Maximum number of seconds to keep data in cache.| + +### Suggested configuration + +|Policy| Location| Suggested configuration | +|-|-|-| +|Download Mode|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Download Mode|State: Enabled
    **Download Mode**: Group (2)| +|Minimum Peer Caching Content File Size (in MB)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Minimum Peer Caching Content File Size (in MB)|State: Enabled
    **Minimum Peer caching content file size (in MB)**: 10 MB| +|Allow uploads while the device is on battery while under set battery level (percentage)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Allow uploads while the device is on battery while under set battery level (percentage)|State: Enabled
    **Minimum battery level (Percentage)**: 60| +|Max Cache Age (in seconds)|GPO: Computer Configuration > Administrative Templates > Windows Components > Delivery Optimization > Max Cache Age (in seconds)|State: Enabled
    **Max Cache Age (in seconds)**: 604800 ~ 7 days| diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md index 6ba3572c05..f1513ece69 100644 --- a/windows/deployment/update/wufb-manageupdate.md +++ b/windows/deployment/update/wufb-manageupdate.md 
@@ -1,59 +1,61 @@ ---- -title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.date: 06/20/2018 -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Manage feature and quality updates with group policies - ->Applies to: Windows 10 - -Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). - -The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. - -## Policy overview - -|Policy name| Description | -|-|-| -|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | -|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. 
| -|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| - -## Suggested configuration for a non-wave deployment - -If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: - -|Policy| Location|Suggested configuration | -|-|-|-| -|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
    **Defer receiving it for this many days**: 0
    **Pause Quality Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a quality update until the time passes| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
    **Select Windows Readiness Level**: SAC
    **Defer receiving for this many days**: 0-365
    **Pause Feature Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a feature update until the time passes| -|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| - -## Suggested configuration for a wave deployment -![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) - -## Early validation and testing -Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
    **Select Windows Readiness Level**: WIP Fast or WIP slow
    **Defer receiving for this many days**: 0
    **Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| -|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
    **Defer receiving it for this many days**: 0
    **Pause Quality Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a quality update until the time passes| - -## Wave deployment for feature updates - -If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. - -|Policy|Location|Suggested configuration | -|-|-|-| -|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
    **Select Windows Readiness Level**: SAC
    **Defer receiving for this many days**: 0, 30, 60, 90, 120
    **Pause Feature Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a feature update until the time passes +--- +title: Managing feature and quality updates with policies in Windows Update for Business (Windows 10) +description: Learn how to get started using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.date: 06/20/2018 +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Manage feature and quality updates with group policies + +>Applies to: Windows 10 + +Windows Update for Business allows users to control when devices should receive a feature or quality update from Windows Update. Depending on the size of your organization you may want to do a wave deployment of updates. The first step in this process is to determine which Branch Readiness Level you want your organization on. For more information on which level is right for your organization review [Overview of Windows as a service](waas-overview.md). + +The following policies let you configure when you want a device to see a feature and or quality update from Windows Update. + +## Policy overview + +|Policy name| Description | +|-|-| +|Select when Quality Updates are received|Configures when the device should receive quality update. In this policy you can also select a date to pause receiving Quality Updates until. | +|Select when Preview Builds & feature Updates are received|Configures when the device should receive a feature update. You can also configure your branch readiness level. This policy also provides the ability to "pause" updates until a certain point. 
| +|Do not allow update deferral policies to cause scans against Windows Update|When enabled will not allow the deferral policies to cause scans against Windows Update.| + +## Suggested configuration for a non-wave deployment + +If you don't need a wave deployment and have a small set of devices to manage, we recommend the following configuration: + +|Policy| Location|Suggested configuration | +|-|-|-| +|Select when Quality Updates are received | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
    **Defer receiving it for this many days**: 0
    **Pause Quality Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a quality update until the time passes| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
    **Select Windows Readiness Level**: SAC
    **Defer receiving for this many days**: 0-365
    **Pause Feature Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a feature update until the time passes| +|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled| + +## Suggested configuration for a wave deployment +![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png) + +## Early validation and testing +Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings). + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
    **Select Windows Readiness Level**: WIP Fast or WIP slow
    **Defer receiving for this many days**: 0
    **Pause Feature Updates**: Blank *Note: use this functionality to prevent the device from receiving a feature update until the time passes.| +|Select when Quality Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Quality Updates are received|State: Enabled
    **Defer receiving it for this many days**: 0
    **Pause Quality Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a quality update until the time passes| + +## Wave deployment for feature updates + +If you want to deploy feature updates in waves we suggest using the following configuration. For the deferral days we recommend staging them out in 1-month increments. Manage your risk by placing critical devices later in the wave (deferrals > 30 or 60 days) while placing your low risk devices earlier in the wave (deferrals < 30 days). Using deferrals days is a great method to manage your wave deployment. Using this in combination with our suggested early validation will help you prepare your environment for the latest updates from Windows. + +|Policy|Location|Suggested configuration | +|-|-|-| +|Select when Preview Builds & feature Updates are received |GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received|State: Enabled
    **Select Windows Readiness Level**: SAC
    **Defer receiving for this many days**: 0, 30, 60, 90, 120
    **Pause Feature Updates**: Blank
    *Note: use this functionality to prevent the device from receiving a feature update until the time passes diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md index 98d62be2fa..058f595090 100644 --- a/windows/deployment/update/wufb-onboard.md +++ b/windows/deployment/update/wufb-onboard.md 
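Review bot: The rewritten front matter of wufb-manageupdate.md contains `ms.localizationprioauthor: jaimeo`, which looks like a search-and-replace that ran over the removed `ms.localizationpriority: medium`, so the localization priority is no longer set under its original key. `author: jaimeo` also appears twice in the same block; duplicate keys in YAML front matter are handled differently by different parsers, so the block should carry one `author: jaimeo` and a restored `ms.localizationpriority: medium`. The new `itproauthor: jaimeo` line and the dropped `ms.sitesec: library` may be part of the same accident, since the removed side had neither change; this should be confirmed against the intended metadata schema. The wufb-onboard.md hunk that follows has the same front-matter lines and needs the same correction.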
@@ -1,47 +1,49 @@ ---- -title: Onboarding to Windows Update for Business (Windows 10) -description: Learn how to get started using Windows Update for Business. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.audience: itpro author: greg-lindsay -ms.reviewer: -manager: laurawi -ms.topic: article ---- - -# Onboarding to Windows Update for Business in Windows 10 - ->Applies to: Windows 10 - -Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: - -- Interaction between the client and Windows Update service -- End user notification for pending updates -- Compliance deadlines for feature or quality updates -- Configure wave deployment for feature or quality updates bandwidth optimization - -We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: - -- Uninstall latest feature or quality update -- Pause for a duration of time - -Use the following information to set up your environment using Windows Update for Business policies: - -- [Supported SKUs](#supported-editions) -- [Windows Update for Business basics](wufb-basics.md) -- [Setting up automatic update](wufb-autoupdate.md) -- [Managing feature and quality updates](wufb-manageupdate.md) -- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) -- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) - -## Supported editions - -Windows Update for Business is supported on the following editions of Windows 10: - -- Windows 10 Education -- Windows 10 Enterprise -- Windows 10 Pro -- Windows 10 S (for Windows 10, version 1709 and earlier) +--- +title: Onboarding to Windows Update for Business (Windows 10) +description: Learn how to get started 
using Windows Update for Business. +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +itproauthor: jaimeo +author: jaimeo +ms.localizationprioauthor: jaimeo +ms.audience: itpro +author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Onboarding to Windows Update for Business in Windows 10 + +>Applies to: Windows 10 + +Windows Update for Business is a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service. Windows Update for Business can control the following: + +- Interaction between the client and Windows Update service +- End user notification for pending updates +- Compliance deadlines for feature or quality updates +- Configure wave deployment for feature or quality updates bandwidth optimization + +We also provide additional functionality to manage your environment when risk or issues arise such as applications being blocked: + +- Uninstall latest feature or quality update +- Pause for a duration of time + +Use the following information to set up your environment using Windows Update for Business policies: + +- [Supported SKUs](#supported-editions) +- [Windows Update for Business basics](wufb-basics.md) +- [Setting up automatic update](wufb-autoupdate.md) +- [Managing feature and quality updates](wufb-manageupdate.md) +- [Enforcing compliance deadlines](wufb-compliancedeadlines.md) +- [Managing drivers, environments with both Windows Update for Business and WSUS, and Download Optmization](wufb-managedrivers.md) + +## Supported editions + +Windows Update for Business is supported on the following editions of Windows 10: + +- Windows 10 Education +- Windows 10 Enterprise +- Windows 10 Pro +- Windows 10 S (for Windows 10, version 1709 and earlier) diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 0214e53ad8..ddb3d63a10 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md 
@@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- @@ -159,6 +160,93 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f 27:08, Error SP SPDoFrameworkGather: Gather operation failed. Error: 0x0000002C +
    setupapi.dev.log content: + +
    +>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F]
    +>>>  Section start 2019/09/26 20:13:01.623
    +      cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers
    +     ndv: INF path: C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf
    +     ndv: Install flags: 0x00000000
    +     ndv: {Update Device Driver - PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8}
    +     ndv:      Search options: 0x00000081
    +     ndv:      Searching single INF 'C:\WINDOWS\TEMP\{15B1CD41-69F5-48EA-9F45-0560A40FE2D8}\Drivers\lynxpoint\LynxPointSystem.inf'
    +     dvi:      {Build Driver List} 20:13:01.643
    +     dvi:           Searching for hardware ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028
    +     dvi:                pci\ven_8086&dev_8c4f&cc_060100
    +     dvi:                pci\ven_8086&dev_8c4f&cc_0601
    +     dvi:           Searching for compatible ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f
    +     dvi:                pci\ven_8086&cc_060100
    +     dvi:                pci\ven_8086&cc_0601
    +     dvi:                pci\ven_8086
    +     dvi:                pci\cc_060100
    +     dvi:                pci\cc_0601
    +     sig:           {_VERIFY_FILE_SIGNATURE} 20:13:01.667
    +     sig:                Key      = lynxpointsystem.inf
    +     sig:                FilePath = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
    +     sig:                Catalog  = c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\LynxPoint.cat
    +     sig:                Success: File is signed in catalog.
    +     sig:           {_VERIFY_FILE_SIGNATURE exit(0x00000000)} 20:13:01.683
    +     dvi:           Created Driver Node:
    +     dvi:                HardwareID   - PCI\VEN_8086&DEV_8C4F
    +     dvi:                InfName      - c:\windows\temp\{15b1cd41-69f5-48ea-9f45-0560a40fe2d8}\drivers\lynxpoint\lynxpointsystem.inf
    +     dvi:                DevDesc      - Intel(R) QM87 LPC Controller - 8C4F
    +     dvi:                Section      - Needs_ISAPNP_DRV
    +     dvi:                Rank         - 0x00ff2001
    +     dvi:                Signer Score - WHQL
    +     dvi:                DrvDate      - 04/04/2016
    +     dvi:                Version      - 10.1.1.18
    +     dvi:      {Build Driver List - exit(0x00000000)} 20:13:01.699
    +     ndv:      Searching currently installed INF
    +     dvi:      {Build Driver List} 20:13:01.699
    +     dvi:           Searching for hardware ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f&subsys_05be1028
    +     dvi:                pci\ven_8086&dev_8c4f&cc_060100
    +     dvi:                pci\ven_8086&dev_8c4f&cc_0601
    +     dvi:           Searching for compatible ID(s):
    +     dvi:                pci\ven_8086&dev_8c4f&rev_04
    +     dvi:                pci\ven_8086&dev_8c4f
    +     dvi:                pci\ven_8086&cc_060100
    +     dvi:                pci\ven_8086&cc_0601
    +     dvi:                pci\ven_8086
    +     dvi:                pci\cc_060100
    +     dvi:                pci\cc_0601
    +     dvi:           Created Driver Node:
    +     dvi:                HardwareID   - PCI\VEN_8086&DEV_8C4F
    +     dvi:                InfName      - C:\WINDOWS\System32\DriverStore\FileRepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
    +     dvi:                DevDesc      - Intel(R) QM87 LPC Controller - 8C4F
    +     dvi:                Section      - Needs_ISAPNP_DRV
    +     dvi:                Rank         - 0x00ff2001
    +     dvi:                Signer Score - WHQL
    +     dvi:                DrvDate      - 10/03/2016
    +     dvi:                Version      - 10.1.1.38
    +     dvi:      {Build Driver List - exit(0x00000000)} 20:13:01.731
    +     dvi:      {DIF_SELECTBESTCOMPATDRV} 20:13:01.731
    +     dvi:           Default installer: Enter 20:13:01.735
    +     dvi:                {Select Best Driver}
    +     dvi:                     Class GUID of device changed to: {4d36e97d-e325-11ce-bfc1-08002be10318}.
    +     dvi:                     Selected Driver:
    +     dvi:                          Description - Intel(R) QM87 LPC Controller - 8C4F
    +     dvi:                          InfFile     - c:\windows\system32\driverstore\filerepository\lynxpointsystem.inf_amd64_cd1e518d883ecdfe\lynxpointsystem.inf
    +     dvi:                          Section     - Needs_ISAPNP_DRV
    +     dvi:                {Select Best Driver - exit(0x00000000)}
    +     dvi:           Default installer: Exit
    +     dvi:      {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 20:13:01.743
    +     ndv:      Currently Installed Driver:
    +     ndv:           Inf Name       - oem1.inf
    +     ndv:           Driver Date    - 10/03/2016
    +     ndv:           Driver Version - 10.1.1.38
    +     ndv: {Update Device Driver - exit(00000103)}
    +!    ndv: No better matching drivers found for device 'PCI\VEN_8086&DEV_8C4F&SUBSYS_05BE1028&REV_04\3&11583659&0&F8'.
    +!    ndv: No devices were updated.
    +<<<  Section end 2019/09/26 20:13:01.759
    +<<<  [Exit status: FAILURE(0xC1900101)]
    +

    This analysis indicates that the Windows upgrade error can be resolved by deleting the C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN] file. Note: In this example, the full, unshortened file name is C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\be8228fb2d3cb6c6b0ccd9ad51b320b4_a43d512c-69f2-42de-aef9-7a88fabdaa3f. diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 15c4156866..64f031f72e 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -9,7 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.topic: article --- @@ -294,7 +295,7 @@ This error has more than one possible cause. Attempt [quick fixes](quick-fixes.m 0x80073BC3 - 0x20009
    -0x8007002 - 0x20009
    +0x80070002 - 0x20009
    0x80073B92 - 0x20009 @@ -593,7 +594,7 @@ Download and run the media creation tool. See hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update. - You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following: + You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
    1. Disable the Upgrades classification.
    2. @@ -602,7 +603,7 @@ Download and run the media creation tool. See How to delete upgrades in WSUS.

      +
      For detailed information on how to run these steps check out How to delete upgrades in WSUS.

      @@ -698,12 +699,12 @@ Also see the following sequential list of modern setup (mosetup) error codes wit | 0XC1900105 | MOSETUP_E_TEST_MODE | The installation process is being used in a test environment. | | 0XC1900106 | MOSETUP_E_TERMINATE_PROCESS | The installation process was terminated. | | 0XC1900107 | MOSETUP_E_CLEANUP_PENDING | A cleanup operation from a previous installation attempt is still pending. A system reboot is required. | -| 0XC1900108 | MOSETUP_E_REPORTING | An error has occured and the result value must be consolidated for telemetry purposes. | +| 0XC1900108 | MOSETUP_E_REPORTING | An error has occurred and the result value must be consolidated for telemetry purposes. | | 0XC1900109 | MOSETUP_E_COMPAT_TERMINATE | The installation process was terminated during the actionable compatibility phase. | -| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command line argument. | +| 0XC190010a | MOSETUP_E_UNKNOWN_CMD_LINE | The installation process was launched with an unknown command-line argument. | | 0XC190010b | MOSETUP_E_INSTALL_IMAGE_NOT_FOUND | The installation image was not found. | | 0XC190010c | MOSETUP_E_AUTOMATION_INVALID | The provided automation information was invalid. | -| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command line argument. | +| 0XC190010d | MOSETUP_E_INVALID_CMD_LINE | The installation process was launched with an invalid command-line argument. | | 0XC190010e | MOSETUP_E_EULA_ACCEPT_REQUIRED | The installation process requires that the user accept the license agreement. | | 0XC1900110 | MOSETUP_E_EULA_CANCEL | The user has chosen to cancel for license agreement. | | 0XC1900111 | MOSETUP_E_ADVERTISE_CANCEL | The user has chosen to cancel for advertisement. | diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index c9509188a3..e06f80e04b 100644 
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -1,97 +1,98 @@ ---- -title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Troubleshooting upgrade errors - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 300 level topic (moderately advanced).
      ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. - -Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. - -These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. - -1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. - -2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. - - Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. 
- - >[!TIP] - >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). - - **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. - - If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. - - If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. - -3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. - -4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. 
Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. - -If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. - -## The Windows 10 upgrade process - -The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. - -When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. - -1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. - - ![downlevel phase](../images/downlevel.png) - -2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. - - ![safeOS phase](../images/safeos.png) - -3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. - - ![first boot phase](../images/firstboot.png) - -4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
- - At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. - - ![second boot phase](../images/secondboot.png) - - ![second boot phase](../images/secondboot2.png) - - ![second boot phase](../images/secondboot3.png) - -5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. - -**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): - -![Upgrade process](../images/upgrade-process.png) - -DU = Driver/device updates.
      -OOBE = Out of box experience.
      -WIM = Windows image (Microsoft) - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
      [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Troubleshooting upgrade errors + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 300 level topic (moderately advanced).
      +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process. + +Briefly, the upgrade process consists of four phases: **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100. + +These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered. + +1. **Downlevel phase**: Because this phase runs on the source OS, upgrade errors are not typically seen. If you do encounter an error, ensure the source OS is stable. Also ensure the Windows setup source and the destination drive are accessible. + +2. **SafeOS phase**: Errors most commonly occur during this phase due to hardware issues, firmware issues, or non-microsoft disk encryption software. + + Since the computer is booted into Windows PE during the SafeOS phase, a useful troubleshooting technique is to boot into [Windows PE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/winpe-intro) using installation media. You can use the [media creation tool](https://www.microsoft.com/software-download/windows10) to create bootable media, or you can use tools such as the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), and then boot your device from this media to test for hardware and firmware compatibility issues. 
+ + >[!TIP] + >If you attempt to use the media creation tool with a USB drive and this fails with error 0x80004005 - 0xa001a, this is because the USB drive is using GPT partition style. The tool requires that you use MBR partition style. You can use the DISKPART command to convert the USB drive from GPT to MBR. For more information, see [Change a GUID Partition Table Disk into a Master Boot Record Disk](https://go.microsoft.com/fwlink/?LinkId=207050). + + **Do not proceed with the Windows 10 installation after booting from this media**. This method can only be used to perform a clean install which will not migrate any of your apps and settings, and you will be required re-enter your Windows 10 license information. + + If the computer does not successfully boot into Windows PE using the media that you created, this is likely due to a hardware or firmware issue. Check with your hardware manufacturer and apply any recommended BIOS and firmware updates. If you are still unable to boot to installation media after applying updates, disconnect or replace legacy hardware. + + If the computer successfully boots into Windows PE, but you are not able to browse the system drive on the computer, it is possible that non-Microsoft disk encryption software is blocking your ability to perform a Windows 10 upgrade. Update or temporarily remove the disk encryption. + +3. **First boot phase**: Boot failures in this phase are relatively rare, and almost exclusively caused by device drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. Obtain and install updated device drivers, then retry the upgrade. + +4. **Second boot phase**: In this phase, the system is running under the target OS with new drivers. Boot failures are most commonly due to anti-virus software or filter drivers. Disconnect all peripheral devices except for the mouse, keyboard, and display. 
Obtain and install updated device drivers, temporarily uninstall anti-virus software, then retry the upgrade. + +If the general troubleshooting techniques described above or the [quick fixes](quick-fixes.md) detailed below do not resolve your issue, you can attempt to analyze [log files](log-files.md) and interpret [upgrade error codes](upgrade-error-codes.md). You can also [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md) so that Microsoft can diagnose your issue. + +## The Windows 10 upgrade process + +The **Windows Setup** application is used to upgrade a computer to Windows 10, or to perform a clean installation. Windows Setup starts and restarts the computer, gathers information, copies files, and creates or adjusts configuration settings. + +When performing an operating system upgrade, Windows Setup uses phases described below. A reboot occurs between each of the phases. After the first reboot, the user interface will remain the same until the upgrade is completed. Percent progress is displayed and will advance as you move through each phase, reaching 100% at the end of the second boot phase. + +1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered. + + ![downlevel phase](../images/downlevel.png) + +2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017. + + ![safeOS phase](../images/safeos.png) + +3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D. + + ![first boot phase](../images/firstboot.png) + +4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
+ + At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed. + + ![second boot phase](../images/secondboot.png) + + ![second boot phase](../images/secondboot2.png) + + ![second boot phase](../images/secondboot3.png) + +5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015. + +**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown): + +![Upgrade process](../images/upgrade-process.png) + +DU = Driver/device updates.
      +OOBE = Out of box experience.
      +WIM = Windows image (Microsoft) + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
      [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications) +
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index 0dd0d042c6..7f4624ce3a 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -1,159 +1,160 @@ ---- -title: Upgrade error codes - Windows IT Pro -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Upgrade error codes - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 400 level topic (advanced).
      ->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - - -If the upgrade process is not successful, Windows Setup will return two codes: - -1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. -2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. - ->For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. - -Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. - ->[!TIP] ->If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). - -## Result codes - ->A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
      To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. - -The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: - -| Result code | Message | Description | -| --- | --- | --- | -| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | -| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | -| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | -| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | -| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | - -A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. - -Other result codes can be matched to the specific type of error encountered. To match a result code to an error: - -1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: -
      **8** = Win32 error code (ex: 0x**8**0070070) -
      **C** = NTSTATUS value (ex: 0x**C**1900107) -2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. -3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: - - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) - - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) - -Examples: -- 0x80070070 - - Based on the "8" this is a Win32 error code - - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table - - The error is: **ERROR_DISK_FULL** -- 0xC1900107 - - Based on the "C" this is an NTSTATUS error code - - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table - - The error is: **STATUS_SOME_NOT_MAPPED** - -Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. - -## Extend codes - ->**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. 
The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. - -Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: - -1. Use the first digit to identify the phase (ex: 0x4000D = 4). -2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). -3. Match the phase and operation to values in the tables provided below. - -The following tables provide the corresponding phase and operation for values of an extend code: - -
      - - - -
      Extend code: phase
      HexPhase -
      0SP_EXECUTION_UNKNOWN -
      1SP_EXECUTION_DOWNLEVEL -
      2SP_EXECUTION_SAFE_OS -
      3SP_EXECUTION_FIRST_BOOT -
      4SP_EXECUTION_OOBE_BOOT -
      5SP_EXECUTION_UNINSTALL -
      - - - - - - - -
      Extend code: operation
      - -
      HexOperation -
      0SP_EXECUTION_OP_UNKNOWN -
      1SP_EXECUTION_OP_COPY_PAYLOAD -
      2SP_EXECUTION_OP_DOWNLOAD_UPDATES -
      3SP_EXECUTION_OP_INSTALL_UPDATES -
      4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT -
      5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE -
      6SP_EXECUTION_OP_REPLICATE_OC -
      7SP_EXECUTION_OP_INSTALL_DRVIERS -
      8SP_EXECUTION_OP_PREPARE_SAFE_OS -
      9SP_EXECUTION_OP_PREPARE_ROLLBACK -
      ASP_EXECUTION_OP_PREPARE_FIRST_BOOT -
      BSP_EXECUTION_OP_PREPARE_OOBE_BOOT -
      CSP_EXECUTION_OP_APPLY_IMAGE -
      DSP_EXECUTION_OP_MIGRATE_DATA -
      ESP_EXECUTION_OP_SET_PRODUCT_KEY -
      FSP_EXECUTION_OP_ADD_UNATTEND -
      -
      - -
      HexOperation -
      10SP_EXECUTION_OP_ADD_DRIVER -
      11SP_EXECUTION_OP_ENABLE_FEATURE -
      12SP_EXECUTION_OP_DISABLE_FEATURE -
      13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS -
      14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS -
      15SP_EXECUTION_OP_CREATE_FILE -
      16SP_EXECUTION_OP_CREATE_REGISTRY -
      17SP_EXECUTION_OP_BOOT -
      18SP_EXECUTION_OP_SYSPREP -
      19SP_EXECUTION_OP_OOBE -
      1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT -
      1BSP_EXECUTION_OP_END_FIRST_BOOT -
      1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT -
      1DSP_EXECUTION_OP_END_OOBE_BOOT -
      1ESP_EXECUTION_OP_PRE_OOBE -
      1FSP_EXECUTION_OP_POST_OOBE -
      20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE -
      -
      - -For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). - -## Related topics - -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) -
      [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) -
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) -
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) +--- +title: Upgrade error codes - Windows IT Pro +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Upgrade error codes + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 400 level topic (advanced).
      +>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + + +If the upgrade process is not successful, Windows Setup will return two codes: + +1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error. +2. **An extend code**: The extend code contains information about both the *phase* in which an error occurred, and the *operation* that was being performed when the error occurred. + +>For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. + +Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. + +>[!TIP] +>If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). + +## Result codes + +>A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue.
      To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article. + +The following set of result codes are associated with [Windows Setup](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings: + +| Result code | Message | Description | +| --- | --- | --- | +| 0xC1900210 | MOSETUP_E_COMPAT_SCANONLY | Setup did not find any compat issue | +| 0xC1900208 | MOSETUP_E_COMPAT_INSTALLREQ_BLOCK | Setup found an actionable compat issue, such as an incompatible app | +| 0xC1900204 | MOSETUP_E_COMPAT_MIGCHOICE_BLOCK | The migration choice selected is not available (ex: Enterprise to Home) | +| 0xC1900200 | MOSETUP_E_COMPAT_SYSREQ_BLOCK | The computer is not eligible for Windows 10 | +| 0xC190020E | MOSETUP_E_INSTALLDISKSPACE_BLOCK | The computer does not have enough free space to install | + +A list of modern setup (mosetup) errors with descriptions in the range is available in the [Resolution procedures](resolution-procedures.md#modern-setup-errors) topic in this article. + +Other result codes can be matched to the specific type of error encountered. To match a result code to an error: + +1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit: +
      **8** = Win32 error code (ex: 0x**8**0070070) +
      **C** = NTSTATUS value (ex: 0x**C**1900107) +2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. +3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: + - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) + - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) + +Examples: +- 0x80070070 + - Based on the "8" this is a Win32 error code + - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table + - The error is: **ERROR_DISK_FULL** +- 0xC1900107 + - Based on the "C" this is an NTSTATUS error code + - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table + - The error is: **STATUS_SOME_NOT_MAPPED** + +Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. + +## Extend codes + +>**Important**: Extend codes reflect the current Windows 10 upgrade process, and might change in future releases of Windows 10. 
The codes discussed in this section apply to Windows 10 version 1607, also known as the Anniversary Update. + +Extend codes can be matched to the phase and operation when an error occurred. To match an extend code to the phase and operation: + +1. Use the first digit to identify the phase (ex: 0x4000D = 4). +2. Use the last two digits to identify the operation (ex: 0x4000D = 0D). +3. Match the phase and operation to values in the tables provided below. + +The following tables provide the corresponding phase and operation for values of an extend code: + +
      + + + +
      Extend code: phase
      HexPhase +
      0SP_EXECUTION_UNKNOWN +
      1SP_EXECUTION_DOWNLEVEL +
      2SP_EXECUTION_SAFE_OS +
      3SP_EXECUTION_FIRST_BOOT +
      4SP_EXECUTION_OOBE_BOOT +
      5SP_EXECUTION_UNINSTALL +
      + + + + + + + +
      Extend code: operation
      + +
      HexOperation +
      0SP_EXECUTION_OP_UNKNOWN +
      1SP_EXECUTION_OP_COPY_PAYLOAD +
      2SP_EXECUTION_OP_DOWNLOAD_UPDATES +
      3SP_EXECUTION_OP_INSTALL_UPDATES +
      4SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT +
      5SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE +
      6SP_EXECUTION_OP_REPLICATE_OC +
      7SP_EXECUTION_OP_INSTALL_DRVIERS +
      8SP_EXECUTION_OP_PREPARE_SAFE_OS +
      9SP_EXECUTION_OP_PREPARE_ROLLBACK +
      ASP_EXECUTION_OP_PREPARE_FIRST_BOOT +
      BSP_EXECUTION_OP_PREPARE_OOBE_BOOT +
      CSP_EXECUTION_OP_APPLY_IMAGE +
      DSP_EXECUTION_OP_MIGRATE_DATA +
      ESP_EXECUTION_OP_SET_PRODUCT_KEY +
      FSP_EXECUTION_OP_ADD_UNATTEND +
      +
      + +
      HexOperation +
      10SP_EXECUTION_OP_ADD_DRIVER +
      11SP_EXECUTION_OP_ENABLE_FEATURE +
      12SP_EXECUTION_OP_DISABLE_FEATURE +
      13SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS +
      14SP_EXECUTION_OP_REGISTER_SYNC_PROCESS +
      15SP_EXECUTION_OP_CREATE_FILE +
      16SP_EXECUTION_OP_CREATE_REGISTRY +
      17SP_EXECUTION_OP_BOOT +
      18SP_EXECUTION_OP_SYSPREP +
      19SP_EXECUTION_OP_OOBE +
      1ASP_EXECUTION_OP_BEGIN_FIRST_BOOT +
      1BSP_EXECUTION_OP_END_FIRST_BOOT +
      1CSP_EXECUTION_OP_BEGIN_OOBE_BOOT +
      1DSP_EXECUTION_OP_END_OOBE_BOOT +
      1ESP_EXECUTION_OP_PRE_OOBE +
      1FSP_EXECUTION_OP_POST_OOBE +
      20SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE +
      +
      + +For example: An extend code of **0x4000D**, represents a problem during phase 4 (**0x4**) with data migration (**000D**). + +## Related topics + +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx) +
      [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications) +
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) +
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 253142dec4..43bc14033a 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -14,7 +14,7 @@ ms.collection: M365-analytics # Upgrade Readiness - Additional insights >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: diff --git a/windows/deployment/upgrade/upgrade-readiness-architecture.md b/windows/deployment/upgrade/upgrade-readiness-architecture.md index d9bc229c23..73b74906d7 100644 --- a/windows/deployment/upgrade/upgrade-readiness-architecture.md +++ b/windows/deployment/upgrade/upgrade-readiness-architecture.md 
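Review bot: The "Windows 10 Specifications" link in the "Related topics" list at the end of the upgrade-error-codes.md hunk is malformed on the new side: it now reads `https://www.microsoft.com/windows/Windows-/ifications`, where the removed side had `https://www.microsoft.com/windows/Windows-10-specifications`. The same altered URL appears in the "Related topics" list of the preceding file section, whose hunk starts outside this view. This looks like a side effect of the bulk URL rewrite that strips `/en-us/` elsewhere in the commit, though that cause is only inferred. Restore the line to `[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)` in both files, and check the rest of the change for other links where a digit-hyphen path segment was rewritten the same way.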
@@ -14,7 +14,7 @@ ms.collection: M365-analytics # Upgrade Readiness architecture >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). Microsoft analyzes system, application, and driver diagnostic data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation. diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 322316fb07..af934eec08 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md 
@@ -17,7 +17,7 @@ ms.collection: M365-analytics # Upgrade Readiness data sharing >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted. diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index eb4c1d88d8..7ae486f5d3 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md 
@@ -14,7 +14,7 @@ ms.collection: M365-analytics # Upgrade Readiness - Step 3: Deploy Windows >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. The blades in the **Deploy** section are: diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index a56896ded3..47787f4477 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
@@ -17,7 +17,7 @@ ms.collection: M365-analytics # Upgrade Readiness deployment script >[!IMPORTANT] ->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). +>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index bbac04bea3..0e4b6350ae 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md 
@@ -19,7 +19,7 @@ ms.collection: M365-analytics
 # Get started with Upgrade Readiness
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This topic explains how to obtain and configure Upgrade Readiness for your organization.
diff --git a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
index 61818a5efc..d726afe37b 100644
--- a/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
+++ b/windows/deployment/upgrade/upgrade-readiness-identify-apps.md
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Step 1: Identify important apps
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade.
diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
index 7fdb58ffe0..76c3f064ee 100644
--- a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
+++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md
@@ -16,7 +16,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Step 4: Monitor
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements.
diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md
index 5de1e052e6..b200bd292e 100644
--- a/windows/deployment/upgrade/upgrade-readiness-requirements.md
+++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md
@@ -16,7 +16,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness requirements
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness.
diff --git a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
index 2c58536bd5..d657b61baa 100644
--- a/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
+++ b/windows/deployment/upgrade/upgrade-readiness-resolve-issues.md
@@ -16,7 +16,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Step 2: Resolve app and driver issues
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
@@ -107,7 +107,7 @@ If you query with RollupLevel="NamePublisher", each version of the application c
 > > Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions.
-The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
+The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
 | Ready for Windows Status | Query rollup level | What this means | Guidance |
 |-------------------|--------------------------|-----------------|----------|
@@ -174,7 +174,7 @@ Planning and executing an OS upgrade project can be overwhelming. When you are t
 The Upgrade Readiness proposed action plan is an optimally ordered list of apps and drivers that are in need of review. By testing apps and drivers in the order suggested by the proposed action plan, you are able to increase your number of “Ready to upgrade” computers in an efficient manner. The action plan can be a very powerful tool during upgrade planning – but it’s most helpful when it’s used correctly. This topic explains the proposed action plan, describes how to use it, and calls out a few misconceptions and invalid use cases that you should avoid.
-The proposed action plan represents the order thath Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently.
+The proposed action plan represents the order that Microsoft recommends you rationalize the upgrade-readiness of your apps and drivers. By validating apps and drivers in the order proposed, you can ensure that you are testing efficiently.
 Each item in the proposed action plan represents either an application or a driver that you have not yet marked “Ready to upgrade.”
diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
index 78c11d1569..314fd7a5a2 100644
--- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
+++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Targeting a new operating system version
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed:
diff --git a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
index 78ad55ad25..5a4b7b9357 100644
--- a/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
+++ b/windows/deployment/upgrade/upgrade-readiness-upgrade-overview.md
@@ -14,7 +14,7 @@ ms.collection: M365-analytics
 # Upgrade Readiness - Upgrade overview
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
diff --git a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
index 8faa48539f..f2fffff9ad 100644
--- a/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
+++ b/windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -15,7 +15,7 @@ ms.topic: article
 # Use Upgrade Readiness to manage Windows upgrades
 >[!IMPORTANT]
->The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement).
+>The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Get started with Update Compliance](../update/update-compliance-get-started.md) will continue to be supported. For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement).
 >[!IMPORTANT]
 >>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started).
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 77f1ae38b0..499fef06bd 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -9,7 +9,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: deploy
-audience: itpro author: greg-lindsay
+audience: itpro
+author: greg-lindsay
 ms.localizationpriority: medium
 ms.topic: article
 ---
@@ -19,7 +20,7 @@ ms.topic: article
 **Applies to**
 - Windows 10
->[!NOTE]
+> [!NOTE]
 > This is a 300 level topic (moderately advanced).
 > See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
@@ -28,8 +29,8 @@ When Windows Setup fails, the result and extend code are recorded as an informat
 To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
->[!IMPORTANT]
->}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable.
+> [!IMPORTANT]
+> The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable.
 ```Powershell
 $events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index a1992d96b8..61edc16bf7 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -37,7 +37,7 @@ Deployment instructions are provided for the following scenarios:
 ### Scenario 1
 - The VM is running Windows 10, version 1803 or later.
-- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx) (QMTH).
+- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
 When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
@@ -47,7 +47,7 @@ Deployment instructions are provided for the following scenarios:
 [Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
 ### Scenario 3
-- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx) partner.
+- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.
 In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
new file mode 100644
index 0000000000..f36dea21ef
--- /dev/null
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -0,0 +1,41 @@
+---
+title: Windows 10 deployment process posters
+description: View and download Windows 10 deployment process flows for System Center Configuration Manager and Windows Autopilot.
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+ms.author: greglin
+keywords: upgrade, in-place, configuration, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows 10 deployment process posters
+
+**Applies to**
+- Windows 10
+
+The following posters step through various options for deploying Windows 10 with Windows Autopilot or System Center Configuration Manager.
+
+## Deploy Windows 10 with Autopilot
+
+The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
+
+[![Deploy Windows 10 with Autopilot](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf)
+
+## Deploy Windows 10 with System Center Configuration Manager
+
+The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
+
+[![Deploy Windows 10 with Configuration Manager](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf)
+
+## See also
+
+[Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot)
+[Scenarios to deploy enterprise operating systems with Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index 73b9410bf7..0de74e46b1 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -7,6 +7,7 @@
 ## [Get started](demonstrate-deployment-on-vm.md)
 # Deployment scenarios
+## [Deployment processes](deployment-process.md)
 ## [User-driven mode](user-driven.md)
 ## [Self-deploying mode](self-deploying.md)
 ## [Windows Autopilot Reset](windows-autopilot-reset.md)
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index 2bc033a64b..096ebe1151 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -1,163 +1,162 @@ ---- -title: Adding devices -ms.reviewer: -manager: laurawi -description: How to add devices to Windows Autopilot -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Adding devices to Windows Autopilot - -**Applies to** - -- Windows 10 - -Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. - -## OEM registration - -When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers" section of the [Windows Autopilot information page](https://www.microsoft.com/microsoft-365/windows/windows-autopilot). - -Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). - -## Reseller, distributor, or partner registration - -Customers may purchase devices from resellers, distributors, or other partners. 
As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/membership/cloud-solution-provider), they too can register devices on behalf of the customer. - -As with OEMs, CSP parnters must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://docs.microsoft.com/partner-center/), either directly through the web site or via available APIs that can automate the same tasks. - -Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. - -## Automatic registration of existing devices - -If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. - -For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. 
- -Also note that when using the [Windows Autopilot for existing devices](hhttps://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. - -## Manual registration - -To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. - -## Device identification - -To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. - -The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. - -Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. 
When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. - -### Collecting the hardware ID from existing devices using System Center Configuration Manager - -Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. - -### Collecting the hardware ID from existing devices using PowerShell - -The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). - -To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. 
To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: - -```powershell -md c:\\HWID -Set-Location c:\\HWID -Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Install-Script -Name Get-WindowsAutoPilotInfo -Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv -``` - -The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. - ->[!IMPORTANT] ->Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
      ->After Intune reports the profile ready to go, only then should the device be connected to the Internet. - ->[!NOTE] ->If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
      ->**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
      ->To ensure OOBE has not been restarted too many times, you can change this value to 1. - -## Registering devices - - - - -Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. - -- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment/enrollment-autopilot). This is the preferred mechanism for all customers. -- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. -- [Microsoft 365 Business & Office 365 Admin](https://docs.microsoft.com/microsoft-365/business/add-autopilot-devices-and-profile). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. -- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. - -A summary of each platform's capabilities is provided below. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Platform/Portal -Register devices? -Create/Assign profile -Acceptable DeviceID -
      OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
      Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
      IntuneYES - 500 at a time max\*YES\*4K HH
      Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
      Microsoft Business 365YES - 1000 at a time maxYES4K HH
      - ->*Microsoft recommended platform to use - -## Summary - -When deploying new devices using Windows Autopilot, the following steps are required: - -1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. -2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. -3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. - -## Other configuration settings - -- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. - +--- +title: Adding devices +ms.reviewer: +manager: laurawi +description: How to add devices to Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Adding devices to Windows Autopilot + +**Applies to** + +- Windows 10 + +Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. 
+ +## OEM registration + +When you purchase devices directly from an OEM, that OEM can automatically register the devices with the Windows Autopilot deployment service. For the list of OEMs that currently support this, see the "Participant device manufacturers and resellers" section of the [Windows Autopilot information page](https://aka.ms/windowsautopilot). + +Before an OEM can register devices on behalf of an organization, the organization must grant the OEM permission to do so. This process is initiated by the OEM, with approval granted by an Azure AD global administrator from the organization. See the "Customer Consent" section of the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#oem-authorization). + +## Reseller, distributor, or partner registration + +Customers may purchase devices from resellers, distributors, or other partners. As long as these resellers, distributors, and partners are part of the [Cloud Solution Partners (CSP) program](https://partner.microsoft.com/en-us/cloud-solution-provider), they too can register devices on behalf of the customer. + +As with OEMs, CSP partners must be granted permission to register devices on behalf of an organization. This follows the process described on the [Customer consent page](https://docs.microsoft.com/windows/deployment/windows-autopilot/registration-auth#csp-authorization). The CSP partner initiates a request to establish a relationship with the organization, with approval granted by a global administrator from the organization. Once approved, CSP partners add devices using [Partner Center](https://partner.microsoft.com/en-us/pcv/dashboard/overview), either directly through the web site or via available APIs that can automate the same tasks. + +Windows Autopilot does not require delegated administrator permissions when establishing the relationship between the CSP partner and the organization. 
As part of the approval process performed by the global administrator, the global administrator can choose to uncheck the "Include delegated administration permissions" checkbox. + +## Automatic registration of existing devices + +If an existing device is already running Windows 10 version 1703 or later and enrolled in an MDM service such an Intune, that MDM service can ask the device for the hardware ID (also known as a hardware hash). Once it has that, it can automatically register the device with Windows Autopilot. + +For instructions on how to do this with Microsoft Intune, see [Create an Autopilot deployment profile](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-deployment-profile) documentation describing the "Convert all targeted devices to Autopilot" setting. + +Also note that when using the [Windows Autopilot for existing devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/existing-devices) scenario, it is not necessary to pre-register the devices with Windows Autopilot. Instead, a configuration file (AutopilotConfigurationFile.json) containing all the Windows Autopilot profile settings is used; the device can be registered with Windows Autopilot after the fact using the same "Convert all targeted devices to Autopilot" setting. + +## Manual registration + +To perform manual registration of a device, you must first capture its hardware ID (also known as a hardware hash). Once this process has completed, the resulting hardware ID can be uploaded to the Windows Autopilot service. Because this process requires booting the device into Windows 10 in order to obtain the hardware ID, this is intended primarily for testing and evaluation scenarios. + +## Device identification + +To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. 
While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation. + +The hardware ID, also commonly referred to as a hardware hash, contains several details about the device, including its manufacturer, model, device serial number, hard drive serial number, and many other attributes that can be used to uniquely identify that device. + +Note that the hardware hash also contains details about when it was generated, so it will change each time it is generated. When the Windows Autopilot deployment service attempts to match a device, it considers changes like that, as well as more substantial changes such as a new hard drive, and is still able to match successfully. But substantial changes to the hardware, such as a motherboard replacement, would not match, so a new hash would need to be generated and uploaded. + +### Collecting the hardware ID from existing devices using System Center Configuration Manager + +Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details. The hash information can be extracted from Configuration Manager into a CSV file. + +### Collecting the hardware ID from existing devices using PowerShell + +The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. 
To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo). + +To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt: + +```powershell +md c:\\HWID +Set-Location c:\\HWID +Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted +Install-Script -Name Get-WindowsAutoPilotInfo +Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv +``` + +The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the [Get-WindowsAutoPilotInfo](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script. + +>[!IMPORTANT] +>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**.
      +>After Intune reports the profile ready to go, only then should the device be connected to the Internet. + +>[!NOTE] +>If OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
      +>**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE**
      +>To ensure OOBE has not been restarted too many times, you can change this value to 1. + +## Registering devices + + + + +Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism. + +- [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot). This is the preferred mechanism for all customers. +- [Partner Center](https://msdn.microsoft.com/partner-center/autopilot). This is used by CSP partners to register devices on behalf of customers. +- [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa). This is typically used by small and medium businesses (SMBs) who manage their devices using Microsoft 365 Business. +- [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles). You might already be using MSfB to manage your apps and settings. + +A summary of each platform's capabilities is provided below. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Platform/Portal +Register devices? +Create/Assign profile +Acceptable DeviceID +
      OEM Direct APIYES - 1000 at a time maxNOTuple or PKID
      Partner CenterYES - 1000 at a time maxYESTuple or PKID or 4K HH
      IntuneYES - 500 at a time max*YES*4K HH
      Microsoft Store for BusinessYES - 1000 at a time maxYES4K HH
      Microsoft Business 365YES - 1000 at a time maxYES4K HH
      + +>*Microsoft recommended platform to use + +## Summary + +When deploying new devices using Windows Autopilot, the following steps are required: + +1. [Register devices](#registering-devices). Ideally, this step is performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually. +2. [Configure device profiles](profiles.md), specifying how the device should be deployed and what user experience should be presented. +3. Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience. + +## Other configuration settings + +- [Bitlocker encryption settings](bitlocker.md): You can configure the BitLocker encryption settings to be applied before automatic encryption is started. diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 294a31c04b..42b356bd61 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
@@ -653,7 +653,7 @@ Before we can pull an application into Intune to make it part of our AP profile, For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. -Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. +Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi. Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: @@ -736,7 +736,7 @@ In the **Intune > Client Apps > Apps** pane, select the app package you already Select **Add Group** to open the **Add group** pane that is related to the app. -For our purposes, select *8Required** from the **Assignment type** dropdown menu: +For our purposes, select **Required** from the **Assignment type** dropdown menu: >**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. @@ -758,7 +758,7 @@ In the app **Assignments** pane, select **Save**. At this point, you have completed steps to add a Win32 app to Intune. -For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). +For more information on adding apps to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). ### Add Office 365 diff --git a/windows/deployment/windows-autopilot/deployment-process.md b/windows/deployment/windows-autopilot/deployment-process.md new file mode 100644 index 0000000000..3a8781ce86 --- /dev/null +++ b/windows/deployment/windows-autopilot/deployment-process.md 
@@ -0,0 +1,27 @@
+---
+title: Windows 10 deployment process posters
+description: View and download Windows 10 deployment process flows for System Center Configuration Manager and Windows Autopilot.
+ms.reviewer:
+manager: laurawi
+ms.audience: itpro
+author: greg-lindsay
+keywords: upgrade, in-place, configuration, deploy
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.topic: article
+---
+
+# Windows Autopilot deployment process
+
+**Applies to**
+- Windows 10
+
+Windows Autopilot deployment processes are summarized in the poster below. The poster is two pages in portrait mode (11x17). Click the image below to view a PDF in your browser.
+
+[![Deploy Windows 10 with Autopilot](../media/windows10-autopilot-flowchart.png)](../media/Windows10AutopilotFlowchart.pdf)
+
+**Note**: The Windows Autopilot for existing devices process is included in the [System Center Configuration Manager deployment poster](../windows-10-deployment-posters.md#deploy-windows-10-with-system-center-configuration-manager).
\ No newline at end of file
diff --git a/windows/docfx.json b/windows/docfx.json
index 21cba6820f..afb77d1e77 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -9,7 +9,7 @@
 ],
 "resource": [
 {
- "files": ["**/images/**"],
+ "files": ["**/images/**", "**/*.pdf"],
 "exclude": ["**/obj/**"]
 }
 ],
@@ -20,7 +20,17 @@
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "Win.windows"
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "Kellylorenebaker",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
 }
 },
 "externalReference": [
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
index 49eb6c151a..884e478dcb 100644
--- a/windows/keep-secure/docfx.json
+++ b/windows/keep-secure/docfx.json
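Review bot: In the `@@ -20,7 +20,17 @@` hunk of windows/docfx.json, the new `"contributors_to_exclude"` array is added before the brace that closes `"_op_documentIdPathDepotMapping"`, so it becomes a sibling of the `"./"` depot entry rather than a metadata key of its own, and its closing `],` is followed directly by `}`, a trailing comma that strict JSON parsers reject. If the publishing build reads this file leniently it will still load, but the exclusion list would then most likely be ignored without any error, and any other tool that parses the file strictly will fail on it. I would close the mapping first and place the list beside it, i.e. end the mapping with `}` and `},` and then add `"contributors_to_exclude": [ … ]` with no comma after the `]`. The enclosing object opens above this hunk, so it is worth confirming there that it is the metadata block this key belongs to.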
@@ -30,6 +30,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "feedback_system": "None", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.keep-secure", diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 7ebad52ee8..819728ac85 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -45,7 +45,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. >[!Important] - >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). + >It's possible that your Windows device doesn't have the Microsoft Store available (for example, Windows Server). If this is the case, see [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2094264). ### Start the Diagnostic Data Viewer You can start this app from the **Settings** panel. diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index ba1428445d..b268fb53f1 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -26,7 +26,7 @@ Applies to: - Windows 10 Team Edition, version 1703 for Surface Hub - Windows Server 2019 - Windows Server 2016 -- Windows Analytics +- Desktop Analytics This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. 
@@ -112,28 +112,32 @@ Some examples of diagnostic data include: Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). ->[!IMPORTANT] ->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. +> [!IMPORTANT] +> Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. ### Windows services where Microsoft is the processor under the GDPR -Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. 
But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Desktop Analytics](https://aka.ms/dadocs), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). >[!NOTE] ->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)). +>Both Desktop Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)). -#### Windows Analytics +#### Desktop Analytics -[Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service. +> [!IMPORTANT] +> The Upgrade Readiness and Device Health solutions of Windows Analytics are being retired on January 31, 2020. [Update Compliance](/windows/deployment/update/update-compliance-get-started) will continue to be supported. +> For more information, see [Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/en-us/help/4521815/windows-analytics-retirement). -Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. 
With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. +[Desktop Analytics](https://aka.ms/dadocs) is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of Windows Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise with data aggregated from millions of devices into the Desktop Analytics service. -As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics. ->[!NOTE] ->The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. +Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Desktop Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. ->[!IMPORTANT] ->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. +As a result, in terms of the GDPR, the organization that has subscribed to Desktop Analytics is acting as the controller, while Microsoft is the processor for Desktop Analytics. +> [!NOTE] +> The IT organization must explicitly enable Desktop Analytics for a device after the organization subscribes. + +> [!IMPORTANT] +> Desktop Analytics does not collect Windows Diagnostic data by itself. 
Instead, Desktop Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. See [Enable data sharing for Desktop Analytics](https://docs.microsoft.com/sccm/desktop-analytics/enable-data-sharing) #### Windows Defender ATP @@ -141,8 +145,8 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP. ->[!NOTE] ->The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes. +> [!NOTE] +> The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes. #### At a glance – Windows 10 services GDPR mode of operations @@ -152,7 +156,7 @@ The following table lists in what GDPR mode – controller or processor – Wind | --- | --- | | Windows Functional data | Controller or Processor* | | Windows Diagnostic data | Controller | -| Windows Analytics | Processor | +| Desktop Analytics | Processor | | Windows Defender Advanced Threat Detection (ATP) | Processor | *Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* 
@@ -166,7 +170,7 @@ The following table lists in what GDPR mode – controller or processor – Wind Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. -* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). +* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Desktop Analytics](#desktop-analytics). >[!NOTE] >For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). 
@@ -174,17 +178,16 @@ Windows diagnostic data collection level for Windows 10 can be set by a user in * For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. >[!NOTE] ->For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. +>For Windows 7, Microsoft recommends [using Commercial Data Opt-in setting](/previous-versions/windows/it-pro/windows-7/ee126127(v=ws.10)) to facilitate upgrade planning to Windows 10. -### Additional information for Windows Analytics +### Additional information for Desktop Analytics -Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. +The basic functionality of Desktop Analytics works at the “Basic” diagnostic data level. Other functionality of Desktop Analytics, such as usage or health data for updated devices, require “Enhanced”. -Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. 
+Those organizations who wish to share the smallest set of events for Desktop Analytics and have set the Windows diagnostic level to “Enhanced” can use the [“Limit Enhanced diagnostic data to the minimum required by Desktop Analytics”](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#limit-enhanced-diagnostic-data-to-the-minimum-required-by-desktop-analytics) setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Desktop Analytics. ->[!NOTE] ->Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy -). +> [!NOTE] +> Additional information can be found at [Desktop Analytics and privacy](/sccm/desktop-analytics/privacy). ## Controlling Windows 10 data collection and notification about it 
@@ -258,8 +261,8 @@ Backups, including live backups and backups that are stored locally within an or Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. ->[!NOTE] ->Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. +> [!NOTE] +> Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). 
@@ -269,8 +272,8 @@ An IT administrator can configure privacy- related settings, such as setting the Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). ->[!NOTE] ->Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5). +> [!NOTE] +> Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5). ### Windows Security Baselines diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index ca7e93d18b..d096e3ff63 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
@@ -398,7 +398,7 @@ The following endpoint is used to retrieve Skype configuration values. To turn o ## Windows Defender The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. -If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Windows Defender Antivirus cloud service connections, see [Allow connections to the Windows Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud-service). | Source process | Protocol | Destination | |----------------|----------|------------| diff --git a/windows/release-information/index.md b/windows/release-information/index.md index 5f7b5e22f9..c6eba252f9 100644 --- a/windows/release-information/index.md +++ b/windows/release-information/index.md @@ -3,7 +3,7 @@ title: Windows 10 - release information description: Learn release information for Windows 10 releases keywords: ["Windows 10", "Windows 10 October 2018 Update"] ms.prod: w10 -layout: LandingPage +layout: LandingPage ms.topic: landing-page ms.mktglfcycl: deploy ms.sitesec: library @@ -11,6 +11,7 @@ author: lizap ms.author: elizapo ms.localizationpriority: high --- + # Windows 10 release information Feature updates for Windows 10 are released twice a year, around March and September, via the Semi-Annual Channel. They will be serviced with monthly quality updates for 18 or 30 months from the date of the release, depending on the lifecycle policy. 
@@ -19,14 +20,11 @@ We recommend that you begin deployment of each Semi-Annual Channel release immed For information about servicing timelines, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853). ->[!NOTE] ->Beginning with Windows 10, version 1903, this page will no longer list Semi-Annual Channel (Targeted) information for version 1903 and future feature updates. Instead, you will find a single entry for each Semi-Annual Channel release. For more information, see [this blog post](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523). - +> [!NOTE] +> Beginning with Windows 10, version 1903, you will find a [single entry for each SAC release](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523).
      - - diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 44e89ad24d..f95b379a56 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -51,7 +51,6 @@ sections:
      Unable to access some gov.uk websites
      gov.uk websites that don’t support “HSTS” may not be accessible

      See details >OS Build 14393.2969

      May 14, 2019
      KB4494440Resolved
      KB4505052May 19, 2019
      02:00 PM PT
      Layout and cell size of Excel sheets may change when using MS UI Gothic
      When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

      See details >OS Build 14393.2941

      April 25, 2019
      KB4493473Resolved
      KB4494440May 14, 2019
      10:00 AM PT
      Zone transfers over TCP may fail
      Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

      See details >OS Build 14393.2941

      April 25, 2019
      KB4493473Resolved
      KB4494440May 14, 2019
      10:00 AM PT -
      Custom URI schemes may not start corresponding application
      Custom URI schemes for application protocol handlers may not start the corresponding application.

      See details >OS Build 14393.2848

      March 12, 2019
      KB4489882Resolved
      KB4493473April 25, 2019
      02:00 PM PT " @@ -134,7 +133,6 @@ sections: text: " -
      DetailsOriginating updateStatusHistory
      Issue using PXE to start a device from WDS
      After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
      Resolution: This issue was resolved in KB4503267.

      Back to top
      OS Build 14393.2848

      March 12, 2019
      KB4489882
      Resolved
      KB4503267
      Resolved:
      June 11, 2019
      10:00 AM PT

      Opened:
      March 12, 2019
      10:00 AM PT
      Custom URI schemes may not start corresponding application
      After installing KB4489882, Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

      Affected platforms: 
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
      Resolution: This issue is resolved in KB4493473

      Back to top
      OS Build 14393.2848

      March 12, 2019
      KB4489882
      Resolved
      KB4493473
      Resolved:
      April 25, 2019
      02:00 PM PT

      Opened:
      March 12, 2019
      10:00 AM PT
      "
diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml
index b66de78474..5d1e5cf2ba 100644
--- a/windows/release-information/resolved-issues-windows-10-1703.yml
+++ b/windows/release-information/resolved-issues-windows-10-1703.yml
@@ -43,7 +43,6 @@ sections:
      Opening Internet Explorer 11 may fail
      Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

      See details >OS Build 15063.1839

      May 28, 2019
      KB4499162Resolved
      KB4503279June 11, 2019
      10:00 AM PT
      Unable to access some gov.uk websites
      gov.uk websites that don’t support “HSTS” may not be accessible

      See details >OS Build 15063.1805

      May 14, 2019
      KB4499181Resolved
      KB4505055May 19, 2019
      02:00 PM PT
      Layout and cell size of Excel sheets may change when using MS UI Gothic
      When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

      See details >OS Build 15063.1784

      April 25, 2019
      KB4493436Resolved
      KB4499181May 14, 2019
      10:00 AM PT -
      Custom URI schemes may not start corresponding application
      Custom URI schemes for application protocol handlers may not start the corresponding application.

      See details >OS Build 15063.1689

      March 12, 2019
      KB4489871Resolved
      KB4493436April 25, 2019
      02:00 PM PT " @@ -105,12 +104,3 @@ sections:
      Layout and cell size of Excel sheets may change when using MS UI Gothic
      When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
      Resolution: This issue has been resolved.

      Back to topOS Build 15063.1784

      April 25, 2019
      KB4493436Resolved
      KB4499181Resolved:
      May 14, 2019
      10:00 AM PT

      Opened:
      May 10, 2019
      10:35 AM PT " - -- title: March 2019 -- items: - - type: markdown - text: " - - -
      DetailsOriginating updateStatusHistory
      Custom URI schemes may not start corresponding application
      After installing KB4489871, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
      Resolution: This issue is resolved in KB4493436

      Back to top
      OS Build 15063.1689

      March 12, 2019
      KB4489871
      Resolved
      KB4493436
      Resolved:
      April 25, 2019
      02:00 PM PT

      Opened:
      March 12, 2019
      10:00 AM PT
      - " diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index 8a16e56715..9ec5a0c287 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -44,7 +44,6 @@ sections:
      Unable to access some gov.uk websites
      gov.uk websites that don’t support “HSTS” may not be accessible

      See details >OS Build 16299.1143

      May 14, 2019
      KB4498946Resolved
      KB4505062May 19, 2019
      02:00 PM PT
      Layout and cell size of Excel sheets may change when using MS UI Gothic
      When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

      See details >OS Build 16299.1127

      April 25, 2019
      KB4493440Resolved
      KB4499179May 14, 2019
      10:00 AM PT
      Zone transfers over TCP may fail
      Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

      See details >OS Build 16299.1127

      April 25, 2019
      KB4493440Resolved
      KB4499179May 14, 2019
      10:00 AM PT -
      Custom URI schemes may not start corresponding application
      Custom URI schemes for application protocol handlers may not start the corresponding application.

      See details >OS Build 16299.1029

      March 12, 2019
      KB4489886Resolved
      KB4493440April 25, 2019
      02:00 PM PT " @@ -115,12 +114,3 @@ sections:
      Zone transfers over TCP may fail
      Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493440
       
      Affected platforms:  
      • Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016 
      • Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016 
      Resolution: This issue was resolved in KB4499179.

      Back to topOS Build 16299.1127

      April 25, 2019
      KB4493440Resolved
      KB4499179Resolved:
      May 14, 2019
      10:00 AM PT

      Opened:
      April 25, 2019
      02:00 PM PT " - -- title: March 2019 -- items: - - type: markdown - text: " - - -
      DetailsOriginating updateStatusHistory
      Custom URI schemes may not start corresponding application
      After installing KB4489886, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
      Resolution: This issue is resolved in KB4493440

      Back to top
      OS Build 16299.1029

      March 12, 2019
      KB4489886
      Resolved
      KB4493440
      Resolved:
      April 25, 2019
      02:00 PM PT

      Opened:
      March 12, 2019
      10:00 AM PT
      - " diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index aeeb0b6087..9a7946487e 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -47,7 +47,6 @@ sections:
      Unable to access some gov.uk websites
      gov.uk websites that don’t support “HSTS” may not be accessible

      See details >OS Build 17134.765

      May 14, 2019
      KB4499167Resolved
      KB4505064May 19, 2019
      02:00 PM PT
      Layout and cell size of Excel sheets may change when using MS UI Gothic
      When using MS UI Gothic or MS PGothic in Excel, the text, layout, or cell size may become narrower or wider.

      See details >OS Build 17134.753

      April 25, 2019
      KB4493437Resolved
      KB4499167May 14, 2019
      10:00 AM PT
      Zone transfers over TCP may fail
      Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

      See details >OS Build 17134.753

      April 25, 2019
      KB4493437Resolved
      KB4499167May 14, 2019
      10:00 AM PT -
      Custom URI schemes may not start corresponding application
      Custom URI schemes for application protocol handlers may not start the corresponding application.

      See details >OS Build 17134.648

      March 12, 2019
      KB4489868Resolved
      KB4493437April 25, 2019
      02:00 PM PT " @@ -121,12 +120,3 @@ sections:
      Zone transfers over TCP may fail
      Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing KB4493437
       
      Affected platforms:  
      • Client: Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016 
      • Server: Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016 
      Resolution: This issue was resolved in KB4499167.

      Back to topOS Build 17134.753

      April 25, 2019
      KB4493437Resolved
      KB4499167Resolved:
      May 14, 2019
      10:00 AM PT

      Opened:
      April 25, 2019
      02:00 PM PT " - -- title: March 2019 -- items: - - type: markdown - text: " - - -
      DetailsOriginating updateStatusHistory
      Custom URI schemes may not start corresponding application
      After installing KB4489868, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer. 

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
      Resolution: This issue is resolved in KB4493437

      Back to top
      OS Build 17134.648

      March 12, 2019
      KB4489868
      Resolved
      KB4493437
      Resolved:
      April 25, 2019
      02:00 PM PT

      Opened:
      March 12, 2019
      10:00 AM PT
      - " diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index d8ce5f8d4a..fb8c792d7a 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -54,7 +54,6 @@ sections:
      Zone transfers over TCP may fail
      Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail.

      See details >OS Build 17763.475

      May 03, 2019
      KB4495667Resolved
      KB4494441May 14, 2019
      10:00 AM PT
      Latest cumulative update (KB 4495667) installs automatically
      Reports that the optional cumulative update (KB 4495667) installs automatically.

      See details >OS Build 17763.475

      May 03, 2019
      KB4495667Resolved
      May 08, 2019
      03:37 PM PT
      System may be unresponsive after restart if ArcaBit antivirus software installed
      After further investigation ArcaBit has confirmed this issue is not applicable to Windows 10, version 1809

      See details >OS Build 17763.437

      April 09, 2019
      KB4493509Resolved
      May 08, 2019
      03:30 PM PT -
      Custom URI schemes may not start corresponding application
      Custom URI schemes for application protocol handlers may not start the corresponding application.

      See details >OS Build 17763.379

      March 12, 2019
      KB4489899Resolved
      KB4495667May 03, 2019
      10:00 AM PT " @@ -140,7 +139,6 @@ sections: text: " -
      DetailsOriginating updateStatusHistory
      Issue using PXE to start a device from WDS
      After installing KB4489899, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
      Resolution: This issue was resolved in KB4503327.

      Back to top
      OS Build 17763.379

      March 12, 2019
      KB4489899
      Resolved
      KB4503327
      Resolved:
      June 11, 2019
      10:00 AM PT

      Opened:
      March 12, 2019
      10:00 AM PT
      Custom URI schemes may not start corresponding application
      After installing KB4489899, custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites security zones on Internet Explorer.

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
      • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2008 R2 SP1
      Workaround: Right-click the URL link to open it in a new window or tab, or enable Protected Mode in Internet Explorer for local intranet and trusted sites
      1. Go to Tools > Internet options > Security.
      2. Within Select a zone to view of change security settings, select Local intranet and then select Enable Protected Mode.
      3. Select Trusted Sites and then select Enable Protected Mode
      4. Select OK.
      You must restart the browser after making these changes.

      Resolution: This issue is resolved in KB4495667.

      Back to top
      OS Build 17763.379

      March 12, 2019
      KB4489899
      Resolved
      KB4495667
      Resolved:
      May 03, 2019
      10:00 AM PT

      Opened:
      March 12, 2019
      10:00 AM PT
      " diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index e0d9f8160e..9de5f0a7b9 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -32,6 +32,9 @@ sections: - type: markdown text: " + + + @@ -66,11 +69,21 @@ sections:
      " +- title: October 2019 +- items: + - type: markdown + text: " +
      SummaryOriginating updateStatusDate resolved
      Cannot launch Camera app
      Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Resolved
      KB4501375
      June 27, 2019
      10:00 AM PT
      Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
      Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

      See details >
      OS Build 18362.116

      May 20, 2019
      KB4505057
      Resolved
      KB4517389
      October 08, 2019
      10:00 AM PT
      Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
      Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

      See details >
      N/A

      Resolved
      KB4522355
      October 24, 2019
      10:00 AM PT
      dGPU occasionally disappear from device manager on Surface Book 2
      Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

      See details >
      OS Build 18362.145

      May 29, 2019
      KB4497935
      Resolved
      October 18, 2019
      04:33 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      OS Build 18362.357

      September 23, 2019
      KB4522016
      Resolved
      KB4517389
      October 08, 2019
      10:00 AM PT
      Audio in games is quiet or different than expected
      Microsoft has received reports that audio in certain games is quieter or different than expected.

      See details >
      OS Build 18362.356

      September 10, 2019
      KB4515384
      Resolved
      KB4517211
      September 26, 2019
      02:00 PM PT
      + +
      DetailsOriginating updateStatusHistory
      Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
      Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

      Affected platforms:
      • Client: Windows 10, version 1903
      • Server: Windows Server, version 1903
      Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

      Back to top
      OS Build 18362.116

      May 20, 2019
      KB4505057
      Resolved
      KB4517389
      Resolved:
      October 08, 2019
      10:00 AM PT

      Opened:
      October 25, 2019
      04:21 PM PT
      + " + - title: September 2019 - items: - type: markdown text: " + @@ -119,6 +132,7 @@ sections: - type: markdown text: "
      DetailsOriginating updateStatusHistory
      Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
      Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.

      To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4522355. The safeguard hold is estimated to be removed in mid-November.

      Back to top
      N/A

      Resolved
      KB4522355
      Resolved:
      October 24, 2019
      10:00 AM PT

      Opened:
      September 13, 2019
      05:25 PM PT
      Intermittent issues when printing
      Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
      • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
      • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
      Resolution: This issue was resolved in KB4517389.

      Back to top
      OS Build 18362.357

      September 23, 2019
      KB4522016
      Resolved
      KB4517389
      Resolved:
      October 08, 2019
      10:00 AM PT

      Opened:
      September 30, 2019
      06:26 PM PT
      Audio in games is quiet or different than expected
      Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4517211.

      Back to top
      OS Build 18362.356

      September 10, 2019
      KB4515384
      Resolved
      KB4517211
      Resolved:
      September 26, 2019
      02:00 PM PT

      Opened:
      September 13, 2019
      05:25 PM PT
      IME may become unresponsive or have High CPU usage
      Some Input Method Editor (IME) may become unresponsive or may have high CPU usage. Affected IMEs include Chinese Simplified (ChsIME.EXE) and Chinese Traditional (ChtIME.EXE) with Changjie/Quick keyboard.


      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016

      Resolution: Due to security related changes in KB4515384, this issue may occur when Touch Keyboard and Handwriting Panel Service is not configured to its default startup type of Manual. To resolve the issue, perform the following steps:
      1. Select the Start button and type Services.
      2. Locate Touch Keyboard and Handwriting Panel Service and double click on it or long press and select Properties.
      3. Locate Startup type: and change it to Manual
      4. Select Ok
      5. The TabletInputService service is now in the default configuration and IME should work as expected.

      Back to top
      OS Build 18362.356

      September 10, 2019
      KB4515384
      Resolved
      Resolved:
      September 19, 2019
      04:08 PM PT

      Opened:
      September 13, 2019
      05:25 PM PT
      + diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index 018a7f2bc2..8b2b541e7e 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -46,7 +46,6 @@ sections: -
      DetailsOriginating updateStatusHistory
      Cannot launch Camera app
      Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
              \"Close other apps, error code: 0XA00F4243.”

      To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Resolved
      KB4501375
      Resolved:
      June 27, 2019
      10:00 AM PT

      Opened:
      May 21, 2019
      07:20 AM PT
      Windows Sandbox may fail to start with error code “0x80070002”
      Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4512941.

      Back to top
      OS Build 18362.116

      May 20, 2019
      KB4505057
      Resolved
      KB4512941
      Resolved:
      August 30, 2019
      10:00 AM PT

      Opened:
      May 24, 2019
      04:20 PM PT
      Display brightness may not respond to adjustments
      Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

      To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Resolved
      KB4505903
      Resolved:
      July 26, 2019
      02:00 PM PT

      Opened:
      May 21, 2019
      07:56 AM PT
      Loss of functionality in Dynabook Smartphone Link app
      Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

      To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

      Back to top
      OS Build 18362.116

      May 20, 2019
      KB4505057
      Resolved
      Resolved:
      July 11, 2019
      01:54 PM PT

      Opened:
      May 24, 2019
      03:10 PM PT
      System unresponsive after restart if Sophos Endpoint Protection installed
      Devices with Sophos Endpoint Protection, managed by Sophos Central or Sophos Enterprise Console, may be unresponsive.

      See details >
      April 09, 2019
      KB4493472
      Resolved
      May 14, 2019
      01:22 PM PT
      System may be unresponsive after restart if Avira antivirus software installed
      Devices with Avira antivirus software installed may become unresponsive upon restart.

      See details >
      April 09, 2019
      KB4493472
      Resolved
      May 14, 2019
      01:21 PM PT
      Authentication may fail for services after the Kerberos ticket expires
      Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.

      See details >
      March 12, 2019
      KB4489878
      Resolved
      KB4499164
      May 14, 2019
      10:00 AM PT
      Devices may not respond at login or Welcome screen if running certain Avast software
      Devices running Avast for Business, Avast CloudCare, and AVG Business Edition may become unresponsive after restart.

      See details >
      April 09, 2019
      KB4493472
      Resolved
      April 25, 2019
      02:00 PM PT
      "
@@ -115,7 +114,6 @@ sections:
      System may be unresponsive after restart if ArcaBit antivirus software installed
      Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

      Affected platforms:
      • Client: Windows 8.1; Windows 7 SP1
      • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
      Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

      Back to topApril 09, 2019
      KB4493472Resolved
      Resolved:
      May 14, 2019
      01:23 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT
      System unresponsive after restart if Sophos Endpoint Protection installed
      Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

      Affected platforms: 
      • Client: Windows 8.1; Windows 7 SP1
      • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
      Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

      Back to topApril 09, 2019
      KB4493472Resolved
      Resolved:
      May 14, 2019
      01:22 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT
      System may be unresponsive after restart if Avira antivirus software installed
      Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

      Affected platforms: 
      • Client: Windows 8.1; Windows 7 SP1 
      • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
      Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

      Back to topApril 09, 2019
      KB4493472Resolved
      Resolved:
      May 14, 2019
      01:21 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT -
      Devices may not respond at login or Welcome screen if running certain Avast software
      Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493472 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

      Affected platforms: 
      • Client: Windows 8.1; Windows 7 SP1 
      • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 
      Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

      Back to topApril 09, 2019
      KB4493472Resolved
      Resolved:
      April 25, 2019
      02:00 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT "
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index 773e34d6fa..dd4aae95a7 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -46,7 +46,6 @@ sections:
      System may be unresponsive after restart if ArcaBit antivirus software installed
      Devices with ArcaBit antivirus software installed may become unresponsive upon restart.

      See details >April 09, 2019
      KB4493446Resolved
      May 14, 2019
      01:22 PM PT
      System unresponsive after restart if Sophos Endpoint Protection installed
      Devices with Sophos Endpoint Protection, managed by Sophos Central or Sophos Enterprise Console, may be unresponsive.

      See details >April 09, 2019
      KB4493446Resolved
      May 14, 2019
      01:22 PM PT
      System may be unresponsive after restart if Avira antivirus software installed
      Devices with Avira antivirus software installed may become unresponsive upon restart.

      See details >April 09, 2019
      KB4493446Resolved
      May 14, 2019
      01:21 PM PT -
      Devices may not respond at login or Welcome screen if running certain Avast software
      Devices running Avast for Business, Avast CloudCare, and AVG Business Edition may become unresponsive after restart.

      See details >April 09, 2019
      KB4493446Resolved
      April 25, 2019
      02:00 PM PT "
@@ -115,7 +114,6 @@ sections:
      System may be unresponsive after restart if ArcaBit antivirus software installed
      Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

      Affected platforms:
      • Client: Windows 8.1; Windows 7 SP1
      • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
      Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

      Back to topApril 09, 2019
      KB4493446Resolved
      Resolved:
      May 14, 2019
      01:22 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT
      System unresponsive after restart if Sophos Endpoint Protection installed
      Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

      Affected platforms: 
      • Client: Windows 8.1; Windows 7 SP1
      • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
      Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

      Back to topApril 09, 2019
      KB4493446Resolved
      Resolved:
      May 14, 2019
      01:22 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT
      System may be unresponsive after restart if Avira antivirus software installed
      Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

      Affected platforms: 
      • Client: Windows 8.1; Windows 7 SP1 
      • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
      Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

      Back to topApril 09, 2019
      KB4493446Resolved
      Resolved:
      May 14, 2019
      01:21 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT -
      Devices may not respond at login or Welcome screen if running certain Avast software
      Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install KB4493446 and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.

      Affected platforms: 
      • Client: Windows 8.1; Windows 7 SP1 
      • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1 
      Resolution: Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

      Back to topApril 09, 2019
      KB4493446Resolved
      Resolved:
      April 25, 2019
      02:00 PM PT

      Opened:
      April 09, 2019
      10:00 AM PT "
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index be4512cee7..0e940b2321 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -60,6 +60,7 @@ sections:
 - type: markdown
 text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      +
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      OS Build 10240.18368

      October 08, 2019
      KB4520011
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      OS Build 10240.18334

      September 23, 2019
      KB4522009
      Resolved
      KB4520011
      October 08, 2019
      10:00 AM PT
      Certain operations performed on a Cluster Shared Volume may fail
      Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

      See details >
      OS Build 10240.18094

      January 08, 2019
      KB4480962
      Mitigated
      April 25, 2019
      02:00 PM PT
      @@ -72,6 +73,15 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      OS Build 10240.18368

      October 08, 2019
      KB4520011
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + - title: September 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index c75ec5b5a9..d3cf6d65f2 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      + @@ -74,6 +75,15 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " +
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      OS Build 14393.3274

      October 08, 2019
      KB4519998
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      OS Build 14393.3206

      September 23, 2019
      KB4522010
      Resolved
      KB4519998
      October 08, 2019
      10:00 AM PT
      Certain operations performed on a Cluster Shared Volume may fail
      Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

      See details >
      OS Build 14393.2724

      January 08, 2019
      KB4480961
      Mitigated
      April 25, 2019
      02:00 PM PT
      Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
      Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

      See details >
      OS Build 14393.2608

      November 13, 2018
      KB4467691
      Mitigated
      February 19, 2019
      10:00 AM PT
      + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      OS Build 14393.3274

      October 08, 2019
      KB4519998
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + - title: September 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 9b774ca109..5ad1df7093 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -21,7 +21,7 @@ sections: Find information on known issues for Windows 10, version 1703. Looking for a specific issue? Press CTRL + F (or Command + F if you are using a Mac) and enter your search term(s). -
      Windows 10, version 1703 has reached end of service
      Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
      +
      Windows 10, version 1703 has reached end of service
      Consumer and commercial editions of Windows 10, version 1703 have reached end of service. Devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats. We recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet.

      Note This page will be retired on Tuesday, November 12, 2019.
      "
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index 217b281dbc..01a0e958ec 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -60,6 +60,8 @@ sections:
 - type: markdown
 text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      + +
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      OS Build 16299.1451

      October 08, 2019
      KB4520004
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Unable to create local users in Chinese, Japanese and Korean during device setup
      You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

      See details >
      OS Build 16299.1387

      September 10, 2019
      KB4516066
      Mitigated
      October 29, 2019
      05:15 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      OS Build 16299.1392

      September 23, 2019
      KB4522012
      Resolved
      KB4520004
      October 08, 2019
      10:00 AM PT
      Certain operations performed on a Cluster Shared Volume may fail
      Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

      See details >
      OS Build 16299.904

      January 08, 2019
      KB4480978
      Mitigated
      April 25, 2019
      02:00 PM PT
      @@ -72,6 +74,24 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      OS Build 16299.1451

      October 08, 2019
      KB4520004
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + +- title: October 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      Unable to create local users in Chinese, Japanese and Korean during device setup
      When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

      Note This issue does not affect using a Microsoft Account during OOBE.

      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
      Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

      Next steps: We are working on a resolution and estimate a solution will be available in late November.

      Back to top
      OS Build 16299.1387

      September 10, 2019
      KB4516066
      Mitigated
      Last updated:
      October 29, 2019
      05:15 PM PT

      Opened:
      October 29, 2019
      05:15 PM PT
      + " + - title: September 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 9480e53e4d..4fa63b7381 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -64,6 +64,8 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      + + @@ -78,6 +80,24 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " +
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      OS Build 17134.1069

      October 08, 2019
      KB4520008
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Unable to create local users in Chinese, Japanese and Korean during device setup
      You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

      See details >
      OS Build 17134.1006

      September 10, 2019
      KB4516058
      Mitigated
      October 29, 2019
      05:15 PM PT
      Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
      You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.

      See details >
      OS Build 17134.950

      August 13, 2019
      KB4512501
      Resolved
      KB4519978
      October 15, 2019
      10:00 AM PT
      Startup to a black screen after installing updates
      Your device may startup to a black screen during the first logon after installing updates.

      See details >
      OS Build 17134.829

      June 11, 2019
      KB4503286
      Resolved
      KB4519978
      October 15, 2019
      10:00 AM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      OS Build 17134.1009

      September 23, 2019
      KB4522014
      Resolved
      KB4520008
      October 08, 2019
      10:00 AM PT
      + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      OS Build 17134.1069

      October 08, 2019
      KB4520008
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + +- title: October 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      Unable to create local users in Chinese, Japanese and Korean during device setup
      When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

      Note This issue does not affect using a Microsoft Account during OOBE.

      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
      Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

      Next steps: We are working on a resolution and estimate a solution will be available in late November.

      Back to top
      OS Build 17134.1006

      September 10, 2019
      KB4516058
      Mitigated
      Last updated:
      October 29, 2019
      05:15 PM PT

      Opened:
      October 29, 2019
      05:15 PM PT
      + " + - title: September 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 364659d2b9..fcc5aa3645 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -64,11 +64,12 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      + + -
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      OS Build 17763.805

      October 08, 2019
      KB4519338
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Unable to create local users in Chinese, Japanese and Korean during device setup
      You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

      See details >
      OS Build 17763.737

      September 10, 2019
      KB4512578
      Mitigated
      October 29, 2019
      05:15 PM PT
      Microsoft Defender Advanced Threat Protection might stop running
      The Microsoft Defender ATP service might stop running and might fail to send reporting data.

      See details >
      OS Build 17763.832

      October 15, 2019
      KB4520062
      Investigating
      October 18, 2019
      04:23 PM PT
      Windows Mixed Reality Portal users may intermittently receive a 15-5 error code
      You may receive a 15-5 error code in Windows Mixed Reality Portal and your headset may not wake up from sleep.

      See details >
      OS Build 17763.678

      August 13, 2019
      KB4511553
      Resolved
      KB4520062
      October 15, 2019
      10:00 AM PT
      Startup to a black screen after installing updates
      Your device may startup to a black screen during the first logon after installing updates.

      See details >
      OS Build 17763.557

      June 11, 2019
      KB4503327
      Resolved
      KB4520062
      October 15, 2019
      10:00 AM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      OS Build 17763.740

      September 23, 2019
      KB4522015
      Resolved
      KB4519338
      October 08, 2019
      10:00 AM PT
      Apps and scripts using the NetQueryDisplayInformation API may fail with error
      Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.

      See details >
      OS Build 17763.55

      October 09, 2018
      KB4464330
      Resolved
      KB4516077
      September 24, 2019
      10:00 AM PT
      Devices with some Asian language packs installed may receive an error
      Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

      See details >
      OS Build 17763.437

      April 09, 2019
      KB4493509
      Mitigated
      May 03, 2019
      10:59 AM PT
      Certain operations performed on a Cluster Shared Volume may fail
      Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

      See details >
      OS Build 17763.253

      January 08, 2019
      KB4480116
      Mitigated
      April 09, 2019
      10:00 AM PT
      @@ -81,11 +82,21 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      OS Build 17763.805

      October 08, 2019
      KB4519338
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + - title: October 2019 - items: - type: markdown text: " +
      DetailsOriginating updateStatusHistory
      Unable to create local users in Chinese, Japanese and Korean during device setup
      When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

      Note This issue does not affect using a Microsoft Account during OOBE.

      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
      Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

      Next steps: We are working on a resolution and estimate a solution will be available in late November.

      Back to top
      OS Build 17763.737

      September 10, 2019
      KB4512578
      Mitigated
      Last updated:
      October 29, 2019
      05:15 PM PT

      Opened:
      October 29, 2019
      05:15 PM PT
      Microsoft Defender Advanced Threat Protection might stop running
      After installing the optional non-security update (KB4520062), the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer on MsSense.exe.

      Note Microsoft Windows Defender Antivirus is not affected by this issue.

      Affected platforms:
      • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
      • Server: Windows Server, version 1809; Windows Server 2019
      Next steps: At this time, we suggest that devices in an affected environment do not install the optional non-security update, KB4520062. We are working on a resolution and estimate a solution will be available in mid-November.

      Back to top
      OS Build 17763.832

      October 15, 2019
      KB4520062
      Investigating
      Last updated:
      October 18, 2019
      04:23 PM PT

      Opened:
      October 17, 2019
      05:14 PM PT
      " @@ -100,15 +111,6 @@ sections: " -- title: August 2019 -- items: - - type: markdown - text: " - - -
      DetailsOriginating updateStatusHistory
      Apps and scripts using the NetQueryDisplayInformation API may fail with error
       Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

      Affected platforms:
      • Server: Windows Server 2019; Windows Server 2016
      Resolution: This issue was resolved in KB4516077.

      Back to top
      OS Build 17763.55

      October 09, 2018
      KB4464330
      Resolved
      KB4516077
      Resolved:
      September 24, 2019
      10:00 AM PT

      Opened:
      August 01, 2019
      05:00 PM PT
      - " - - title: June 2019 - items: - type: markdown
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index f1e8b5126b..d0dd443d7e 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -64,16 +64,18 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      + + + + + + - - - - + -
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      OS Build 18362.418

      October 08, 2019
      KB4517389
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Unable to create local users in Chinese, Japanese and Korean during device setup
      You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

      See details >
      OS Build 18362.356

      September 10, 2019
      KB4515384
      Mitigated
      October 29, 2019
      05:15 PM PT
      Cannot launch Camera app
      Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Resolved
      KB4501375
      June 27, 2019
      10:00 AM PT
      Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
      Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

      See details >
      OS Build 18362.116

      May 20, 2019
      KB4505057
      Resolved
      KB4517389
      October 08, 2019
      10:00 AM PT
      Unable to discover or connect to Bluetooth devices using some Realtek adapters
      Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      October 25, 2019
      04:21 PM PT
      Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
      Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

      See details >
      N/A

      Resolved
      KB4522355
      October 24, 2019
      10:00 AM PT
      dGPU occasionally disappear from device manager on Surface Book 2
      Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

      See details >
      OS Build 18362.145

      May 29, 2019
      KB4497935
      Resolved
      October 18, 2019
      04:33 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      OS Build 18362.357

      September 23, 2019
      KB4522016
      Resolved
      KB4517389
      October 08, 2019
      10:00 AM PT
      Audio in games is quiet or different than expected
      Microsoft has received reports that audio in certain games is quieter or different than expected.

      See details >
      OS Build 18362.356

      September 10, 2019
      KB4515384
      Resolved
      KB4517211
      September 26, 2019
      02:00 PM PT
      Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
      Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

      See details >
      N/A

      Mitigated
      September 13, 2019
      05:25 PM PT
      Updates may fail to install and you may receive Error 0x80073701
      Installation of updates may fail and you may receive error code 0x80073701.

      See details >
      OS Build 18362.145

      May 29, 2019
      KB4497935
      Investigating
      August 16, 2019
      04:28 PM PT
      Intermittent loss of Wi-Fi connectivity
      Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated External
      August 01, 2019
      08:44 PM PT
      Gamma ramps, color profiles, and night light settings do not apply in some cases
      Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      August 01, 2019
      06:27 PM PT
      Unable to discover or connect to Bluetooth devices
      Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      May 21, 2019
      04:48 PM PT
      Gamma ramps, color profiles, and night light settings do not apply in some cases
      Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      KB4505903
      August 01, 2019
      06:27 PM PT
      Intel Audio displays an intcdaud.sys notification
      Devices with a range of Intel Display Audio device drivers may experience battery drain.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      May 21, 2019
      04:47 PM PT
      Cannot launch Camera app
      Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

      See details >
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      May 21, 2019
      04:47 PM PT
      " @@ -84,14 +86,32 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      OS Build 18362.418

      October 08, 2019
      KB4517389
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + +- title: October 2019 +- items: + - type: markdown + text: " + + + +
      DetailsOriginating updateStatusHistory
      Unable to create local users in Chinese, Japanese and Korean during device setup
      When setting up a new Windows device using the Out of Box Experience (OOBE), you might be unable to create a local user when using Input Method Editor (IME). This issue might affect you if you are using the IME for Chinese, Japanese, or Korean languages.

      Note This issue does not affect using a Microsoft Account during OOBE.

      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
      Workaround: To mitigate this issue, set the keyboard language to English during user creation or use a Microsoft Account to complete OOBE. You can set the keyboard language back to your preferred language after user creation. Once the OOBE is done and you are at the desktop, you can rename the current user using these instructions. If you prefer to create a new local user, see KB4026923.

      Next steps: We are working on a resolution and estimate a solution will be available in late November.

      Back to top
      OS Build 18362.356

      September 10, 2019
      KB4515384
      Mitigated
      Last updated:
      October 29, 2019
      05:15 PM PT

      Opened:
      October 29, 2019
      05:15 PM PT
      Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
      Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

      Affected platforms:
      • Client: Windows 10, version 1903
      • Server: Windows Server, version 1903
      Resolution: This issue was resolved in KB4517389 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903 or Windows Server, version 1903.

      Back to top
      OS Build 18362.116

      May 20, 2019
      KB4505057
      Resolved
      KB4517389
      Resolved:
      October 08, 2019
      10:00 AM PT

      Opened:
      October 25, 2019
      04:21 PM PT
      + " + - title: September 2019 - items: - type: markdown text: " + - -
      DetailsOriginating updateStatusHistory
      Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
      Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.

      To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4522355. The safeguard hold is estimated to be removed in mid-November.

      Back to top
      N/A

      Resolved
      KB4522355
      Resolved:
      October 24, 2019
      10:00 AM PT

      Opened:
      September 13, 2019
      05:25 PM PT
      Intermittent issues when printing
      Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
      • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
      • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
      Resolution: This issue was resolved in KB4517389.

      Back to top
      OS Build 18362.357

      September 23, 2019
      KB4522016
      Resolved
      KB4517389
      Resolved:
      October 08, 2019
      10:00 AM PT

      Opened:
      September 30, 2019
      06:26 PM PT
      Audio in games is quiet or different than expected
      Microsoft has received reports that audio in certain games is quieter or different than expected. At the request of some of our audio partners, we implemented a compatibility change that enabled certain games to query support and render multi-channel audio. Due to customer feedback, we are reverting this change as some games and some devices are not rendering multi-channel audio as expected. This may result in games sounding different than customers are used to and may have missing channels.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4517211.

      Back to top
      OS Build 18362.356

      September 10, 2019
      KB4515384
      Resolved
      KB4517211
      Resolved:
      September 26, 2019
      02:00 PM PT

      Opened:
      September 13, 2019
      05:25 PM PT
      Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
      Microsoft and NEC have found incompatibility issues with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards when running Windows 10, version 1903 on specific models of NEC devices. If these devices are updated to Windows 10, version 1903, they will no longer be able to use any Wi-Fi connections. The Wi-Fi driver may have a yellow exclamation point in device manager. The task tray icon for networking may show the icon for no internet and Network & Internet settings may not show any Wi-Fi networks.

      To safeguard your update experience, we have applied a compatibility hold on the affected devices from being offered Windows 10, version 1903.

      Affected platforms:
      • Client: Windows 10, version 1903
      Workaround: If you are using an affected device and you have already installed Windows 10, version 1903, you can mitigate the issue disabling then re-enabling the Wi-Fi adapter in Device Manager. You should now be able to use Wi-Fi until your next reboot.

      Next steps: Microsoft and NEC are working on a resolution and will provide an update in an upcoming release.

      Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

      Back to top
      N/A

      Mitigated
      Last updated:
      September 13, 2019
      05:25 PM PT

      Opened:
      September 13, 2019
      05:25 PM PT
      " @@ -118,10 +138,10 @@ sections: - type: markdown text: " + + - - + -
      DetailsOriginating updateStatusHistory
      Cannot launch Camera app
      Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
              \"Close other apps, error code: 0XA00F4243.”

      To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

      Affected platforms:
      • Client: Windows 10, version 1903
      Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Resolved
      KB4501375
      Resolved:
      June 27, 2019
      10:00 AM PT

      Opened:
      May 21, 2019
      07:20 AM PT
      Unable to discover or connect to Bluetooth devices using some Realtek adapters
      Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

      Affected platforms:
      • Client: Windows 10, version 1903
      • Server: Windows Server, version 1903
      Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You will need to install a Realtek driver version greater than 1.5.1011.0.

      Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

      Next steps: Microsoft is working with Realtek to release new drivers for all affected system via Windows Update.

      October 25, 2019 note This issue was previously grouped with the Qualcomm radio issue, which is now resolved. There is no change to this issue except to remove reference to Qualcomm.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      Last updated:
      October 25, 2019
      04:21 PM PT

      Opened:
      May 21, 2019
      07:29 AM PT
      Intermittent loss of Wi-Fi connectivity
      Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

      To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

      Affected platforms:
      • Client: Windows 10, version 1903
      Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
       
      Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated External
      Last updated:
      August 01, 2019
      08:44 PM PT

      Opened:
      May 21, 2019
      07:13 AM PT
      Gamma ramps, color profiles, and night light settings do not apply in some cases
      Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

      Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
      • Connecting to (or disconnecting from) an external monitor, dock, or projector
      • Rotating the screen
      • Updating display drivers or making other display mode changes
      • Closing full screen applications
      • Applying custom color profiles
      • Running applications that rely on custom gamma ramps
      Affected platforms:
      • Client: Windows 10, version 1903
      Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

      Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

      Next steps: We are working on a resolution and will provide an update in an upcoming release.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      Last updated:
      August 01, 2019
      06:27 PM PT

      Opened:
      May 21, 2019
      07:28 AM PT
      Unable to discover or connect to Bluetooth devices
      Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

      Affected platforms:
      • Client: Windows 10, version 1903
      • Server: Windows Server, version 1903
      Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.

      • For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
      • For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
      Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

      Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.  


      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      Last updated:
      May 21, 2019
      04:48 PM PT

      Opened:
      May 21, 2019
      07:29 AM PT
      Gamma ramps, color profiles, and night light settings do not apply in some cases
      Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

      Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
      • Connecting to (or disconnecting from) an external monitor, dock, or projector
      • Rotating the screen
      • Updating display drivers or making other display mode changes
      • Closing full screen applications
      • Applying custom color profiles
      • Running applications that rely on custom gamma ramps
      Affected platforms:
      • Client: Windows 10, version 1903
      Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

      Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

      Next steps: We are working on a resolution and will provide an update in an upcoming release.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      KB4505903
      Last updated:
      August 01, 2019
      06:27 PM PT

      Opened:
      May 21, 2019
      07:28 AM PT
      Intel Audio displays an intcdaud.sys notification
      Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
        
      To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809
      Workaround:
      On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

      For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

      Note We recommend you do not attempt to update your devices until newer device drivers are installed.

      Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      Last updated:
      May 21, 2019
      04:47 PM PT

      Opened:
      May 21, 2019
      07:22 AM PT
      Cannot launch Camera app
      Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

      \"Close other apps, error code: 0XA00F4243.”


      To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

      Affected platforms:
      • Client: Windows 10, version 1903
      Workaround: To temporarily resolve this issue, perform one of the following:

      • Unplug your camera and plug it back in.

      or

      • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

      or

      • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
      Note This workaround will only resolve the issue until your next system restart.

      Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

      Next steps: We are working on a resolution and will provide an update in an upcoming release.

      Back to top
      OS Build 18362.116

      May 21, 2019
      KB4505057
      Mitigated
      Last updated:
      May 21, 2019
      04:47 PM PT

      Opened:
      May 21, 2019
      07:20 AM PT
      "
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index 8102e3efa0..1f8aaa76bb 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -60,8 +60,8 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      + -
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      October 08, 2019
      KB4519976
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      September 24, 2019
      KB4516048
      Resolved
      KB4519976
      October 08, 2019
      10:00 AM PT
      You may receive an error when opening or using the Toshiba Qosmio AV Center
      Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.

      See details >
      August 13, 2019
      KB4512506
      Resolved
      KB4516048
      September 24, 2019
      10:00 AM PT
      IA64 and x64 devices may fail to start after installing updates
      After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

      See details >
      August 13, 2019
      KB4512506
      Mitigated
      August 17, 2019
      12:59 PM PT
      "
@@ -73,13 +73,21 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      October 08, 2019
      KB4519976
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + - title: September 2019 - items: - type: markdown text: " -
      DetailsOriginating updateStatusHistory
      Intermittent issues when printing
      Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
      • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
      • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
      Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
      Resolution: This issue was resolved in KB4519976. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

      Back to top
      September 24, 2019
      KB4516048
      Resolved
      KB4519976
      Resolved:
      October 08, 2019
      10:00 AM PT

      Opened:
      September 30, 2019
      06:26 PM PT
      You may receive an error when opening or using the Toshiba Qosmio AV Center
      After installing KB4512506, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in Event Log related to cryptnet.dll.

      Affected platforms:
      • Client: Windows 7 SP1
      Resolution: This issue was resolved in KB4516048.

      Back to top
      August 13, 2019
      KB4512506
      Resolved
      KB4516048
      Resolved:
      September 24, 2019
      10:00 AM PT

      Opened:
      September 10, 2019
      09:48 AM PT
      "
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index 068427814b..e0f869f26a 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -60,8 +60,8 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      + -
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      October 08, 2019
      KB4520005
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      September 24, 2019
      KB4516041
      Resolved
      KB4520005
      October 08, 2019
      10:00 AM PT
      Windows RT 8.1 devices may have issues opening Internet Explorer 11
      On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.

      See details >
      September 10, 2019
      KB4516067
      Resolved
      KB4516041
      September 24, 2019
      10:00 AM PT
      Japanese IME doesn't show the new Japanese Era name as a text input option
      With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

      See details >
      April 25, 2019
      KB4493443
      Mitigated
      May 15, 2019
      05:53 PM PT
      Certain operations performed on a Cluster Shared Volume may fail
      Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

      See details >
      January 08, 2019
      KB4480963
      Mitigated
      April 25, 2019
      02:00 PM PT
      @@ -74,13 +74,21 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      October 08, 2019
      KB4520005
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + - title: September 2019 - items: - type: markdown text: " -
      DetailsOriginating updateStatusHistory
      Intermittent issues when printing
      Applications and printer drivers that leverage the Windows Javascript engine (jscript.dll) for processing print jobs might experience one or more of the following symptoms:
      • Applications interacting with the V4 printer driver might close or error when printing. Issues might only be encountered when printing but might also be encountered at any time the app is running, depending on when the app interacts with the print driver.
      • The printer spooler service (spoolsv.exe) might close or error in jscript.dll with exception code 0xc0000005 causing the print jobs to stop processing. Only part of the print job might print and the rest might be canceled or error.
      Note This issue also affects the Internet Explorer Cumulative Update KB4522007, release September 23, 2019.

      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
      Resolution: This issue was resolved in KB4520005. If you are using Security Only updates, see KB4519974 for resolving KB for your platform.

      Back to top
      September 24, 2019
      KB4516041
      Resolved
      KB4520005
      Resolved:
      October 08, 2019
      10:00 AM PT

      Opened:
      September 30, 2019
      06:26 PM PT
      Windows RT 8.1 devices may have issues opening Internet Explorer 11
      On Windows 8.1 RT devices, Internet Explorer 11 may not open and you may receive the error, \"C:\\Program Files\\Internet Explorer\\iexplore.exe: A certificate was explicitly revoked by its issuer.\"


      Affected platforms:
      • Client: Windows RT 8.1
      Resolution: This issue was resolved in KB4516041.

      Back to top
      September 10, 2019
      KB4516067
      Resolved
      KB4516041
      Resolved:
      September 24, 2019
      10:00 AM PT

      Opened:
      September 13, 2019
      05:25 PM PT
      "
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index 0df1e85294..9e2992e255 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -60,6 +60,7 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      +
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      October 08, 2019
      KB4520002
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Issues manually installing updates by double-clicking the .msu file
      You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.

      See details >
      September 10, 2019
      KB4474419
      Resolved
      KB4474419
      September 23, 2019
      10:00 AM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      September 24, 2019
      KB4516030
      Resolved
      KB4520002
      October 08, 2019
      10:00 AM PT
      @@ -72,6 +73,15 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " + + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      October 08, 2019
      KB4520002
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + - title: September 2019 - items: - type: markdown
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index e05f9d92b9..560b75a79f 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -60,6 +60,7 @@ sections: - type: markdown text: "
      This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

      +
@@ -73,6 +74,15 @@ sections:
      " +- title: November 2019 +- items: + - type: markdown + text: " +
      SummaryOriginating updateStatusLast updated
      TLS connections might fail or timeout
      Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

      See details >
      October 08, 2019
      KB4520007
      Mitigated External
      November 05, 2019
      03:36 PM PT
      Intermittent issues when printing
      The print spooler service may intermittently have issues completing a print job and results print job failure.

      See details >
      September 24, 2019
      KB4516069
      Resolved
      KB4520007
      October 08, 2019
      10:00 AM PT
      Japanese IME doesn't show the new Japanese Era name as a text input option
      With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

      See details >
      April 25, 2019
      KB4493462
      Mitigated
      May 15, 2019
      05:53 PM PT
      Certain operations performed on a Cluster Shared Volume may fail
      Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

      See details >
      January 08, 2019
      KB4480975
      Mitigated
      April 25, 2019
      02:00 PM PT
      + +
      DetailsOriginating updateStatusHistory
      TLS connections might fail or timeout
      Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
      • \"The request was aborted: Could not create SSL/TLS secure Channel\"
      • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
      Affected platforms:
      • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
      • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

      Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

      Back to top
      October 08, 2019
      KB4520007
      Mitigated External
      Last updated:
      November 05, 2019
      03:36 PM PT

      Opened:
      November 05, 2019
      03:36 PM PT
      + " + - title: September 2019 - items: - type: markdown
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index a41c2b4de0..a158f15e9b 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -50,6 +50,7 @@ sections: text: " +
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index afaaca56b3..228b863e82 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -112,7 +112,7 @@ The following table lists the three group scopes and more information about each

      Global groups from any domain in the same forest

      Other Universal groups from any domain in the same forest

      +

      Can be converted to Global scope if the group is not a member of any other Universal groups

      MessageDate
      October 2019 Windows 10, version 1903 \"D\" optional release is available.
      The October 2019 optional monthly “D” release for Windows 10, version 1903 is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
      October 24, 2019
      08:00 AM PT
      October 2019 Windows \"C\" optional release is available.
      The October 2019 optional monthly “C” release for all supported versions of Windows is now available. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. Follow @WindowsUpdate for the latest on the availability of this release.
      October 15, 2019
      09:59 AM PT
      Windows 10, version 1703 has reached end of service
      Consumer and commercial editions of Windows 10, version 1703 have reached end of service. As devices running these editions are no longer receiving monthly security and quality updates containing protections from the latest security threats, we recommend that you update these devices to the latest version of Windows 10 immediately. For more information on end of service dates currently supported versions of Windows 10, see the Windows lifecycle fact sheet.
      October 09, 2019
      12:00 PM PT
      Take Action: October 2019 security update available for all supported versions of Windows
      The October 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. We recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
       
      October 08, 2019
      08:00 AM PT

      Can be converted to Domain Local scope

      -

      Can be converted to Global scope if the group does not contain any other Universal groups

      On any domain in the same forest or trusting forests

      Other Universal groups in the same forest

      Domain Local groups in the same forest or trusting forests

diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index cf2079e8e5..cf63fb2c17 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -107,7 +107,7 @@ Federation server proxies are computers that run AD FS software that have been c
 Use the [Setting of a Federation Proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment.
 ### Deploy Azure AD Connect
-Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771).
+Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
 When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 1cf7fcb2cd..804d8a9ca6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -77,8 +77,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
 The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
->[!NOTE]
->The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+> [!NOTE]
+> The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
 ### Enrollment Agent certificate template
@@ -150,10 +150,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
 Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials.
 1. Open an elevated command prompt.
-2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
+2. Run `certutil -dsTemplate WHFBAuthentication,msPKI-Private-Key-Flag,+CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
->[!NOTE]
->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
+> [!NOTE]
+> If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
 ## Publish Templates
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index abb29a0a18..0f5cdfa98a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -27,7 +27,7 @@ ms.reviewer:
 You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises.
 ## Deploy Azure AD Connect
-Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771).
+Next, you need to synchronize the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771).
 > [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index f00875d1a2..c1a9b60e79 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -23,19 +23,21 @@ In Windows 10, Windows Hello for Business replaces passwords with strong two-fa Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. Windows Hello addresses the following problems with passwords: -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). + +- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. +- Server breaches can expose symmetric network credentials (passwords). +- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). +- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). >[!div class="mx-tdBreakAll"] >| | | | >| :---: | :---: | :---: | >| [![Overview Icon](images/hello_filter.png)](hello-overview.md)
      [Overview](hello-overview.md) | [![Why a PIN is better than a password Icon](images/hello_lock.png)](hello-why-pin-is-better-than-password.md)
      [Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [![Manage Hello Icon](images/hello_gear.png)](hello-manage-in-organization.md)
      [Manage Windows Hello in your Organization](hello-manage-in-organization.md) | -## Prerequisites +## Prerequisites ### Cloud Only Deployment + * Windows 10, version 1511 or later * Microsoft Azure Account * Azure Active Directory @@ -44,6 +46,7 @@ Windows Hello addresses the following problems with passwords: * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory ### Hybrid Deployments + The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
      Group Policy managed | Certificate trust
      Mixed managed | Key trust
      Modern managed | Certificate trust
      Modern managed | @@ -54,25 +57,26 @@ The table shows the minimum requirements for each deployment. For key trust in a | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
      and
      Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | -| Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/Azure MFA Server adapter, or
      AD FS w/3rd Party MFA Adapter | +| Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
      AD FS w/Azure MFA adapter, or
      AD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | -### On-premises Deployments +### On-premises Deployments + The table shows the minimum requirements for each deployment. | Key trust
      Group Policy managed | Certificate trust
      Group Policy managed| -| --- | --- | +| --- | --- | | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | -| AD FS with Azure MFA Server, or
      AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
      AD FS with 3rd Party MFA Adapter | +| AD FS with 3rd Party MFA Adapter | AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | >[!IMPORTANT] -> For Windows Hello for Business deployment, if you have several domains, at least one Windows Server Domain Controller 2016 is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers). +> For Windows Hello for Business key trust deployments, if you have several domains, at least one Windows Server Domain Controller 2016 or newer is required for each domain. For more information, see the [planning guide](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers). diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md index 3878a9b907..99d02689bd 100644 --- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md 
@@ -21,7 +21,7 @@ ms.reviewer: > Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users. +Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users. See [FIDO2 security keys features and providers](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys). The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience. diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 830bfcfcfc..702f62e6d4 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -97,14 +97,14 @@ The smart card reader device name is constructed in the form <*VendorName*> | 607 | Reader object failed to start monitor thread:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | | 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | | 609 | Reader monitor failed to create overlapped event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | -| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
      %1 = Windows error code
      %2 = Name of the smart card reader
      %3 = IOCTL that was sent
      %4 = First 4 bytes of the command sent to the smart card | +| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This is a benign error that does not affect end use of a smart card and can be ignored.
      %1 = Windows error code
      %2 = Name of the smart card reader
      %3 = IOCTL that was sent
      %4 = First 4 bytes of the command sent to the smart card | | 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | | 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
      %1 = Windows error code | | 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
      %1 = Windows error code | | 616 | Reader monitor '%2' received uncaught error code:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
      %1 = Windows error code
      %2 = Reader name | | 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it is removed from the computer and reinserted or until the computer is restarted.
      %1 = Smart card reader name | | 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | -| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | +| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. This error may also occur if the event is queried before the smart card service is ready. In this case the error is benign and can be ignored.
      %1 = Windows error code | | 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
      %1 = Windows error code | ## Smart card Plug and Play events diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 7968ef5030..08e059935f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -136,10 +136,7 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
      - - - -# **PowerShell** +**Powershell** [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index a426da3ed2..aca61b7f1d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md 
@@ -78,4 +78,4 @@ To turn on, turn off, or change configurations of BitLocker on operating system ## What is the recommended boot order for computers that are going to be BitLocker-protected? -You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such ach as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  +You should configure the startup options of your computer to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk is not first and you typically boot from hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause you to be prompted for your BitLocker recovery key. For the same reason, if you have a laptop with a docking station, ensure that the hard disk drive is first in the boot order both when docked and undocked.  diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index e17bd5c51b..c2050be90b 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md 
@@ -5,7 +5,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: justinha
+author: dansimp
+ms.author: dansimp
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index f6d1a67328..bf7360d125 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -49,6 +49,9 @@ The recovery process included in this topic only works for desktop devices. WIP
 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager](create-wip-policy-using-sccm.md).
+> [!NOTE]
+> This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM).
+
 ## Verify your data recovery certificate is correctly set up on a WIP client computer
 1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP.
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 6edaaf0f7d..a710de4335 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -10,8 +10,8 @@ ms.mktglfcycl:
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: stephow-MSFT
-ms.author: stephow
+author: LauraWi
+ms.author: laurawi
 manager: laurawi
 audience: ITPro
 ms.collection: M365-security-compliance
@@ -33,7 +33,7 @@ In the **Website learning report**, you can view a summary of the devices that h
 ## Access the WIP Learning reports
-1. Open the [Azure portal](http://portal.azure.com/).
+1. Open the [Azure portal](https://portal.azure.com/).
 1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index f8776c4535..65f80dda38 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -9,7 +9,7 @@
 #### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
 #### [Configuration score](microsoft-defender-atp/configuration-score.md)
 #### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
-#### [Remediation](microsoft-defender-atp/tvm-remediation.md)
+#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
 #### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
 #### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
 #### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
@@ -122,10 +122,13 @@ ##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md) ##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md) ##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md) +##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) +##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) +##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) +##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) #### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md) - #### [Custom detections]() ##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md) ##### [Create and manage custom detections rules](microsoft-defender-atp/custom-detection-rules.md) 
@@ -308,21 +311,23 @@ ##### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md) -### [Microsoft Defender Advanced Threat Protection for Mac](windows-defender-antivirus/microsoft-defender-atp-mac.md) -#### [What's New in Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md) -#### [Deploy Microsoft Defender Advanced Threat Protection for Mac]() -##### [Microsoft Intune-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md) -##### [JAMF-based deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md) -##### [Deployment with a different Mobile Device Management (MDM) system](windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md) -##### [Manual deployment](windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md) -#### [Update Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-updates.md) -#### [Configure Microsoft Defender ATP for Mac]() -##### [Set preferences for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md) -##### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/microsoft-defender-atp-mac-pua.md) -#### [Privacy for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md) -#### [Resources for Microsoft Defender ATP for Mac](windows-defender-antivirus/microsoft-defender-atp-mac-resources.md) - - +### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) +#### [What's New](microsoft-defender-atp/mac-whatsnew.md) +#### [Deploy]() +##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md) +##### [JAMF-based 
deployment](microsoft-defender-atp/mac-install-with-jamf.md) +##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md) +##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md) +#### [Update](microsoft-defender-atp/mac-updates.md) +#### [Configure]() +##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md) +##### [Set preferences](microsoft-defender-atp/mac-preferences.md) +##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md) +#### [Troubleshoot]() +##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md) +##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md) +#### [Privacy](microsoft-defender-atp/mac-privacy.md) +#### [Resources](microsoft-defender-atp/mac-resources.md) ### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md) diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index faa3dcf853..e9761cde7b 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md 
@@ -196,7 +196,7 @@ Typical **Primary Group** values for user accounts: - **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here. -To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. +To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](https://support.microsoft.com/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag. Here's an example: Flags value from event: 0x15 
@@ -226,7 +226,7 @@ Decoding: So this UAC flags value decodes to: LOCKOUT and SCRIPT -- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event. +- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](https://support.microsoft.com/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event. - **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field. For local accounts, this field is not applicable and always has “<value not set>“ value. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index a5aaae535b..cdfc758875 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md 
@@ -184,7 +184,7 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
 - If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
 - If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index 2fa857956a..74a43afb5e 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -50,8 +50,10 @@ The following table describes the ways Microsoft Defender ATP can allow or block
 |----------|-------------|
 | [Restrict USB drives and other peripherals](#restrict-usb-drives-and-other-peripherals) | You can allow/prevent users to install only the USB drives and other peripherals included on a list of authorized/unauthorized devices or device types. |
 | [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | You can't install or use removable storage. |
-| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | You can only install and use approved peripherals that report specific properties in their firmware. |
+| [Allow installation and usage of specifically approved peripherals](#allow-installation-and-usage-of-specifically-approved-peripherals) | You can only install and use approved peripherals that report specific properties in their firmware. |
 | [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | You can't install or use prohibited peripherals that report specific properties in their firmware. |
+| [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. |
+| [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. |
 | [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. |
 | [Use Microsoft Defender ATP baseline settings](#use-microsoft-defender-atp-baseline-settings) | You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline. |
@@ -169,7 +171,7 @@ Select-Object -Property *
 7. Click **Create** to save the profile.
-### Only allow installation and usage of specifically approved peripherals
+### Allow installation and usage of specifically approved peripherals
 Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
@@ -183,6 +185,18 @@ Microsoft Defender ATP blocks installation and usage of prohibited peripherals b
 - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
 - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
+### Allow installation and usage of specifically approved peripherals with matching device instance IDs
+
+Peripherals that are allowed to be installed can be specified by their [device instance IDs](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+You can allow installation and usage of approved peripherals with matching device instance IDs by configuring [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceinstanceids) policy setting.
+
+### Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs
+
+Peripherals that are prohibited to be installed can be specified by their [device instance IDs](https://docs.microsoft.com/windows-hardware/drivers/install/device-instance-ids). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.
+
+You can prevent installation of the prohibited peripherals with matching device instance IDs by configuring [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceinstanceids) policy setting.
+
 ### Limit services that use Bluetooth
 Using Intune, you can limit the services that can use Bluetooth through the ["Bluetooth allowed services"](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-bluetooth#servicesallowedlist-usage-guide). The default state of "Bluetooth allowed services" settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and doesn’t add the file transfer GUIDs, file transfer should be blocked.
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 5f47de9db6..32bbf69dc2 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -1,7091 +1,7194 @@ ---- -title: FIPS 140 Validation -description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. -ms.prod: w10 -audience: ITPro -author: dulcemontemayor -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/03/2018 -ms.reviewer: ---- - - -# FIPS 140 Validation - -On this page - -- [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) -- [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) -- [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) -- [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) -- [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) -- [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) -- [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) -- [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) - -Updated: March 2018 - - - -## Introduction - -This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\]. - -### Audience - -This document is primarily focused on providing information for three parties: - -[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module. 
- -[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules. - -[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules. - -### Document Map - -This document is broken into seven major sections: - -[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard. - -[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated. - -[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy. - -[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules. - -[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions. - -[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated. 
- -[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates. - -## FIPS 140 Overview - -### FIPS 140 Standard - -FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). - -The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements. - -### Applicability of the FIPS standard - -Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements. - -The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification). - -### History of 140-1 - -FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002. - -### FIPS 140-2 - -FIPS 140-2 is currently the active version of the standard. 
- -### Microsoft FIPS Support Policy - -Microsoft actively maintains FIPS 140 validation for its cryptographic modules. - -### FIPS Mode of Operation - -The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method. - -## Microsoft Product Validation (Information for Procurement Officers and Auditors) - -This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used. - -### Microsoft Product Relationship with CNG and CAPI libraries - -Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services. - -The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: - -- Schannel Security Package -- Remote Desktop Protocol (RDP) Client -- Encrypting File System (EFS) -- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) 
-- BitLocker® Drive Full-volume Encryption -- IPsec Settings of Windows Firewall -- Server Message Block (SMB) 3.x - -## Information for System Integrators - -This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy. - -There are two steps to ensure that Microsoft products operate in FIPS mode: - -1. Selecting/Installing FIPS 140 validated cryptographic modules -2. Setting FIPS local/group security policy flag. - -### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules - -Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules. - -The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory. - -### Step 2 – Setting FIPS Local/Group Security Policy Flag - -The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. 
When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode. - -**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules. - -#### Instructions on Setting the FIPS Local/Group Security Policy Flag - -While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner. - -1. Open the 'Run' menu by pressing the combination 'Windows Key + R'. -2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button. -3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options. -4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'. -5. In the properties window, select the 'Enabled' option and click the 'Apply' button. - -#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy - -The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. - -- Schannel Security Package -- Remote Desktop Protocol (RDP) Client -- Encrypting File System (EFS) -- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) 
-- BitLocker® Drive Full-volume Encryption -- IPsec Settings of Windows Firewall - -#### Effects of Setting FIPS Local/Group Security Policy Flag - -When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are: - -- Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled: - -- - TLS\_RSA\_WITH\_RC4\_128\_SHA - - TLS\_RSA\_WITH\_RC4\_128\_MD5 - - SSL\_CK\_RC4\_128\_WITH\_MD5 - - SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5 - - TLS\_RSA\_WITH\_NULL\_MD5 - - TLS\_RSA\_WITH\_NULL\_SHA - -- The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to: - -- - CALG\_RSA\_KEYX - RSA public key exchange algorithm - - CALG\_3DES - Triple DES encryption algorithm - - CALG\_AES\_128 - 128 bit AES - - CALG\_AES\_256 - 256 bit AES - - CALG\_SHA1 - SHA hashing algorithm - - CALG\_SHA\_256 - 256 bit SHA hashing algorithm - - CALG\_SHA\_384 - 384 bit SHA hashing algorithm - - CALG\_SHA\_512 - 512 bit SHA hashing algorithm - -- Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception. - -- Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed. 
- -- On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer. - -Please be aware that selection of FIPS mode can limit product functionality (See ). - -## Information for Software Developers - -This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules. - -Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes. - -### Using Microsoft Cryptographic Modules in a FIPS mode of operation - -No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section. - -When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. 
It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications. - -If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries. - -### Key Strengths and Validity Periods - -NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST. - -## FIPS 140 FAQ - -The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products. - -1. How does FIPS 140 relate to the Common Criteria? - **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products. 
- In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly. -2. How does FIPS 140 relate to Suite B? - **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. - The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard. -3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me? - **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list. - Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules. -4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules? - **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against. 
- You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details). -5. What does "When operated in FIPS mode" mean on certificates? - **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy). -6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration? - **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any. -7. Is BitLocker to Go FIPS 140-2 validated? - **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules. -8. Are applications FIPS 140-2 validated? - **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. 
A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest. -9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules? - **Answer:** See [https://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx) - -## Microsoft FIPS 140 Validated Cryptographic Modules - -### Modules By Operating System - -The following tables identify the Cryptographic Modules for an operating system. - -#### Windows - -##### Windows 10 Creators Update (Version 1703) - -Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

      FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      -
      -Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

      #3094

      -

      FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      -
      -Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

      Boot Manager10.0.15063#3089

      FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

      -

      Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

      Windows OS Loader10.0.15063#3090

      FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

      -

      Other algorithms: NDRNG

      Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
      BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
      Code Integrity (ci.dll)10.0.15063#3093

      FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

      Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

      FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

      - - -\[1\] Applies only to Home, Pro, Enterprise, Education and S - -\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub - -\[3\] Applies only to Pro, Enterprise Education and S - -##### Windows 10 Anniversary Update (Version 1607) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

      FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      -
      -Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

      FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      -
      -Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

      Boot Manager10.0.14393#2931

      FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

      -

      Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

      BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      -
      -Other algorithms: NDRNG; MD5
      BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
      Code Integrity (ci.dll)10.0.14393#2935

      FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      -
      -Other algorithms: AES (non-compliant); MD5

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

      Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

      FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      -
      -Other algorithms: MD5

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

      - - -\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile - -\[3\] Applies only to Pro, Enterprise and Enterprise LTSB - -##### Windows 10 November 2015 Update (Version 1511) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

      FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      -
      -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

      FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      -
      -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

      Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
      -
      -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      -
      -Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
      Code Integrity (ci.dll)10.0.10586#2604

      FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      -
      -Other algorithms: AES (non-compliant); MD5

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

      Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

      FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      -
      -Other algorithms: MD5

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

      - - -\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub - -\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub - -\[6\] Applies only to Home, Pro and Enterprise - -\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub - -\[8\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 10 (Version 1507) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

      FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      -
      -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

      FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      -
      -Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

      Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
      -
      -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      -
      -Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
      Code Integrity (ci.dll)10.0.10240#2604

      FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      -
      -Other algorithms: AES (non-compliant); MD5

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

      Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

      FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      -
      -Other algorithms: MD5

      -

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

      - - -\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[12\] Applies only to Pro, Enterprise and Enterprise LTSB - -\[13\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 8.1 - -Validated Editions: RT, Pro, Enterprise, Phone, Embedded - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

      FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      -
      -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

      Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

      FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      -
      -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

      -

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

      Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      -
      -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      -
      -Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
      -
      -Other algorithms: N/A
      Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

      FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      -
      -Other algorithms: MD5

      -

      Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

      - - -\[14\] Applies only to Pro, Enterprise, and Embedded 8. - -##### Windows 8 - -Validated Editions: RT, Home, Pro, Enterprise, Phone - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      -
      -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      -
      -
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      -
      -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      -
      -Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: MD5
      BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
      BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
      -
      -Other algorithms: N/A
      Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: MD5
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      -
      -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
      -
      -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      -
      -Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      - - -\[15\] Applies only to Home and Pro - -**Windows 7** - -Validated Editions: Windows 7, Windows 7 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

      6.1.7600.16385

      -

      6.1.7601.17514

      1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      -
      -Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
      -
      -Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
      Kernel Mode Cryptographic Primitives Library (cng.sys)

      6.1.7600.16385

      -

      6.1.7600.16915

      -

      6.1.7600.21092

      -

      6.1.7601.17514

      -

      6.1.7601.17725

      -

      6.1.7601.17919

      -

      6.1.7601.21861

      -

      6.1.7601.22076

      1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      -
      -Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
      Boot Manager

      6.1.7600.16385

      -

      6.1.7601.17514

      1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
      -
      -Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
      -
      -Other algorithms: MD5
      Winload OS Loader (winload.exe)

      6.1.7600.16385

      -

      6.1.7600.16757

      -

      6.1.7600.20897

      -

      6.1.7600.20916

      -

      6.1.7601.17514

      -

      6.1.7601.17556

      -

      6.1.7601.21655

      -

      6.1.7601.21675

      1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
      -
      -Other algorithms: MD5
      BitLocker™ Drive Encryption

      6.1.7600.16385

      -

      6.1.7600.16429

      -

      6.1.7600.16757

      -

      6.1.7600.20536

      -

      6.1.7600.20873

      -

      6.1.7600.20897

      -

      6.1.7600.20916

      -

      6.1.7601.17514

      -

      6.1.7601.17556

      -

      6.1.7601.21634

      -

      6.1.7601.21655

      -

      6.1.7601.21675

      1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      -
      -Other algorithms: Elephant Diffuser
      Code Integrity (CI.DLL)

      6.1.7600.16385

      -

      6.1.7600.17122

      -

      6.1.7600.21320

      -

      6.1.7601.17514

      -

      6.1.7601.17950

      -

      6.1.7601.22108

      1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
      -
      -Other algorithms: MD5
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
      -(no change in SP1)
      1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      -
      -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
      Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
      -(no change in SP1)
      1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
      -
      -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      - - -##### Windows Vista SP1 - -Validated Editions: Ultimate Edition - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
      Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
      -
      -Other algorithms: MD5
      Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
      -
      -Other algorithms: MD5
      Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

      FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

      -

      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

      Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

      FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

      -

      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

      Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

      FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

      -

      Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

      FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

      -

      Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

      - - -##### Windows Vista - -Validated Editions: Ultimate Edition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      -
      -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
      -
      -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
      BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
      -
      -Other algorithms: Elephant Diffuser
      Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      -
      -Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
      - - -##### Windows XP SP3 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

      FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

      -

      Other algorithms: DES; MD5; HMAC MD5

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

      FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

      -

      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

      Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

      FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

      -

      Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

      - - -##### Windows XP SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

      -

      Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

      Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

      FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

      -

      Other algorithms: DES (Cert. #156); RC2; RC4; MD5

      - - -##### Windows XP SP1 - - ------ - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

      FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

      -

      Other algorithms: DES (Cert. #156); RC2; RC4; MD5

      - - -##### Windows XP - - ------ - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module5.1.2600.0241

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

      -

      Other algorithms: DES (Cert. #89)

      - - -##### Windows 2000 SP3 - - ------ - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

      FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

      -

      Other algorithms: DES (Certs. #89)

      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

      (Base DSS: 5.0.2195.3665 [SP3])

      -

      (Base: 5.0.2195.3839 [SP3])

      -

      (DSS/DH Enh: 5.0.2195.3665 [SP3])

      -

      (Enh: 5.0.2195.3839 [SP3]

      103

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

      -

      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

      - - -##### Windows 2000 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

      FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

      -

      Other algorithms: DES (Certs. #89)

      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

      (Base DSS:

      -

      5.0.2195.2228 [SP2])

      -

      (Base:

      -

      5.0.2195.2228 [SP2])

      -

      (DSS/DH Enh:

      -

      5.0.2195.2228 [SP2])

      -

      (Enh:

      -

      5.0.2195.2228 [SP2])

      103

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

      -

      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

      - - -##### Windows 2000 SP1 - - ------ - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

      (Base DSS: 5.0.2150.1391 [SP1])

      -

      (Base: 5.0.2150.1391 [SP1])

      -

      (DSS/DH Enh: 5.0.2150.1391 [SP1])

      -

      (Enh: 5.0.2150.1391 [SP1])

      103

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

      -

      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

      - - -##### Windows 2000 - - ------ - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

      FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

      -

      Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

      - - -##### Windows 95 and Windows 98 - - ------ - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

      FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

      -

      Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

      - - -##### Windows NT 4.0 - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
      -
      -Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
      - - -#### Windows Server - -##### Windows Server 2016 - -Validated Editions: Standard, Datacenter, Storage Server - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      -
      -Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      -
      -Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager10.0.143932931

      FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

      -

      Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

      BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      -
      -Other algorithms: NDRNG; MD5
      BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
      Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      -
      -Other algorithms: AES (non-compliant); MD5
      Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      -
      -Other algorithms: MD5
      - - -##### Windows Server 2012 R2 - -Validated Editions: Server, Storage Server, - -**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      -
      -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      -
      -Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      -
      -Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      -
      -Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
      -
      -Other algorithms: N/A
      Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      -
      -Other algorithms: MD5
      - - -\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -**Windows Server 2012** - -Validated Editions: Server, Storage Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      -
      -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      -
      -Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      -
      -Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      -
      -Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: MD5
      BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
      BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: MD5
      BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
      -
      -Other algorithms: N/A
      Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      -
      -Other algorithms: MD5
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      -
      -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      -
      -Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      - - -##### Windows Server 2008 R2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
      -
      -Other algorithms: MD5
      Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
      -
      -Other algorithms: MD5
      Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
      -
      -Other algorithms: MD5
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      -
      --Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
      Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      -
      -Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
      Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
      -
      -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      -
      -Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
      BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      -
      -Other algorithms: Elephant Diffuser
      - - -##### Windows Server 2008 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
      -
      -Other algorithms: N/A
      Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
      -
      -Other algorithms: MD5
      Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
      -
      -Other algorithms: MD5
      Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      -
      -Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      -
      -Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      -
      -Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
      -
      --Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
      Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
      -
      -Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      - - -##### Windows Server 2003 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

      FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

      -

      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

      Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

      FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

      -

      Other algorithms: DES; HMAC-MD5

      Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

      FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

      -

      Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

      - - -##### Windows Server 2003 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

      FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

      -

      Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

      -

      [1] x86
      -[2] SP1 x86, x64, IA64

      Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

      FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

      -

      Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

      -

      [1] x86
      -[2] SP1 x86, x64, IA64

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

      FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

      -

      Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

      -

      [1] x86
      -[2] SP1 x86, x64, IA64

      - - -##### Windows Server 2003 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

      FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

      -

      Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

      -

      [1] x86
      -[2] SP1 x86, x64, IA64

      Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

      FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

      -

      Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

      -

      [1] x86
      -[2] SP1 x86, x64, IA64

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

      FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

      -

      Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

      -

      [1] x86
      -[2] SP1 x86, x64, IA64

      - - -#### Other Products - -##### Windows Embedded Compact 7 and Windows Embedded Compact 8 - - ------ - - - - - - - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

      FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

      -

      Allowed algorithms: HMAC-MD5; MD5; NDRNG

      Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

      FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

      -

      Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

      - - - -##### Windows CE 6.0 and Windows Embedded Compact 7 - - ------ - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

      FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

      -

      Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

      - - -##### Outlook Cryptographic Provider - - ------ - - - - - - - - - - - - - - -
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

      FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

      -

      Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

      - - - -### Cryptographic Algorithms - -The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. - -### Advanced Encryption Standard (AES) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • AES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CFB128:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CTR:
      • -
        • -
        • Counter Source: Internal
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-OFB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -

      Microsoft Surface Hub Virtual TPM Implementations #4904

      -

      Version 10.0.15063.674

        -
      • AES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CFB128:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CTR:
      • -
        • -
        • Counter Source: Internal
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-OFB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

      -

      Version 10.0.16299

        -
      • AES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CCM:
      • -
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
        • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • -
        • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • -
        • Plain Text Length: 0-32
        • -
        • AAD Length: 0-65536
        • -
      • -
      • AES-CFB128:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CFB8:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CMAC:
      • -
        • -
        • Generation:
        • -
          • -
          • AES-128:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-192:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-256:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
        • -
        • Verification:
        • -
          • -
          • AES-128:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-192:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-256:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
        • -
      • -
      • AES-CTR:
      • -
        • -
        • Counter Source: Internal
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-ECB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-GCM:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
        • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • -
        • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • -
        • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • -
        • 96 bit IV supported
        • -
      • -
      • AES-XTS:
      • -
        • -
        • Key Size: 128:
        • -
          • -
          • Modes: Decrypt, Encrypt
          • -
          • Block Sizes: Full
          • -
        • -
        • Key Size: 256:
        • -
          • -
          • Modes: Decrypt, Encrypt
          • -
          • Block Sizes: Full
          • -
        • -
      • -

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

      -

      Version 10.0.15063.674

        -
      • AES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CCM:
      • -
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
        • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • -
        • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • -
        • Plain Text Length: 0-32
        • -
        • AAD Length: 0-65536
        • -
      • -
      • AES-CFB128:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CFB8:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CMAC:
      • -
        • -
        • Generation:
        • -
          • -
          • AES-128:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-192:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-256:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
        • -
        • Verification:
        • -
          • -
          • AES-128:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-192:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-256:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
        • -
      • -
      • AES-CTR:
      • -
        • -
        • Counter Source: Internal
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-ECB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-GCM:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
        • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • -
        • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • -
        • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • -
        • 96 bit IV supported
        • -
      • -
      • AES-XTS:
      • -
        • -
        • Key Size: 128:
        • -
          • -
          • Modes: Decrypt, Encrypt
          • -
          • Block Sizes: Full
          • -
        • -
        • Key Size: 256:
        • -
          • -
          • Modes: Decrypt, Encrypt
          • -
          • Block Sizes: Full
          • -
        • -
      • -

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

      -

      Version 10.0.15254

        -
      • AES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CCM:
      • -
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
        • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • -
        • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • -
        • Plain Text Length: 0-32
        • -
        • AAD Length: 0-65536
        • -
      • -
      • AES-CFB128:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CFB8:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-CMAC:
      • -
        • -
        • Generation:
        • -
          • -
          • AES-128:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-192:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-256:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
        • -
        • Verification:
        • -
          • -
          • AES-128:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-192:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
          • AES-256:
          • -
            • -
            • Block Sizes: Full, Partial
            • -
            • Message Length: 0-65536
            • -
            • Tag Length: 16-16
            • -
          • -
        • -
      • -
      • AES-CTR:
      • -
        • -
        • Counter Source: Internal
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-ECB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
      • -
      • AES-GCM:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • IV Generation: External
        • -
        • Key Lengths: 128, 192, 256 (bits)
        • -
        • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • -
        • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • -
        • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • -
        • 96 bit IV supported
        • -
      • -
      • AES-XTS:
      • -
        • -
        • Key Size: 128:
        • -
          • -
          • Modes: Decrypt, Encrypt
          • -
          • Block Sizes: Full
          • -
        • -
        • Key Size: 256:
        • -
          • -
          • Modes: Decrypt, Encrypt
          • -
          • Block Sizes: Full
          • -
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

      -

      Version 10.0.16299

      AES-KW:

      -
        -
      • Modes: Decrypt, Encrypt
      • -
      • CIPHK transformation direction: Forward
      • -
      • Key Lengths: 128, 192, 256 (bits)
      • -
      • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • -
      -

      AES Val#4902

      Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

      -

      Version 10.0.15063.674

      AES-KW:

      -
        -
      • Modes: Decrypt, Encrypt
      • -
      • CIPHK transformation direction: Forward
      • -
      • Key Lengths: 128, 192, 256 (bits)
      • -
      • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • -
      -

      AES Val#4901

      Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

      -

      Version 10.0.15254

      AES-KW:

      -
        -
      • Modes: Decrypt, Encrypt
      • -
      • CIPHK transformation direction: Forward
      • -
      • Key Lengths: 128, 192, 256 (bits)
      • -
      • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • -
      -

      AES Val#4897

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

      -

      Version 10.0.16299

      AES-CCM:

      -
        -
      • Key Lengths: 256 (bits)
      • -
      • Tag Lengths: 128 (bits)
      • -
      • IV Lengths: 96 (bits)
      • -
      • Plain Text Length: 0-32
      • -
      • AAD Length: 0-65536
      • -
      -

      AES Val#4902

      Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

      -

      Version 10.0.15063.674

      AES-CCM:

      -
        -
      • Key Lengths: 256 (bits)
      • -
      • Tag Lengths: 128 (bits)
      • -
      • IV Lengths: 96 (bits)
      • -
      • Plain Text Length: 0-32
      • -
      • AAD Length: 0-65536
      • -
      -

      AES Val#4901

      Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

      -

      Version 10.0.15254

      AES-CCM:

      -
        -
      • Key Lengths: 256 (bits)
      • -
      • Tag Lengths: 128 (bits)
      • -
      • IV Lengths: 96 (bits)
      • -
      • Plain Text Length: 0-32
      • -
      • AAD Length: 0-65536
      • -
      -

      AES Val#4897

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

      -

      Version 10.0.16299

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB128 ( e/d; 128 , 192 , 256 );

      -

      OFB ( e/d; 128 , 192 , 256 );

      -

      CTR ( int only; 128 , 192 , 256 )

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

      -

      Version 10.0.15063

      KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

      -

      AES Val#4624

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

      -

      Version 10.0.15063

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      -

      AES Val#4624

      -

       

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

      -

      Version 10.0.15063

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

      CFB128 ( e/d; 128 , 192 , 256 );

      -

      CTR ( int only; 128 , 192 , 256 )

      -

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      -

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

      -

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

      -

      (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

      -

      IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

      -

      GMAC_Supported

      -

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

      -

      Version 10.0.15063

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

      -

      Version 7.00.2872

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

      -

      Version 8.00.6246

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CTR ( int only; 128 , 192 , 256 )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

      -

      Version 7.00.2872

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CTR ( int only; 128 , 192 , 256 )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

      -

      Version 8.00.6246

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB128 ( e/d; 128 , 192 , 256 );

      -

      OFB ( e/d; 128 , 192 , 256 );

      -

      CTR ( int only; 128 , 192 , 256 )

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

      -

      Version 10.0.14393

      ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

      -

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      -

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      -

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
      -GMAC_Supported

      -

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

      -

      Version 10.0.14393

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

       

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
      -Version 10.0.14393

      KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

      -

      AES Val#4064

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

      -

      Version 10.0.14393

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      -

      AES Val#4064

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

      -

      Version 10.0.14393

      KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

      -

      AES Val#3629

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

      -

      Version 10.0.10586

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      -

      AES Val#3629

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

      -

      Version 10.0.10586

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

       

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
      -Version 10.0.10586

      ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

      -

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      -

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      -

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
      -GMAC_Supported

      -

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
      -
      -

      -

      Version 10.0.10586

      KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

      -

      AES Val#3497

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

      -

      Version 10.0.10240

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      -

      AES Val#3497

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

      -

      Version 10.0.10240

      ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

      -

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      -

      CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      -

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
      -GMAC_Supported

      -

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
      -Version 10.0.10240

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

       

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
      -Version 10.0.10240

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

       

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

      -

      Version 6.3.9600

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      -

      AES Val#2832

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

      -

      Version 6.3.9600

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      -

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      -

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

      -

      (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

      -

      IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
      -OtherIVLen_Supported
      -GMAC_Supported

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

      -

      Version 6.3.9600

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
      -AES Val#2197

      -

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
      -AES Val#2197

      -

      GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      -IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
      -GMAC_Supported

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      -

      AES Val#2196

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

      CFB128 ( e/d; 128 , 192 , 256 );

      -

      CTR ( int only; 128 , 192 , 256 )

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

       

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
      -AES Val#1168

      Windows Server 2008 R2 and SP1 CNG algorithms #1187

      -

      Windows 7 Ultimate and SP1 CNG algorithms #1178

      CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
      -AES Val#1168
      Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      -

       

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

      GCM

      -

      GMAC

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
      CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      Windows Server 2008 CNG algorithms #757

      -

      Windows Vista Ultimate SP1 CNG algorithms #756

      CBC ( e/d; 128 , 256 );

      -

      CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

      Windows Vista Ultimate BitLocker Drive Encryption #715

      -

      Windows Vista Ultimate BitLocker Drive Encryption #424

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CFB8 ( e/d; 128 , 192 , 256 );

      Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

      -

      Windows Vista Symmetric Algorithm Implementation #553

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      -

      CTR ( int only; 128 , 192 , 256 )

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

      ECB ( e/d; 128 , 192 , 256 );

      -

      CBC ( e/d; 128 , 192 , 256 );

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

      -

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

      -

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

      -

      Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

      -

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

      -

      Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

      -

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

      -

      Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

      -

      Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

      -

      Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

      - - -Deterministic Random Bit Generator (DRBG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • Counter:
      • -
        • -
        • Modes: AES-256
        • -
        • Derivation Function States: Derivation Function not used
        • -
        • Prediction Resistance Modes: Not Enabled
        • -
      • -
      -

      Prerequisite: AES #4904

      Microsoft Surface Hub Virtual TPM Implementations #1734

      -

      Version 10.0.15063.674

        -
      • Counter:
      • -
        • -
        • Modes: AES-256
        • -
        • Derivation Function States: Derivation Function not used
        • -
        • Prediction Resistance Modes: Not Enabled
        • -
      • -
      -

      Prerequisite: AES #4903

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

      -

      Version 10.0.16299

        -
      • Counter:
      • -
        • -
        • Modes: AES-256
        • -
        • Derivation Function States: Derivation Function used
        • -
        • Prediction Resistance Modes: Not Enabled
        • -
      • -
      -

      Prerequisite: AES #4902

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

      -

      Version 10.0.15063.674

        -
      • Counter:
      • -
        • -
        • Modes: AES-256
        • -
        • Derivation Function States: Derivation Function used
        • -
        • Prediction Resistance Modes: Not Enabled
        • -
      • -
      -

      Prerequisite: AES #4901

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

      -

      Version 10.0.15254

        -
      • Counter:
      • -
        • -
        • Modes: AES-256
        • -
        • Derivation Function States: Derivation Function used
        • -
        • Prediction Resistance Modes: Not Enabled
        • -
      • -
      -

      Prerequisite: AES #4897

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

      -

      Version 10.0.16299

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

      -

      Version 10.0.15063

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

      -

      Version 10.0.15063

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

      -

      Version 7.00.2872

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

      -

      Version 8.00.6246

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

      -

      Version 7.00.2872

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

      -

      Version 8.00.6246

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

      -

      Version 10.0.14393

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

      -

      Version 10.0.14393

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

      -

      Version 10.0.10586

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

      -

      Version 10.0.10240

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

      -

      Version 6.3.9600

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
      DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
      - - -#### Digital Signature Algorithm (DSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • DSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • PQGGen:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • PQGVer:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • SigGen:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • SigVer:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • KeyPair:
          • -
            • -
            • L = 2048, N = 256
            • -
            • L = 3072, N = 256
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

      -

      Version 10.0.15063.674

        -
      • DSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • PQGGen:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • PQGVer:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • SigGen:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • SigVer:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • KeyPair:
          • -
            • -
            •  
            • -
            •  
            • -
            • L = 2048, N = 256
            • -
            • L = 3072, N = 256
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

      -

      Version 10.0.15254

        -
      • DSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • PQGGen:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • PQGVer:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • SigGen:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • SigVer:
          • -
            • -
            • L = 2048, N = 256 SHA: SHA-256
            • -
            • L = 3072, N = 256 SHA: SHA-256
            • -
          • -
          • KeyPair:
          • -
            • -
            • L = 2048, N = 256
            • -
            • L = 3072, N = 256
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

      -

      Version 10.0.16299

      FIPS186-4:

      -

      PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

      -

      PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      -

      KeyPairGen:   [ (2048,256) ; (3072,256) ]

      -

      SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

      -

      SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      -

      SHS: Val#3790

      -

      DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

      -

      Version 10.0.15063

      FIPS186-4:
      -PQG(ver)PARMS TESTED:
        [ (1024,160) SHA( 1 ); ]
      -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
      -SHS: Val# 3649

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

      -

      Version 7.00.2872

      FIPS186-4:
      -PQG(ver)PARMS TESTED:
        [ (1024,160) SHA( 1 ); ]
      -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
      -SHS: Val#3648

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

      -

      Version 8.00.6246

      FIPS186-4:
      -PQG(gen)
      PARMS TESTED: [
      -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      -KeyPairGen:    [ (2048,256) ; (3072,256) ]
      -SIG(gen)PARMS TESTED:   [ (2048,256)
      -SHA( 256 ); (3072,256) SHA( 256 ); ]
      -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      -

      SHS: Val# 3347
      -DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

      -

      Version 10.0.14393

      FIPS186-4:
      -PQG(gen)
      PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
      -KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
      -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      -

      SHS: Val# 3047
      -DRBG: Val# 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

      -

      Version 10.0.10586

      FIPS186-4:
      -PQG(gen)
      PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      -KeyPairGen:    [ (2048,256) ; (3072,256) ]
      -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      -

      SHS: Val# 2886
      -DRBG: Val# 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

      -

      Version 10.0.10240

      FIPS186-4:
      -PQG(gen)
      PARMS TESTED:   [
      -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      -PQG(ver)PARMS TESTED:   [ (2048,256)
      -SHA( 256 ); (3072,256) SHA( 256 ) ]
      -KeyPairGen:    [ (2048,256) ; (3072,256) ]
      -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
      -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      -

      SHS: Val# 2373
      -DRBG: Val# 489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

      -

      Version 6.3.9600

      FIPS186-2:
      -PQG(ver) MOD(1024);
      -SIG(ver) MOD(1024);
      -SHS: #1903
      -DRBG: #258

      -

      FIPS186-4:
      -PQG(gen)PARMS TESTED
      : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      -PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      -SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
      -SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      -SHS: #1903
      -DRBG: #258
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
      FIPS186-2:
      -PQG(ver)
      MOD(1024);
      -SIG(ver) MOD(1024);
      -SHS: #1902
      -DRBG: #258
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 1773
      -DRBG: Val# 193
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 1081
      -DRBG: Val# 23
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

      Windows Server 2008 R2 and SP1 CNG algorithms #391

      -

      Windows 7 Ultimate and SP1 CNG algorithms #386

      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 1081
      -RNG: Val# 649
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

      Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

      -

      Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 753
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

      Windows Server 2008 CNG algorithms #284

      -

      Windows Vista Ultimate SP1 CNG algorithms #283

      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 753
      -RNG: Val# 435
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

      Windows Server 2008 Enhanced DSS (DSSENH) #282

      -

      Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 618
      -RNG: Val# 321
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

      Windows Vista CNG algorithms #227

      -

      Windows Vista Enhanced DSS (DSSENH) #226

      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 784
      -RNG: Val# 448
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
      FIPS186-2:
      -SIG(ver)
      MOD(1024);
      -SHS: Val# 783
      -RNG: Val# 447
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
      FIPS186-2:
      -PQG(gen)
      MOD(1024);
      -PQG(ver) MOD(1024);
      -KEYGEN(Y) MOD(1024);
      -SIG(gen) MOD(1024);
      -SIG(ver) MOD(1024);
      -SHS: Val# 611
      -RNG: Val# 314
      Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
      FIPS186-2:
      -PQG(gen)
      MOD(1024);
      -PQG(ver) MOD(1024);
      -KEYGEN(Y) MOD(1024);
      -SIG(gen) MOD(1024);
      -SIG(ver) MOD(1024);
      -SHS: Val# 385
      Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
      FIPS186-2:
      -PQG(ver)
      MOD(1024);
      -KEYGEN(Y) MOD(1024);
      -SIG(gen) MOD(1024);
      -SIG(ver) MOD(1024);
      -SHS: Val# 181
      -
      -
      Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
      FIPS186-2:
      -PQG(gen)
      MOD(1024);
      -PQG(ver) MOD(1024);
      -KEYGEN(Y) MOD(1024);
      -SIG(gen) MOD(1024);
      -SHS: SHA-1 (BYTE)
      -SIG(ver) MOD(1024);
      -SHS: SHA-1 (BYTE)

      Windows 2000 DSSENH.DLL #29

      -

      Windows 2000 DSSBASE.DLL #28

      -

      Windows NT 4 SP6 DSSENH.DLL #26

      -

      Windows NT 4 SP6 DSSBASE.DLL #25

      FIPS186-2: PRIME;
      -FIPS186-2:

      -

      KEYGEN(Y):
      -SHS: SHA-1 (BYTE)

      -

      SIG(gen):
      -SIG(ver)
      MOD(1024);
      -SHS: SHA-1 (BYTE)

      Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
      - - -#### Elliptic Curve Digital Signature Algorithm (ECDSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
            • Generation Methods: Extra Random Bits
            • -
          • -
          • Public Key Validation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
          • -
          • Signature Generation:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
          • Signature Verification:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #2373, DRBG #489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

      -

      Version 6.3.9600

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384
            • -
            • Generation Methods: Testing Candidates
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1734

      Microsoft Surface Hub Virtual TPM Implementations #1253

      -

      Version 10.0.15063.674

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384
            • -
            • Generation Methods: Testing Candidates
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1733

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

      -

      Version 10.0.16299

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
            • Generation Methods: Extra Random Bits
            • -
          • -
          • Public Key Validation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
          • -
          • Signature Generation:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
          • Signature Verification:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

      -

      Version 10.0.15063.674

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
            • Generation Methods: Extra Random Bits
            • -
          • -
          • Public Key Validation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
          • -
          • Signature Generation:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
          • Signature Verification:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

      -

      Version 10.0.15063.674

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
            • Generation Methods: Extra Random Bits
            • -
          • -
          • Public Key Validation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
          • -
          • Signature Generation:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
          • Signature Verification:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

      -

      Version 10.0.15254

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
            • Generation Methods: Extra Random Bits
            • -
          • -
          • Public Key Validation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
          • -
          • Signature Generation:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
          • Signature Verification:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

      -

      Version 10.0.15254

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
            • Generation Methods: Extra Random Bits
            • -
          • -
          • Public Key Validation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
          • -
          • Signature Generation:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
          • Signature Verification:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

      -

      Version 10.0.16299

        -
      • ECDSA:
      • -
        • -
        • 186-4:
        • -
          • -
          • Key Pair Generation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
            • Generation Methods: Extra Random Bits
            • -
          • -
          • Public Key Validation:
          • -
            • -
            • Curves: P-256, P-384, P-521
            • -
          • -
          • Signature Generation:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
          • Signature Verification:
          • -
            • -
            • P-256 SHA: SHA-256
            • -
            • P-384 SHA: SHA-384
            • -
            • P-521 SHA: SHA-512
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

      -

      Version 10.0.16299

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 TestingCandidates )
      -SHS: Val#3790
      -DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

      -

      Version 10.0.15063

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -PKV: CURVES( P-256 P-384 P-521 )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      -SHS: Val#3790
      -DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

      -

      Version 10.0.15063

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -PKV: CURVES( P-256 P-384 P-521 )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      -SHS: Val#3790
      -DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

      -

      Version 10.0.15063

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -PKV: CURVES( P-256 P-384 P-521 )
      -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
      -SHS:Val# 3649
      -DRBG:Val# 1430

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

      -

      Version 7.00.2872

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -PKV: CURVES( P-256 P-384 P-521 )
      -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
      -SHS:Val#3648
      -DRBG:Val# 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

      -

      Version 8.00.6246

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 TestingCandidates )
      -PKV: CURVES( P-256 P-384 )
      -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

      -

      SHS: Val# 3347
      -DRBG: Val# 1222

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

      -

      Version 10.0.14393

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -PKV: CURVES( P-256 P-384 P-521 )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      -

      SHS: Val# 3347
      -DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

      -

      Version 10.0.14393

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      -

      SHS: Val# 3047
      -DRBG: Val# 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

      -

      Version 10.0.10586

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      -

      SHS: Val# 2886
      -DRBG: Val# 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

      -

      Version 10.0.10240

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      -

      SHS: Val#2373
      -DRBG: Val# 489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

      -

      Version 6.3.9600

      FIPS186-2:
      -PKG: CURVES
      ( P-256 P-384 P-521 )
      -SHS: #1903
      -DRBG: #258
      -SIG(ver):CURVES( P-256 P-384 P-521 )
      -SHS: #1903
      -DRBG: #258

      -

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      -SHS: #1903
      -DRBG: #258
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

      FIPS186-2:
      -PKG: CURVES
      ( P-256 P-384 P-521 )
      -SHS: Val#1773
      -DRBG: Val# 193
      -SIG(ver): CURVES( P-256 P-384 P-521 )
      -SHS: Val#1773
      -DRBG: Val# 193

      -

      FIPS186-4:
      -PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      -SHS: Val#1773
      -DRBG: Val# 193
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
      FIPS186-2:
      -PKG: CURVES
      ( P-256 P-384 P-521 )
      -SHS: Val#1081
      -DRBG: Val# 23
      -SIG(ver): CURVES( P-256 P-384 P-521 )
      -SHS: Val#1081
      -DRBG: Val# 23
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

      Windows Server 2008 R2 and SP1 CNG algorithms #142

      -

      Windows 7 Ultimate and SP1 CNG algorithms #141

      FIPS186-2:
      -PKG: CURVES
      ( P-256 P-384 P-521 )
      -SHS: Val#753
      -SIG(ver): CURVES( P-256 P-384 P-521 )
      -SHS: Val#753
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

      Windows Server 2008 CNG algorithms #83

      -

      Windows Vista Ultimate SP1 CNG algorithms #82

      FIPS186-2:
      -PKG: CURVES
      ( P-256 P-384 P-521 )
      -SHS: Val#618
      -RNG: Val# 321
      -SIG(ver): CURVES( P-256 P-384 P-521 )
      -SHS: Val#618
      -RNG: Val# 321
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
      Windows Vista CNG algorithms #60
      - - -#### Keyed-Hash Message Authentication Code (HMAC) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • HMAC-SHA-1:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-256:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-384:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      -

      Prerequisite: SHS #4011

      Microsoft Surface Hub Virtual TPM Implementations #3271

      -

      Version 10.0.15063.674

        -
      • HMAC-SHA-1:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-256:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-384:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      -

      Prerequisite: SHS #4009

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

      -

      Version 10.0.16299

        -
      • HMAC-SHA-1:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-256:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-384:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-512:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      -

      Prerequisite: SHS #4011

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

      -

      Version 10.0.15063.674

        -
      • HMAC-SHA-1:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-256:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-384:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-512:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      -

      Prerequisite: SHS #4010

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

      -

      Version 10.0.15254

        -
      • HMAC-SHA-1:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-256:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-384:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      • HMAC-SHA2-512:
      • -
        • -
        • Key Sizes &lt; Block Size
        • -
        • Key Sizes &gt; Block Size
        • -
        • Key Sizes = Block Size
        • -
      • -
      -

      Prerequisite: SHS #4009

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

      -

      Version 10.0.16299

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

      -

      Version 10.0.15063

      HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

      -

      Version 10.0.15063

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

      -

      Version 7.00.2872

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

      -

      Version 8.00.6246

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

      -

      Version 7.00.2872

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

      -

      Version 8.00.6246

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      -SHS Val# 3347

      -

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      -SHS Val# 3347

      -

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      -SHS Val# 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

      -

      Version 10.0.14393

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

      -

      Version 10.0.14393

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      -SHS Val# 3047

      -

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      -SHS Val# 3047

      -

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      -SHS Val# 3047

      -

      HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
      -SHS Val# 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

      -

      Version 10.0.10586

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      -SHSVal# 2886

      -

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      -SHSVal# 2886

      -

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      - SHSVal# 2886

      -

      HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
      -SHSVal# 2886

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

      -

      Version 10.0.10240

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      -SHS Val#2373

      -

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      -SHS Val#2373

      -

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      -SHS Val#2373

      -

      HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
      -SHS Val#2373

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

      -

      Version 6.3.9600

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

      Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

      -

      Version 5.2.29344

      HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

      -

      SHS#1903

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

      -

      SHS#1903

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

      -

      SHS#1903

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

      -

      SHS#1903

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

      -

      Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

      Windows Server 2008 R2 and SP1 CNG algorithms #686

      -

      Windows 7 and SP1 CNG algorithms #677

      -

      Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

      -

      Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

      HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

      HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

      Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

      Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

      -

      Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

      -

      Windows XP, vendor-affirmed

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      Windows Server 2008 CNG algorithms #413

      -

      Windows Vista Ultimate SP1 CNG algorithms #412

      HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

      Windows Vista Ultimate BitLocker Drive Encryption #386

      HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      Windows Vista CNG algorithms #298

      HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

      HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

      Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

      HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

      Windows Vista BitLocker Drive Encryption #199
      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

      -

      Windows XP, vendor-affirmed

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

      -

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

      -

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

      -

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
      - - -#### Key Agreement Scheme (KAS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • KAS ECC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
        • -
        • Schemes:
        • -
          • -
          • Full Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • KDFs: Concatenation
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

      Microsoft Surface Hub Virtual TPM Implementations #150

      -

      Version 10.0.15063.674

        -
      • KAS ECC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
        • -
        • Schemes:
        • -
          • -
          • Full Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • KDFs: Concatenation
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

      -

      Version 10.0.16299

        -
      • KAS ECC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • -
        • Schemes:
        • -
          • -
          • Ephemeral Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • KDFs: Concatenation
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • One Pass DH:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • Static Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

      -
        -
      • KAS FFC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • -
        • Schemes:
        • -
          • -
          • dhEphem:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • dhOneFlow:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • dhStatic:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DSA #1303, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

      -

      Version 10.0.15063.674

        -
      • KAS ECC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • -
        • Schemes:
        • -
          • -
          • Ephemeral Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • KDFs: Concatenation
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • One Pass DH:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • Static Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

      -
        -
      • KAS FFC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • -
        • Schemes:
        • -
          • -
          • dhEphem:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • dhOneFlow:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • dhStatic:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, DSA #1302, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

      -

      Version 10.0.15254

        -
      • KAS ECC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • -
        • Schemes:
        • -
          • -
          • Ephemeral Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • KDFs: Concatenation
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • One Pass DH:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • Static Unified:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • EC:
              • -
                • -
                • Curve: P-256
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • ED:
              • -
                • -
                • Curve: P-384
                • -
                • SHA: SHA-384
                • -
                • MAC: HMAC
                • -
              • -
              • EE:
              • -
                • -
                • Curve: P-521
                • -
                • SHA: SHA-512
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

      -
        -
      • KAS FFC:
      • -
        • -
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • -
        • Schemes:
        • -
          • -
          • dhEphem:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • dhOneFlow:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
          • dhStatic:
          • -
            • -
            • Key Agreement Roles: Initiator, Responder
            • -
            • Parameter Sets:
            • -
              • -
              • FB:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
              • FC:
              • -
                • -
                • SHA: SHA-256
                • -
                • MAC: HMAC
                • -
              • -
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DSA #1301, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

      -

      Version 10.0.16299

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

      -

      SHS Val#3790
      -DSA Val#1135
      -DRBG Val#1556

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

      -

      Version 10.0.15063

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      -( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      -SHS Val#3790
      -DSA Val#1223
      -DRBG Val#1555

      -

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -
      -SHS Val#3790
      -ECDSA Val#1133
      -DRBG Val#1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

      -

      Version 10.0.15063

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      -( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      -SHS Val# 3649
      -DSA Val#1188
      -DRBG Val#1430

      -

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

      -

      Version 7.00.2872

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      -( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      -SHS Val#3648
      -DSA Val#1187
      -DRBG Val#1429

      -

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -
      -SHS Val#3648
      -ECDSA Val#1072
      -DRBG Val#1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

      -

      Version 8.00.6246

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
      -SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

      -

      SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

      -

      Version 10.0.14393

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
      -SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      -( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      -

      SHS Val# 3347 DSA Val#1098 DRBG Val#1217

      -

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      -

      SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

      -

      Version 10.0.14393

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      -( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      -

      SHS Val# 3047 DSA Val#1024 DRBG Val#955

      -

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      -

      SHS Val# 3047 ECDSA Val#760 DRBG Val#955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

      -

      Version 10.0.10586

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      -( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      -

      SHS Val# 2886 DSA Val#983 DRBG Val#868

      -

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      -

      SHS Val# 2886 ECDSA Val#706 DRBG Val#868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

      -

      Version 10.0.10240

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      -( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      -

      SHS Val#2373 DSA Val#855 DRBG Val#489

      -

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      -[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      -

      SHS Val#2373 ECDSA Val#505 DRBG Val#489

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

      -

      Version 6.3.9600

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      -( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
      -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
      -SHS #1903 DSA Val#687 DRBG #258

      -

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      -[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
      -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
      -
      -SHS #1903 ECDSA Val#341 DRBG #258

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

      KAS (SP 800–56A)

      -

      key agreement

      -

      key establishment methodology provides 80 to 256 bits of encryption strength

      Windows 7 and SP1, vendor-affirmed

      -

      Windows Server 2008 R2 and SP1, vendor-affirmed

      - - -SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • Counter:
      • -
        • -
        • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
        • -
      • -
      -

      MAC prerequisite: HMAC #3271

      -
      -
        -
      • Counter Location: Before Fixed Data
      • -
      • R Length: 32 (bits)
      • -
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • -
      -
      -

      K prerequisite: DRBG #1734, KAS #150

      Microsoft Surface Hub Virtual TPM Implementations #161

      -

      Version 10.0.15063.674

        -
      • Counter:
      • -
        • -
        • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
        • -
      • -
      -

      MAC prerequisite: HMAC #3270

      -
      -
        -
      • Counter Location: Before Fixed Data
      • -
      • R Length: 32 (bits)
      • -
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • -
      -
      -

      K prerequisite: DRBG #1733, KAS #149

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

      -

      Version 10.0.16299

        -
      • Counter:
      • -
        • -
        • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • -
      • -
      -

      MAC prerequisite: AES #4902, HMAC #3269

      -
      -
        -
      • Counter Location: Before Fixed Data
      • -
      • R Length: 32 (bits)
      • -
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • -
      • K prerequisite: KAS #148
      • -
      -

      Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

      -

      Version 10.0.15063.674

        -
      • Counter:
      • -
        • -
        • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • -
      • -
      -

      MAC prerequisite: AES #4901, HMAC #3268

      -
      -
        -
      • Counter Location: Before Fixed Data
      • -
      • R Length: 32 (bits)
      • -
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • -
      -
      -

      K prerequisite: KAS #147

      Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

      -

      Version 10.0.15254

        -
      • Counter:
      • -
        • -
        • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • -
      • -
      -

      MAC prerequisite: AES #4897, HMAC #3267

      -
      -
        -
      • Counter Location: Before Fixed Data
      • -
      • R Length: 32 (bits)
      • -
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • -
      -
      -

      K prerequisite: KAS #146

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

      -

      Version 10.0.16299

      CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
      -
      -KAS Val#128
      -DRBG Val#1556
      -MAC Val#3062

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

      -

      Version 10.0.15063

      CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
      -
      -KAS Val#127
      -AES Val#4624
      -DRBG Val#1555
      -MAC Val#3061

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

      -

      Version 10.0.15063

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      -

      KAS Val#93 DRBG Val#1222 MAC Val#2661

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

      -

      Version 10.0.14393

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      -

      KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

      -

      Version 10.0.14393

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      -

      KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

      -

      Version 10.0.10586

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      -

      KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

      -

      Version 10.0.10240

      CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      -

      DRBG Val#489 MAC Val#1773

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

      -

      Version 6.3.9600

      CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      -

      DRBG #258 HMAC Val#1345

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
      - - -Random Number Generator (RNG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #

      FIPS 186-2 General Purpose

      -

      [ (x-Original); (SHA-1) ]

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
      FIPS 186-2
      -[ (x-Original); (SHA-1) ]

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

      -

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

      -

      Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

      -

      Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

      FIPS 186-2
      -[ (x-Change Notice); (SHA-1) ]

      -

      FIPS 186-2 General Purpose
      -[ (x-Change Notice); (SHA-1) ]

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

      -

      Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

      -

      Windows Vista RNG implementation #321

      FIPS 186-2 General Purpose
      -[ (x-Change Notice); (SHA-1) ]

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

      -

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

      -

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

      -

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

      -

      Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

      FIPS 186-2
      -[ (x-Change Notice); (SHA-1) ]

      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

      -

      Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

      - - -#### RSA - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1734

      Microsoft Surface Hub Virtual TPM Implementations #2677

      -

      Version 10.0.15063.674

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 240 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 1024:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1733

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

      -

      Version 10.0.16299

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Key Generation:
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub RSA32 Algorithm Implementations #2675

      -

      Version 10.0.15063.674

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

      -

      Version 10.0.16299

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

      -

      Version 10.0.15254

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Key Generation:
        • -
          • -
          • Public Key Exponent: Fixed (10001)
          • -
          • Provable Primes with Conditions:
          • -
            • -
            • Mod lengths: 2048, 3072 (bits)
            • -
            • Primality Tests: C.3
            • -
          • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 1024:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 496 (bits)
            • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

      -

      Version 10.0.15063.674

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Key Generation:
        • -
          • -
          • Probable Random Primes:
          • -
            • -
            • Mod lengths: 2048, 3072 (bits)
            • -
            • Primality Tests: C.2
            • -
          • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 1024:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 496 (bits)
            • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

      -

      Version 10.0.15063.674

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Key Generation:
        • -
          • -
          • Probable Random Primes:
          • -
            • -
            • Mod lengths: 2048, 3072 (bits)
            • -
            • Primality Tests: C.2
            • -
          • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 1024:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 496 (bits)
            • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

      -

      Version 10.0.15254

      RSA:

      -
        -
      • 186-4:
      • -
        • -
        • Key Generation:
        • -
          • -
          • Public Key Exponent: Fixed (10001)
          • -
          • Provable Primes with Conditions:
          • -
            • -
            • Mod lengths: 2048, 3072 (bits)
            • -
            • Primality Tests: C.3
            • -
          • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 1024:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 496 (bits)
            • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

      -

      Version 10.0.15254

        -
      • 186-4:
      • -
        • -
        • Key Generation:
        • -
          • -
          • Public Key Exponent: Fixed (10001)
          • -
          • Provable Primes with Conditions:
          • -
            • -
            • Mod lengths: 2048, 3072 (bits)
            • -
            • Primality Tests: C.3
            • -
          • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 1024:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 496 (bits)
            • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

      -

      Version 10.0.16299

        -
      • 186-4:
      • -
        • -
        • Key Generation:
        • -
          • -
          • Probable Random Primes:
          • -
            • -
            • Mod lengths: 2048, 3072 (bits)
            • -
            • Primality Tests: C.2
            • -
          • -
        • -
        • Signature Generation PKCS1.5:
        • -
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Generation PSS:
        • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
        • Signature Verification PKCS1.5:
        • -
          • -
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • -
        • -
        • Signature Verification PSS:
        • -
          • -
          • Mod 1024:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 496 (bits)
            • -
          • -
          • Mod 2048:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
          • Mod 3072:
          • -
            • -
            • SHA-1: Salt Length: 160 (bits)
            • -
            • SHA-256: Salt Length: 256 (bits)
            • -
            • SHA-384: Salt Length: 384 (bits)
            • -
            • SHA-512: Salt Length: 512 (bits)
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

      -

      Version 10.0.16299

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
      -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
      -SHA Val#3790

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

      -

      Version 10.0.15063

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      -SHA Val#3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

      -

      Version 10.0.15063

      FIPS186-4:
      -186-4KEY(gen):
      FIPS186-4_Fixed_e ( 10001 ) ;
      -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
      -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      -SHA Val#3790
      -DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

      -

      Version 10.0.15063

      FIPS186-4:
      -186-4KEY(gen):
      -PGM(ProbRandom:
      ( 2048 , 3072 ) PPTT:( C.2 )
      -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      -SHA Val#3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

      -

      Version 10.0.15063

      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

      -

      FIPS186-4:
      -ALG[ANSIX9.31]
      Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
      -SIG(gen) with SHA-1 affirmed for use with protocols only.
      Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
      -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      -SHA Val#3652

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

      -

      Version 7.00.2872

      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

      -

      FIPS186-4:
      -ALG[ANSIX9.31]
      Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
      -SIG(gen) with SHA-1 affirmed for use with protocols only.
      Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
      -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      -SHA Val#3651

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

      -

      Version 8.00.6246

      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

      -

      FIPS186-4:
      -186-4KEY(gen):
      FIPS186-4_Fixed_e (10001) ;
      -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
      -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      -SHA Val# 3649
      -DRBG: Val# 1430

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

      -

      Version 7.00.2872

      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

      -

      FIPS186-4:
      -186-4KEY(gen):
      FIPS186-4_Fixed_e (10001) ;
      -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
      -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      -SHA Val#3648
      -DRBG: Val# 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

      -

      Version 8.00.6246

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
      -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

      -

      SHA Val# 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

      -

      Version 10.0.14393

      FIPS186-4:
      -186-4KEY(gen):
      FIPS186-4_Fixed_e ( 10001 ) ;
      -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      -

      SHA Val# 3347 DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

      -

      Version 10.0.14393

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val#3346

      soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

      -

      Version 10.0.14393

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val# 3347 DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

      -

      Version 10.0.14393

      FIPS186-4:
      -[RSASSA-PSS]: Sig(Gen):
      (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      -

      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      -

      SHA Val# 3347 DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

      -

      Version 10.0.14393

      FIPS186-4:
      -186-4KEY(gen)
      :  FIPS186-4_Fixed_e ( 10001 ) ;
      -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      -

      SHA Val# 3047 DRBG: Val# 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

      -

      Version 10.0.10586

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val#3048

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

      -

      Version 10.0.10586

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val# 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

      -

      Version 10.0.10586

      FIPS186-4:
      -[RSASSA-PSS]: Sig(Gen)
      : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      -

      SHA Val# 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

      -

      Version 10.0.10586

      FIPS186-4:
      -186-4KEY(gen):
      FIPS186-4_Fixed_e ( 10001 ) ;
      -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      -

      SHA Val# 2886 DRBG: Val# 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

      -

      Version 10.0.10240

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val#2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

      -

      Version 10.0.10240

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val#2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

      -

      Version 10.0.10240

      FIPS186-4:
      -[RSASSA-PSS]:
      Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      -Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      -

      SHA Val# 2886

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

      -

      Version 10.0.10240

      FIPS186-4:
      -186-4KEY(gen):
      FIPS186-4_Fixed_e ;
      -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      -

      SHA Val#2373 DRBG: Val# 489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

      -

      Version 6.3.9600

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val#2373

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

      -

      Version 6.3.9600

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5
      ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      -

      SHA Val#2373

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

      -

      Version 6.3.9600

      FIPS186-4:
      -[RSASSA-PSS]:
      Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      - Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      -

      SHA Val#2373

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

      -

      Version 6.3.9600

      FIPS186-4:
      -ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
      -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
      -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      -Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
      -SHA #1903

      -

      Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
      FIPS186-4:
      -186-4KEY(gen):
      FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
      -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
      -SHA #1903 DRBG: #258
      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
      FIPS186-2:
      -ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.
      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.
      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
      FIPS186-2:
      -ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.
      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.
      Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

      Windows Server 2008 R2 and SP1 CNG algorithms #567

      -

      Windows 7 and SP1 CNG algorithms #560

      FIPS186-2:
      -ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
      Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.
      Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
      FIPS186-2:
      -ALG[ANSIX9.31]:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.
      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.
      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

      Windows Server 2008 CNG algorithms #358

      -

      Windows Vista SP1 CNG algorithms #357

      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

      Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

      -

      Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

      FIPS186-2:
      -ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
      Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
      FIPS186-2:
      -ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
      Windows Vista RSA key generation implementation #258
      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.
      Windows Vista CNG algorithms #257
      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.
      Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.
      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.
      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.
      Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
      FIPS186-2:
      -ALG[RSASSA-PKCS1_V1_5]:

      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.
      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
      FIPS186-2:
      -ALG[ANSIX9.31]:

      -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
      -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      -Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.
      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

      FIPS186-2:

      -

      – PKCS#1 v1.5, signature generation and verification

      -

      – Mod sizes: 1024, 1536, 2048, 3072, 4096

      -

      – SHS: SHA–1/256/384/512

      Windows XP, vendor-affirmed

      -

      Windows 2000, vendor-affirmed

      - - -#### Secure Hash Standard (SHS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • SHA-1:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-256:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-384:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-512:
      • -
        • -
        • Supports Empty Message
        • -
      • -

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

      -

      Version 10.0.15063.674

        -
      • SHA-1:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-256:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-384:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-512:
      • -
        • -
        • Supports Empty Message
        • -
      • -

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

      -

      Version 10.0.15254

        -
      • SHA-1:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-256:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-384:
      • -
        • -
        • Supports Empty Message
        • -
      • -
      • SHA-512:
      • -
        • -
        • Supports Empty Message
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

      -

      Version 10.0.16299

      SHA-1      (BYTE-only)
      -SHA-256  (BYTE-only)
      -SHA-384  (BYTE-only)
      -SHA-512  (BYTE-only)

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

      -

      Version 10.0.15063

      SHA-1      (BYTE-only)
      -SHA-256  (BYTE-only)
      -SHA-384  (BYTE-only)
      -SHA-512  (BYTE-only)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

      -

      Version 7.00.2872

      SHA-1      (BYTE-only)
      -SHA-256  (BYTE-only)
      -SHA-384  (BYTE-only)
      -SHA-512  (BYTE-only)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

      -

      Version 8.00.6246

      SHA-1      (BYTE-only)
      -SHA-256  (BYTE-only)
      -SHA-384  (BYTE-only)
      -SHA-512  (BYTE-only)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

      -

      Version 7.00.2872

      SHA-1      (BYTE-only)
      -SHA-256  (BYTE-only)
      -SHA-384  (BYTE-only)
      -SHA-512  (BYTE-only)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

      -

      Version 8.00.6246

      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
      -Version 10.0.14393
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
      -Version 10.0.14393
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
      -Version 10.0.10586
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
      -Version 10.0.10586
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
      -Version 10.0.10240
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
      -Version 10.0.10240
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
      -Version 6.3.9600
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
      -Version 6.3.9600

      SHA-1 (BYTE-only)

      -

      SHA-256 (BYTE-only)

      -

      SHA-384 (BYTE-only)

      -

      SHA-512 (BYTE-only)

      -

      Implementation does not support zero-length (null) messages.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

      -

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

      -

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

      -

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

      SHA-1 (BYTE-only)

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

      -

      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)
      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)

      Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

      -

      Windows Vista Symmetric Algorithm Implementation #618

      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)

      Windows Vista BitLocker Drive Encryption #737

      -

      Windows Vista Beta 2 BitLocker Drive Encryption #495

      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

      -

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

      SHA-1 (BYTE-only)

      Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

      -

      Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

      -

      Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

      -

      Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

      -

      Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

      -

      Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

      -

      Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

      SHA-1 (BYTE-only)
      -SHA-256 (BYTE-only)
      -SHA-384 (BYTE-only)
      -SHA-512 (BYTE-only)

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

      -

      Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

      -

      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

      SHA-1 (BYTE-only)

      Windows XP Microsoft Enhanced Cryptographic Provider #83

      -

      Crypto Driver for Windows 2000 (fips.sys) #35

      -

      Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

      -

      Windows 2000 RSAENH.DLL #24

      -

      Windows 2000 RSABASE.DLL #23

      -

      Windows NT 4 SP6 RSAENH.DLL #21

      -

      Windows NT 4 SP6 RSABASE.DLL #20

      - - -#### Triple DES - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        -
      • TDES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-CFB64:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-CFB8:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-ECB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

      -

      Version 10.0.15063.674

        -
      • TDES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-CFB64:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-CFB8:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-ECB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

      -

      Version 10.0.15254

        -
      • TDES-CBC:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-CFB64:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-CFB8:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -
      • TDES-ECB:
      • -
        • -
        • Modes: Decrypt, Encrypt
        • -
        • Keying Option: 1
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

      -

      Version 10.0.16299

      TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

      -

      Version 10.0.15063

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, )

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

      -

      Version 8.00.6246

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, )

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

      -

      Version 8.00.6246

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, ) ;

      -

      CTR ( int only )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

      -

      Version 7.00.2872

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

      -

      Version 8.00.6246

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, ) ;

      -

      TCFB8( KO 1 e/d, ) ;

      -

      TCFB64( KO 1 e/d, )

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
      -
      -

      -

      Version 10.0.14393

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, ) ;

      -

      TCFB8( KO 1 e/d, ) ;

      -

      TCFB64( KO 1 e/d, )

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
      -
      -

      -

      Version 10.0.10586

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, ) ;

      -

      TCFB8( KO 1 e/d, ) ;

      -

      TCFB64( KO 1 e/d, )

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
      -
      -

      -

      Version 10.0.10240

      TECB( KO 1 e/d, ) ;

      -

      TCBC( KO 1 e/d, ) ;

      -

      TCFB8( KO 1 e/d, ) ;

      -

      TCFB64( KO 1 e/d, )

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

      -

      Version 6.3.9600

      TECB( e/d; KO 1,2 ) ;

      -

      TCBC( e/d; KO 1,2 ) ;

      -

      TCFB8( e/d; KO 1,2 ) ;

      -

      TCFB64( e/d; KO 1,2 )

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

      TECB( e/d; KO 1,2 ) ;

      -

      TCBC( e/d; KO 1,2 ) ;

      -

      TCFB8( e/d; KO 1,2 )

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

      TECB( e/d; KO 1,2 ) ;

      -

      TCBC( e/d; KO 1,2 ) ;

      -

      TCFB8( e/d; KO 1,2 )

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

      TECB( e/d; KO 1,2 ) ;

      -

      TCBC( e/d; KO 1,2 ) ;

      -

      TCFB8( e/d; KO 1,2 )

      Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

      TECB( e/d; KO 1,2 ) ;

      -

      TCBC( e/d; KO 1,2 ) ;

      -

      TCFB8( e/d; KO 1,2 )

      Windows Vista Symmetric Algorithm Implementation #549
      Triple DES MAC

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

      -

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

      TECB( e/d; KO 1,2 ) ;

      -

      TCBC( e/d; KO 1,2 )

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

      -

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

      -

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

      -

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

      -

      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

      -

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

      -

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

      -

      Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

      -

      Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

      -

      Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

      -

      Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

      -

      Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

      -

      Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

      -

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

      -

      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

      -

      Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

      -

      Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

      -

      Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

      -

      Windows XP Microsoft Enhanced Cryptographic Provider #81

      -

      Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

      -

      Crypto Driver for Windows 2000 (fips.sys) #16

      - - -#### SP 800-132 Password Based Key Derivation Function (PBKDF) - - - - - - - - - - - - - - -
      - Modes / States / Key Sizes - - Algorithm Implementation and Certificate # -
      - PBKDF (vendor affirmed) -

       Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
      (Software Version: 10.0.14393)

      -

      Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
      (Software Version: 10.0.14393)

      -

      Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
      (Software Version: 10.0.14393)

      -

      Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
      (Software Version: 10.0.14393)

      -
      - PBKDF (vendor affirmed) -

      Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
      (Software Version: 10.0.14393)

      -

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

      -
      - - -#### Component Validation List - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Publication / Component Validated / DescriptionImplementation and Certificate #
        -
      • ECDSA SigGen:
      • -
        • -
        • P-256 SHA: SHA-256
        • -
        • P-384 SHA: SHA-384
        • -
        • P-521 SHA: SHA-512
        • -
      • -
      -

      Prerequisite: DRBG #489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

      -

      Version 6.3.9600

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Microsoft Surface Hub Virtual TPM Implementations #1519

      -

      Version 10.0.15063.674

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

      -

      Version 10.0.16299

        -
      • RSADP:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
      • -

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

      -

      Version 10.0.15063.674

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

      -

      Version 10.0.15063.674

        -
      • ECDSA SigGen:
      • -
        • -
        • P-256 SHA: SHA-256
        • -
        • P-384 SHA: SHA-384
        • -
        • P-521 SHA: SHA-512
        • -
      • -
      -

       Prerequisite: DRBG #1732

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

      -

      Version 10.0.15063.674

        -
      • ECDSA SigGen:
      • -
        • -
        • P-256 SHA: SHA-256
        • -
        • P-384 SHA: SHA-384
        • -
        • P-521 SHA: SHA-512
        • -
      • -
      -

      Prerequisite: DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

      -

      Version 10.0.15063.674

        -
      • RSADP:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
      • -

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

      -

      Version 10.0.15063.674

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

      -

      Version 10.0.15063.674

        -
      • IKEv1:
      • -
        • -
        • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • -
        • Pre-shared Key Length: 64-2048
        • -
        • Diffie-Hellman shared secrets:
        • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 2048 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 256 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 384 (bits)
            • -
            • SHA Functions: SHA-384
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, HMAC #3269

      -
        -
      • IKEv2:
      • -
        • -
        • Derived Keying Material length: 192-1792
        • -
        • Diffie-Hellman shared secrets:
        • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 2048 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 256 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 384 (bits)
            • -
            • SHA Functions: SHA-384
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, HMAC #3269

      -
        -
      • TLS:
      • -
        • -
        • Supports TLS 1.0/1.1
        • -
        • Supports TLS 1.2:
        • -
          • -
          • SHA Functions: SHA-256, SHA-384
          • -
        • -
      • -
      -

      Prerequisite: SHS #4011, HMAC #3269

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

      -

      Version 10.0.15063.674

        -
      • ECDSA SigGen:
      • -
        • -
        • P-256 SHA: SHA-256
        • -
        • P-384 SHA: SHA-384
        • -
        • P-521 SHA: SHA-512
        • -
      • -
      -

      Prerequisite: DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

      -

      Version 10.0.15254

        -
      • RSADP:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
      • -

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

      -

      Version 10.0.15254

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

      -

      Version 10.0.15254

        -
      • IKEv1:
      • -
        • -
        • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • -
        • Pre-shared Key Length: 64-2048
        • -
        • Diffie-Hellman shared secrets:
        • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 2048 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 256 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 384 (bits)
            • -
            • SHA Functions: SHA-384
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, HMAC #3268

      -
        -
      • IKEv2:
      • -
        • -
        • Derived Keying Material length: 192-1792
        • -
        • Diffie-Hellman shared secrets:
        • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 2048 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 256 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 384 (bits)
            • -
            • SHA Functions: SHA-384
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, HMAC #3268

      -
        -
      • TLS:
      • -
        • -
        • Supports TLS 1.0/1.1
        • -
        • Supports TLS 1.2:
        • -
          • -
          • SHA Functions: SHA-256, SHA-384
          • -
        • -
      • -
      -

      Prerequisite: SHS #4010, HMAC #3268

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

      -

      Version 10.0.15254

        -
      • ECDSA SigGen:
      • -
        • -
        • P-256 SHA: SHA-256
        • -
        • P-384 SHA: SHA-384
        • -
        • P-521 SHA: SHA-512
        • -
      • -
      -

      Prerequisite: DRBG #1731

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

      -

      Version 10.0.15254

        -
      • RSADP:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
      • -

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

      -

      Version 10.0.15254

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

      -

      Version 10.0.15254

        -
      • ECDSA SigGen:
      • -
        • -
        • P-256 SHA: SHA-256
        • -
        • P-384 SHA: SHA-384
        • -
        • P-521 SHA: SHA-512
        • -
      • -
      -

      Prerequisite: DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

      -

      Version 10.0.16299

        -
      • RSADP:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

      -

      Version 10.0.16299

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

      -

      Version 10.0.16299

        -
      • ECDSA SigGen:
      • -
        • -
        • P-256 SHA: SHA-256
        • -
        • P-384 SHA: SHA-384
        • -
        • P-521 SHA: SHA-512
        • -
      • -
      -

      Prerequisite: DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

      -

      Version 10.0.16299

        -
      • RSADP:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

      -

      Version 10.0.16299

      -

       

        -
      • RSASP1:
      • -
        • -
        • Modulus Size: 2048 (bits)
        • -
        • Padding Algorithms: PKCS 1.5
        • -
      • -

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

      -

      Version 10.0.16299

        -
      • IKEv1:
      • -
        • -
        • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • -
        • Pre-shared Key Length: 64-2048
        • -
        • Diffie-Hellman shared secrets:
        • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 2048 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 256 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 384 (bits)
            • -
            • SHA Functions: SHA-384
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, HMAC #3267

      -
        -
      • IKEv2:
      • -
        • -
        • Derived Keying Material length: 192-1792
        • -
        • Diffie-Hellman shared secrets:
        • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 2048 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 256 (bits)
            • -
            • SHA Functions: SHA-256
            • -
          • -
          • Diffie-Hellman shared secret:
          • -
            • -
            • Length: 384 (bits)
            • -
            • SHA Functions: SHA-384
            • -
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, HMAC #3267

      -
        -
      • TLS:
      • -
        • -
        • Supports TLS 1.0/1.1
        • -
        • Supports TLS 1.2:
        • -
          • -
          • SHA Functions: SHA-256, SHA-384
          • -
        • -
      • -
      -

      Prerequisite: SHS #4009, HMAC #3267

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

      -

      Version 10.0.16299

      FIPS186-4 ECDSA

      -

      Signature Generation of hash sized messages

      -

      ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
      -Version 10.0. 15063

      -

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
      -Version 10.0. 15063

      -

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
      -Version 10.0.14393

      -

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
      -Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
      -Version 10.0.10586

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
      -Version 6.3.9600

      FIPS186-4 RSA; PKCS#1 v2.1

      -

      RSASP1 Signature Primitive

      -

      RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
      -Version 10.0.15063

      -

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
      -Version 10.0.15063

      -

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
      -Version 10.0.15063

      -

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
      -Version 10.0.14393

      -

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
      -Version 10.0.14393

      -

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
      -Version 10.0.10586

      -

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
      -Version  10.0.10240

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
      -Version 6.3.9600

      FIPS186-4 RSA; RSADP

      -

      RSADP Primitive

      -

      RSADP: (Mod2048)

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
      -Version 10.0.15063

      -

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
      -Version 10.0.15063

      -

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
      -Version 10.0.14393

      -

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
      -Version 10.0.14393

      -

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
      -Version 10.0.10586

      -

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
      -Version  10.0.10240

      SP800-135

      -

      Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

      -

      Version 10.0.16299

      -

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
      -Version 10.0.15063

      -

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
      -Version 7.00.2872

      -

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
      -Version 8.00.6246

      -

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
      -Version 10.0.14393

      -

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
      -Version 10.0.10586

      -

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
      -Version  10.0.10240

      -

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
      -Version 6.3.9600

      - - -## References - -\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules - -\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ - -\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) - -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths - -## Additional Microsoft References - -Enabling FIPS mode - - -Cipher Suites in Schannel - [https://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx) -
+---
+title: FIPS 140 Validation
+description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
+ms.prod: w10
+audience: ITPro
+author: dulcemontemayor
+ms.author: dansimp
+manager: dansimp
+ms.collection: M365-identity-device-management
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 11/05/2019
+ms.reviewer:
+---
+
+# FIPS 140-2 Validation
+
+## FIPS 140-2 standard overview
+
+The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996.
+
+The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program), a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover eleven areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+
+## Microsoft’s approach to FIPS 140-2 validation
+
+Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since the inception of the standard in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+
+## Using Windows in a FIPS 140-2 approved mode of operation
+
+Windows 10 and Windows server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.” Achieving this mode of operation requires administrators to complete all four steps outlined below.
+
+### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed
+
+Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. This is accomplished by cross-checking the version number of the cryptographic module with the table of validated modules at the end of this topic, organized by operating system release.
+
+### Step 2: Ensure all security policies for all cryptographic modules are followed
+
+Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found by following the links in the table of validated modules at the end of this topic. Click on the module version number to view the published SPD for the module.
+
+### Step 3: Enable the FIPS security policy
+
+Windows provides the security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing,” which is used by some Microsoft products to determine whether to operate in a FIPS 140-2 approved mode. When this policy is enabled, the validated cryptographic modules in Windows will also operate in FIPS approved mode. The policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
+
+### Step 4: Ensure only FIPS validated cryptographic algorithms are used
+
+Neither the operating system nor the cryptographic modules can enforce a FIPS approved mode of operation, regardless of the FIPS security policy setting. To run in a FIPS approved mode, an application or service must check for the policy flag and enforce the security policies of the validated modules. If an application or service uses a non-approved cryptographic algorithm or does not follow the security policies of the validated modules, it is not operating in a FIPS approved mode.
+
+## Frequently asked questions
+
+### How long does it take to certify cryptographic modules?
+
+Microsoft begins certification of cryptographic modules after each major feature release of Windows 10 and Windows Server. The duration of each evaluation varies, depending on many factors.
+
+### When does Microsoft undertake a FIPS 140 validation?
+
+The cadence for starting module validation aligns with the feature updates of Windows 10 and Windows Server. As the software industry evolves, operating systems release more frequently. Microsoft completes validation work on major releases but, in between releases, seeks to minimize the changes to the cryptographic modules.
+
+### What is the difference between “FIPS 140 validated” and “FIPS 140 compliant”?
+
+“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.
+
+### I need to know if a Windows service or application is FIPS 140-2 validated.
+
+The cryptographic modules leveraged in Windows are validated through the CMVP, not individual services, applications, hardware peripherals, or other solutions. For a solution to be considered compliant, it must call a FIPS 140-2 validated cryptographic module in the underlying OS and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module.
+
+### What does "When operated in FIPS mode" mean on a certificate?
+
+This caveat identifies required configuration and security rules that must be followed to use the cryptographic module in a way that is consistent with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module.
+
+### What is the relationship between FIPS 140-2 and Common Criteria?
+ +These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria is designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly. + +### How does FIPS 140 relate to Suite B? + +Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140-2 standard. + +## Microsoft FIPS 140-2 validated cryptographic modules + +The following tables identify the cryptographic modules used in an operating system, organized by release. + +## Modules used by Windows + +##### Windows 10 Spring 2018 Update (Version 1803) + +Validated Editions: Home, Pro, Enterprise, Education + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library10.0.17134#3197See Security Policy and Certificate page for algorithm information
      Kernel Mode Cryptographic Primitives Library10.0.17134#3196See Security Policy and Certificate page for algorithm information
      Code Integrity10.0.17134#3195See Security Policy and Certificate page for algorithm information
      Windows OS Loader10.0.17134#3480See Security Policy and Certificate page for algorithm information
      Secure Kernel Code Integrity10.0.17134#3096See Security Policy and Certificate page for algorithm information
      BitLocker Dump Filter10.0.17134#3092See Security Policy and Certificate page for algorithm information
      Boot Manager10.0.17134#3089See Security Policy and Certificate page for algorithm information
      + +##### Windows 10 Fall Creators Update (Version 1709) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library10.0.16299#3197See Security Policy and Certificate page for algorithm information
      Kernel Mode Cryptographic Primitives Library10.0.16299#3196See Security Policy and Certificate page for algorithm information
      Code Integrity10.0.16299#3195See Security Policy and Certificate page for algorithm information
      Windows OS Loader10.0.16299#3194See Security Policy and Certificate page for algorithm information
      Secure Kernel Code Integrity10.0.16299#3096See Security Policy and Certificate page for algorithm information
      BitLocker Dump Filter10.0.16299#3092See Security Policy and Certificate page for algorithm information
      Windows Resume10.0.16299#3091See Security Policy and Certificate page for algorithm information
      Boot Manager10.0.16299#3089See Security Policy and Certificate page for algorithm information
      + +##### Windows 10 Creators Update (Version 1703) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

      FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      +
      +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

      #3094

      +

      FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
      +
      +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

      Boot Manager10.0.15063#3089

      FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

      +

      Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

      Windows OS Loader10.0.15063#3090

      FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

      +

      Other algorithms: NDRNG

      Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
      BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
      Code Integrity (ci.dll)10.0.15063#3093

      FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

      Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

      FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

      + + +\[1\] Applies only to Home, Pro, Enterprise, Education and S + +\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub + +\[3\] Applies only to Pro, Enterprise Education and S + +##### Windows 10 Anniversary Update (Version 1607) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

      FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      +
      +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

      FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      +
      +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

      Boot Manager10.0.14393#2931

      FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

      +

      Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

      BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      +
      +Other algorithms: NDRNG; MD5
      BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
      Code Integrity (ci.dll)10.0.14393#2935

      FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      +
      +Other algorithms: AES (non-compliant); MD5

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

      Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

      FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      +
      +Other algorithms: MD5

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

      + + +\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile + +\[3\] Applies only to Pro, Enterprise and Enterprise LTSB + +##### Windows 10 November 2015 Update (Version 1511) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

      FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      +
      +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

      FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
      +
      +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

      Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
      +
      +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      +
      +Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
      Code Integrity (ci.dll)10.0.10586#2604

      FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      +
      +Other algorithms: AES (non-compliant); MD5

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

      Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

      FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
      +
      +Other algorithms: MD5

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

      + + +\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[6\] Applies only to Home, Pro and Enterprise + +\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub + +\[8\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 10 (Version 1507) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

      FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      +
      +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

      FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
      +
      +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

      Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
      +
      +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      +
      +Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
      Code Integrity (ci.dll)10.0.10240#2604

      FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      +
      +Other algorithms: AES (non-compliant); MD5

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

      Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

      FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
      +
      +Other algorithms: MD5

      +

      Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

      + + +\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[12\] Applies only to Pro, Enterprise and Enterprise LTSB + +\[13\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 8.1 + +Validated Editions: RT, Pro, Enterprise, Phone, Embedded + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

      FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      +
      +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

      Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

      FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      +
      +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

      +

      Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

      Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      +
      +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      +
      +Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
      +
      +Other algorithms: N/A
      Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

      FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      +
      +Other algorithms: MD5

      +

      Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

      + + +\[14\] Applies only to Pro, Enterprise, and Embedded 8. + +##### Windows 8 + +Validated Editions: RT, Home, Pro, Enterprise, Phone + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      +
      +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      +
      +
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      +
      +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      +
      +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: MD5
      BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
      BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
      +
      +Other algorithms: N/A
      Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: MD5
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      +
      +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
      +
      +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      +
      +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      + + +\[15\] Applies only to Home and Pro + +**Windows 7** + +Validated Editions: Windows 7, Windows 7 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

      6.1.7600.16385

      +

      6.1.7601.17514

      1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      +
      +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
      +
      +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
      Kernel Mode Cryptographic Primitives Library (cng.sys)

      6.1.7600.16385

      +

      6.1.7600.16915

      +

      6.1.7600.21092

      +

      6.1.7601.17514

      +

      6.1.7601.17725

      +

      6.1.7601.17919

      +

      6.1.7601.21861

      +

      6.1.7601.22076

      1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
      +
      +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
      Boot Manager

      6.1.7600.16385

      +

      6.1.7601.17514

      1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
      +
      +Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
      +
      +Other algorithms: MD5
      Winload OS Loader (winload.exe)

      6.1.7600.16385

      +

      6.1.7600.16757

      +

      6.1.7600.20897

      +

      6.1.7600.20916

      +

      6.1.7601.17514

      +

      6.1.7601.17556

      +

      6.1.7601.21655

      +

      6.1.7601.21675

      1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
      +
      +Other algorithms: MD5
      BitLocker™ Drive Encryption

      6.1.7600.16385

      +

      6.1.7600.16429

      +

      6.1.7600.16757

      +

      6.1.7600.20536

      +

      6.1.7600.20873

      +

      6.1.7600.20897

      +

      6.1.7600.20916

      +

      6.1.7601.17514

      +

      6.1.7601.17556

      +

      6.1.7601.21634

      +

      6.1.7601.21655

      +

      6.1.7601.21675

      1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      +
      +Other algorithms: Elephant Diffuser
      Code Integrity (CI.DLL)

      6.1.7600.16385

      +

      6.1.7600.17122

      +

      6.1.7600.21320

      +

      6.1.7601.17514

      +

      6.1.7601.17950

      +

      6.1.7601.22108

      1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
      +
      +Other algorithms: MD5
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
      +(no change in SP1)
      1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      +
      +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
      Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
      +(no change in SP1)
      1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
      +
      +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      + + +##### Windows Vista SP1 + +Validated Editions: Ultimate Edition + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
      Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
      +
      +Other algorithms: MD5
      Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
      +
      +Other algorithms: MD5
      Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

      FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

      +

      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

      Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

      FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

      +

      Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

      Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

      FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

      +

      Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

      FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

      +

      Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

      + + +##### Windows Vista + +Validated Editions: Ultimate Edition + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      +
      +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
      +
      +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
      BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
      +
      +Other algorithms: Elephant Diffuser
      Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
      +
      +Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
      + + +##### Windows XP SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

      FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

      +

      Other algorithms: DES; MD5; HMAC MD5

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

      FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

      +

      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

      Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

      FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

      +

      Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

      + + +##### Windows XP SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

      +

      Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

      Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

      FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

      +

      Other algorithms: DES (Cert. #156); RC2; RC4; MD5

      + + +##### Windows XP SP1 + + ++++++ + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

      FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

      +

      Other algorithms: DES (Cert. #156); RC2; RC4; MD5

      + + +##### Windows XP + + ++++++ + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module5.1.2600.0241

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

      +

      Other algorithms: DES (Cert. #89)

      + + +##### Windows 2000 SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

      FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

      +

      Other algorithms: DES (Certs. #89)

      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

      (Base DSS: 5.0.2195.3665 [SP3])

      +

      (Base: 5.0.2195.3839 [SP3])

      +

      (DSS/DH Enh: 5.0.2195.3665 [SP3])

      +

      (Enh: 5.0.2195.3839 [SP3]

      103

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

      +

      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

      + + +##### Windows 2000 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

      FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

      +

      Other algorithms: DES (Certs. #89)

      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

      (Base DSS:

      +

      5.0.2195.2228 [SP2])

      +

      (Base:

      +

      5.0.2195.2228 [SP2])

      +

      (DSS/DH Enh:

      +

      5.0.2195.2228 [SP2])

      +

      (Enh:

      +

      5.0.2195.2228 [SP2])

      103

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

      +

      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

      + + +##### Windows 2000 SP1 + + ++++++ + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

      (Base DSS: 5.0.2150.1391 [SP1])

      +

      (Base: 5.0.2150.1391 [SP1])

      +

      (DSS/DH Enh: 5.0.2150.1391 [SP1])

      +

      (Enh: 5.0.2150.1391 [SP1])

      103

      FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

      +

      Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

      + + +##### Windows 2000 + + ++++++ + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

      FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

      +

      Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

      + + +##### Windows 95 and Windows 98 + + ++++++ + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

      FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

      +

      Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

      + + +##### Windows NT 4.0 + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
      +
      +Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
      + +## Modules used by Windows Server + +##### Windows Server (Version 1803) + +Validated Editions: Standard, Datacenter + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library10.0.17134#3197See Security Policy and Certificate page for algorithm information
      Kernel Mode Cryptographic Primitives Library10.0.17134#3196See Security Policy and Certificate page for algorithm information
      Code Integrity10.0.17134#3195See Security Policy and Certificate page for algorithm information
      Windows OS Loader10.0.17134#3480See Security Policy and Certificate page for algorithm information
      Secure Kernel Code Integrity10.0.17134#3096See Security Policy and Certificate page for algorithm information
      BitLocker Dump Filter10.0.17134#3092See Security Policy and Certificate page for algorithm information
      Boot Manager10.0.17134#3089See Security Policy and Certificate page for algorithm information
      + +##### Windows Server (Version 1709) + +Validated Editions: Standard, Datacenter + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library10.0.16299#3197See Security Policy and Certificate page for algorithm information
      Kernel Mode Cryptographic Primitives Library10.0.16299#3196See Security Policy and Certificate page for algorithm information
      Code Integrity10.0.16299#3195See Security Policy and Certificate page for algorithm information
      Windows OS Loader10.0.16299#3194See Security Policy and Certificate page for algorithm information
      Secure Kernel Code Integrity10.0.16299#3096See Security Policy and Certificate page for algorithm information
      BitLocker Dump Filter10.0.16299#3092See Security Policy and Certificate page for algorithm information
      Windows Resume10.0.16299#3091See Security Policy and Certificate page for algorithm information
      Boot Manager10.0.16299#3089See Security Policy and Certificate page for algorithm information
      + +##### Windows Server 2016 + +Validated Editions: Standard, Datacenter, Storage Server + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      +
      +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
      +
      +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager10.0.143932931

      FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

      +

      Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

      BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      +
      +Other algorithms: NDRNG; MD5
      BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
      Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
      +
      +Other algorithms: AES (non-compliant); MD5
      Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
      +
      +Other algorithms: MD5
      + + +##### Windows Server 2012 R2 + +Validated Editions: Server, Storage Server, + +**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
      +
      +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
      +
      +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      +
      +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
      BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
      +
      +Other algorithms: MD5; NDRNG
      BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
      +
      +Other algorithms: N/A
      Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
      +
      +Other algorithms: MD5
      + + +\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +**Windows Server 2012** + +Validated Editions: Server, Storage Server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      +
      +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      +
      +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
      +
      +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      +
      +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
      Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: MD5
      BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
      BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: MD5
      BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
      +
      +Other algorithms: N/A
      Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
      +
      +Other algorithms: MD5
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
      +
      +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
      +
      +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      + + +##### Windows Server 2008 R2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
      +
      +Other algorithms: MD5
      Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
      +
      +Other algorithms: MD5
      Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
      +
      +Other algorithms: MD5
      Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      +
      +-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
      Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
      +
      +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
      Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
      +
      +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
      +
      +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
      BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
      +
      +Other algorithms: Elephant Diffuser
      + + +##### Windows Server 2008 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
      +
      +Other algorithms: N/A
      Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
      +
      +Other algorithms: MD5
      Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
      +
      +Other algorithms: MD5
      Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      +
      +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
      +
      +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
      +
      +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
      +
      +-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
      Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
      +
      +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
      + + +##### Windows Server 2003 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

      FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

      +

      Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

      Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

      FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

      +

      Other algorithms: DES; HMAC-MD5

      Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

      FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

      +

      Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

      + + +##### Windows Server 2003 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

      FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

      +

      Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

      +

      [1] x86
      +[2] SP1 x86, x64, IA64

      Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

      FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

      +

      Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

      +

      [1] x86
      +[2] SP1 x86, x64, IA64

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

      FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

      +

      Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

      +

      [1] x86
      +[2] SP1 x86, x64, IA64

      + + +##### Windows Server 2003 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

      FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

      +

      Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

      +

      [1] x86
      +[2] SP1 x86, x64, IA64

      Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

      FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

      +

      Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

      +

      [1] x86
      +[2] SP1 x86, x64, IA64

      Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

      FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

      +

      Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

      +

      [1] x86
      +[2] SP1 x86, x64, IA64

      + + +#### Other Products + +##### Windows Embedded Compact 7 and Windows Embedded Compact 8 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

      FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

      +

      Allowed algorithms: HMAC-MD5; MD5; NDRNG

      Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

      FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

      +

      Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

      + + + +##### Windows CE 6.0 and Windows Embedded Compact 7 + + ++++++ + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

      FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

      +

      Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

      + + +##### Outlook Cryptographic Provider + + ++++++ + + + + + + + + + + + + + + +
      Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
      Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

      FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

      +

      Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

      + + + +### Cryptographic Algorithms + +The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. + +### Advanced Encryption Standard (AES) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • AES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CFB128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CTR:
      • +
        • +
        • Counter Source: Internal
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-OFB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +

      Microsoft Surface Hub Virtual TPM Implementations #4904

      +

      Version 10.0.15063.674

        +
      • AES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CFB128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CTR:
      • +
        • +
        • Counter Source: Internal
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-OFB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

      +

      Version 10.0.16299

        +
      • AES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CCM:
      • +
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
        • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • +
        • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • +
        • Plain Text Length: 0-32
        • +
        • AAD Length: 0-65536
        • +
      • +
      • AES-CFB128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CFB8:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CMAC:
      • +
        • +
        • Generation:
        • +
          • +
          • AES-128:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-192:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-256:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
        • +
        • Verification:
        • +
          • +
          • AES-128:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-192:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-256:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
        • +
      • +
      • AES-CTR:
      • +
        • +
        • Counter Source: Internal
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-ECB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-GCM:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
        • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • +
        • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • +
        • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • +
        • 96 bit IV supported
        • +
      • +
      • AES-XTS:
      • +
        • +
        • Key Size: 128:
        • +
          • +
          • Modes: Decrypt, Encrypt
          • +
          • Block Sizes: Full
          • +
        • +
        • Key Size: 256:
        • +
          • +
          • Modes: Decrypt, Encrypt
          • +
          • Block Sizes: Full
          • +
        • +
      • +

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

      +

      Version 10.0.15063.674

        +
      • AES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CCM:
      • +
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
        • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • +
        • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • +
        • Plain Text Length: 0-32
        • +
        • AAD Length: 0-65536
        • +
      • +
      • AES-CFB128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CFB8:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CMAC:
      • +
        • +
        • Generation:
        • +
          • +
          • AES-128:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-192:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-256:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
        • +
        • Verification:
        • +
          • +
          • AES-128:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-192:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-256:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
        • +
      • +
      • AES-CTR:
      • +
        • +
        • Counter Source: Internal
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-ECB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-GCM:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
        • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • +
        • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • +
        • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • +
        • 96 bit IV supported
        • +
      • +
      • AES-XTS:
      • +
        • +
        • Key Size: 128:
        • +
          • +
          • Modes: Decrypt, Encrypt
          • +
          • Block Sizes: Full
          • +
        • +
        • Key Size: 256:
        • +
          • +
          • Modes: Decrypt, Encrypt
          • +
          • Block Sizes: Full
          • +
        • +
      • +

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

      +

      Version 10.0.15254

        +
      • AES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CCM:
      • +
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
        • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • +
        • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • +
        • Plain Text Length: 0-32
        • +
        • AAD Length: 0-65536
        • +
      • +
      • AES-CFB128:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CFB8:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-CMAC:
      • +
        • +
        • Generation:
        • +
          • +
          • AES-128:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-192:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-256:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
        • +
        • Verification:
        • +
          • +
          • AES-128:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-192:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
          • AES-256:
          • +
            • +
            • Block Sizes: Full, Partial
            • +
            • Message Length: 0-65536
            • +
            • Tag Length: 16-16
            • +
          • +
        • +
      • +
      • AES-CTR:
      • +
        • +
        • Counter Source: Internal
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-ECB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
      • AES-GCM:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • IV Generation: External
        • +
        • Key Lengths: 128, 192, 256 (bits)
        • +
        • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • +
        • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • +
        • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • +
        • 96 bit IV supported
        • +
      • +
      • AES-XTS:
      • +
        • +
        • Key Size: 128:
        • +
          • +
          • Modes: Decrypt, Encrypt
          • +
          • Block Sizes: Full
          • +
        • +
        • Key Size: 256:
        • +
          • +
          • Modes: Decrypt, Encrypt
          • +
          • Block Sizes: Full
          • +
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

      +

      Version 10.0.16299

      AES-KW:

      +
        +
      • Modes: Decrypt, Encrypt
      • +
      • CIPHK transformation direction: Forward
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • +
      +

      AES Val#4902

      Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

      +

      Version 10.0.15063.674

      AES-KW:

      +
        +
      • Modes: Decrypt, Encrypt
      • +
      • CIPHK transformation direction: Forward
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • +
      +

      AES Val#4901

      Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

      +

      Version 10.0.15254

      AES-KW:

      +
        +
      • Modes: Decrypt, Encrypt
      • +
      • CIPHK transformation direction: Forward
      • +
      • Key Lengths: 128, 192, 256 (bits)
      • +
      • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • +
      +

      AES Val#4897

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

      +

      Version 10.0.16299

      AES-CCM:

      +
        +
      • Key Lengths: 256 (bits)
      • +
      • Tag Lengths: 128 (bits)
      • +
      • IV Lengths: 96 (bits)
      • +
      • Plain Text Length: 0-32
      • +
      • AAD Length: 0-65536
      • +
      +

      AES Val#4902

      Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

      +

      Version 10.0.15063.674

      AES-CCM:

      +
        +
      • Key Lengths: 256 (bits)
      • +
      • Tag Lengths: 128 (bits)
      • +
      • IV Lengths: 96 (bits)
      • +
      • Plain Text Length: 0-32
      • +
      • AAD Length: 0-65536
      • +
      +

      AES Val#4901

      Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

      +

      Version 10.0.15254

      AES-CCM:

      +
        +
      • Key Lengths: 256 (bits)
      • +
      • Tag Lengths: 128 (bits)
      • +
      • IV Lengths: 96 (bits)
      • +
      • Plain Text Length: 0-32
      • +
      • AAD Length: 0-65536
      • +
      +

      AES Val#4897

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

      +

      Version 10.0.16299

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB128 ( e/d; 128 , 192 , 256 );

      +

      OFB ( e/d; 128 , 192 , 256 );

      +

      CTR ( int only; 128 , 192 , 256 )

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

      +

      Version 10.0.15063

      KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

      +

      AES Val#4624

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

      +

      Version 10.0.15063

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      +

      AES Val#4624

      +

       

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

      +

      Version 10.0.15063

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

      CFB128 ( e/d; 128 , 192 , 256 );

      +

      CTR ( int only; 128 , 192 , 256 )

      +

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      +

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

      +

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

      +

      (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

      +

      IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

      +

      GMAC_Supported

      +

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

      +

      Version 10.0.15063

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

      +

      Version 7.00.2872

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

      +

      Version 8.00.6246

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CTR ( int only; 128 , 192 , 256 )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

      +

      Version 7.00.2872

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CTR ( int only; 128 , 192 , 256 )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

      +

      Version 8.00.6246

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB128 ( e/d; 128 , 192 , 256 );

      +

      OFB ( e/d; 128 , 192 , 256 );

      +

      CTR ( int only; 128 , 192 , 256 )

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

      +

      Version 10.0.14393

      ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

      +

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      +

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      +

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
      +GMAC_Supported

      +

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

      +

      Version 10.0.14393

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

       

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
      +Version 10.0.14393

      KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

      +

      AES Val#4064

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

      +

      Version 10.0.14393

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      +

      AES Val#4064

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

      +

      Version 10.0.14393

      KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

      +

      AES Val#3629

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

      +

      Version 10.0.10586

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      +

      AES Val#3629

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

      +

      Version 10.0.10586

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

       

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
      +Version 10.0.10586

      ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

      +

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      +

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      +

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
      +GMAC_Supported

      +

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
      +
      +

      +

      Version 10.0.10586

      KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

      +

      AES Val#3497

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

      +

      Version 10.0.10240

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      +

      AES Val#3497

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

      +

      Version 10.0.10240

      ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

      +

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      +

      CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      +

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
      +GMAC_Supported

      +

      XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
      +Version 10.0.10240

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

       

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
      +Version 10.0.10240

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

       

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

      +

      Version 6.3.9600

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      +

      AES Val#2832

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

      +

      Version 6.3.9600

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      +

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

      +

      GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

      +

      (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

      +

      IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
      +OtherIVLen_Supported
      +GMAC_Supported

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

      +

      Version 6.3.9600

      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
      +AES Val#2197

      +

      CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
      +AES Val#2197

      +

      GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
      +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
      +IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
      +GMAC_Supported

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

      CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

      +

      AES Val#2196

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

      CFB128 ( e/d; 128 , 192 , 256 );

      +

      CTR ( int only; 128 , 192 , 256 )

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

       

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
      +AES Val#1168

      Windows Server 2008 R2 and SP1 CNG algorithms #1187

      +

      Windows 7 Ultimate and SP1 CNG algorithms #1178

      CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
      +AES Val#1168
      Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      +

       

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

      GCM

      +

      GMAC

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
      CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
      CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

      Windows Server 2008 CNG algorithms #757

      +

      Windows Vista Ultimate SP1 CNG algorithms #756

      CBC ( e/d; 128 , 256 );

      +

      CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

      Windows Vista Ultimate BitLocker Drive Encryption #715

      +

      Windows Vista Ultimate BitLocker Drive Encryption #424

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CFB8 ( e/d; 128 , 192 , 256 );

      Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

      +

      Windows Vista Symmetric Algorithm Implementation #553

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      +

      CTR ( int only; 128 , 192 , 256 )

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

      ECB ( e/d; 128 , 192 , 256 );

      +

      CBC ( e/d; 128 , 192 , 256 );

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

      +

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

      +

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

      +

      Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

      +

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

      +

      Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

      +

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

      +

      Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

      +

      Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

      +

      Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

      + + +Deterministic Random Bit Generator (DRBG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • Counter:
      • +
        • +
        • Modes: AES-256
        • +
        • Derivation Function States: Derivation Function not used
        • +
        • Prediction Resistance Modes: Not Enabled
        • +
      • +
      +

      Prerequisite: AES #4904

      Microsoft Surface Hub Virtual TPM Implementations #1734

      +

      Version 10.0.15063.674

        +
      • Counter:
      • +
        • +
        • Modes: AES-256
        • +
        • Derivation Function States: Derivation Function not used
        • +
        • Prediction Resistance Modes: Not Enabled
        • +
      • +
      +

      Prerequisite: AES #4903

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

      +

      Version 10.0.16299

        +
      • Counter:
      • +
        • +
        • Modes: AES-256
        • +
        • Derivation Function States: Derivation Function used
        • +
        • Prediction Resistance Modes: Not Enabled
        • +
      • +
      +

      Prerequisite: AES #4902

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

      +

      Version 10.0.15063.674

        +
      • Counter:
      • +
        • +
        • Modes: AES-256
        • +
        • Derivation Function States: Derivation Function used
        • +
        • Prediction Resistance Modes: Not Enabled
        • +
      • +
      +

      Prerequisite: AES #4901

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

      +

      Version 10.0.15254

        +
      • Counter:
      • +
        • +
        • Modes: AES-256
        • +
        • Derivation Function States: Derivation Function used
        • +
        • Prediction Resistance Modes: Not Enabled
        • +
      • +
      +

      Prerequisite: AES #4897

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

      +

      Version 10.0.16299

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

      +

      Version 10.0.15063

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

      +

      Version 10.0.15063

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

      +

      Version 7.00.2872

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

      +

      Version 8.00.6246

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

      +

      Version 7.00.2872

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

      +

      Version 8.00.6246

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

      +

      Version 10.0.14393

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

      +

      Version 10.0.14393

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

      +

      Version 10.0.10586

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

      +

      Version 10.0.10240

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

      +

      Version 6.3.9600

      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
      CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
      DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
      + + +#### Digital Signature Algorithm (DSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • DSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • PQGGen:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • PQGVer:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • SigGen:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • SigVer:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • KeyPair:
          • +
            • +
            • L = 2048, N = 256
            • +
            • L = 3072, N = 256
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

      +

      Version 10.0.15063.674

        +
      • DSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • PQGGen:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • PQGVer:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • SigGen:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • SigVer:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • KeyPair:
          • +
            • +
            •  
            • +
            •  
            • +
            • L = 2048, N = 256
            • +
            • L = 3072, N = 256
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

      +

      Version 10.0.15254

        +
      • DSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • PQGGen:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • PQGVer:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • SigGen:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • SigVer:
          • +
            • +
            • L = 2048, N = 256 SHA: SHA-256
            • +
            • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
          • KeyPair:
          • +
            • +
            • L = 2048, N = 256
            • +
            • L = 3072, N = 256
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

      +

      Version 10.0.16299

      FIPS186-4:

      +

      PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

      +

      PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      +

      KeyPairGen:   [ (2048,256) ; (3072,256) ]

      +

      SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

      +

      SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      +

      SHS: Val#3790

      +

      DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

      +

      Version 10.0.15063

      FIPS186-4:
      +PQG(ver)PARMS TESTED:
        [ (1024,160) SHA( 1 ); ]
      +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
      +SHS: Val# 3649

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

      +

      Version 7.00.2872

      FIPS186-4:
      +PQG(ver)PARMS TESTED:
        [ (1024,160) SHA( 1 ); ]
      +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
      +SHS: Val#3648

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

      +

      Version 8.00.6246

      FIPS186-4:
      +PQG(gen)
      PARMS TESTED: [
      +(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      +KeyPairGen:    [ (2048,256) ; (3072,256) ]
      +SIG(gen)PARMS TESTED:   [ (2048,256)
      +SHA( 256 ); (3072,256) SHA( 256 ); ]
      +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      +

      SHS: Val# 3347
      +DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

      +

      Version 10.0.14393

      FIPS186-4:
      +PQG(gen)
      PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
      +KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
      +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      +

      SHS: Val# 3047
      +DRBG: Val# 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

      +

      Version 10.0.10586

      FIPS186-4:
      +PQG(gen)
      PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      +KeyPairGen:    [ (2048,256) ; (3072,256) ]
      +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      +

      SHS: Val# 2886
      +DRBG: Val# 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

      +

      Version 10.0.10240

      FIPS186-4:
      +PQG(gen)
      PARMS TESTED:   [
      +(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      +PQG(ver)PARMS TESTED:   [ (2048,256)
      +SHA( 256 ); (3072,256) SHA( 256 ) ]
      +KeyPairGen:    [ (2048,256) ; (3072,256) ]
      +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
      +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

      +

      SHS: Val# 2373
      +DRBG: Val# 489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

      +

      Version 6.3.9600

      FIPS186-2:
      +PQG(ver) MOD(1024);
      +SIG(ver) MOD(1024);
      +SHS: #1903
      +DRBG: #258

      +

      FIPS186-4:
      +PQG(gen)PARMS TESTED
      : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
      +PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      +SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
      +SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
      +SHS: #1903
      +DRBG: #258
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
      FIPS186-2:
      +PQG(ver)
      MOD(1024);
      +SIG(ver) MOD(1024);
      +SHS: #1902
      +DRBG: #258
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 1773
      +DRBG: Val# 193
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 1081
      +DRBG: Val# 23
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

      Windows Server 2008 R2 and SP1 CNG algorithms #391

      +

      Windows 7 Ultimate and SP1 CNG algorithms #386

      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 1081
      +RNG: Val# 649
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

      Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

      +

      Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 753
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

      Windows Server 2008 CNG algorithms #284

      +

      Windows Vista Ultimate SP1 CNG algorithms #283

      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 753
      +RNG: Val# 435
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

      Windows Server 2008 Enhanced DSS (DSSENH) #282

      +

      Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 618
      +RNG: Val# 321
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

      Windows Vista CNG algorithms #227

      +

      Windows Vista Enhanced DSS (DSSENH) #226

      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 784
      +RNG: Val# 448
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
      FIPS186-2:
      +SIG(ver)
      MOD(1024);
      +SHS: Val# 783
      +RNG: Val# 447
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
      FIPS186-2:
      +PQG(gen)
      MOD(1024);
      +PQG(ver) MOD(1024);
      +KEYGEN(Y) MOD(1024);
      +SIG(gen) MOD(1024);
      +SIG(ver) MOD(1024);
      +SHS: Val# 611
      +RNG: Val# 314
      Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
      FIPS186-2:
      +PQG(gen)
      MOD(1024);
      +PQG(ver) MOD(1024);
      +KEYGEN(Y) MOD(1024);
      +SIG(gen) MOD(1024);
      +SIG(ver) MOD(1024);
      +SHS: Val# 385
      Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
      FIPS186-2:
      +PQG(ver)
      MOD(1024);
      +KEYGEN(Y) MOD(1024);
      +SIG(gen) MOD(1024);
      +SIG(ver) MOD(1024);
      +SHS: Val# 181
      +
      +
      Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
      FIPS186-2:
      +PQG(gen)
      MOD(1024);
      +PQG(ver) MOD(1024);
      +KEYGEN(Y) MOD(1024);
      +SIG(gen) MOD(1024);
      +SHS: SHA-1 (BYTE)
      +SIG(ver) MOD(1024);
      +SHS: SHA-1 (BYTE)

      Windows 2000 DSSENH.DLL #29

      +

      Windows 2000 DSSBASE.DLL #28

      +

      Windows NT 4 SP6 DSSENH.DLL #26

      +

      Windows NT 4 SP6 DSSBASE.DLL #25

      FIPS186-2: PRIME;
      +FIPS186-2:

      +

      KEYGEN(Y):
      +SHS: SHA-1 (BYTE)

      +

      SIG(gen):
      +SIG(ver)
      MOD(1024);
      +SHS: SHA-1 (BYTE)

      Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
      + + +#### Elliptic Curve Digital Signature Algorithm (ECDSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
            • Generation Methods: Extra Random Bits
            • +
          • +
          • Public Key Validation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
          • +
          • Signature Generation:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
          • Signature Verification:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #2373, DRBG #489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

      +

      Version 6.3.9600

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384
            • +
            • Generation Methods: Testing Candidates
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1734

      Microsoft Surface Hub Virtual TPM Implementations #1253

      +

      Version 10.0.15063.674

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384
            • +
            • Generation Methods: Testing Candidates
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1733

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

      +

      Version 10.0.16299

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
            • Generation Methods: Extra Random Bits
            • +
          • +
          • Public Key Validation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
          • +
          • Signature Generation:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
          • Signature Verification:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

      +

      Version 10.0.15063.674

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
            • Generation Methods: Extra Random Bits
            • +
          • +
          • Public Key Validation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
          • +
          • Signature Generation:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
          • Signature Verification:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

      +

      Version 10.0.15063.674

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
            • Generation Methods: Extra Random Bits
            • +
          • +
          • Public Key Validation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
          • +
          • Signature Generation:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
          • Signature Verification:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

      +

      Version 10.0.15254

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
            • Generation Methods: Extra Random Bits
            • +
          • +
          • Public Key Validation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
          • +
          • Signature Generation:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
          • Signature Verification:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

      +

      Version 10.0.15254

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
            • Generation Methods: Extra Random Bits
            • +
          • +
          • Public Key Validation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
          • +
          • Signature Generation:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
          • Signature Verification:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

      +

      Version 10.0.16299

        +
      • ECDSA:
      • +
        • +
        • 186-4:
        • +
          • +
          • Key Pair Generation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
            • Generation Methods: Extra Random Bits
            • +
          • +
          • Public Key Validation:
          • +
            • +
            • Curves: P-256, P-384, P-521
            • +
          • +
          • Signature Generation:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
          • Signature Verification:
          • +
            • +
            • P-256 SHA: SHA-256
            • +
            • P-384 SHA: SHA-384
            • +
            • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

      +

      Version 10.0.16299

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 TestingCandidates )
      +SHS: Val#3790
      +DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

      +

      Version 10.0.15063

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +PKV: CURVES( P-256 P-384 P-521 )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      +SHS: Val#3790
      +DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

      +

      Version 10.0.15063

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +PKV: CURVES( P-256 P-384 P-521 )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      +SHS: Val#3790
      +DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

      +

      Version 10.0.15063

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +PKV: CURVES( P-256 P-384 P-521 )
      +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
      +SHS:Val# 3649
      +DRBG:Val# 1430

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

      +

      Version 7.00.2872

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +PKV: CURVES( P-256 P-384 P-521 )
      +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
      +SHS:Val#3648
      +DRBG:Val# 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

      +

      Version 8.00.6246

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 TestingCandidates )
      +PKV: CURVES( P-256 P-384 )
      +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

      +

      SHS: Val# 3347
      +DRBG: Val# 1222

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

      +

      Version 10.0.14393

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +PKV: CURVES( P-256 P-384 P-521 )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      +

      SHS: Val# 3347
      +DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

      +

      Version 10.0.14393

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      +

      SHS: Val# 3047
      +DRBG: Val# 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

      +

      Version 10.0.10586

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      +

      SHS: Val# 2886
      +DRBG: Val# 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

      +

      Version 10.0.10240

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

      +

      SHS: Val#2373
      +DRBG: Val# 489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

      +

      Version 6.3.9600

      FIPS186-2:
      +PKG: CURVES
      ( P-256 P-384 P-521 )
      +SHS: #1903
      +DRBG: #258
      +SIG(ver):CURVES( P-256 P-384 P-521 )
      +SHS: #1903
      +DRBG: #258

      +

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      +SHS: #1903
      +DRBG: #258
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

      FIPS186-2:
      +PKG: CURVES
      ( P-256 P-384 P-521 )
      +SHS: Val#1773
      +DRBG: Val# 193
      +SIG(ver): CURVES( P-256 P-384 P-521 )
      +SHS: Val#1773
      +DRBG: Val# 193

      +

      FIPS186-4:
      +PKG: CURVES
      ( P-256 P-384 P-521 ExtraRandomBits )
      +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
      +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
      +SHS: Val#1773
      +DRBG: Val# 193
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
      FIPS186-2:
      +PKG: CURVES
      ( P-256 P-384 P-521 )
      +SHS: Val#1081
      +DRBG: Val# 23
      +SIG(ver): CURVES( P-256 P-384 P-521 )
      +SHS: Val#1081
      +DRBG: Val# 23
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

      Windows Server 2008 R2 and SP1 CNG algorithms #142

      +

      Windows 7 Ultimate and SP1 CNG algorithms #141

      FIPS186-2:
      +PKG: CURVES
      ( P-256 P-384 P-521 )
      +SHS: Val#753
      +SIG(ver): CURVES( P-256 P-384 P-521 )
      +SHS: Val#753
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

      Windows Server 2008 CNG algorithms #83

      +

      Windows Vista Ultimate SP1 CNG algorithms #82

      FIPS186-2:
      +PKG: CURVES
      ( P-256 P-384 P-521 )
      +SHS: Val#618
      +RNG: Val# 321
      +SIG(ver): CURVES( P-256 P-384 P-521 )
      +SHS: Val#618
      +RNG: Val# 321
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
      Windows Vista CNG algorithms #60
      + + +#### Keyed-Hash Message Authentication Code (HMAC) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • HMAC-SHA-1:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-256:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-384:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      +

      Prerequisite: SHS #4011

      Microsoft Surface Hub Virtual TPM Implementations #3271

      +

      Version 10.0.15063.674

        +
      • HMAC-SHA-1:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-256:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-384:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      +

      Prerequisite: SHS #4009

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

      +

      Version 10.0.16299

        +
      • HMAC-SHA-1:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-256:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-384:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-512:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      +

      Prerequisite: SHS #4011

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

      +

      Version 10.0.15063.674

        +
      • HMAC-SHA-1:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-256:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-384:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-512:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      +

      Prerequisite: SHS #4010

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

      +

      Version 10.0.15254

        +
      • HMAC-SHA-1:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-256:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-384:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      • HMAC-SHA2-512:
      • +
        • +
        • Key Sizes &lt; Block Size
        • +
        • Key Sizes &gt; Block Size
        • +
        • Key Sizes = Block Size
        • +
      • +
      +

      Prerequisite: SHS #4009

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

      +

      Version 10.0.16299

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

      +

      Version 10.0.15063

      HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

      +

      Version 10.0.15063

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

      +

      Version 7.00.2872

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

      +

      Version 8.00.6246

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

      +

      Version 7.00.2872

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

      +

      Version 8.00.6246

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      +SHS Val# 3347

      +

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      +SHS Val# 3347

      +

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      +SHS Val# 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

      +

      Version 10.0.14393

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

      +

      Version 10.0.14393

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      +SHS Val# 3047

      +

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      +SHS Val# 3047

      +

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      +SHS Val# 3047

      +

      HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
      +SHS Val# 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

      +

      Version 10.0.10586

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      +SHSVal# 2886

      +

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      +SHSVal# 2886

      +

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      + SHSVal# 2886

      +

      HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
      +SHSVal# 2886

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

      +

      Version 10.0.10240

      HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
      +SHS Val#2373

      +

      HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
      +SHS Val#2373

      +

      HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
      +SHS Val#2373

      +

      HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
      +SHS Val#2373

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

      +

      Version 6.3.9600

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

      Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

      +

      Version 5.2.29344

      HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

      +

      SHS#1903

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

      +

      SHS#1903

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

      +

      SHS#1903

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

      +

      SHS#1903

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

      +

      Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

      Windows Server 2008 R2 and SP1 CNG algorithms #686

      +

      Windows 7 and SP1 CNG algorithms #677

      +

      Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

      +

      Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

      HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

      HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

      Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

      Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

      +

      Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

      +

      Windows XP, vendor-affirmed

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

      Windows Server 2008 CNG algorithms #413

      +

      Windows Vista Ultimate SP1 CNG algorithms #412

      HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

      Windows Vista Ultimate BitLocker Drive Encryption #386

      HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

      Windows Vista CNG algorithms #298

      HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

      HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

      Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

      HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

      Windows Vista BitLocker Drive Encryption #199
      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

      +

      Windows XP, vendor-affirmed

      HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

      +

      HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

      +

      HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

      +

      HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
      + + +#### Key Agreement Scheme (KAS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • KAS ECC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
        • +
        • Schemes:
        • +
          • +
          • Full Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • KDFs: Concatenation
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

      Microsoft Surface Hub Virtual TPM Implementations #150

      +

      Version 10.0.15063.674

        +
      • KAS ECC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
        • +
        • Schemes:
        • +
          • +
          • Full Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • KDFs: Concatenation
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

      +

      Version 10.0.16299

        +
      • KAS ECC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • +
        • Schemes:
        • +
          • +
          • Ephemeral Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • KDFs: Concatenation
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • One Pass DH:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • Static Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

      +
        +
      • KAS FFC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • +
        • Schemes:
        • +
          • +
          • dhEphem:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • dhOneFlow:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • dhStatic:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DSA #1303, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

      +

      Version 10.0.15063.674

        +
      • KAS ECC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • +
        • Schemes:
        • +
          • +
          • Ephemeral Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • KDFs: Concatenation
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • One Pass DH:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • Static Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

      +
        +
      • KAS FFC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • +
        • Schemes:
        • +
          • +
          • dhEphem:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • dhOneFlow:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • dhStatic:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, DSA #1302, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

      +

      Version 10.0.15254

        +
      • KAS ECC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • +
        • Schemes:
        • +
          • +
          • Ephemeral Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • KDFs: Concatenation
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • One Pass DH:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • Static Unified:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • EC:
              • +
                • +
                • Curve: P-256
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • ED:
              • +
                • +
                • Curve: P-384
                • +
                • SHA: SHA-384
                • +
                • MAC: HMAC
                • +
              • +
              • EE:
              • +
                • +
                • Curve: P-521
                • +
                • SHA: SHA-512
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

      +
        +
      • KAS FFC:
      • +
        • +
        • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • +
        • Schemes:
        • +
          • +
          • dhEphem:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • dhOneFlow:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
          • dhStatic:
          • +
            • +
            • Key Agreement Roles: Initiator, Responder
            • +
            • Parameter Sets:
            • +
              • +
              • FB:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
              • FC:
              • +
                • +
                • SHA: SHA-256
                • +
                • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DSA #1301, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

      +

      Version 10.0.16299

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

      +

      SHS Val#3790
      +DSA Val#1135
      +DRBG Val#1556

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

      +

      Version 10.0.15063

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      +( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      +SHS Val#3790
      +DSA Val#1223
      +DRBG Val#1555

      +

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +
      +SHS Val#3790
      +ECDSA Val#1133
      +DRBG Val#1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

      +

      Version 10.0.15063

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      +( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      +SHS Val# 3649
      +DSA Val#1188
      +DRBG Val#1430

      +

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

      +

      Version 7.00.2872

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      +( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
      +SHS Val#3648
      +DSA Val#1187
      +DRBG Val#1429

      +

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +
      +SHS Val#3648
      +ECDSA Val#1072
      +DRBG Val#1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

      +

      Version 8.00.6246

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
      +SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

      +

      SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

      +

      Version 10.0.14393

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
      +SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      +( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      +

      SHS Val# 3347 DSA Val#1098 DRBG Val#1217

      +

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      +

      SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

      +

      Version 10.0.14393

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      +( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      +

      SHS Val# 3047 DSA Val#1024 DRBG Val#955

      +

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      +

      SHS Val# 3047 ECDSA Val#760 DRBG Val#955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

      +

      Version 10.0.10586

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      +( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      +

      SHS Val# 2886 DSA Val#983 DRBG Val#868

      +

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      +

      SHS Val# 2886 ECDSA Val#706 DRBG Val#868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

      +

      Version 10.0.10240

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
      +( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

      +

      SHS Val#2373 DSA Val#855 DRBG Val#489

      +

      ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
      +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

      +

      SHS Val#2373 ECDSA Val#505 DRBG Val#489

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

      +

      Version 6.3.9600

      FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
      +( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
      +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
      +SHS #1903 DSA Val#687 DRBG #258

      +

      ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
      +[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
      +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
      +
      +SHS #1903 ECDSA Val#341 DRBG #258

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

      KAS (SP 800–56A)

      +

      key agreement

      +

      key establishment methodology provides 80 to 256 bits of encryption strength

      Windows 7 and SP1, vendor-affirmed

      +

      Windows Server 2008 R2 and SP1, vendor-affirmed

      + + +SP 800-108 Key-Based Key Derivation Functions (KBKDF) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • Counter:
      • +
        • +
        • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
        • +
      • +
      +

      MAC prerequisite: HMAC #3271

      +
      +
        +
      • Counter Location: Before Fixed Data
      • +
      • R Length: 32 (bits)
      • +
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
      +
      +

      K prerequisite: DRBG #1734, KAS #150

      Microsoft Surface Hub Virtual TPM Implementations #161

      +

      Version 10.0.15063.674

        +
      • Counter:
      • +
        • +
        • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
        • +
      • +
      +

      MAC prerequisite: HMAC #3270

      +
      +
        +
      • Counter Location: Before Fixed Data
      • +
      • R Length: 32 (bits)
      • +
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
      +
      +

      K prerequisite: DRBG #1733, KAS #149

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

      +

      Version 10.0.16299

        +
      • Counter:
      • +
        • +
        • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • +
      • +
      +

      MAC prerequisite: AES #4902, HMAC #3269

      +
      +
        +
      • Counter Location: Before Fixed Data
      • +
      • R Length: 32 (bits)
      • +
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
      • K prerequisite: KAS #148
      • +
      +

      Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

      +

      Version 10.0.15063.674

        +
      • Counter:
      • +
        • +
        • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • +
      • +
      +

      MAC prerequisite: AES #4901, HMAC #3268

      +
      +
        +
      • Counter Location: Before Fixed Data
      • +
      • R Length: 32 (bits)
      • +
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
      +
      +

      K prerequisite: KAS #147

      Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

      +

      Version 10.0.15254

        +
      • Counter:
      • +
        • +
        • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • +
      • +
      +

      MAC prerequisite: AES #4897, HMAC #3267

      +
      +
        +
      • Counter Location: Before Fixed Data
      • +
      • R Length: 32 (bits)
      • +
      • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
      +
      +

      K prerequisite: KAS #146

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

      +

      Version 10.0.16299

      CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
      +
      +KAS Val#128
      +DRBG Val#1556
      +MAC Val#3062

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

      +

      Version 10.0.15063

      CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
      +
      +KAS Val#127
      +AES Val#4624
      +DRBG Val#1555
      +MAC Val#3061

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

      +

      Version 10.0.15063

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      +

      KAS Val#93 DRBG Val#1222 MAC Val#2661

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

      +

      Version 10.0.14393

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      +

      KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

      +

      Version 10.0.14393

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      +

      KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

      +

      Version 10.0.10586

      CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      +

      KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

      +

      Version 10.0.10240

      CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      +

      DRBG Val#489 MAC Val#1773

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

      +

      Version 6.3.9600

      CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

      +

      DRBG #258 HMAC Val#1345

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
      + + +Random Number Generator (RNG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #

      FIPS 186-2 General Purpose

      +

      [ (x-Original); (SHA-1) ]

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
      FIPS 186-2
      +[ (x-Original); (SHA-1) ]

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

      +

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

      +

      Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

      +

      Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

      FIPS 186-2
      +[ (x-Change Notice); (SHA-1) ]

      +

      FIPS 186-2 General Purpose
      +[ (x-Change Notice); (SHA-1) ]

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

      +

      Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

      +

      Windows Vista RNG implementation #321

      FIPS 186-2 General Purpose
      +[ (x-Change Notice); (SHA-1) ]

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

      +

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

      +

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

      +

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

      +

      Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

      FIPS 186-2
      +[ (x-Change Notice); (SHA-1) ]

      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

      +

      Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

      + + +#### RSA + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1734

      Microsoft Surface Hub Virtual TPM Implementations #2677

      +

      Version 10.0.15063.674

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 240 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 1024:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1733

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

      +

      Version 10.0.16299

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Key Generation:
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub RSA32 Algorithm Implementations #2675

      +

      Version 10.0.15063.674

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

      +

      Version 10.0.16299

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

      +

      Version 10.0.15254

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Key Generation:
        • +
          • +
          • Public Key Exponent: Fixed (10001)
          • +
          • Provable Primes with Conditions:
          • +
            • +
            • Mod lengths: 2048, 3072 (bits)
            • +
            • Primality Tests: C.3
            • +
          • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 1024:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 496 (bits)
            • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

      +

      Version 10.0.15063.674

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Key Generation:
        • +
          • +
          • Probable Random Primes:
          • +
            • +
            • Mod lengths: 2048, 3072 (bits)
            • +
            • Primality Tests: C.2
            • +
          • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 1024:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 496 (bits)
            • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

      +

      Version 10.0.15063.674

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Key Generation:
        • +
          • +
          • Probable Random Primes:
          • +
            • +
            • Mod lengths: 2048, 3072 (bits)
            • +
            • Primality Tests: C.2
            • +
          • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 1024:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 496 (bits)
            • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

      +

      Version 10.0.15254

      RSA:

      +
        +
      • 186-4:
      • +
        • +
        • Key Generation:
        • +
          • +
          • Public Key Exponent: Fixed (10001)
          • +
          • Provable Primes with Conditions:
          • +
            • +
            • Mod lengths: 2048, 3072 (bits)
            • +
            • Primality Tests: C.3
            • +
          • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 1024:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 496 (bits)
            • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, DRBG #1731

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

      +

      Version 10.0.15254

        +
      • 186-4:
      • +
        • +
        • Key Generation:
        • +
          • +
          • Public Key Exponent: Fixed (10001)
          • +
          • Provable Primes with Conditions:
          • +
            • +
            • Mod lengths: 2048, 3072 (bits)
            • +
            • Primality Tests: C.3
            • +
          • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 1024:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 496 (bits)
            • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

      +

      Version 10.0.16299

        +
      • 186-4:
      • +
        • +
        • Key Generation:
        • +
          • +
          • Probable Random Primes:
          • +
            • +
            • Mod lengths: 2048, 3072 (bits)
            • +
            • Primality Tests: C.2
            • +
          • +
        • +
        • Signature Generation PKCS1.5:
        • +
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Generation PSS:
        • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
        • Signature Verification PKCS1.5:
        • +
          • +
          • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
          • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
        • Signature Verification PSS:
        • +
          • +
          • Mod 1024:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 496 (bits)
            • +
          • +
          • Mod 2048:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
          • Mod 3072:
          • +
            • +
            • SHA-1: Salt Length: 160 (bits)
            • +
            • SHA-256: Salt Length: 256 (bits)
            • +
            • SHA-384: Salt Length: 384 (bits)
            • +
            • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

      +

      Version 10.0.16299

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
      +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
      +SHA Val#3790

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

      +

      Version 10.0.15063

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      +SHA Val#3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

      +

      Version 10.0.15063

      FIPS186-4:
      +186-4KEY(gen):
      FIPS186-4_Fixed_e ( 10001 ) ;
      +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
      +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      +SHA Val#3790
      +DRBG: Val# 1555

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

      +

      Version 10.0.15063

      FIPS186-4:
      +186-4KEY(gen):
      +PGM(ProbRandom:
      ( 2048 , 3072 ) PPTT:( C.2 )
      +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      +SHA Val#3790

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

      +

      Version 10.0.15063

      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

      +

      FIPS186-4:
      +ALG[ANSIX9.31]
      Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
      +SIG(gen) with SHA-1 affirmed for use with protocols only.
      Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
      +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      +SHA Val#3652

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

      +

      Version 7.00.2872

      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

      +

      FIPS186-4:
      +ALG[ANSIX9.31]
      Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
      +SIG(gen) with SHA-1 affirmed for use with protocols only.
      Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
      +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      +SHA Val#3651

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

      +

      Version 8.00.6246

      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

      +

      FIPS186-4:
      +186-4KEY(gen):
      FIPS186-4_Fixed_e (10001) ;
      +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
      +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      +SHA Val# 3649
      +DRBG: Val# 1430

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

      +

      Version 7.00.2872

      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

      +

      FIPS186-4:
      +186-4KEY(gen):
      FIPS186-4_Fixed_e (10001) ;
      +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
      +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
      +SHA Val#3648
      +DRBG: Val# 1429

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

      +

      Version 8.00.6246

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
      +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
      +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

      +

      SHA Val# 3347

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

      +

      Version 10.0.14393

      FIPS186-4:
      +186-4KEY(gen):
      FIPS186-4_Fixed_e ( 10001 ) ;
      +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      +

      SHA Val# 3347 DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

      +

      Version 10.0.14393

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val#3346

      soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

      +

      Version 10.0.14393

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val# 3347 DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

      +

      Version 10.0.14393

      FIPS186-4:
      +[RSASSA-PSS]: Sig(Gen):
      (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      +

      Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      +

      SHA Val# 3347 DRBG: Val# 1217

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

      +

      Version 10.0.14393

      FIPS186-4:
      +186-4KEY(gen)
      :  FIPS186-4_Fixed_e ( 10001 ) ;
      +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      +

      SHA Val# 3047 DRBG: Val# 955

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

      +

      Version 10.0.10586

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val#3048

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

      +

      Version 10.0.10586

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val# 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

      +

      Version 10.0.10586

      FIPS186-4:
      +[RSASSA-PSS]: Sig(Gen)
      : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      +

      SHA Val# 3047

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

      +

      Version 10.0.10586

      FIPS186-4:
      +186-4KEY(gen):
      FIPS186-4_Fixed_e ( 10001 ) ;
      +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      +

      SHA Val# 2886 DRBG: Val# 868

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

      +

      Version 10.0.10240

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val#2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

      +

      Version 10.0.10240

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val#2871

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

      +

      Version 10.0.10240

      FIPS186-4:
      +[RSASSA-PSS]:
      Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      +Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      +

      SHA Val# 2886

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

      +

      Version 10.0.10240

      FIPS186-4:
      +186-4KEY(gen):
      FIPS186-4_Fixed_e ;
      +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

      +

      SHA Val#2373 DRBG: Val# 489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

      +

      Version 6.3.9600

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val#2373

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

      +

      Version 6.3.9600

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5
      ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

      +

      SHA Val#2373

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

      +

      Version 6.3.9600

      FIPS186-4:
      +[RSASSA-PSS]:
      Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
      + Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

      +

      SHA Val#2373

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

      +

      Version 6.3.9600

      FIPS186-4:
      +ALG[RSASSA-PKCS1_V1_5]
      SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
      +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
      +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
      +Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
      +SHA #1903

      +

      Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
      FIPS186-4:
      +186-4KEY(gen):
      FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
      +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
      +SHA #1903 DRBG: #258
      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
      FIPS186-2:
      +ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.
      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.
      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
      FIPS186-2:
      +ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.
      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.
      Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

      Windows Server 2008 R2 and SP1 CNG algorithms #567

      +

      Windows 7 and SP1 CNG algorithms #560

      FIPS186-2:
      +ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
      Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.
      Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
      FIPS186-2:
      +ALG[ANSIX9.31]:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.
      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.
      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

      Windows Server 2008 CNG algorithms #358

      +

      Windows Vista SP1 CNG algorithms #357

      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

      Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

      +

      Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

      FIPS186-2:
      +ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
      Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
      FIPS186-2:
      +ALG[ANSIX9.31]:
      Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
      Windows Vista RSA key generation implementation #258
      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.
      Windows Vista CNG algorithms #257
      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:
      SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.
      Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.
      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.
      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.
      Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
      FIPS186-2:
      +ALG[RSASSA-PKCS1_V1_5]:

      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.
      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
      FIPS186-2:
      +ALG[ANSIX9.31]:

      +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
      +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
      +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.
      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

      FIPS186-2:

      +

      – PKCS#1 v1.5, signature generation and verification

      +

      – Mod sizes: 1024, 1536, 2048, 3072, 4096

      +

      – SHS: SHA–1/256/384/512

      Windows XP, vendor-affirmed

      +

      Windows 2000, vendor-affirmed

      + + +#### Secure Hash Standard (SHS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • SHA-1:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-256:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-384:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-512:
      • +
        • +
        • Supports Empty Message
        • +
      • +

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

      +

      Version 10.0.15063.674

        +
      • SHA-1:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-256:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-384:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-512:
      • +
        • +
        • Supports Empty Message
        • +
      • +

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

      +

      Version 10.0.15254

        +
      • SHA-1:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-256:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-384:
      • +
        • +
        • Supports Empty Message
        • +
      • +
      • SHA-512:
      • +
        • +
        • Supports Empty Message
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

      +

      Version 10.0.16299

      SHA-1      (BYTE-only)
      +SHA-256  (BYTE-only)
      +SHA-384  (BYTE-only)
      +SHA-512  (BYTE-only)

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

      +

      Version 10.0.15063

      SHA-1      (BYTE-only)
      +SHA-256  (BYTE-only)
      +SHA-384  (BYTE-only)
      +SHA-512  (BYTE-only)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

      +

      Version 7.00.2872

      SHA-1      (BYTE-only)
      +SHA-256  (BYTE-only)
      +SHA-384  (BYTE-only)
      +SHA-512  (BYTE-only)

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

      +

      Version 8.00.6246

      SHA-1      (BYTE-only)
      +SHA-256  (BYTE-only)
      +SHA-384  (BYTE-only)
      +SHA-512  (BYTE-only)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

      +

      Version 7.00.2872

      SHA-1      (BYTE-only)
      +SHA-256  (BYTE-only)
      +SHA-384  (BYTE-only)
      +SHA-512  (BYTE-only)

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

      +

      Version 8.00.6246

      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
      +Version 10.0.14393
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
      +Version 10.0.14393
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
      +Version 10.0.10586
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
      +Version 10.0.10586
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
      +Version 10.0.10240
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
      +Version 10.0.10240
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
      +Version 6.3.9600
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
      +Version 6.3.9600

      SHA-1 (BYTE-only)

      +

      SHA-256 (BYTE-only)

      +

      SHA-384 (BYTE-only)

      +

      SHA-512 (BYTE-only)

      +

      Implementation does not support zero-length (null) messages.

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

      +

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

      +

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

      +

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

      SHA-1 (BYTE-only)

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

      +

      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)
      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)

      Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

      +

      Windows Vista Symmetric Algorithm Implementation #618

      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)

      Windows Vista BitLocker Drive Encryption #737

      +

      Windows Vista Beta 2 BitLocker Drive Encryption #495

      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

      +

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

      SHA-1 (BYTE-only)

      Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

      +

      Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

      +

      Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

      +

      Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

      +

      Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

      +

      Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

      +

      Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

      SHA-1 (BYTE-only)
      +SHA-256 (BYTE-only)
      +SHA-384 (BYTE-only)
      +SHA-512 (BYTE-only)

      Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

      +

      Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

      +

      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

      SHA-1 (BYTE-only)

      Windows XP Microsoft Enhanced Cryptographic Provider #83

      +

      Crypto Driver for Windows 2000 (fips.sys) #35

      +

      Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

      +

      Windows 2000 RSAENH.DLL #24

      +

      Windows 2000 RSABASE.DLL #23

      +

      Windows NT 4 SP6 RSAENH.DLL #21

      +

      Windows NT 4 SP6 RSABASE.DLL #20

      + + +#### Triple DES + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Modes / States / Key SizesAlgorithm Implementation and Certificate #
        +
      • TDES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-CFB64:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-CFB8:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-ECB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

      +

      Version 10.0.15063.674

        +
      • TDES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-CFB64:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-CFB8:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-ECB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

      +

      Version 10.0.15254

        +
      • TDES-CBC:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-CFB64:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-CFB8:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +
      • TDES-ECB:
      • +
        • +
        • Modes: Decrypt, Encrypt
        • +
        • Keying Option: 1
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

      +

      Version 10.0.16299

      TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

      +

      Version 10.0.15063

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, )

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

      +

      Version 8.00.6246

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, )

      Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

      +

      Version 8.00.6246

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, ) ;

      +

      CTR ( int only )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

      +

      Version 7.00.2872

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, )

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

      +

      Version 8.00.6246

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, ) ;

      +

      TCFB8( KO 1 e/d, ) ;

      +

      TCFB64( KO 1 e/d, )

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
      +
      +

      +

      Version 10.0.14393

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, ) ;

      +

      TCFB8( KO 1 e/d, ) ;

      +

      TCFB64( KO 1 e/d, )

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
      +
      +

      +

      Version 10.0.10586

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, ) ;

      +

      TCFB8( KO 1 e/d, ) ;

      +

      TCFB64( KO 1 e/d, )

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
      +
      +

      +

      Version 10.0.10240

      TECB( KO 1 e/d, ) ;

      +

      TCBC( KO 1 e/d, ) ;

      +

      TCFB8( KO 1 e/d, ) ;

      +

      TCFB64( KO 1 e/d, )

      Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

      +

      Version 6.3.9600

      TECB( e/d; KO 1,2 ) ;

      +

      TCBC( e/d; KO 1,2 ) ;

      +

      TCFB8( e/d; KO 1,2 ) ;

      +

      TCFB64( e/d; KO 1,2 )

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

      TECB( e/d; KO 1,2 ) ;

      +

      TCBC( e/d; KO 1,2 ) ;

      +

      TCFB8( e/d; KO 1,2 )

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

      TECB( e/d; KO 1,2 ) ;

      +

      TCBC( e/d; KO 1,2 ) ;

      +

      TCFB8( e/d; KO 1,2 )

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

      TECB( e/d; KO 1,2 ) ;

      +

      TCBC( e/d; KO 1,2 ) ;

      +

      TCFB8( e/d; KO 1,2 )

      Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

      TECB( e/d; KO 1,2 ) ;

      +

      TCBC( e/d; KO 1,2 ) ;

      +

      TCFB8( e/d; KO 1,2 )

      Windows Vista Symmetric Algorithm Implementation #549
      Triple DES MAC

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

      +

      Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

      TECB( e/d; KO 1,2 ) ;

      +

      TCBC( e/d; KO 1,2 )

      Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

      +

      Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

      +

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

      +

      Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

      +

      Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

      +

      Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

      +

      Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

      +

      Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

      +

      Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

      +

      Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

      +

      Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

      +

      Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

      +

      Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

      +

      Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

      +

      Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

      +

      Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

      +

      Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

      +

      Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

      +

      Windows XP Microsoft Enhanced Cryptographic Provider #81

      +

      Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

      +

      Crypto Driver for Windows 2000 (fips.sys) #16

      + + +#### SP 800-132 Password Based Key Derivation Function (PBKDF) + + + + + + + + + + + + + + +
      + Modes / States / Key Sizes + + Algorithm Implementation and Certificate # +
      + PBKDF (vendor affirmed) +

       Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
      (Software Version: 10.0.14393)

      +

      Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
      (Software Version: 10.0.14393)

      +

      Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
      (Software Version: 10.0.14393)

      +

      Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
      (Software Version: 10.0.14393)

      +
      + PBKDF (vendor affirmed) +

      Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
      (Software Version: 10.0.14393)

      +

      Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

      +
      + + +#### Component Validation List + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Publication / Component Validated / DescriptionImplementation and Certificate #
        +
      • ECDSA SigGen:
      • +
        • +
        • P-256 SHA: SHA-256
        • +
        • P-384 SHA: SHA-384
        • +
        • P-521 SHA: SHA-512
        • +
      • +
      +

      Prerequisite: DRBG #489

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

      +

      Version 6.3.9600

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Microsoft Surface Hub Virtual TPM Implementations #1519

      +

      Version 10.0.15063.674

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

      +

      Version 10.0.16299

        +
      • RSADP:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
      • +

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

      +

      Version 10.0.15063.674

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

      +

      Version 10.0.15063.674

        +
      • ECDSA SigGen:
      • +
        • +
        • P-256 SHA: SHA-256
        • +
        • P-384 SHA: SHA-384
        • +
        • P-521 SHA: SHA-512
        • +
      • +
      +

       Prerequisite: DRBG #1732

      Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

      +

      Version 10.0.15063.674

        +
      • ECDSA SigGen:
      • +
        • +
        • P-256 SHA: SHA-256
        • +
        • P-384 SHA: SHA-384
        • +
        • P-521 SHA: SHA-512
        • +
      • +
      +

      Prerequisite: DRBG #1732

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

      +

      Version 10.0.15063.674

        +
      • RSADP:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
      • +

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

      +

      Version 10.0.15063.674

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

      +

      Version 10.0.15063.674

        +
      • IKEv1:
      • +
        • +
        • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • +
        • Pre-shared Key Length: 64-2048
        • +
        • Diffie-Hellman shared secrets:
        • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 2048 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 256 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 384 (bits)
            • +
            • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, HMAC #3269

      +
        +
      • IKEv2:
      • +
        • +
        • Derived Keying Material length: 192-1792
        • +
        • Diffie-Hellman shared secrets:
        • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 2048 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 256 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 384 (bits)
            • +
            • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, HMAC #3269

      +
        +
      • TLS:
      • +
        • +
        • Supports TLS 1.0/1.1
        • +
        • Supports TLS 1.2:
        • +
          • +
          • SHA Functions: SHA-256, SHA-384
          • +
        • +
      • +
      +

      Prerequisite: SHS #4011, HMAC #3269

      Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

      +

      Version 10.0.15063.674

        +
      • ECDSA SigGen:
      • +
        • +
        • P-256 SHA: SHA-256
        • +
        • P-384 SHA: SHA-384
        • +
        • P-521 SHA: SHA-512
        • +
      • +
      +

      Prerequisite: DRBG #1731

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

      +

      Version 10.0.15254

        +
      • RSADP:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
      • +

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

      +

      Version 10.0.15254

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

      +

      Version 10.0.15254

        +
      • IKEv1:
      • +
        • +
        • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • +
        • Pre-shared Key Length: 64-2048
        • +
        • Diffie-Hellman shared secrets:
        • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 2048 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 256 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 384 (bits)
            • +
            • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, HMAC #3268

      +
        +
      • IKEv2:
      • +
        • +
        • Derived Keying Material length: 192-1792
        • +
        • Diffie-Hellman shared secrets:
        • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 2048 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 256 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 384 (bits)
            • +
            • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, HMAC #3268

      +
        +
      • TLS:
      • +
        • +
        • Supports TLS 1.0/1.1
        • +
        • Supports TLS 1.2:
        • +
          • +
          • SHA Functions: SHA-256, SHA-384
          • +
        • +
      • +
      +

      Prerequisite: SHS #4010, HMAC #3268

      Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

      +

      Version 10.0.15254

        +
      • ECDSA SigGen:
      • +
        • +
        • P-256 SHA: SHA-256
        • +
        • P-384 SHA: SHA-384
        • +
        • P-521 SHA: SHA-512
        • +
      • +
      +

      Prerequisite: DRBG #1731

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

      +

      Version 10.0.15254

        +
      • RSADP:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
      • +

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

      +

      Version 10.0.15254

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

      +

      Version 10.0.15254

        +
      • ECDSA SigGen:
      • +
        • +
        • P-256 SHA: SHA-256
        • +
        • P-384 SHA: SHA-384
        • +
        • P-521 SHA: SHA-512
        • +
      • +
      +

      Prerequisite: DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

      +

      Version 10.0.16299

        +
      • RSADP:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

      +

      Version 10.0.16299

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

      +

      Version 10.0.16299

        +
      • ECDSA SigGen:
      • +
        • +
        • P-256 SHA: SHA-256
        • +
        • P-384 SHA: SHA-384
        • +
        • P-521 SHA: SHA-512
        • +
      • +
      +

      Prerequisite: DRBG #1730

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

      +

      Version 10.0.16299

        +
      • RSADP:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

      +

      Version 10.0.16299

      +

       

        +
      • RSASP1:
      • +
        • +
        • Modulus Size: 2048 (bits)
        • +
        • Padding Algorithms: PKCS 1.5
        • +
      • +

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

      +

      Version 10.0.16299

        +
      • IKEv1:
      • +
        • +
        • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • +
        • Pre-shared Key Length: 64-2048
        • +
        • Diffie-Hellman shared secrets:
        • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 2048 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 256 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 384 (bits)
            • +
            • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, HMAC #3267

      +
        +
      • IKEv2:
      • +
        • +
        • Derived Keying Material length: 192-1792
        • +
        • Diffie-Hellman shared secrets:
        • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 2048 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 256 (bits)
            • +
            • SHA Functions: SHA-256
            • +
          • +
          • Diffie-Hellman shared secret:
          • +
            • +
            • Length: 384 (bits)
            • +
            • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, HMAC #3267

      +
        +
      • TLS:
      • +
        • +
        • Supports TLS 1.0/1.1
        • +
        • Supports TLS 1.2:
        • +
          • +
          • SHA Functions: SHA-256, SHA-384
          • +
        • +
      • +
      +

      Prerequisite: SHS #4009, HMAC #3267

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

      +

      Version 10.0.16299

      FIPS186-4 ECDSA

      +

      Signature Generation of hash sized messages

      +

      ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
      +Version 10.0. 15063

      +

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
      +Version 10.0. 15063

      +

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
      +Version 10.0.14393

      +

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
      +Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
      +Version 10.0.10586

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
      +Version 6.3.9600

      FIPS186-4 RSA; PKCS#1 v2.1

      +

      RSASP1 Signature Primitive

      +

      RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

      Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
      +Version 10.0.15063

      +

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
      +Version 10.0.15063

      +

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
      +Version 10.0.15063

      +

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
      +Version 10.0.14393

      +

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
      +Version 10.0.14393

      +

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
      +Version 10.0.10586

      +

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
      +Version  10.0.10240

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
      +Version 6.3.9600

      FIPS186-4 RSA; RSADP

      +

      RSADP Primitive

      +

      RSADP: (Mod2048)

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
      +Version 10.0.15063

      +

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
      +Version 10.0.15063

      +

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
      +Version 10.0.14393

      +

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
      +Version 10.0.14393

      +

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
      +Version 10.0.10586

      +

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
      +Version  10.0.10240

      SP800-135

      +

      Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

      Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

      +

      Version 10.0.16299

      +

      Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
      +Version 10.0.15063

      +

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
      +Version 7.00.2872

      +

      Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
      +Version 8.00.6246

      +

      Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
      +Version 10.0.14393

      +

      Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
      +Version 10.0.10586

      +

      Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
      +Version  10.0.10240

      +

      Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
      +Version 6.3.9600

      + + +## References + +\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules + +\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ + +\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) + +\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
\ No newline at end of file
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 663976a44a..bbba6bbb82 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,7 +1,7 @@
 ---
 title: Threat Protection (Windows 10)
 description: Learn how Microsoft Defender ATP helps protect against threats.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting
+keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting, web threat protection
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -64,7 +64,7 @@ The attack surface reduction set of capabilities provide the first line of defen
 - [Application control](windows-defender-application-control/windows-defender-application-control.md)
 - [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 - [Exploit protection](microsoft-defender-atp/exploit-protection.md)
-- [Network protection](microsoft-defender-atp/network-protection.md), [Web protection](microsoft-defender-atp/web-protection-overview.md)
+- [Network protection](microsoft-defender-atp/network-protection.md), [web protection](microsoft-defender-atp/web-protection-overview.md)
 - [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
 - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
 - [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index f00d63e08f..f6b12d45e0 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -24,15 +24,17 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from - [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) > [!NOTE] -> The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/wdsi/definitions). +> Starting November 2019, Safety Scanner will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run Safety Scanner. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). -Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. +## Important information -> [!NOTE] -> This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). +- The security intelligence update version of the Microsoft Safety Scanner matches the version described [in this web page](https://www.microsoft.com/wdsi/definitions). -> [!NOTE] -> Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. 
+- Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. + +- Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. + +- This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/windows/comprehensive-security) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/wdsi/help/troubleshooting-infection). ## System requirements diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index adfe6b2035..1723f5ee27 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md 
@@ -19,18 +19,11 @@ ms.topic: article The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. -MVI members will receive access to Windows APIs (such as those used by Windows Defender Antivirus), and other technologies including IOAV, AMSI and Cloud Files, malware telemetry and samples, and invitations to security related events and conferences. +MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files. Members also get malware telemetry and samples and invitations to security related events and conferences. -MVI requires members to develop and own antimalware technology and to be present in the antimalware industry community. +## Become a member -## Join MVI - -A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. - - -### Initial selection criteria - -Your organization must meet the following eligibility requirements to qualify for the MVI program: +A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements to qualify for the MVI program: 1. Offer an antimalware or antivirus product that is one of the following: 
@@ -39,10 +32,9 @@ Your organization must meet the following eligibility requirements to qualify fo 2. Have your own malware research team unless you build a product based on an SDK. -3. Be active and have a positive reputation in the antimalware industry. Your organization is: +3. Be active and have a positive reputation in the antimalware industry. - * Certified through independent testing by an industry standard organization such as [ICSA Labs](https://www.icsalabs.com/), [West Coast Labs](http://www.westcoastlabs.com/), [PCSL IT Consulting Institute](https://www.pitci.net/), or [SKD Labs](http://www.skdlabs.com/html/english/). - * Be active in the antimalware industry. For example, participate in industry conferences, be reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. + * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. 4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. @@ -52,6 +44,19 @@ Your organization must meet the following eligibility requirements to qualify fo 7. Submit your app to Microsoft for periodic performance testing. -### Apply now +8. Certified through independent testing by at least one industry standard organization. + +Test Provider | Lab Test Type | Minimum Level / Score +------------- |---------------|---------------------- +AV-Comparatives | Real-World Protection Test
      https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives +AV-Test | Must pass tests for Windows. Certifications for Mac and Linux are not accepted
      https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) +ICSA Labs | Endpoint Anti-Malware Detection
      https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified +NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities
      https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS +SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
      http://www.skdlabs.com/html/english/
      http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5 % with On Demand, On Access and Total Detection tests +SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating
      https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating +VB 100 | VB100 Certification Test V1.1
      https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification +West Coast Labs | Checkmark Certified
      http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance + +## Apply now If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index e269b25de8..c0b6610350 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -25,6 +25,8 @@ ms.date: 10/08/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +[!include[Prerelease information](prerelease.md)] + The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema. ## Schema tables 
@@ -45,7 +47,11 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events | | **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events | | **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | +| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Vulnerabilities in your software inventory | +| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Publicly-available vulnerabilities and whether they exist in your software inventory | +| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Security configuration assessment information | +| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Basis of security configuration assessment such as security industry standards and benchmarks | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) \ No newline at end of file +- [Learn the query language](advanced-hunting-query-language.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md new file mode 100644 index 0000000000..35d38020d6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md 
@@ -0,0 +1,53 @@
+---
+title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
+description: Learn about the DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema, such as machine ID, computer name, operating system platform, security configuration details, impact, and compliance information.
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSecureConfigurationAssessment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSecureConfigurationAssessment
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration. Use this reference to check the latest assessment results and determine whether device are compliant.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| Timestamp | datetime |Date and time when the record was generated|
+| ConfigurationId | string | Unique identifier for a specific configuration |
+| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
+
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
new file mode 100644
index 0000000000..857a5731c6
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
@@ -0,0 +1,53 @@
+---
+title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
+description: Learn about the DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema, security configuration details, and the associated industry benchmarks that it adheres to.
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, MITRE ATT&CK framework, DeviceTvmSecureConfigurationAssessmentKB
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSecureConfigurationAssessmentKB
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configuration TVM checks during assessments related to your organization. An example of a security configuration is to block JavaScript or VBScript from launching downloaded executable content to prevent accidentally downloading malicious files in your network. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| ConfigurationId | string | Unique identifier for a specific configuration |
+| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
+| ConfigurationName | string | Display name of the configuration |
+| ConfigurationDescription | string | Description of the configuration |
+| RiskDescription | string | Description of the associated risk |
+| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
+| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
+| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
+| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
+| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration|
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
new file mode 100644
index 0000000000..fcf0c2e4bd
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
@@ -0,0 +1,56 @@
+---
+title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
+description: Learn about the DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema, such as operating system platform, version, and architecture, software vendor, name, and version, CVE ID, vulnerability severity, and descriptions
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software inventory, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareInventoryVulnerabilities
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSoftwareInventoryVulnerabilities
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains an inventory of the software on your devices as well as any known vulnerabilities in the software products. Use this reference to construct queries that return information from the table.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| MachineId | string | Unique identifier for the machine in the service |
+| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
+| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
+| OSVersion | string | Version of the operating system running on the machine |
+| OSArchitecture | string | Architecture of the operating system running on the machine|
+| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+| SoftwareName | string | Name of the software product|
+|SoftwareVersion | string | Version number of the software product|
+| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
+| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+
+
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
new file mode 100644
index 0000000000..757ad9858c
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
@@ -0,0 +1,51 @@
+---
+title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema
+description: Learn about the DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema, such as CVE ID, CVSS score, exploit availability, vulnerability severity, last modified time, date the vulnerability was disclosed to public, and affected software in your network.
+keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareVulnerabilitiesKB
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dolmont
+author: DulceMontemayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 10/27/2019
+---
+
+# DeviceTvmSoftwareVulnerabilitiesKB
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
+
+[!include[Prerelease information](prerelease.md)]
+
+The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information about the vulnerabilities Threat & Vulnerability Management assesses devices for. Use this reference along with DeviceTvmSoftwareInventoryVulnerabilities to construct queries that return information on the metadata related to the vulnerabilities in your inventory.
+
+For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
+
+| Column name | Data type | Description |
+|-------------|-----------|-------------|
+| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system|
+| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)|
+| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available|
+| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape|
+| LastModifiedTime | datetime | Date and time the item or related metadata was last modified|
+| PublishedDate | datetime | Date vulnerability was disclosed to public|
+| VulnerabilityDescription | string | Description of vulnerability and associated risks|
+| AffectedSoftware | string | List of all software products affected by the vulnerability|
+
+## Related topics
+
+- [Advanced hunting overview](overview-hunting.md)
+- [All Advanced hunting tables](advanced-hunting-reference.md)
+- [Advanced hunting query best practices](advanced-hunting-best-practices.md)
+- [Query data using Advanced hunting](advanced-hunting.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
index 010fb7a43b..7558960aa6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
@@ -22,8 +22,6 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively. The API Explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. You can also use the API Explorer to perform actions or find data that might not yet be available through the user interface. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index e526a20669..1e42b10a63 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md 
@@ -33,7 +33,7 @@ API calls per connection | 100 | 60 seconds Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file. -Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653. +Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653. Privacy information can be found at https://privacy.microsoft.com/en-us/ Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 4eafbbefa8..6a076bfb65 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md 
@@ -60,7 +60,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com
 >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
 >
 >To download the security updates:
->1. Go to [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/home.aspx).
+>1. Go to [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/home.aspx).
 >2. Key-in the security update KB number that you need to download, then click **Search**.
 
 ## Related topics
@@ -68,7 +68,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Exposure score](tvm-exposure-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
index d0dfe6add3..2373d0cf56 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
@@ -33,10 +33,10 @@ The topics in this section describe how to configure attack surface reduction. E Topic | Description -|- -[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to preprare for and install Application Guard, including hardware and softeware requirements -[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and potect kernel mode processes +[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements +[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes [Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps -[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains +[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains [Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps -[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware +[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 584f376ee3..6140a832e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -23,10 +23,11 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - ## Before you begin -Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. +Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. + +>[!NOTE] +>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. ## Register to Microsoft Threat Experts managed threat hunting service If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. 
@@ -63,9 +64,6 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert ## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization ->[!NOTE] ->The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. - You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. >[!NOTE] @@ -77,10 +75,12 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w >![Image of Microsoft Threat Experts Experts on Demand from the menu](images/mte-eod-menu.png) ->A flyout screen opens. - +>A flyout screen opens. The following screen shows when you are on a trial subscription. >![Image of Microsoft Threat Experts Experts on Demand screen](images/mte-eod.png) +> The following screen shows when you are on a full Microsoft Threat Experts - Experts on Demand subscription. +>![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png) + >The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request. 3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation. 
@@ -120,7 +120,7 @@ Response from Microsoft Threat Experts varies according to your inquiry. They wi - Investigation requires more time - Initial information was enough to conclude the investigation -It is crucial to respond in a timely manner to keep the investigation moving. See the Premier customer service and support service level agreement for details. +It is crucial to respond in a timely manner to keep the investigation moving. ## Related topic - [Microsoft Threat Experts overview](microsoft-threat-experts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 8c0c0aa43c..698e0aeb8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -111,7 +111,7 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec -|- Common URLs for all locations | ```crl.microsoft.com```
      ```ctldl.windowsupdate.com```
      ```events.data.microsoft.com```
      ```notify.windows.com```
      ```settings-win.data.microsoft.com``` European Union | ```eu.vortex-win.data.microsoft.com```
      ```eu-v20.events.data.microsoft.com```
      ```usseu1northprod.blob.core.windows.net```
      ```usseu1westprod.blob.core.windows.net```
      ```winatp-gw-neu.microsoft.com```
      ```winatp-gw-weu.microsoft.com```
      ```wseu1northprod.blob.core.windows.net```
      ```wseu1westprod.blob.core.windows.net``` -United Kingdom | ```uk.vortex-win.data.microsoft.com```
      ```uk-v20.events.data.microsoft.com```
      ```ussuk1southprod. blob.core.windows.net```
      ```ussuk1westprod. blob.core.windows.net```
      ```winatp-gw-uks.microsoft.com```
      ```winatp-gw-ukw.microsoft.com```
      ```wsuk1southprod. blob.core.windows.net```
      ```wsuk1westprod. blob.core.windows.net``` +United Kingdom | ```uk.vortex-win.data.microsoft.com```
      ```uk-v20.events.data.microsoft.com```
      ```ussuk1southprod.blob.core.windows.net```
      ```ussuk1westprod.blob.core.windows.net```
      ```winatp-gw-uks.microsoft.com```
      ```winatp-gw-ukw.microsoft.com```
      ```wsuk1southprod.blob.core.windows.net```
      ```wsuk1westprod.blob.core.windows.net``` United States | ```us.vortex-win.data.microsoft.com```
      ```ussus1eastprod.blob.core.windows.net```
      ```ussus1westprod.blob.core.windows.net```
      ```ussus2eastprod.blob.core.windows.net```
      ```ussus2westprod.blob.core.windows.net```
      ```ussus3eastprod.blob.core.windows.net```
      ```ussus3westprod.blob.core.windows.net```
      ```ussus4eastprod.blob.core.windows.net```
      ```ussus4westprod.blob.core.windows.net```
      ```us-v20.events.data.microsoft.com```
      ```winatp-gw-cus.microsoft.com```
      ```winatp-gw-eus.microsoft.com```
      ```wsus1eastprod.blob.core.windows.net```
      ```wsus1westprod.blob.core.windows.net```
      ```wsus2eastprod.blob.core.windows.net```
      ```wsus2westprod.blob.core.windows.net``` If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. @@ -141,7 +141,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 1. Download the [connectivity verification tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. -2. Extract the contents of WDATPConnectivityAnalyzer on the machine. +2. Extract the contents of MDATPClientAnalyzer on the machine. 3. Open an elevated command-line: @@ -152,19 +152,19 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 4. Enter the following command and press **Enter**: ```PowerShell - HardDrivePath\WDATPConnectivityAnalyzer.cmd + HardDrivePath\MDATPClientAnalyzer.cmd ``` - Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example + Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example ```PowerShell - C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd + C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd ``` -5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. +5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. -6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

      - The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: +6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

      + The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: ```text Testing URL : https://xxx.microsoft.com/xxx diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 7e89edf437..45538af5d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -28,7 +28,7 @@ ms.topic: article - Windows Server, 2019 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) +> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) Microsoft Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Microsoft Defender Security Center console. 
@@ -43,6 +43,9 @@ The service supports the onboarding of the following servers: For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). +> [!NOTE] +> An Azure Security Center Standard license is required, per node, to enroll Microsoft Defender ATP on a supported Windows Server platform, see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services) + ## Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP: 
@@ -70,19 +73,19 @@ You'll need to take the following steps if you choose to onboard servers through - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. - >[!NOTE] - >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. +> [!NOTE] +> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. - Turn on server monitoring from Microsoft Defender Security Center. - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). ->[!TIP] +> [!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ### Configure and update System Center Endpoint Protection clients ->[!IMPORTANT] ->This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. +> [!IMPORTANT] +> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. 
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. @@ -138,8 +141,8 @@ Agent Resource | Ports ## Windows Server, version 1803 and Windows Server 2019 To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below. ->[!NOTE] ->The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs). +> [!NOTE] +> The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs). Supported tools include: - Local script 
@@ -178,21 +181,18 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh ## Integration with Azure Security Center Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. ->[!NOTE] ->You'll need to have the appropriate license to enable this feature. - The following capabilities are included in this integration: - Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). - >[!NOTE] - > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. +> [!NOTE] +> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. - Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach ->[!IMPORTANT] ->- When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. 
->- If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. +> [!IMPORTANT] +> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. +> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. @@ -203,8 +203,8 @@ For other server versions, you have two options to offboard servers from the ser - Uninstall the MMA agent - Remove the Microsoft Defender ATP workspace configuration ->[!NOTE] ->Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. +> [!NOTE] +> Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months. ### Uninstall servers by uninstalling the MMA agent To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index 97adf97d65..20a35409f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md 
@@ -22,7 +22,6 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] Connected applications integrates with the Microsoft Defender ATP platform using APIs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 97a6409ed0..7f23be0e27 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -83,8 +83,8 @@ You can use the following procedure to enable network protection on domain-joine You can confirm network protection is enabled on a local computer by using Registry editor: 1. Click **Start** and type **regedit** to open **Registry Editor**. -1. Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection -1. Click **EnableNetworkProtection** and confirm the value: +2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection +3. Click **EnableNetworkProtection** and confirm the value: * 0=Off * 1=On * 2=Audit diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md new file mode 100644 index 0000000000..94b0798855 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md 
@@ -0,0 +1,153 @@ +--- +title: Enable Microsoft Defender ATP Insider Machine +description: Install and use Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Enable Microsoft Defender ATP Insider Machine + +Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac machine to be an "Insider" machine as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). + +>[!IMPORTANT] +>Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions. + +## Enable the Insider program with Jamf + +a. Create configuration profile com.microsoft.wdav.plist with the following content: + +```XML + + + + + edr + + earlyPreview + + + + +``` + +b. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. + +c. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier. 
+ +>[!WARNING] +>You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product + +## Enable the Insider program with Intune + +a. Create configuration profile com.microsoft.wdav.plist with the following content: + + ```XML + + + + + PayloadUUID + C4E6A782-0C8D-44AB-A025-EB893987A295 + PayloadType + Configuration + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP settings + PayloadDescription + Microsoft Defender ATP configuration settings + PayloadVersion + 1 + PayloadEnabled + + PayloadRemovalDisallowed + + PayloadScope + System + PayloadContent + + + PayloadUUID + 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 + PayloadType + com.microsoft.wdav + PayloadOrganization + Microsoft + PayloadIdentifier + com.microsoft.wdav + PayloadDisplayName + Microsoft Defender ATP configuration settings + PayloadDescription + + PayloadVersion + 1 + PayloadEnabled + + edr + + earlyPreview + + + + + + +``` + +b. Open  **Manage > Device configuration**. Select  **Manage > Profiles > Create Profile**. + +c. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. + +d. Save the .plist created earlier as com.microsoft.wdav.xml. + +e. Enter com.microsoft.wdav as the custom configuration profile name. + +f. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1. + +g. Select  **OK**. + +h. Select  **Manage > Assignments**. In the  **Include**  tab, select  **Assign to All Users & All devices**. + +>[!WARNING] +>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. 
+ +## Enable the Insider program manually on a single machine + +In the command prompt, run: + +```bash + mdatp --edr --early-preview true + ``` + +## Troubleshooting + +### Verify you are running the correct version + +To verify you are running the correct version, run ‘mdatp --health’ on the machine. + +* The required version is 100.72.15 or later. +* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal. +* To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). +* If you are not using Office for Mac, download and run the AutoUpdate tool. + +### A machine still does not appear on Microsoft Defender Security Center + +After a successful deployment and onboarding of the correct version, check that the machine has connectivity to the cloud service by running ‘mdatp --connectivity-test’. + +* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. + +If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). \ No newline at end of file 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-fullsubscription.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-fullsubscription.png
new file mode 100644
index 0000000000..aecffb5789
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-fullsubscription.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/threat-protection-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/threat-protection-reports.png
new file mode 100644
index 0000000000..026a246309
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/threat-protection-reports.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png
new file mode 100644
index 0000000000..27b00fdd87
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-cancellation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png
new file mode 100644
index 0000000000..d0eb92e377
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-confirmation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png
new file mode 100644
index 0000000000..3f8ead879c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png
new file mode 100644
index 0000000000..9acba5c77f
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-details.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png
new file mode 100644
index 0000000000..31d16836b0
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dropdown.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png
new file mode 100644
index 0000000000..6cafba6c3d
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png
new file mode 100644
index 0000000000..e01d9f53a5
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png
new file mode 100644
index 0000000000..072835588a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png
new file mode 100644
index 0000000000..dbd99451af
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-list.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png
new file mode 100644
index 0000000000..98d59f5c07
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png
new file mode 100644
index 0000000000..00d29b4a0c
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-granular-exploit.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png
index a40e39c3d0..2f9717883f 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png
new file mode 100644
index 0000000000..36ca63f7bf
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png index ebd390bd98..863c7e4fbe 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_alert_icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png index b87ba02a90..e81d73f631 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_bug_icon.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index c46302a04f..38b96e9451 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -53,6 +53,9 @@ When you have configured exploit protection to your desired state (including bot 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. +> [!IMPORTANT] +> If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file. + ![Highlight of the Export Settings option](../images/wdsc-exp-prot-export.png) > [!NOTE] 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
new file mode 100644
index 0000000000..2dda7ca218
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
@@ -0,0 +1,81 @@ +--- +title: Configure and validate exclusions for Microsoft Defender ATP for Mac +description: Provide and validate exclusions for Microsoft Defender ATP for Mac. Exclusions can be set for files, folders, and processes. +keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Configure and validate exclusions for Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. + +>[!IMPORTANT] +>The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. + +You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac scans. + +Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac. + +>[!WARNING] +>Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. 
+ +## Supported exclusion types + +The follow table shows the exclusion types supported by Microsoft Defender ATP for Mac. + +Exclusion | Definition | Examples +---|---|--- +File extension | All files with the extension, anywhere on the machine | .test +File | A specific file identified by the full path | /var/log/test.log +Folder | All files under the specified folder | /var/log/ +Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat
      cat + +## How to configure the list of exclusions + +### From the management console + +For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). + +### From the user interface + +Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot: + +![[Manage exclusions screenshot](../windows-defender-antivirus/images/mdatp-37-exclusions.png) + +Select the type of exclusion that you wish to add and follow the prompts. + +## Validate exclusions lists with the EICAR test file + +You can validate that your exclusion lists are working by using `curl` to download a test file. + +In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path. + +```bash +$ curl -o test.txt http://www.eicar.org/download/eicar.com.txt +``` + +If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). + +If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: + +```bash +echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt +``` + +You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md similarity index 53% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index bed05f108c..117296a474 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -1,8 +1,7 @@ --- -title: Installing Microsoft Defender ATP for Mac manually -ms.reviewer: -description: Describes how to install Microsoft Defender ATP for Mac manually, from the command line. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +title: Manual deployment for Microsoft Defender ATP for Mac +description: Install Microsoft Defender ATP for Mac manually, from the command line. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Manual deployment +# Manual deployment for Microsoft Defender ATP for Mac **Applies to:** 
@@ -42,7 +41,7 @@ Download the installation and onboarding packages from Windows Defender Security 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Windows Defender Security Center screenshot](images/ATP_Portal_Onboarding_page.png) + ![Windows Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png) 5. From a command prompt, verify that you have the two files. Extract the contents of the .zip files: 
@@ -63,83 +62,28 @@ To complete this process, you must have admin privileges on the machine. 1. Navigate to the downloaded wdav.pkg in Finder and open it. - ![App install screenshot](images/MDATP_28_AppInstall.png) + ![App install screenshot](../windows-defender-antivirus/images/MDATP-28-AppInstall.png) 2. Select **Continue**, agree with the License terms, and enter the password when prompted. - ![App install screenshot](images/MDATP_29_AppInstallLogin.png) + ![App install screenshot](../windows-defender-antivirus/images/MDATP-29-AppInstallLogin.png) > [!IMPORTANT] - > You will be prompted to allow a driver from Microsoft to be installed (either "System Exception Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. + > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed. - ![App install screenshot](images/MDATP_30_SystemExtension.png) + ![App install screenshot](../windows-defender-antivirus/images/MDATP-30-SystemExtension.png) 3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**: - ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png) + ![Security and privacy window screenshot](../windows-defender-antivirus/images/MDATP-31-SecurityPrivacySettings.png) The installation proceeds. -> [!NOTE] -> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled. +> [!CAUTION] +> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this. 
> [!NOTE] -> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-Time Protection will not be available until the machine is rebooted. - -### Fixing disabled Real-Time Protection - -If you did not enable Microsoft's driver during installation, then the application displays a banner prompting you to enable it: - - ![RTP disabled screenshot](images/MDATP_32_Main_App_Fix.png) - -You can also run ```mdatp --health```. It reports if Real-Time Protection is enabled but not available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : false -realTimeProtectionEnabled : true -... -``` - -> [!NOTE] -> You have a 30 minute window to enable Real-Time Protection from the warning banner, immediately following installation. - -The warning banner contains a **Fix** button, which allows you to quickly enable Real-Time Protection, without having to open a command prompt. Select the **Fix** button. It prompts the **Security & Privacy** system window, where you have to **Allow** system software from developers "Microsoft Corporation". - -If you don't see a prompt, it means that 30 or more minutes have already passed, and Real-Time Protection has still not been enabled: - -![Security and privacy window after prompt expired screenshot](images/MDATP_33_SecurityPrivacySettings_NoPrompt.png) - -In this case, you need to perform the following steps to enable Real-Time Protection instead. - -1. In Terminal, attempt to install the driver. (The operation will fail) - ```bash - $ sudo kextutil /Library/Extensions/wdavkext.kext - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } - Diagnostics for /Library/Extensions/wdavkext.kext: - ``` - -2. 
Open **System Preferences...** > **Security & Privacy** from the menu. (Close it first, if it's opened.) - -3. **Allow** system software from developers "Microsoft Corporation" - -4. In Terminal, install the driver again. This time the operation will succeed: - -```bash -$ sudo kextutil /Library/Extensions/wdavkext.kext -``` - -The banner should disappear from the Defender application, and ```mdatp --health``` should now report that Real-Time Protection is both enabled and available: - -```bash -$ mdatp --health -... -realTimeProtectionAvailable : true -realTimeProtectionEnabled : true -... -``` +> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted. ## Client configuration @@ -167,7 +111,7 @@ realTimeProtectionEnabled : true After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + ![Microsoft Defender icon in status bar screenshot](../windows-defender-antivirus/images/MDATP-Icon-Bar.png) ## How to Allow Full Disk Access 
@@ -178,8 +122,8 @@ To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Fu ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. +See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md similarity index 85% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 84e9cb78dd..6a79d9fca6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md 
@@ -1,8 +1,7 @@ --- -title: Installing Microsoft Defender ATP for Mac with Microsoft Intune -ms.reviewer: -description: Describes how to install Microsoft Defender ATP for Mac, using Microsoft Intune. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +title: Intune-based deployment for Microsoft Defender ATP for Mac +description: Install Microsoft Defender ATP for Mac, using Microsoft Intune. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Intune-based deployment +# Intune-based deployment for Microsoft Defender ATP for Mac **Applies to:** @@ -44,7 +43,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). - ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) + ![Windows Defender Security Center screenshot](../windows-defender-antivirus/images/MDATP-2-DownloadPackages.png) 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: 
@@ -91,11 +90,11 @@ You need no special provisioning for a Mac device beyond a standard [Company Por 1. You are asked to confirm device management. -![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png) +![Confirm device management screenshot](../windows-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: -![Management profile screenshot](images/MDATP_4_ManagementProfile.png) +![Management profile screenshot](../windows-defender-antivirus/images/MDATP-4-ManagementProfile.png) 2. Select **Continue** and complete the enrollment. @@ -103,7 +102,7 @@ You may now enroll more devices. You can also enroll them later, after you have 3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed: -![Add Devices screenshot](images/MDATP_5_allDevices.png) +![Add Devices screenshot](../windows-defender-antivirus/images/MDATP-5-allDevices.png) ## Create System Configuration profiles @@ -112,7 +111,7 @@ You may now enroll more devices. You can also enroll them later, after you have 3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections. 4. Select **OK**. - ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png) + ![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-6-SystemConfigurationProfiles.png) 5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. 6. Repeat steps 1 through 5 for more profiles. 
@@ -287,7 +286,7 @@ You may now enroll more devices. You can also enroll them later, after you have Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**: -![System configuration profiles screenshot](images/MDATP_7_DeviceStatusBlade.png) +![System configuration profiles screenshot](../windows-defender-antivirus/images/MDATP-7-DeviceStatusBlade.png) ## Publish application 
@@ -295,43 +294,43 @@ Once the Intune changes are propagated to the enrolled devices, you can see them 2. Select **App type=Other/Line-of-business app**. 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. 4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. +5. Use **macOS High Sierra 10.13** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. > [!CAUTION] - > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated. + > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. - ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) + ![Device status blade screenshot](../windows-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) 6. Select **OK** and **Add**. - ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png) + ![Device status blade screenshot](../windows-defender-antivirus/images/MDATP-9-IntunePkgInfo.png) 7. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**. - ![Client apps screenshot](images/MDATP_10_ClientApps.png) + ![Client apps screenshot](../windows-defender-antivirus/images/MDATP-10-ClientApps.png) 8. Change **Assignment type** to **Required**. 9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. 
Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**. - ![Intune assignments info screenshot](images/MDATP_11_Assignments.png) + ![Intune assignments info screenshot](../windows-defender-antivirus/images/MDATP-11-Assignments.png) 10. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**: - ![Intune device status screenshot](images/MDATP_12_DeviceInstall.png) + ![Intune device status screenshot](../windows-defender-antivirus/images/MDATP-12-DeviceInstall.png) ## Verify client device state 1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device. - ![System Preferences screenshot](images/MDATP_13_SystemPreferences.png) - ![System Preferences Profiles screenshot](images/MDATP_14_SystemPreferencesProfiles.png) + ![System Preferences screenshot](../windows-defender-antivirus/images/MDATP-13-SystemPreferences.png)
      + ![System Preferences Profiles screenshot](../windows-defender-antivirus/images/MDATP-14-SystemPreferencesProfiles.png) 2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune: - ![Profiles screenshot](images/MDATP_15_ManagementProfileConfig.png) + ![Profiles screenshot](../windows-defender-antivirus/images/MDATP-15-ManagementProfileConfig.png) 3. You should also see the Microsoft Defender icon in the top-right corner: - ![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) + ![Microsoft Defender icon in status bar screenshot](../windows-defender-antivirus/images/MDATP-Icon-Bar.png) ## Troubleshooting @@ -341,8 +340,8 @@ Solution: Follow the steps above to create a device profile using WindowsDefende ## Logging installation issues -For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) . +For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues) . ## Uninstallation -See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. +See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md similarity index 85% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 99a5b6cc89..259e8692cd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -1,8 +1,7 @@ --- -title: Installing Microsoft Defender ATP for Mac with JAMF -ms.reviewer: -description: Describes how to install Microsoft Defender ATP for Mac, using JAMF. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +title: JAMF-based deployment for Microsoft Defender ATP for Mac +description: Install Microsoft Defender ATP for Mac, using JAMF. +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# JAMF-based deployment +# JAMF-based deployment for Microsoft Defender ATP for Mac **Applies to:** 
@@ -46,7 +45,7 @@ Download the installation and onboarding packages from Windows Defender Security 3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. - ![Windows Defender Security Center screenshot](images/MDATP_2_DownloadPackages.png) + ![Windows Defender Security Center screenshot](../windows-defender-antivirus/images/MDATP-2-DownloadPackages.png) 5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: @@ -79,7 +78,7 @@ To set the onboarding information, add a property list file with the name, _jamf >[!IMPORTANT] > You must set the Preference Domain as "com.microsoft.wdav.atp" -![Configuration profile screenshot](images/MDATP_16_PreferenceDomain.png) +![Configuration profile screenshot](../windows-defender-antivirus/images/MDATP-16-PreferenceDomain.png) ### Approved Kernel Extension @@ -88,7 +87,7 @@ To approve the kernel extension: 1. In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**. 2. Use **UBF8T346G9** for Team Id. -![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png) +![Approved kernel extensions screenshot](../windows-defender-antivirus/images/MDATP-17-approvedKernelExtensions.png) ### Privacy Preferences Policy Control 
@@ -104,7 +103,7 @@ Add the following JAMF policy to grant Full Disk Access to Microsoft Defender AT 3. Set Code Requirement to `identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9`. 4. Set app or service to SystemPolicyAllFiles and access to Allow. -![Privacy Preferences Policy Control](images/MDATP_35_JAMF_PrivacyPreferences.png) +![Privacy Preferences Policy Control](../windows-defender-antivirus/images/MDATP-35-JAMF-PrivacyPreferences.png) #### Configuration Profile's Scope @@ -112,7 +111,7 @@ Configure the appropriate scope to specify the devices that will receive the con Open **Computers** > **Configuration Profiles**, and select **Scope > Targets**. From there, select the devices you want to target. -![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png) +![Configuration profile scope screenshot](../windows-defender-antivirus/images/MDATP-18-ConfigurationProfilesScope.png) Save the **Configuration Profile**. @@ -132,7 +131,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific 1. Create a package in **Settings > Computer Management > Packages**. - ![Computer management packages screenshot](images/MDATP_19_MicrosoftDefenderWDAVPKG.png) + ![Computer management packages screenshot](../windows-defender-antivirus/images/MDATP-19-MicrosoftDefenderWDAVPKG.png) 2. Upload the package to the Distribution Point. 3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_. 
@@ -141,7 +140,7 @@ Starting in macOS 10.15 (Catalina) a user must manually allow to display notific Your policy should contain a single package for Microsoft Defender. -![Microsoft Defender packages screenshot](images/MDATP_20_MicrosoftDefenderPackages.png) +![Microsoft Defender packages screenshot](../windows-defender-antivirus/images/MDATP-20-MicrosoftDefenderPackages.png) Configure the appropriate scope to specify the computers that will receive this policy. @@ -156,12 +155,12 @@ You'll need no special provisioning for a macOS computer, beyond the standard JA 1. Open **Device Profiles**, from the **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's currently set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile. -![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png) -![MDM screenshot](images/MDATP_22_MDMProfileApproved.png) +![MDM approve button screenshot](../windows-defender-antivirus/images/MDATP-21-MDMProfile1.png)
      +![MDM screenshot](../windows-defender-antivirus/images/MDATP-22-MDMProfileApproved.png) After a moment, the device's User Approved MDM status will change to **Yes**. -![MDM status screenshot](images/MDATP_23_MDMStatus.png) +![MDM status screenshot](../windows-defender-antivirus/images/MDATP-23-MDMStatus.png) You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages. @@ -176,17 +175,17 @@ You can monitor deployment status in the **Logs** tab: - **Pending** means that the deployment is scheduled but has not yet happened - **Completed** means that the deployment succeeded and is no longer scheduled -![Status on server screenshot](images/MDATP_24_StatusOnServer.png) +![Status on server screenshot](../windows-defender-antivirus/images/MDATP-24-StatusOnServer.png) ### Status on client device After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**. -![Status on client screenshot](images/MDATP_25_StatusOnClient.png) +![Status on client screenshot](../windows-defender-antivirus/images/MDATP-25-StatusOnClient.png) Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner. -![Microsoft Defender icon in status bar screenshot](images/MDATP_Icon_Bar.png) +![Microsoft Defender icon in status bar screenshot](../windows-defender-antivirus/images/MDATP-Icon-Bar.png) You can monitor policy installation on a device by following the JAMF log file: 
@@ -231,11 +230,11 @@ If the product is not healthy, the exit code (which can be checked through `echo ## Logging installation issues -See [Logging installation issues](microsoft-defender-atp-mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +See [Logging installation issues](mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. ## Uninstallation -This method is based on the script described in [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling). +This method is based on the script described in [Uninstalling](mac-resources.md#uninstalling). ### Script @@ -258,12 +257,12 @@ This script removes Microsoft Defender ATP from the /Applications directory: echo "Done!" ``` -![Microsoft Defender uninstall screenshot](images/MDATP_26_Uninstall.png) +![Microsoft Defender uninstall screenshot](../windows-defender-antivirus/images/MDATP-26-Uninstall.png) ### Policy Your policy should contain a single script: -![Microsoft Defender uninstall script screenshot](images/MDATP_27_UninstallScript.png) +![Microsoft Defender uninstall script screenshot](../windows-defender-antivirus/images/MDATP-27-UninstallScript.png) Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md similarity index 77% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 91a5f56395..d67b31e398 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md @@ -1,7 +1,7 @@ --- -title: Installing Microsoft Defender ATP for Mac with different MDM product -description: Describes how to install Microsoft Defender ATP for Mac on other management solutions. -keywords: microsoft, defender, atp, mac, installation, deploy, macos, mojave, high sierra, sierra +title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac +description: Install Microsoft Defender ATP for Mac on other management solutions. +keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Deployment with a different Mobile Device Management (MDM) system +# Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac **Applies to:** 
@@ -49,21 +49,21 @@ You can deploy Defender without the last requirement from the preceding list, ho ## Deployment -Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) as a template. +Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](mac-install-with-jamf.md) as a template. ### Package -Configure deployment of a [required application package](microsoft-defender-atp-mac-install-with-jamf.md#package), -with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). +Configure deployment of a [required application package](mac-install-with-jamf.md#package), +with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md#download-installation-and-onboarding-packages). In order to deploy the package to your enterprise, use the instructions associated with your MDM solution. ### License settings -Set up [a system configuration profile](microsoft-defender-atp-mac-install-with-jamf.md#configuration-profile). +Set up [a system configuration profile](mac-install-with-jamf.md#configuration-profile). Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS. -Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](microsoft-defender-atp-mac-install-with-jamf.md#download-installation-and-onboarding-packages). 
+Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md#download-installation-and-onboarding-packages). Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. Alternatively, it may require you to convert the property list to a different format first. @@ -76,4 +76,4 @@ Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to ## Check installation status -Run [mdatp](microsoft-defender-atp-mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status. +Run [mdatp](mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md similarity index 96% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 80ec6a0f67..0d0904ba75 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md 
@@ -1,8 +1,7 @@ --- title: Set preferences for Microsoft Defender ATP for Mac -ms.reviewer: -description: Describes how to configure Microsoft Defender ATP for Mac in enterprises. -keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, mojave, high sierra, sierra +description: Configure Microsoft Defender ATP for Mac in enterprises. +keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -25,7 +24,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] ->This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](microsoft-defender-atp-mac-resources.md#configuring-from-the-command-line) page. +>This topic contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise environments. If you are interested in configuring the product on a device from the command-line, please refer to the [Resources](mac-resources.md#configuring-from-the-command-line) page. In enterprise environments, Microsoft Defender ATP for Mac can be managed through a configuration profile. This profile is deployed from management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. @@ -262,6 +261,28 @@ Whether the status menu icon (shown in the top-right corner of the screen) is hi | **Data type** | Boolean | | **Possible values** | false (default)
      true | +### EDR preferences + +The *edr* section of the configuration profile is used to manage the preferences of the EDR component of the product. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | edr | +| **Data type** | Dictionary (nested preference) | +| **Comments** | See the following sections for a description of the dictionary contents. | + +#### Enable / disable early preview + +Whether EDR early preview features are enabled or not. + +||| +|:---|:---| +| **Domain** | com.microsoft.wdav | +| **Key** | earlyPreview | +| **Data type** | Boolean | +| **Possible values** | true (default)
      false | + ## Recommended configuration profile To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md similarity index 98% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index 0c56970e6f..ab118ea2ca 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -1,7 +1,6 @@ --- title: Privacy for Microsoft Defender ATP for Mac -ms.reviewer: -description: Describes privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac. +description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -62,7 +61,7 @@ When this feature is enabled and the sample that is collected is likely to conta
 If you're an IT administrator, you might want to configure these controls at the enterprise level.
-The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md).
+The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
 As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
similarity index 82%
rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-pua.md
rename to windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
index 2696590c99..0f63486ad1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-pua.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md
@@ -1,7 +1,6 @@
 ---
-title: Detect and block potentially unwanted applications
-ms.reviewer:
-description: Describes how to detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Mac.
+title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Mac
+description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Mac.
 keywords: microsoft, defender, atp, mac, pua, pus
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
@@ -18,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
-# Detect and block potentially unwanted applications
+# Detect and block potentially unwanted applications with Microsoft Defender ATP for Mac
 **Applies to:**
@@ -59,8 +58,8 @@ $ mdatp --threat --type-handling potentially_unwanted_application [off|audit|blo
 ### Use the management console to configure PUA protection:
-In your enterprise, you can configure PUA protection from a management console, such as JAMF or Intune, similarly to how other product settings are configured. For more information, see the [Threat type settings](microsoft-defender-atp-mac-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md) topic.
+In your enterprise, you can configure PUA protection from a management console, such as JAMF or Intune, similarly to how other product settings are configured. For more information, see the [Threat type settings](mac-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md) topic.
 ## Related topics
-- [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md)
\ No newline at end of file
+- [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
similarity index 84%
rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
rename to windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index f37fa94b99..ad4bf7ef53 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -1,8 +1,7 @@
 ---
-title: Microsoft Defender ATP for Mac Resources
-ms.reviewer:
-description: Describes resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra
+title: Resources for Microsoft Defender ATP for Mac
+description: Resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
+keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -18,7 +17,7 @@ ms.collection: M365-security-compliance
 ms.topic: conceptual
 ---
-# Resources
+# Resources for Microsoft Defender ATP for Mac
 **Applies to:**
@@ -95,18 +94,24 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Do a full scan |`mdatp --scan --full` | |Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | |Protection |Request a security intelligence update |`mdatp --definition-update` | +|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` | +|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` | +|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` | ## Microsoft Defender ATP portal information -In the Microsoft Defender ATP portal, you'll see two categories of information: +In the Microsoft Defender ATP portal, you'll see two categories of information. + +Antivirus alerts, including: -- Antivirus alerts, including: - Severity - Scan type - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) - File information (name, path, size, and hash) - Threat information (name, type, and state) -- Device information, including: + +Device information, including: + - Machine identifier - Tenant identifier - App version diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md new file mode 100644 index 0000000000..bbf4825f45 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md 
@@ -0,0 +1,90 @@ +--- +title: Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac +description: Troubleshoot kernel extension-related issues in Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, kernel, extension +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +This topic provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac. + +Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device. + +If you did not approve the kernel extension during the deployment / installation of Microsoft Defender ATP for Mac, then the application displays a banner prompting you to enable it: + + ![RTP disabled screenshot](../windows-defender-antivirus/images/MDATP-32-Main-App-Fix.png) + +You can also run ```mdatp --health```. It reports if real-time protection is enabled but not available. This is an indication that the kernel extension is not approved to run on your device. + +```bash +$ mdatp --health +... +realTimeProtectionAvailable : false +realTimeProtectionEnabled : true +... +``` + +The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender ATP for Mac. 
+ +## Managed deployment + +See the instructions corresponding to the management tool that you used to deploy the product: + +- [JAMF-based deployment](mac-install-with-jamf.md#configuration-profile) +- [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) + +## Manual deployment + +If less than 30 minutes have passed since the product was installed, navigate to **System Preferences** > **Security & Privacy**, where you have to **Allow** system software from developers "Microsoft Corporation". + +If you don't see this prompt, it means that 30 or more minutes have passed, and the kernel extension still not been approved to run on your device: + +![Security and privacy window after prompt expired screenshot](../windows-defender-antivirus/images/MDATP-33-SecurityPrivacySettings-NoPrompt.png) + +In this case, you need to perform the following steps to trigger the approval flow again. + +1. In Terminal, attempt to install the driver. The following operation will fail, because the kernel extension was not approved to run on the device, however it will trigger the approval flow again. + + ```bash + $ sudo kextutil /Library/Extensions/wdavkext.kext + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Kext rejected due to system policy: { URL = "file:///Library/StagedExtensions/Library/Extensions/wdavkext.kext/", ID = "com.microsoft.wdavkext" } + Diagnostics for /Library/Extensions/wdavkext.kext: + ``` + +2. Open **System Preferences** > **Security & Privacy** from the menu. (Close it first, if it's opened.) + +3. **Allow** system software from developers "Microsoft Corporation" + +4. In Terminal, install the driver again. 
This time the operation will succeed: + +```bash +$ sudo kextutil /Library/Extensions/wdavkext.kext +``` + +The banner should disappear from the Defender application, and ```mdatp --health``` should now report that real-time protection is both enabled and available: + +```bash +$ mdatp --health +... +realTimeProtectionAvailable : true +realTimeProtectionEnabled : true +... +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md new file mode 100644 index 0000000000..3d1a203e82 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md 
@@ -0,0 +1,54 @@ +--- +title: Troubleshoot performance issues for Microsoft Defender ATP for Mac +description: Troubleshoot performance issues in Microsoft Defender ATP for Mac. +keywords: microsoft, defender, atp, mac, performance +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Troubleshoot performance issues for Microsoft Defender ATP for Mac + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) + +This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Mac. + +Real-time protection (RTP) is a feature of Microsoft Defender ATP for Mac that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. + +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Mac. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Mac. + +The following steps can be used to troubleshoot and mitigate these issues: + +1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Mac is contributing to the performance issues. + + If your device is not managed by your organization, real-time protection can be disabled using one of the following options: + + - From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**. 
+ + ![Manage real-time protection screenshot](../windows-defender-antivirus/images/mdatp-36-rtp.png) + + - From the Terminal. For security purposes, this operation requires elevation. + + ```bash + $ mdatp --config realTimeProtectionEnabled false + ``` + + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). + +2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. + +3. Configure Microsoft Defender ATP for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. + + See [Configure and validate exclusions for Microsoft Defender ATP for Mac](mac-exclusions.md) for details. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md similarity index 97% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-updates.md index 50267f26bb..7770111d6d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md 
@@ -1,7 +1,6 @@ --- title: Deploy updates for Microsoft Defender ATP for Mac -ms.reviewer: -description: Describes how to control updates for Microsoft Defender ATP for Mac in enterprise environments. +description: Control updates for Microsoft Defender ATP for Mac in enterprise environments. keywords: microsoft, defender, atp, mac, updates, deploy search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -28,7 +27,7 @@ Microsoft regularly publishes software updates to improve performance, security, To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. -![MAU screenshot](images/MDATP_34_MAU.png) +![MAU screenshot](../windows-defender-antivirus/images/MDATP-34-MAU.png) If you decide to deploy updates by using your software distribution tools, you should configure MAU to manually check for software updates. You can deploy preferences to configure how and when MAU checks for updates for the Macs in your organization. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md similarity index 76% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md rename to windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 7312d11a2d..e229fbbd91 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md 
@@ -1,6 +1,5 @@ --- -title: Microsoft Defender ATP for Mac What's New -ms.reviewer: +title: What's new in Microsoft Defender Advanced Threat Protection for Mac description: List of major changes for Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, installation, macos, whatsnew search.product: eADQiWindows 10XVcnh @@ -20,13 +19,17 @@ ms.topic: conceptual # What's new in Microsoft Defender Advanced Threat Protection for Mac +## 100.72.15 + +- Bug fixes + ## 100.70.99 - Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time protection is enabled. This sporadic issue was caused by Microsoft Defender ATP locking files within Catalina upgrade package while scanning them for threats, which led to failures in the upgrade sequence. ## 100.68.99 -- Added the ability to configure the antivirus functionality to run in [passive mode](microsoft-defender-atp-mac-preferences.md#enable--disable-passive-mode) +- Added the ability to configure the antivirus functionality to run in [passive mode](mac-preferences.md#enable--disable-passive-mode) - Performance improvements & bug fixes ## 100.65.28 
@@ -38,7 +41,7 @@ ms.topic: conceptual > > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP: > -> - For manual deployments, see the updated instructions in the [Manual deployment](microsoft-defender-atp-mac-install-manually.md#how-to-allow-full-disk-access) topic. -> - For managed deployments, see the updated instructions in the [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md#create-system-configuration-profiles) topics. +> - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic. +> - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md#privacy-preferences-policy-control) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. - Performance improvements & bug fixes diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index f0cf3d6772..d006defd48 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -23,7 +23,6 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) 
@@ -108,7 +107,7 @@ When you add an indicator hash for a file, you can choose to raise an alert and Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. -## Create indicators for IPs and URLs/domains (preview) +## Create indicators for IPs and URLs/domains Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs through SmartScreen for Microsoft browsers and Network Protection for non-Microsoft browsers and calls made outside the browser. The threat intelligence data set for this has been managed by Microsoft. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md similarity index 63% rename from windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md rename to windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index f87f5332c7..c64de21b8c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -1,8 +1,8 @@ --- title: Microsoft Defender ATP for Mac -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Mac. -keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, mojave, high sierra, sierra +keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -14,7 +14,7 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual --- 
@@ -27,36 +27,56 @@ This topic describes how to install, configure, update, and use Microsoft Defend ## What’s new in the latest release -[What's new](microsoft-defender-atp-mac-whatsnew.md) +[What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md) -If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. +[What's new in Microsoft Defender ATP for Mac](mac-whatsnew.md) + +> [!TIP] +> If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. + +To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac machines), configure your macOS machine running Microsoft Defender ATP to be an "Insider" machine. See [Enable Microsoft Defender ATP Insider Machine](endpoint-detection-response-mac-preview.md). ## How to install Microsoft Defender ATP for Mac ### Prerequisites -- Access to the Microsoft Defender Security Center portal +- A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal - Beginner-level experience in macOS and BASH scripting - Administrative privileges on the device (in case of manual deployment) +### Installation instructions + +There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. + +- Third-party management tools: + - [Microsoft Intune-based deployment](mac-install-with-intune.md) + - [JAMF-based deployment](mac-install-with-jamf.md) + - [Other MDM products](mac-install-with-other-mdm.md) + +- Command-line tool: + - [Manual deployment](mac-install-manually.md) + ### System requirements -> [!CAUTION] -> The three most recent major releases of macOS are supported. Beta versions of macOS are not supported. 
+The three most recent major releases of macOS are supported. -- Supported macOS versions: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra) +- 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra) - Disk space: 650 MB +Beta versions of macOS are not supported. macOS Sierra (10.12) support will end on January 1, 2020. + After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. +### Network connections + The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. | Service location | DNS record | | ---------------------------------------- | ----------------------- | -| Common URLs for all locations | x.cp.wd.microsoft.com
      cdn.x.cp.wd.microsoft.com
      eu-cdn.x.cp.wd.microsoft.com
      wu-cdn.x.cp.wd.microsoft.com
      *.blob.core.windows.net
      officecdn-microsoft-com.akamaized.net | -| European Union | europe.x.cp.wd.microsoft.com | -| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com | -| United States | unitedstates.x.cp.wd.microsoft.com | +| Common URLs for all locations | x.cp.wd.microsoft.com
      cdn.x.cp.wd.microsoft.com
      eu-cdn.x.cp.wd.microsoft.com
      wu-cdn.x.cp.wd.microsoft.com
      *.blob.core.windows.net
      officecdn-microsoft-com.akamaized.net
      crl.microsoft.com
      events.data.microsoft.com | +| European Union | europe.x.cp.wd.microsoft.com
      eu-v20.events.data.microsoft.com | +| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
      uk-v20.events.data.microsoft.com | +| United States | unitedstates.x.cp.wd.microsoft.com
      us-v20.events.data.microsoft.com | Microsoft Defender ATP can discover a proxy server by using the following discovery methods: - Web Proxy Auto-discovery Protocol (WPAD) 
@@ -74,40 +94,28 @@ $ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'http The output from this command should be similar to the following: -> `OK https://x.cp.wd.microsoft.com/api/report` -> -> `OK https://cdn.x.cp.wd.microsoft.com/ping` + `OK https://x.cp.wd.microsoft.com/api/report` + + `OK https://cdn.x.cp.wd.microsoft.com/ping` > [!CAUTION] > We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. -### Installation instructions - -There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. - -In general you need to take the following steps: - -- Ensure that you have a Microsoft Defender ATP subscription and have access to the Microsoft Defender ATP Portal -- Deploy Microsoft Defender ATP for Mac using one of the following deployment methods: - - Via third-party management tools: - - [Microsoft Intune-based deployment](microsoft-defender-atp-mac-install-with-intune.md) - - [JAMF-based deployment](microsoft-defender-atp-mac-install-with-jamf.md) - - [Other MDM products](microsoft-defender-atp-mac-install-with-other-mdm.md) - - Via the command-line tool: - - [Manual deployment](microsoft-defender-atp-mac-install-manually.md) +Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal: +```bash +$ mdatp --connectivity-test +``` ## How to update Microsoft Defender ATP for Mac -Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. 
- -To read more on how to configure MAU in enterprise environments, refer to [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) +Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) ## How to configure Microsoft Defender ATP for Mac -Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-preferences.md). +Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). ## Resources -- For more information about logging, uninstalling, or other topics, see the [Resources](microsoft-defender-atp-mac-resources.md) page. +- For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page. -- [Privacy for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-privacy.md) +- [Privacy for Microsoft Defender ATP for Mac](mac-privacy.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index 71b44a53e7..358b596f33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md 
@@ -22,11 +22,12 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[!include[Prerelease information](prerelease.md)] - Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand. + +>[!NOTE] +>Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive targeted attack notifications and to collaborate with experts on demand. A Microsoft Threat Experts subscription is a prerequisite for experts on demand collaboration. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details. ## Targeted attack notification Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes: 
@@ -36,9 +37,6 @@ Microsoft Threat Experts provides proactive hunting for the most important threa - Scope of compromise and as much context as can be quickly delivered to enable fast SOC response. ## Collaborate with experts, on demand ->[!NOTE] ->The Microsoft Threat Experts' experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. - Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: - Get additional clarification on alerts including root cause or scope of the incident diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 57782a8e2b..e9723fa61e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -37,7 +37,7 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr - Windows 10 Enterprise E5 - Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -- Microsoft 365 E3 (M365 E3) with Identity and Threat Protection package + For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 3a670e00a5..eecae45f38 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -62,7 +62,7 @@ Microsoft Defender ATP’s Threat & Vulnerability Management allows security adm
 - [Exposure score](tvm-exposure-score.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
index ce96f68340..e403692a49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
@@ -55,11 +55,11 @@ You'll need to have access to: - Method: "GET" as a value to get the list of machines. - URI: Enter `https://api.securitycenter.windows.com/api/machines`. - Authentication: Select "Active Directory OAuth". - - Tenant: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + - Tenant: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\` - - Client ID: Sign-in to http://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value. + - Client ID: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value. - Credential Type: Select "Secret". - - Secret: Sign-in to http://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. + - Secret: Sign-in to https://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. ![Image of the HTTP conditions](images/http-conditions.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 692f8cc37b..6d4a1e101e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -42,17 +42,15 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Connected Azure AD applications](connected-applications.md)
      The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. +- [Endpoint detection and response for Mac devices](endpoint-detection-response-mac-preview.md). Recently, [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) released. Expanding on the protection available in Microsoft Defender ATP for Mac, endpoint detection and response capabilities are now in preview. -- [API Explorer](api-explorer.md)
      The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. +- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
      You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). + +- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table)
      You can now use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase. + + - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
      You can now use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions. -- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
      You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation. - -- [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
      You can now allow or block URLs/domains using your own threat intelligence. - -- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac)
      Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. - -- [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
      You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). +- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
      You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. - [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index f7512247e0..df00947476 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -143,12 +143,40 @@ When an exception is created for a recommendation, the recommendation is no long 2. Click the top-most recommendation. A flyout panel opens with the recommendation details. 3. Click **Exception options**. +![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png) 4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. +> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png) + 5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created. +![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png) 6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past). +![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png) + +## Use Advanced hunting query to search for machines with High active alerts or critical CVE public exploit + +1. Go to **Advanced hunting** from the left-hand navigation pane. + +2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names. + +3. 
Enter the following queries: + +``` +// Search for machines with High active alerts or Critical CVE public exploit +DeviceTvmSoftwareInventoryVulnerabilities +| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId +| where IsExploitAvailable == 1 and CvssScore >= 7 +| summarize NumOfVulnerabilities=dcount(CveId), +ComputerName=any(ComputerName) by MachineId +| join kind =inner(AlertEvents) on MachineId +| summarize NumOfVulnerabilities=any(NumOfVulnerabilities), +ComputerName=any(ComputerName) by MachineId, AlertId +| project ComputerName, NumOfVulnerabilities, AlertId +| order by NumOfVulnerabilities desc + +``` ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) @@ -156,6 +184,8 @@ When an exception is created for a recommendation, the recommendation is no long - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) +- [Advanced hunting overview](overview-hunting.md) +- [All Advanced hunting tables](advanced-hunting-reference.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index b7440c607e..7a7e652415 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md 
@@ -27,7 +27,7 @@ The threat protection report provides high-level information about alerts genera The dashboard is structured into two sections: -![Image of the threat protection report](images/atp-threat-protection-reports.png) +![Image of the threat protection report](images/threat-protection-reports.png) Section | Description :---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 1704845ac8..668b2a1cb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md 
@@ -53,7 +53,7 @@ Area | Description (2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**. **Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data. **Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information. -**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information. +**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information. 
**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information. **Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information. (3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**. @@ -73,7 +73,7 @@ See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/t - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
index 8eebb66298..fca24b4b1f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
@@ -42,7 +42,7 @@ Reduce the exposure score by addressing what needs to be remediated based on the
 - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
 - [Configuration score](configuration-score.md)
 - [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
+- [Remediation and exception](tvm-remediation.md)
 - [Software inventory](tvm-software-inventory.md)
 - [Weaknesses](tvm-weaknesses.md)
 - [Scenarios](threat-and-vuln-mgt-scenarios.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index 674d4b0309..99b1ae6759 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -1,6 +1,6 @@ --- -title: Remediation -description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). +title: Remediation and exception +description: You can lower down your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations or filing exceptions provided there are compensation controls. Threat & Vulnerability Management bridges the gap between security administration and IT administration during remediation process. It does so by creating a security task or ticket through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM). keywords: microsoft defender atp tvm remediation, mdatp tvm, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/11/2019 --- -# Remediation +# Remediation and exception **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -47,11 +47,62 @@ When you submit a remediation request from Threat & Vulnerability Management, it It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune. -You also have the option to export all remediation activity data to CSV for records, reporting purposes, or if you want to notify your IT administration counterpart that a remediation ticket has been submitted. The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task. -However, if the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The exceptions you've filed will also show up in the **Remediation** page, in the **Exceptions** tab. +## When to file for exception instead of remediating issues +You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores. + +When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**. + +Select **Exception options** and a flyout screen opens. 
+ +![Screenshot of exception flyout screen](images/tvm-exception-flyout.png) + +### Exception justification +If the security recommendation stemmed from a false positive report, or if there are existing business justification that blocks the remediation, such as compensating control, productivity needs, compliance, or if there's already a planned remediation grace period, you can file an exception and indicate the reason. The following list details the justifications behind the exception options: + +- **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus +- **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow +- **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive +- **Planned remediation (grace)** - Already planned but is awaiting execution or authorization +- **Other** - False positive + + + ![Screenshot of exception reason dropdown menu](images/tvm-exception-dropdown.png) + +### Exception visibility +The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. +However, you also have the option to filter your view based on exception justification, type, and status. + +![Screenshot of exception tab and filters](images/tvm-exception-filters.png) + +Aside from that, there's also an option to **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. + +![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard](images/tvm-exception-dashboard.png) + +Clicking the link opens up to the **Security recommendations** page, where you can select the item exempted item with details. 
+ +![Screenshot of exception details in the Security recommendation page](images/tvm-exception-details.png) + +### Actions on exceptions +- Cancel - You can cancel the exceptions you've filed any time +- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change, which adversely affect the exposure impact associated with a recommendation that had previously been excluded + +### Exception status +- **Canceled** - The exception has been canceled and is no longer in effect +- **Expired** - The exception that you've filed is no longer in effect +- **In effect** - The exception that you've filed is in progress + +### Exception impact on scores +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner: +- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores +- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made + +The exception impact shows on both the Security recommendations page column and in the flyout pane. + +![Screenshot of where to find the exception impact](images/tvm-exception-impact.png) ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index cb1913abcb..ee75d061da 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -79,14 +79,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context. - - ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) - [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index a7ff6812ce..e1d39cdf5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -63,6 +63,6 @@ You can report a false positive when you see any vague, inaccurate version, inco - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendation](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Weaknesses](tvm-weaknesses.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index e2615c2319..7eefec6595 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -15,25 +15,32 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 +ms.date: 10/31/2019 --- # Weaknesses **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559 + +[!include[Prerelease information](prerelease.md)] Threat & Vulnerability Management leverages the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights. >[!IMPORTANT] ->To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network: +>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: >- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) >- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) >- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) >- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +>

      Downloading the above-mentioned security updates will be mandatory starting Patch Tuesday, October 8, 2019. ## Navigate through your organization's weaknesses page -You can see the list of vulnerabilities in four ways: +You can access the list of vulnerabilities in a few places in the portal: +- Global search +- Weaknesses option in the navigation menu +- Top vulnerable software widget in the dashboard +- Discovered vulnerabilities page in the machine page *Vulnerabilities in global search* 1. Click the global search drop-down menu. 
@@ -46,12 +53,13 @@ You can see the list of vulnerabilities in four ways: *Weaknesses page in the menu* 1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization. -2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. +2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, dates when it was published and updated, related software, exploit kits available, vulnerability type, link to useful reference, and number of exposed machines which users can also export. +![Screenshot of the CVE details in the flyout pane in the Weaknesses page](images/tvm-weaknesses-page.png) *Top vulnerable software widget in the dashboard* 1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. ![tvm-top-vulnerable-software](images/tvm-top-vulnerable-software.png) -2. Click the software that you want to investigate and it takes you to the software page. You will the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation. +2. Click the software that you want to investigate and it takes you to the software page. You will see the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation. 3. Select the **Discovered vulnerabilities** tab. 4. 
Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. 
@@ -68,22 +76,25 @@ You can see the list of vulnerabilities in four ways: 5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. ## How it works -When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page. +When new vulnerabilities are released, you would want to know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page. -If the **Exposed Machines** column shows 0, that means you are not infected. +If the **Exposed Machines** column shows 0, that means you are not at risk. -If there's a number in the **Exposed Machines**, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk. +If exposed machines exist, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk. You can also see the related alert and threat insights in the **Threat** column. -The breach insights icons are highlighted if there are active alerts associated with the vulnerability found in your organization. +The breach insights icon is highlighted if there is a vulnerability found in your organization. Prioritize an investigation because it means there might be a breach in your organization. + ![tvm-breach-insights](images/tvm-breach-insights.png) -The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is connected to specific campaign for which, Threat Analytics report links are provided that you can read. 
+The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has zero-day exploitation news, disclosures, or related security advisories. + ![tvm-threat-insights](images/tvm-threat-insights.png) + >[!NOTE] - > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and possible active alert ![possible active alert](images/tvm_alert_icon.png) icon. + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and breach insight ![possible active alert](images/tvm_alert_icon.png) icon. ## Report inaccuracy @@ -115,6 +126,6 @@ You can report a false positive when you see any vague, inaccurate, missing, or - [Exposure score](tvm-exposure-score.md) - [Configuration score](configuration-score.md) - [Security recommendation](tvm-security-recommendation.md) -- [Remediation](tvm-remediation.md) +- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) - [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 8d498f43b4..e3afd90910 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md 
@@ -19,12 +19,12 @@ ms.topic: article # Create and manage roles for role-based access control **Applies to:** - - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink) +[!include[Prerelease information](prerelease.md)] + ## Create roles and assign the role to an Azure Active Directory group The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups. 
@@ -37,25 +37,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur - **Role name** - **Description** - **Permissions** - - **View data** - Users can view information in the portal. - - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. - - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. + - **View data** - Users can view information in the portal. + >[!NOTE] + >To view Threat & Vulnerability Management data, select **Threat and vulnerability management**. + + - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. + >[!NOTE] + >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**. + + - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. > [!NOTE] > This setting is only available in the Microsoft Defender ATP administrator (default) role. 
- - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. - - **Live response capabilities** - Users can take basic or advanced live response commands. - - Basic commands allow users to: - - Start a live response session - - Run read only live response commands on a remote machine - - Advanced commands allow users to: - - Run basic actions - - Download a file from the remote machine - - View a script from the files library - - Run a script on the remote machine from the files library take read and write commands. + - **Live response capabilities** - Users can take basic or advanced live response commands. + - Basic commands allow users to: + - Start a live response session + - Run read only live response commands on a remote machine + - Advanced commands allow users to: + - Run basic actions + - Download a file from the remote machine + - View a script from the files library + - Run a script on the remote machine from the files library take read and write commands. For more information on the available commands, see [Investigate machines using Live response](live-response.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index 0673d31c32..da6e550794 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md 
@@ -1,7 +1,7 @@ --- title: Monitoring web browsing security in Microsoft Defender ATP description: Use web protection in Microsoft Defender ATP to monitor web browsing security -keywords: web protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,9 +22,7 @@ ms.date: 08/30/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -[!include[Prerelease information](prerelease.md)] - -Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains the following cards that provide web threat detection statistics: +Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics. - **Web threat protection detections over time** — this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months) 
@@ -44,7 +42,7 @@ Web protection categorizes malicious and unwanted websites as: - **Custom indicator** — websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking ## View the domain list -Clicking on a specific web threat category in the **Web threat protection summary** card opens the **Domains** page, which shows a list of the domains prefiltered under that threat category. The page provides the following information for each domain: +Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page and display the list of the domains under that threat category. The page provides the following information for each domain: - **Access count** — number of requests for URLs in the domain - **Blocks** — number of times requests were blocked @@ -52,7 +50,7 @@ Clicking on a specific web threat category in the **Web threat protection summar - **Threat category** — type of web threat - **Machines** — number of machines with access attempts -Selecting a domain opens a panel that shows the list of URLs in that domain that have been accessed. The panel also lists machines that have attempted to access URLs in the domain. +Select a domain to view the list of machines that have attempted to access URLs in that domain as well as the list of URLs. ## Related topics - [Web protection overview](web-protection-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index 714ddb9915..37f62a101c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md 
@@ -1,7 +1,7 @@
 ---
 title: Overview of web protection in Microsoft Defender ATP
 description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
-keywords: web protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
+keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: w10
@@ -22,18 +22,16 @@ ms.date: 08/30/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -[!include[Prerelease information](prerelease.md)] +Web protection in Microsoft Defender ATP uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). -Web protection in Microsoft Defender ATP leverages [network protection](network-protection.md) to secure your machines against web threats without relying on a web proxy, providing security for devices that are either away or on premises. By integrating with Microsoft Edge as well as popular third-party browsers like Chrome and Firefox, web protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). +>[!Note] +>It can take up to an hour for machines to receive new customer indicators. With web protection, you also get: - Comprehensive visibility into web threats affecting your organization - Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs - A full set of security features that track general access trends to malicious and unwanted websites ->[!Note] ->It can take up to an hour for machines to receive new customer indicators. 
- ## Prerequisites Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md index 1d2a797e10..e963f8f504 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md @@ -1,7 +1,7 @@ --- title: Respond to web threats in Microsoft Defender ATP description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications -keywords: web protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page, +keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page, search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -22,8 +22,6 @@ ms.date: 08/30/2019 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -[!include[Prerelease information](prerelease.md)] - Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list. ## View web threat alerts 
@@ -62,10 +60,10 @@ You can also check the machine that attempted to access a blocked URL. Selecting With web protection in Microsoft Defender ATP, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows. ![Image of Microsoft Edge showing a 403 error and the Windows notification](images/wtp-browser-blocking-page.png) -*Web threat blocked by Microsoft Edge* +*Web threat blocked on Microsoft Edge* -![Image of Chrome showing a secure connection warning and the Windows notification](images/wtp-chrome-browser-blocking-page.png) -*Web threat blocked by the Chrome web browser* +![Image of Chrome web browser showing a secure connection warning and the Windows notification](images/wtp-chrome-browser-blocking-page.png) +*Web threat blocked on Chrome* ## Related topics - [Web protection overview](web-protection-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index be3d95c1f3..658a41d9f0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -27,6 +27,21 @@ The following features are generally available (GA) in the latest release of Mic For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). +## November 2019 + +- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
      Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices. ([Endpoint detection and response is currently in preview](preview.md).) + +## October 2019 + +- [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
      You can now allow or block URLs/domains using your own threat intelligence. + + +- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
      You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation. + +- [Connected Azure AD applications](connected-applications.md)
      The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. + +- [API Explorer](api-explorer.md)
      The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint. + ## September 2019 diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index e73bbfe476..d600158473 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -46,7 +46,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). +As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). Below mention URLs are using port 443 for communication. | **Service**| **Description** |**URL** | diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 1fbf4b6b35..20f5db2632 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md 
@@ -11,6 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
+audience: ITPro
 ms.date: 10/02/2018
 ms.reviewer:
 manager: dansimp
@@ -21,76 +22,93 @@ manager: dansimp **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) -The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. +Potentially unwanted applications are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. -These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. +For example: -Typical PUA behavior includes: +* **Advertising software:** Software that displays advertisements or promotions, including software that inserts advertisements to webpages. +* **Bundling software:** Software that offers to install other software that is not digitally signed by the same entity. Also, software that offers to install other software that qualify as PUA. +* **Evasion software:** Software that actively tries to evade detection by security products, including software that behaves differently in the presence of security products. 
-- Various types of software bundling -- Ad injection into web browsers -- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) +For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](../intelligence/criteria.md). -These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. - ->[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. ## How it works -Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantined. +### Microsoft Edge -When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). +The next major version of Microsoft Edge, which is Chromium-based, blocks potentially unwanted application downloads and associated resource URLs. This feature is provided via [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md). 
-They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). +#### Enable PUA protection in Chromium-based Microsoft Edge -## View PUA events +Although potentially unwanted application protection in Microsoft Edge (Chromium-based) is off by default, it can easily be turned on from within the browser. -PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune. +1. From the tool bar, select **Settings and more** > **Settings** +1. Select **Privacy and services** +1. Under the **Services** section, you can toggle **Potentially unwanted app blocking** on or off -You can turn on email notifications for PUA detections. +> [!TIP] +> If you are running Microsoft Edge (Chromium-based), you can safely explore the URL-blocking feature of PUA protection by testing it out on one of our Windows Defender SmartScreen demo pages. -See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. + -## Configure PUA protection +### Windows Defender Antivirus -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets. +The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network. -You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. +> [!NOTE] +> This feature is only available in Windows 10. -This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. +Windows Defender Antivirus blocks detected PUA files, and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. 
-**Use Intune to configure PUA protection** +When a PUA is detected on an endpoint, Windows Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as other threat detections. The notification will be prefaced with _PUA:_ to indicate its content. + +The notification will appear in the usual [quarantine list within the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). + +#### Configure PUA protection in Windows Defender Antivirus + +You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or via PowerShell cmdlets. + +You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. + +> [!TIP] +> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. + +PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. + +##### Use Intune to configure PUA protection See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Use Configuration Manager to configure PUA protection:** +##### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. +PUA protection is enabled by default in the System Center Configuration Manager (current branch), starting with version 1606. 
See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] -> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. +> PUA events blocked by Windows Defender Antivirus are reported in the Windows Event Viewer and not in System Center Configuration Manager. -**Use Group Policy to configure PUA protection:** +##### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components > Windows Defender Antivirus**. 4. Double-click **Configure protection for potentially unwanted applications**. -5. Click **Enabled** to enable PUA protection. +5. Select **Enabled** to enable PUA protection. -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Click **OK**. +6. 
In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. -**Use PowerShell cmdlets to configure PUA protection:** +##### Use PowerShell cmdlets to configure PUA protection Use the following cmdlet: @@ -98,12 +116,24 @@ Use the following cmdlet: Set-MpPreference -PUAProtection ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. +Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. -Setting `AuditMode` will detect PUAs but will not block them. +Setting `AuditMode` will detect PUAs without blocking them. See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +#### View PUA events + +PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or in Intune. + +You can turn on email notifications to receive mail about PUA detections. + +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID **1160**. + +#### Allow-listing apps + +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. + ## Related topics - [Next gen protection](windows-defender-antivirus-in-windows-10.md) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/ATP_Portal_Onboarding_page.png b/windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/ATP_Portal_Onboarding_page.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/atp-portal-onboarding-page.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_1_RegisterApp.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-1-registerapp.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_10_ClientApps.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-10-clientapps.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_11_Assignments.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-11-assignments.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_12_DeviceInstall.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-12-deviceinstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_13_SystemPreferences.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-13-systempreferences.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_14_SystemPreferencesProfiles.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-14-systempreferencesprofiles.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_15_ManagementProfileConfig.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-15-managementprofileconfig.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_16_PreferenceDomain.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-16-preferencedomain.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_17_approvedKernelExtensions.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-17-approvedkernelextensions.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_18_ConfigurationProfilesScope.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-18-configurationprofilesscope.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_19_MicrosoftDefenderWDAVPKG.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-19-microsoftdefenderwdavpkg.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-2-downloadpackages.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_20_MicrosoftDefenderPackages.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-20-microsoftdefenderpackages.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_21_MDMProfile1.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-21-mdmprofile1.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_22_MDMProfileApproved.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-22-mdmprofileapproved.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_23_MDMStatus.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-23-mdmstatus.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_24_StatusOnServer.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-24-statusonserver.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_25_StatusOnClient.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-25-statusonclient.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-26-uninstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_27_UninstallScript.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-27-uninstallscript.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_28_AppInstall.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-28-appinstall.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_29_AppInstallLogin.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-29-appinstalllogin.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_3_ConfirmDeviceMgmt.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-3-confirmdevicemgmt.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_30_SystemExtension.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-30-systemextension.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_31_SecurityPrivacySettings.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-31-securityprivacysettings.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-32-main-app-fix.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-33-securityprivacysettings-noprompt.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-34-mau.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_35_JAMF_PrivacyPreferences.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_35_JAMF_PrivacyPreferences.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-35-jamf-privacypreferences.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png
new file mode 100644
index 0000000000..dab113680f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-36-rtp.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png
new file mode 100644
index 0000000000..d33e01e247
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-37-exclusions.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_4_ManagementProfile.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-4-managementprofile.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_5_allDevices.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-5-alldevices.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_6_SystemConfigurationProfiles.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-6-systemconfigurationprofiles.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_7_DeviceStatusBlade.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-7-devicestatusblade.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-8-intuneappinfo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_9_IntunePkgInfo.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-9-intunepkginfo.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon_Bar.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon-bar.png
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png b/windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png
similarity index 100%
rename from windows/security/threat-protection/windows-defender-antivirus/images/MDATP_Icon.png
rename to windows/security/threat-protection/windows-defender-antivirus/images/mdatp-icon.png
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
new file mode 100644
index 0000000000..d1fde8548c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md 
@@ -0,0 +1,232 @@ +--- +title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10) +description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 10/30/2019 +--- + +# Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices + +**Applies to:** + +- Windows 10 + +Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices. + +With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from “every app is Microsoft-verified" to “every app is verified by Microsoft or your organization”. + +# Policy Authorization Process +![Policy Authorization](images/wdac-intune-policy-authorization.png) +The general steps for expanding the S mode base policy on your devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. +1. Generate a supplemental policy with WDAC tooling + + This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. 
Your supplemental policies can specify filepath rules, trusted publishers, and more. + + Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. + + Below are a basic set of instructions for creating an S mode supplemental policy: + - Create a new base policy using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) + + ```powershell + New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash + ``` + - Change it to a supplemental policy using [Set-CIPolicyIdInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo?view=win10-ps) + + ```powershell + Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "\SupplementalPolicy.xml" + ``` + Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID. + - Put the policy in enforce mode using [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) + + ```powershell + Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete + ``` + This deletes the ‘audit mode’ qualifier. + - Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) + + ```powershell + ConvertFrom-CIPolicy -XmlFilePath "\SupplementalPolicy.xml" -BinaryFilePath "\SupplementalPolicy.bin> + ``` + +2. Sign policy + + Supplemental S mode policies must be digitally signed. 
To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA. + + Once your policy is signed, you must authorize the signing certificate you used to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. Use Add-SignerRule to add the signing certificate to the WDAC policy: + + ```powershell + Add-SignerRule -FilePath -CertificatePath -User -Update` + ``` + Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML + +3. Deploy the signed supplemental policy using Microsoft Intune + + Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device. + +> [!Note] +> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](https://docs.microsoft.com/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number. 
+ +# Standard Process for Deploying Apps through Intune +![Deploying Apps through Intune](images/wdac-intune-app-deployment.png) +Refer to [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management) for guidance on the existing procedure of packaging signed catalogs and app deployment. + +# Optional: Process for Deploying Apps using Catalogs +![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png) +Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don’t want to allow as well. + +Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don’t want to trust all apps that may share the same signing certificate. + +The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using the DGSS or a custom PKI. After that, IT Pros can use the standard Intune app deployment process outlined above. Refer to [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md) for more in-depth guidance on generating catalogs. + +> [!Note] +> Every time an app updates, you will need to deploy an updated catalog. Because of this, IT Pros should try to avoid using catalog files for applications that auto-update and direct users not to update applications on their own. + +# Sample Policy +Below is a sample policy that allows kernel debuggers, PowerShell ISE, and Registry Editor. 
It also demonstrates how to specify your organization's code signing and policy signing certificates. +```xml + + + 10.0.0.0 + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + {5951A96A-E0B5-4D3D-8FB8-3E5B61030784} + + {52671094-ACC6-43CF-AAF1-096DC69C1345} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + Example Policy Name + + + + + Example-Policy-10.0.0.0 + + + + +``` +# Policy Removal +> [!Note] +> This feature currently has a known a policy deletion bug, with a fix expected in the 2D update in late February 2020. Devices of users who are unenrolled will still have their WDAC policies removed. In the mentime, IT Pros are recommended to update their policy with the below 'empty' policy which makes no changes to S mode. + +```xml + + + 10.0.0.1 + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + {5951A96A-E0B5-4D3D-8FB8-3E5B61030784} + {52671094-ACC6-43CF-AAF1-096DC69C1345} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + Example Policy Name - Empty + + + + + Example-Policy-Empty-10.0.0.1 + + + + +``` diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 196c8dc9a2..02767f2f29 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md 
@@ -1,20 +1,17 @@ # [Windows Defender Application Control](windows-defender-application-control.md) ## [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md) -### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) -### [Select the types of rules to create](select-types-of-rules-to-create.md) -### [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) -#### [Document your application control management processes](document-your-windows-defender-application-control-management-processes.md) -### [Create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md) +### [Plan for WDAC policy lifecycle management](plan-windows-defender-application-control-management.md) +### Design and create your WDAC policy +#### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) +#### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) +#### [Create an initial default policy](create-initial-default-policy.md) +#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) ### [Types of devices](types-of-devices.md) -### Use WDAC with custom policies -#### [Create an initial default policy](create-initial-default-policy.md) -#### [Create path-based rules](create-path-based-rules.md) -#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) 
@@ -35,7 +32,9 @@ ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) #### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md) ### [Disable WDAC policies](disable-windows-defender-application-control-policies.md) -### [Device Guard and AppLocker](windows-defender-device-guard-and-applocker.md) +### [LOB Win32 Apps on S Mode](LOB-win32-apps-on-s.md) + + ## [AppLocker](applocker\applocker-overview.md) ### [Administer AppLocker](applocker\administer-applocker.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index c0e0200d21..039a888196 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -1,13 +1,19 @@ --- title: Allow COM object registration in a Windows Defender Application Control policy (Windows 10) description: You can allow COM object registration in a Windows Defender Application Control policy. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mdsakibMSFT -ms.author: mdsakib +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/21/2019 --- 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index eef2cc16e8..320db86050 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -80,12 +80,6 @@ The following are examples of scenarios in which AppLocker can be used: AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies. -## System requirements - -AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. Group Policy is required to distribute Group Policy Objects that contain AppLocker policies. For more info, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). - -AppLocker rules can be created on domain controllers. - ## Installing AppLocker AppLocker is included with enterprise-level editions of Windows. You can author AppLocker rules for a single computer or for a group of computers. For a single computer, you can author the rules by using the Local Security Policy editor (secpol.msc). For a group of computers, you can author the rules within a Group Policy Object by using the Group Policy Management Console (GPMC). diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 10a2c6c988..a866996a6f 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -1,16 +1,19 @@ --- title: Audit Windows Defender Application Control (WDAC) policies (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- 
@@ -96,5 +99,5 @@ Use the following procedure after you have been running a computer with a WDAC p You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). -> [!NOTE] -> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. +> [!Note] +> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 92c3c3aa47..9d7b5e5f7c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md 
@@ -1,6 +1,7 @@ --- title: Create a code signing cert for Windows Defender Application Control (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 67c1e0ccef..9f2f505f65 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,6 +1,7 @@ --- -title: Create an initial default policy (Windows 10) +title: Create a Windows Defender Application Control policy from a reference computer (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: manager: dansimp @@ -10,7 +11,12 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- 
@@ -26,6 +32,14 @@ For this example, you must initiate variables to be used during the creation pro Then create the WDAC policy by scanning the system for installed applications. The policy file is converted to binary format when it gets created so that Windows can interpret it. +## Overview of the process of creating Windows Defender Application Control policies + +A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). + +Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. 
+ +If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). + > [!NOTE] > Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md deleted file mode 100644 index 44a9846b76..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: Windows Defender Application Control path-based rules (Windows 10) -description: Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: mdsakibMSFT -ms.author: mdsakib -ms.date: 05/17/2019 ---- - -# Create Windows Defender Application Control path-based rules - -**Applies to:** - -- Windows 10 -- Windows Server 2016 - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - -Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. - -- New-CIPolicy parameters - - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) - - ```powershell - New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u - ``` - - Optionally, add -UserWriteablePaths to ignore user writeability - - - FilePathRule: create a rule where filepath string is directly set to value of \ - - ```powershell - New-CIPolicyRule -FilePathRule - ``` - - Useful for wildcards like C:\foo\\* - -- Usage follows the same flow as per-app rules: - - ```powershell - $rules = New-CIPolicyRule … - $rules += New-CIPolicyRule … - … - New-CIPolicyRule -f .\mypolicy.xml -u - ``` - -- Wildcards supported - - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - - One or the other, not both at the same time - - Does not support wildcard in the middle (ex. C:\\*\foo.exe) -- Supported Macros: - - %WINDIR%\\... - - %SYSTEM32%\\... - - %OSDRIVE%\\... - -- Disable default FilePath rule protection of enforcing user-writeability. 
For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: - - ```powershell - Set-RuleOption -o 18 .\policy.xml - ``` - diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md deleted file mode 100644 index d7f2a132fb..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md +++ /dev/null 
@@ -1,382 +0,0 @@ ---- -title: Create your Windows Defender Application Control (WDAC) planning document (Windows 10) -description: This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document. -ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e -ms.reviewer: -ms.author: dansimp -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 09/21/2017 ---- - -# Create your Windows Defender Application Control (WDAC) planning document - -**Applies to** -- Windows 10 -- Windows Server - -This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document. - -## The WDAC deployment design - -The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using WDAC. - -You should have completed these steps in the design and planning process: - -1. [Select types of rules to create](select-types-of-rules-to-create.md) -2. [Plan for WDAC policy management](document-your-windows-defender-application-control-management-processes.md) - -### WDAC planning document contents - -Your planning document should contain: - -- A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information. -- Application control policy project target dates, both for planning and deployment. -- A complete list of apps used by each business group (or organizational unit), including version information and installation paths. -- What condition to apply to rules governing each application (or whether to use the default set provided by WDAC). 
-- A strategy for using Group Policy to deploy the WDAC policies. -- A strategy in processing the application usage events generated by WDAC. -- A strategy to maintain and manage WDAC polices after deployment. - -### Sample template for an WDAC planning document - -You can use the following form to construct your own WDAC planning document. - -**Business group**: - -**Operating system environment**: (Windows and non-Windows) - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - -

      Contacts

      Business contact:

      Technical contact:

      Other departments

      In this business group:

      Affected by this project:

      Security policies

      Internal:

      Regulatory/compliance:

      Business goals

      Primary:

      Secondary:

      Project target dates

      Design signoff date:

      Policy deployment date:

      - -Rules - - ----------- - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Business groupOrganizational unitImplement WDAC?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

       

      - -Event processing - - ------- - - - - - - - - - - - - - - - - - - -
      Business groupWDAC event collection locationArchival policyAnalyzed?Security policy

       

      - -Policy maintenance - - ------- - - - - - - - - - - - - - - - - - - -
      Business groupRule update policyApp decommission policyApp version policyApp deployment policy

       

      Planned:

      -

      Emergency:

      - -### Example of a WDAC planning document - -**Rules** - - ----------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Business groupOrganizational unitImplement WDAC?ApplicationsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

      Bank Tellers

      Teller-East and Teller-West

      Yes

      Teller Software

      C:\Program Files\Woodgrove\Teller.exe

      File is signed; create a publisher condition

      Allow

      Tellers-WDACTellerRules

      Web help

      Windows files

      -

      C:\Windows

      Create a path exception to the default rule to exclude \Windows\Temp

      Allow

      Help desk

      Human Resources

      HR-All

      Yes

      Check Payout

      C:\Program Files\Woodgrove\HR\Checkcut.exe

      File is signed; create a publisher condition

      Allow

      HR-WDACHRRules

      Web help

      Time Sheet Organizer

      C:\Program Files\Woodgrove\HR\Timesheet.exe

      File is not signed; create a file hash condition

      Allow

      Web help

      Internet Explorer 7

      C:\Program Files\Internet Explorer</p>

      File is signed; create a publisher condition

      Deny

      Web help

      -

      Windows files

      C:\Windows

      Use the default rule for the Windows path

      Allow

      Help desk

      - -Event processing - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
      Business groupWDAC event collection locationArchival policyAnalyzed?Security policy

      Bank Tellers

      Forwarded to: WDAC Event Repository on srvBT093

      Standard

      None

      Standard

      Human Resources

      DO NOT FORWARD. srvHR004

      60 months

      Yes, summary reports monthly to managers

      Standard

      - -Policy maintenance - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
      Business groupRule update policyApp decommission policyApp version policyApp deployment policy

      Bank Tellers

      Planned: Monthly through business office triage

      -

      Emergency: Request through help desk

      Through business office triage

      -

      30-day notice required

      General policy: Keep past versions for 12 months

      -

      List policies for each application

      Coordinated through business office

      -

      30-day notice required

      Human Resources

      Planned: Monthly through HR triage

      -

      Emergency: Request through help desk

      Through HR triage

      -

      30-day notice required

      General policy: Keep past versions for 60 months

      -

      List policies for each application

      Coordinated through HR

      -

      30-day notice required

      - -### Additional resources - -- [Windows Defender Application Control](windows-defender-application-control.md) - - diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 13fa578687..586cf70292 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -1,16 +1,19 @@ --- title: Deploy catalog files to support Windows Defender Application Control (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 02/28/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index e24750f74b..d70793409e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -1,13 +1,19 @@ --- title: Deploy multiple Windows Defender Application Control Policies (Windows 10) description: Windows Defender Application Control supports multiple code integrity policies for one device. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: mdsakibMSFT -ms.author: mdsakib +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/17/2019 --- @@ -18,9 +24,6 @@ ms.date: 05/17/2019 - Windows 10 - Windows Server 2016 ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1. Enforce and Audit Side-by-Side 
@@ -44,10 +47,10 @@ Note that multiple policies will not work on pre-1903 systems. ### Allow Multiple Policies -In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in New-CIPolicy results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. +In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. ```powershell -New-CIPolicy -MultiplePolicyFormat -foo –bar +New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash ``` Optionally, you can choose to make the new base policy supplementable (allow supplemental policies). 
@@ -64,19 +67,19 @@ Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [- ### Supplemental Policy Creation -In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. -- "SupplementsBasePolicyID": guid of new supplemental policy -- "BasePolicyToSupplementPath": base policy that the supplemental policy applies to +In order to create a supplemental policy, begin by creating a new policy in the Multiple Policy Format. From there, use Set-CIPolicyIdInfo to convert it to a supplemental policy and specify which base policy it expands. You can use either SupplementsBasePolicyID or BasePolicyToSupplementPath to specify the base policy. +- "SupplementsBasePolicyID": GUID of base policy that the supplemental policy applies to +- "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to ```powershell Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] [] ``` -Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy guids back to a random guid. +Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID. ### Merging policies -When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \. +When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \. ### Deploying policies 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index e4c776c47e..7bbbc5f8e5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -1,16 +1,19 @@
 ---
 title: Deploy Windows Defender Application Control (WDAC) policies by using Group Policy (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 02/28/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 61a3e06b58..8a2a80de85 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -1,16 +1,19 @@
 ---
 title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 05/17/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index 79cdfd3512..59112ea46a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -1,16 +1,19 @@
 ---
 title: Disable Windows Defender Application Control policies (Windows 10)
 description: This topic covers how to disable unsigned or signed WDAC policies.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 05/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
deleted file mode 100644
index f29188cd79..0000000000
--- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
+++ /dev/null
@@ -1,239 +0,0 @@ ---- -title: Document your application control management processes (Windows 10) -description: This planning topic describes the WDAC policy maintenance information to record for your design document. -ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb -ms.reviewer: -ms.author: dansimp -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 09/21/2017 ---- - -# Document your application control management processes - -**Applies to** -- Windows 10 -- Windows Server - -This planning topic describes the Windows Defender Application Control (WDAC) policy maintenance information to record for your design document. - -## Record your findings - -To complete this planning document, you should first complete the following steps: - -3. [Select the types of rules to create](select-types-of-rules-to-create.md) -4. [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) - -The three key areas to determine for WDAC policy management are: - -1. Support policy - - Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. - -2. Event processing - - Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis. - -3. Policy maintenance - - Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added. - -The following table contains the added sample data that was collected when determining how to maintain and manage WDAC policies. 
- - ----------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Business groupOrganizational unitImplement WDAC?AppsInstallation pathUse default rule or define new rule conditionAllow or denyGPO nameSupport policy

      Bank Tellers

      Teller-East and Teller-West

      Yes

      Teller Software

      C:\Program Files\Woodgrove\Teller.exe

      File is signed; create a publisher condition

      Allow

      Tellers-WDACTellerRules

      Web help

      Windows files

      -

      C:\Windows

      Create a path exception to the default rule to exclude \Windows\Temp

      Allow

      Help desk

      Human Resources

      HR-All

      Yes

      Check Payout

      C:\Program Files\Woodgrove\HR\Checkcut.exe

      File is signed; create a publisher condition

      Allow

      HR-WDACHRRules

      Web help

      Time Sheet Organizer

      C:\Program Files\Woodgrove\HR\Timesheet.exe

      File is not signed; create a file hash condition

      Allow

      Web help

      Internet Explorer 7

      C:\Program Files\Internet Explorer</p>

      File is signed; create a publisher condition

      Deny

      Web help

      -

      Windows files

      C:\Windows

      Use the default rule for the Windows path

      Allow

      Help desk

      - -The following two tables illustrate examples of documenting considerations to maintain and manage WDAC policies. - -**Event processing policy** - -One discovery method for app usage is to use Audit mode. This will write events to the CodeIntegrity log, which can be managed and analyzed like other Windows logs. - -The following table is an example of what to consider and record. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
      Business groupWDAC event collection locationArchival policyAnalyzed?Security policy

      Bank Tellers

      Forwarded to: CodeIntegrity Event Repository on srvBT093

      Standard

      None

      Standard

      Human Resources

      DO NOT FORWARD. srvHR004

      60 months

      Yes, summary reports monthly to managers

      Standard

      - -Policy maintenance policy -When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. -The following table is an example of what to consider and record. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
      Business groupRule update policyApplication decommission policyApplication version policyApplication deployment policy

      Bank Tellers

      Planned: Monthly through business office triage

      -

      Emergency: Request through help desk

      Through business office triage

      -

      30-day notice required

      General policy: Keep past versions for 12 months

      -

      List policies for each application

      Coordinated through business office

      -

      30-day notice required

      Human Resources

      Planned: Monthly through HR triage

      -

      Emergency: Request through help desk

      Through HR triage

      -

      30-day notice required

      General policy: Keep past versions for 60 months

      -

      List policies for each application

      Coordinated through HR

      -

      30-day notice required

      - -## Next steps - -After you determine your application control management strategy for each business group, [create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 13a60fe360..7d5a20d2d6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -1,16 +1,19 @@ --- title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 05/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-catalogs.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-catalogs.png new file mode 100644 index 0000000000..754cf041ba Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-catalogs.png differ 
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-deployment.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-deployment.png
new file mode 100644
index 0000000000..91fc4f136b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-app-deployment.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-policy-authorization.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-policy-authorization.png
new file mode 100644
index 0000000000..d011fc4408
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-policy-authorization.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index fbad450704..e6b57b9722 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -1,16 +1,19 @@
 ---
 title: Manage packaged apps with Windows Defender Application Control (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 05/14/2019
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
index 4d04e9f6fa..01d8f1abb4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -1,16 +1,19 @@
 ---
 title: Merge Windows Defender Application Control (WDAC) policies (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 05/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 387ba074e2..a9250a0e9e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -1,16 +1,20 @@
 ---
 title: Microsoft recommended block rules (Windows 10)
 description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Application Control, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies.
-keywords: virtualization, security, malware
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
 audience: ITPro
-ms.date: 04/09/2019
-ms.reviewer:
-manager: dansimp
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
 ms.author: dansimp
+manager: dansimp
+ms.date: 04/09/2019
 ---
 # Microsoft recommended block rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index be74ddf1f0..2d05216e90 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -1,32 +1,73 @@ --- title: Plan for Windows Defender Application Control policy management (Windows 10) description: Plan for Windows Defender Application Control policy management. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 02/21/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm ms.author: dansimp +manager: dansimp +ms.date: 02/21/2018 --- -# Plan for Windows Defender Application Control policy management +# Plan for Windows Defender Application Control lifecycle policy management **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and above -This topic for describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. +This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. -## Policy management +## Policy XML lifecycle management -Before you begin the deployment process, consider how the WDAC rules will be managed. Developing a process for managing WDAC rules helps assure that WDAC continues to effectively control how applications are allowed to run in your organization. +Before you begin deploying WDAC, consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps assure that WDAC continues to effectively control how applications are allowed to run in your organization. -### Application and user support policy + +Most WDAC policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include: + +1. 
[Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. +2. Deploy the audit mode policy to intended computers. +3. Monitor audit block events from the intended computers and add/edit/delete rules as needed to address unexpected/unwanted blocks. +4. Repeat steps 2-3 until the remaining block events meet expectations. +5. Generate the enforced mode version of the policy. +6. Deploy the enforced mode policy to intended computers. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly. +7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes. + +### Keep WDAC policies in a source control or document management solution + +To effectively manage WDAC policies, you should store and maintain your policy XML documents in a central repository that is accessible to everyone responsible for WDAC policy management. We recommend a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration), which provide version control and allow you to specify metadata about the XML documents. + +### Set PolicyName, PolicyID, and Version metadata for each policy + +Use the [Set-CIPolicyIDInfo](https://docs.microsoft.com/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system auto-generate a unique ID for the policy. 
+ +> [!NOTE] +> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10. +> PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy. + +In addition, we recommend using the [Set-CIPolicyVersion](https://docs.microsoft.com/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (e.g. "1.0.0.0"). + +### Policy rule updates + +As new apps are deployed or existing apps are updated by the software publisher, you may need to make revisions to your rules to ensure that these apps run correctly. Whether policy rule updates are required will depend significantly on the types of rules your policy includes. Rules based on codesigning certificates provide the most resiliency against app changes while rules based on file attributes or hash are most likely to require updates when apps change. Alternatively, if you leverage WDAC [managed installer](use-windows-defender-application-control-with-managed-installer.md) functionality and consistently deploy all apps and their updates through your managed installer, then you are less likely to need policy updates. + +## WDAC event management + +Each time that a process is blocked by WDAC, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file. 
+ +Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](https://go.microsoft.com/fwlink/p/?LinkId=145012). + +Additionally, WDAC events are collected by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature. + +## Application and user support policy Considerations include: @@ -35,7 +76,7 @@ Considerations include: - How are existing rules updated? - Are events forwarded for review? -**Help desk support** +### Help desk support If your organization has an established help desk support department in place, consider the following when deploying WDAC policies: 
@@ -44,49 +85,17 @@ If your organization has an established help desk support department in place, c - Who are the contacts in the support department? - How will the support department resolve application control issues between the end user and those who maintain the WDAC rules? -**End-user support** +### End-user support Because WDAC is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: - Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? -**WDAC event management** - -Each time that a process requests permission to run, WDAC creates an event in the CodeIntegrity log. The event details which file tried to run, the attributes of that file, and the user that initiated the request. - -Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](https://go.microsoft.com/fwlink/p/?LinkId=145012). - -### Policy maintenance - -As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current. - -To ensure version control when modifying an WDAC policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). 
An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013). -  -**New version of a supported app** - -When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. - -To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version. - -For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions. 
- -For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app - -**Recently deployed app** - -To support a new app, you must add one or more rules to the existing WDAC policy. - -**App is no longer supported** - -If your organization has determined that it will no longer support an application that has WDAC rules associated with it, the easiest way to prevent users from running the app is to delete these rules. - -## Next steps +## Document your plan After deciding how your organization will manage your WDAC policy, record your findings. - **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the WDAC policy, if necessary. - **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis. -- **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined. - -For information and steps how to document your processes, see [Document your application control management processes](document-your-windows-defender-application-control-management-processes.md). +- **Policy management.** Detail what policies are planned, how they will be managed, and how rules will be maintained over time. diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index fa2f7af6ec..183701e0a9 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -1,16 +1,20 @@
 ---
 title: Querying Application Control events centrally using Advanced hunting (Windows 10)
 description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
-ms.mktglfcycl: manage
+ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
 ms.author: dansimp
-ms.date: 12/06/2018
-ms.reviewer:
 manager: dansimp
+ms.date: 12/06/2018
 ---
 # Querying Application Control events centrally using Advanced hunting
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 9abcd191f4..6e77768954 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -1,55 +1,51 @@ --- title: Select the types of rules to create (Windows 10) description: Select the types of rules to create. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.date: 04/20/2018 -ms.reviewer: -manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm ms.author: dansimp +manager: dansimp +ms.date: 04/20/2018 --- -# Deploy Windows Defender Application Control policy rules and file rules +# Understand WDAC policy rules and file rules **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and above Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a WDAC policy, and *file rules* (or *file rule levels*) that specify the level at which applications will be identified and trusted. -## Overview of the process of creating Windows Defender Application Control policies - -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. 
For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). - -Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. - -If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). - ## Windows Defender Application Control policy rules -To modify the policy rule options of an existing WDAC policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy: +To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). 
Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy: - To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command: - `Set-RuleOption -FilePath -Option 0` + `Set-RuleOption -FilePath -Option 0` Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Application Control will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. - To disable UMCI on an existing WDAC policy, delete rule option 0 by running the following command: - `Set-RuleOption -FilePath -Option 0 -Delete` + `Set-RuleOption -FilePath -Option 0 -Delete` -You can set several rule options within a WDAC policy. Table 2 describes each rule option. +You can set several rule options within a WDAC policy. Table 1 describes each rule option. > [!NOTE] > We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode. -**Table 2. Windows Defender Application Control policy - policy rule options** +**Table 1. 
Windows Defender Application Control policy - policy rule options** | Rule option | Description | |------------ | ----------- | 
@@ -64,7 +60,7 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru
 | **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
 | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
 | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to Restricted Language Mode. NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
 | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications.
|
 | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. |
 | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
@@ -78,15 +74,15 @@ You can set several rule options within a WDAC policy. Table 2 describes each ru File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as fine-tuned as the hash of each binary or as general as a CA certificate. You specify file rule levels both when you create a new WDAC policy from a scan and when you create a policy from audit events. In addition, to combine rule levels found in multiple policies, you can merge the policies. When merged, WDAC policies combine their file rules, so that any application that would be allowed by either of the original policies will be allowed by the combined policy. -Each file rule level has its benefit and disadvantage. Use Table 3 to select the appropriate protection level for your available administrative resources and Windows Defender Application Control deployment scenario. +Each file rule level has its benefit and disadvantage. Use Table 2 to select the appropriate protection level for your available administrative resources and Windows Defender Application Control deployment scenario. -Table 3. Windows Defender Application Control policy - file rule levels +**Table 2. Windows Defender Application Control policy - file rule levels** | Rule level | Description | |----------- | ----------- | | **Hash** | Specifies individual hash values for each discovered binary. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. | | **FileName** | Specifies individual binary file names. Although the hash values for an application are modified when updated, the file names are typically not. This offers less specific security than the hash level but does not typically require a policy update when any binary is modified. 
| -| **FilePath** | Beginning with Windows 10 version 1903, this specifies rules that allow execution of binaries contained in paths that are admin-writeable only. By default, WDAC performs a user-writeability check at runtime which ensures that the current permissions on the specified filepath and its parent directories (recursively) do not allow standard users write access.
      Note that filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. IT Pros should take care while crafting path rules to allow paths that they know are likely to remain to be admin-writeable only and deny execution from sub-directories where standard users can modify ACLs on the folder.
      There is a defined list of SIDs which are recognized as admins (below). If a file has write permissions for a SID not in this list, the file will be flagged as user writeable.
      S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
      Wildcards can be used at the beginning or end of a path rule: only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. C:\\* would include C:\foo\\* ). Wildcards placed at the beginning of a path scan all directories for files with a specific name (ex. \*\bar.exe would allow C:\bar.exe and C:\foo\bar.exe). Wildcards in the middle of a path are not supported (ex. C:\\*\foo.exe). Without a wildcard, the rule will allow only a specific file (ex. C:\foo\bar.exe).
      Supported macros: %WINDIR%, %SYSTEM32%, %OSDRIVE%.| +| **FilePath** | Beginning with Windows 10 version 1903, this specifies rules that allow execution of binaries contained under specific file path locations. Additional information about FilePath level rules can be found below. | > [!NOTE] > Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md) 
@@ -115,3 +111,20 @@ As part of normal operations, they will eventually install software updates, or They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required). +## More information about filepath rules + +Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. IT Pros should take care while crafting path rules to allow paths that they know are likely to remain to be admin-writeable only and deny execution from sub-directories where standard users can modify ACLs on the folder. + +By default, WDAC performs a user-writeability check at runtime which ensures that the current permissions on the specified filepath and its parent directories (recursively) do not allow standard users write access. + +There is a defined list of SIDs which WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable even if the additional SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described above. + +WDAC's list of well-known admin SIDs are:
      +S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523. + +When generating filepath rules using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), a unique, fully-qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards and include them in your [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) scan using the -Rules switch. + +Wildcards can be used at the beginning or end of a path rule: only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. C:\\* would include C:\foo\\* ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. \*\bar.exe would allow C:\bar.exe and C:\foo\bar.exe). Wildcards in the middle of a path are not supported (ex. C:\\*\foo.exe). Without a wildcard, the rule will allow only a specific file (ex. C:\foo\bar.exe).
      Supported macros: %WINDIR%, %SYSTEM32%, %OSDRIVE%.
+
+> [!NOTE]
+> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
index 7f2c0b16d3..4d6bb94c8f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
+++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
@@ -1,16 +1,20 @@
 ---
 title: Signing Windows Defender Application Control policies with SignTool.exe (Windows 10)
 description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.date: 02/21/2018
-ms.reviewer:
-manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
 ms.author: dansimp
+manager: dansimp
+ms.date: 02/21/2018
 ---
 
 # Signing Windows Defender Application Control policies with SignTool.exe
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index aacc7afb09..6a955009ea 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -1,18 +1,20 @@
 ---
-title: types of devices (Windows 10)
+title: Types of devices (Windows 10)
 description: Typically, deployment of Windows Defender Application Control happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices.
-keywords: virtualization, security, malware
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 03/01/2018
-ms.reviewer:
+author: jsuther1974
+ms.reviewer: isbrahm
 ms.author: dansimp
+manager: dansimp
+ms.date: 03/01/2018
 ---
 
 # Windows Defender Application Control deployment in different scenarios: types of devices
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 5f6b6c7849..87a4942ff4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -1,6 +1,7 @@
 ---
 title: Understand Windows Defender Application Control policy design decisions (Windows 10)
 description: Understand Windows Defender Application Control policy design decisions.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer:
 manager: dansimp
@@ -10,7 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 02/08/2018
 ---
 
@@ -19,57 +25,64 @@ ms.date: 02/08/2018 **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and above -This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment. +This topic is for the IT professional and lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment. When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance. -You should consider using WDAC as part of your organization's application control policies if all the following are true: +You should consider using WDAC as part of your organization's application control policies if the following are true: -- You have deployed or plan to deploy the supported versions of Windows in your organization. +- You have deployed or plan to deploy the supported versions of Windows in your organization. - You need improved control over the access to your organization's applications and the data your users access. -- The number of applications in your organization is known and manageable. +- Your organization has a well-defined process for application management and deployed. - You have resources to test policies against the organization's requirements. - You have resources to involve Help Desk or to build a self-help process for end-user application access issues. - The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. -The following questions are not in priority or sequential order. 
They should be considered when you deploy application control policies (as appropriate for your targeted environment). +## Decide what policies to create -### Which apps do you need to control in your organization? +Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. While this opens up many new use cases for organizations, your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create. -You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. +The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust", we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML. + +For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store. + +Microsoft Endpoint Configuration Manager (previously known as System Center Configuration Manager (SCCM)), uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow SCCM and its dependencies, sets the managed installer policy rule, and additionally configures SCCM as a managed installer. 
It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the SCCM administrator which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for SCCM's native WDAC integration. + +The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order and are not meant to be an exhaustive set of design considerations. + +## WDAC design considerations + +### How are apps managed and deployed in your organization? + +Organizations with well-defined, centrally-managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization. | Possible answers | Design considerations| | - | - | -| Control all apps | WDAC policies control applications by creating an allowed list of applications. Exceptions are also possible. WDAC policies can only be applied to applications installed on computers running Windows 10 . | -| Control specific apps | When you create WDAC rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. WDAC policies can only be applied to apps installed on computers running Windows 10 or Windows Server 2016. | -|Control only Classic Windows applications, only Universal Windows apps, or both| WDAC policies control apps by creating an allowed list of apps based on code signing certificate and\or file hash information. Because Universal Windows apps are all signed by the Windows Store, Classic Windows applications and Universal Windows apps can be controlled together. 
WDAC policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with WDAC on Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.| -| Control apps by business group | WDAC policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). | -| Control apps by computer, not user | WDAC is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your WDAC planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| -|Understand app usage, but there is no need to control any apps yet | WDAC policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the CodeIntegrity log in Event Viewer to create WDAC policies.| +| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](use-windows-defender-application-control-with-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. | +| Some apps are centrally managed and deployed, but teams can install additional apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. 
Alternatively, teams can leverage managed installers to install their team-specific apps or admin-only file path rules can be used to allow apps installed by admin users. | +| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Windows Defender Antivirus and SmartScreen) to allow only apps and binaries that have positive reputation. | +| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.| -### How do you currently control app usage in your organization? +### Are internally-developed line-of-business (LOB) apps and apps developed by 3rd parties digitally signed? -Most organizations have evolved app control policies and methods over time. With heightened security concerns and an emphasis on tighter IT control over desktop use, your organization might decide to consolidate app control practices or design a comprehensive application control scheme. WDAC includes improvements over AppLocker and SRP in the architecture and management of application control policies. +Traditional Win32 apps on Windows can run without being digitally signed. This practice can expose Windows devices to malicious or tampered code and presents a security vulnerability to your Windows devices. Adopting code-signing as part of your organization's app development practices or augmenting apps with signed catalog files as part of your app ingestion and distribution can greatly improve the integrity and security of apps used. 
| Possible answers | Design considerations | | - | - | -| Security polices (locally set or through Mobile Device Management (MDM) or Group Policy) | Using WDAC requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| -| Non-Microsoft app control software | Using WDAC requires a complete app control policy evaluation and implementation.| -| Managed usage by group or OU | Using WDAC requires a complete app control policy evaluation and implementation.| -| Authorization Manager or other role-based access technologies | Using WDAC requires a complete app control policy evaluation and implementation.| -| Other | Using WDAC requires a complete app control policy evaluation and implementation.| +| All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). | +| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows 10 tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific app catalog signatures to existing apps as a part of the app deployment process which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed app catalogs. | ### Are there specific groups in your organization that need customized application control policies? -Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. 
You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. +Most business teams or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization. There is overhead in managing policies which may lead you to choose between broad, organization-wide policies and multiple team-specific policies. | Possible answers | Design considerations | | - | - | -| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
      If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply WDAC rules in a GPO to specific user groups.| +| Yes | WDAC policies can be created unique per team, or team-specific supplemental policies can be used to expand what is allowed by a common, centrally-defined base policy.| | No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| - + ### Does your IT department have resources to analyze application usage, and to design and manage the policies? The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance. 
@@ -77,8 +90,8 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | | Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| -| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. | - +| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. Alternatively, you can create a policy with a broad trust profile to authorize as many apps as possible. | + ### Does your organization have Help Desk support? Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. 
@@ -87,56 +100,3 @@ Preventing your users from accessing known, deployed, or personal applications w | - | - | | Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. | | No | Invest time in developing online support processes and documentation before deployment. | - - -### Do you know what applications require restrictive policies? -Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data. - -| Possible answers | Design considerations | -| - | - | -| Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | -| No | You will have to perform an audit and requirements gathering project to discover the application usage. WDAC provides the means to deploy policies in audit mode.| - -### How do you deploy or sanction applications (upgraded or new) in your organization? - -Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies. - -| Possible answers | Design considerations | -| - | - | -| Ad hoc | You need to gather requirements from each group. 
Some groups might want unrestricted access or installation, while other groups might want strict controls.| -| Strict written policy or guidelines to follow | You need to develop WDAC rules that reflect those policies, and then test and maintain the rules. | -| No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. | - -### What are your organization's priorities when implementing application control policies? - -Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of WDAC. - -| Possible answers | Design considerations | -| - | - | -| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | -| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. WDAC policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| -| Security: The organization must protect data in part by ensuring that only approved apps are used. | WDAC can help protect data by allowing a defined set of users access to apps that access the data. 
If security is the top priority, the application control policies will be the most restrictive.| - -### How are apps currently accessed in your organization? - -WDAC is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, WDAC can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from WDAC policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. - -| Possible answers | Design considerations | -| - | - | -| Users run without administrative rights. | Apps are installed by using an installation deployment technology.| -| WDAC can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using WDAC to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.
      **Note: **WDAC can also be effective in helping create standardized desktops in organizations where users run as administrators. | Users must be able to install applications as needed. -| Users currently have administrator access, and it would be difficult to change this.|Enforcing WDAC rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using WDAC or to implement the audit only enforcement setting.| - -### Is the structure in Active Directory Domain Services based on the organization's hierarchy? - -Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. -Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins. - -| Possible answers | Design considerations | -| - | - | -| Yes | WDAC rules can be developed and implemented through Group Policy, based on your AD DS structure.| -| No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.| - -## Record your findings - -The next step in the process is to record and analyze your answers to the preceding questions. If WDAC is the right solution for your goals, you can set your application control policy objectives and plan your WDAC rules. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 597df3c8b3..e35f247793 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -1,6 +1,7 @@
 ---
 title: Use code signing to simplify application control for classic Windows applications (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer:
 manager: dansimp
@@ -10,7 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 05/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index 567c3db270..bb2b9834f3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -1,6 +1,7 @@
 ---
 title: Use the Device Guard Signing Portal in the Microsoft Store for Business (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer:
 manager: dansimp
@@ -10,7 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 02/19/2019
 ---
@@ -30,11 +36,11 @@ Before you get started, be sure to review these best practices: **Best practices** - Test your code integrity policies on a pilot group of devices before deploying them to production. -- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](hhttps://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create). +- Use rule options 9 and 10 during testing. For more information, see the section Code integrity policy rules in the [Deploy Windows Defender Application Control policy rules and file rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create). **To sign a code integrity policy** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, click **Store settings**, and then click **Device Guard**. 3. Click **Upload** to upload your code integrity policy. 4. After the files are uploaded, click **Sign** to sign the code integrity policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 7cca116982..edbac5d2b9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -1,6 +1,7 @@
 ---
 title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10)
 description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer:
 manager: dansimp
@@ -10,7 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 05/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 8919d6d670..2151bc0de5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -1,6 +1,7 @@
 ---
 title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules (Windows 10)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.reviewer:
 manager: dansimp
@@ -10,7 +11,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 05/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 8d7885f549..90585fe7cb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -1,16 +1,19 @@
 ---
 title: Windows Defender Application Control and .NET Hardening (Windows 10)
 description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
+keywords: whitelisting, security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
 ms.date: 08/20/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 91eec3f5c5..62085ad482 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -1,14 +1,20 @@
 ---
 title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10)
 description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.date: 06/14/2018
-ms.reviewer:
-manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
 ms.author: dansimp
+manager: dansimp
+ms.date: 06/14/2018
 ---
 # Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index 1c2b670b16..aac3df82fc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -1,15 +1,20 @@
 ---
 title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10)
 description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager.
-keywords: virtualization, security, malware
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.date: 06/13/2018
-ms.reviewer:
-manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
 ms.author: dansimp
+manager: dansimp
+ms.date: 06/13/2018
 ---
 # Deploy Managed Installer for Windows Defender Application Control
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
index 38cfd605db..80ddc17590 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -1,15 +1,20 @@
 ---
 title: Planning and getting started on the Windows Defender Application Control deployment process (Windows 10)
 description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Application Control, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies.
-keywords: virtualization, security, malware
+keywords: whitelisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
 ms.localizationpriority: medium
-author: dansimp
-ms.date: 05/16/2018
-ms.reviewer:
-manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jsuther1974
+ms.reviewer: isbrahm
 ms.author: dansimp
+manager: dansimp
+ms.date: 05/16/2018
 ---
 # Planning and getting started on the Windows Defender Application Control deployment process
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
index e9719fd4e4..605383ec22 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -1,28 +1,41 @@ --- title: Windows Defender Application Control design guide (Windows 10) -description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. -keywords: virtualization, security, malware +description: Microsoft Windows Defender Application Control allows organizations to control what apps and drivers will run on their managed Windows 10 devices. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security ms.localizationpriority: medium -author: dansimp -manager: dansimp audience: ITPro ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.topic: conceptual ms.date: 02/20/2018 -ms.reviewer: -ms.author: dansimp --- # Windows Defender Application Control design guide **Applies to** - Windows 10 -- Windows Server +- Windows Server 2016 and above This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. +## Plan for success + +A common refrain you may hear about application control is that it is "too hard". While it is true that application control is not as simple as flipping a switch, organizations can be very successful if they take a methodical approach and carefully plan their approach. In reality, the issues that lead to failure with application control often arise from business issues rather than technology challenges. 
Organizations that have successfully deployed application control have ensured the following before starting their planning: + +- Executive sponsorship and organizational buy-in is in place. +- There is a clear **business** objective for using application control and it is not being planned as a purely technical problem from IT. +- The organization has a plan to handle potential helpdesk support requests for users who are blocked from running some apps. +- The organization has considered where application control can be most useful (e.g. securing sensitive workloads or business functions) and also where it may be difficult to achieve (e.g. developer workstations). + +Once these business factors are in place, you are ready to begin planning your WDAC deployment. The following topics can help guide you through your planning process. ## In this section 
@@ -31,7 +44,5 @@ This guide covers design and planning for Windows Defender Application Control ( | [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | | [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. | | [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. | -| [Create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md) | This planning topic summarizes the information you need to research and include in your planning document. | After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. - diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index b3bbec14d2..b05ffe98c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md 
@@ -1,20 +1,23 @@ --- -title: Windows Defender Application Control (WDAC) (Windows 10) -description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +title: Application Control for Windows +description: Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp ms.date: 01/08/2019 --- -# Windows Defender Application Control +# Application Control **Applies to:** 
@@ -22,36 +25,77 @@ ms.date: 01/08/2019 - Windows Server 2016 - Windows Server 2019 -With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. -In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. +With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. -However, when a user runs a process, that process has the same level of access to data that the user has. -As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. +In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. However, when a user runs a process, that process has the same level of access to data that the user has. As a result, sensitive information could easily be deleted or transmitted out of the organization if a user knowingly or unknowingly runs malicious software. -Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. -Specifically, application control moves away from the traditional application trust model where all applications are assumed trustworthy by default to one where applications must earn trust in order to run. -Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.). 
+Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). -Windows Defender Application Control (WDAC) can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). -WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs in [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1). +Application control is a crucial line of defense for protecting enterprises given today’s threat landscape, and it has an inherent advantage over traditional antivirus solutions. Specifically, application control moves away from an application trust model where all applications are assumed trustworthy to one where applications must earn trust in order to run. Many organizations, like the Australian Signals Directorate, understand this and frequently cite application control as one of the most effective means for addressing the threat of executable file-based malware (.exe, .dll, etc.). + +> [!NOTE] +> Although application control can significantly harden your computers against malicious code, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. + +Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements:
      +- **Windows Defender Application Control**; and +- **AppLocker** + +## Windows Defender Application Control + +Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). > [!NOTE] > Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies. -## WDAC System Requirements +WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: +- Attributes of the codesigning certificate(s) used to sign an app and its binaries; +- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file; +- The reputation of the app as determined by Microsoft's Intelligent Security Graph; +- The identity of the process that initiated the installation of the app and its binaries (managed installer); +- The path from which the app or file is launched (beginning with Windows 10 version 1903); +- The process that launched the app or binary. -WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. +### WDAC System Requirements + +WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. -Group Policy or Intune can be used to distribute WDAC policies. 
+Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above. -## New and changed functionality +## AppLocker -Prior to Windows 10, version 1709, Windows Defender Application Control was known as Windows Defender Device Guard configurable code integrity policies. +AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers. -Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). -For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md). +AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: +- Attributes of the codesigning certificate(s) used to sign an app and its binaries; +- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file; +- The path from which the app or file is launched (beginning with Windows 10 version 1903). + +### AppLocker System Requirements + +AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). +AppLocker policies can be deployed using Group Policy or MDM. 
+ +## Choose when to use WDAC or AppLocker + +Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies. + +**WDAC is best when:** +- You are adopting application control primarily for security reasons. +- Your application control policy can be applied to all users on the managed computers. +- All of the devices you wish to manage are running Windows 10. + +**AppLocker is best when:** +- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. +- You need to apply different policies for different users or groups on a shared computer. +- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature. +- You do not wish to enforce application control on application files such as DLLs or drivers. + +**When to use both WDAC and AppLocker together** +AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps. +As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. ## See also - [WDAC design guide](windows-defender-application-control-design-guide.md) - [WDAC deployment guide](windows-defender-application-control-deployment-guide.md) +- [AppLocker overview](applocker/applocker-overview.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md deleted file mode 100644 index bc80b871c8..0000000000 
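Review bot: The AppLocker rule list added in this hunk keeps the qualifier "(beginning with Windows 10 version 1903)" on its path condition, which looks copied from the WDAC list above it. Path rules are a long-standing AppLocker condition, so that bullet should read `- The path from which the app or file is launched.` and the version note should stay only on the WDAC bullet. Since the page now presents path as a rule type for both technologies, it is worth adding one sentence that a path rule is only as strong as the write permissions on that path. Two wording slips in the same hunk should be fixed as well: `WDAC policies apply to the managed computer as a whole and affect all users of the device.` and `where it's important to prevent some users from running specific apps`.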
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-device-guard-and-applocker.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -title: Windows Defender Device Guard and AppLocker (Windows 10) -description: Explains how -keywords: virtualization, security, malware -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -author: dansimp -ms.date: 05/03/2018 -ms.reviewer: -manager: dansimp -ms.author: dansimp ---- - -# Windows Defender Device Guard with AppLocker - -Although [AppLocker](applocker/applocker-overview.md) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when Windows Defender Application Control (WDAC) cannot be fully implemented or its functionality does not cover every desired scenario. -There are many scenarios in which WDAC would be used alongside AppLocker rules. -As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. - -> [!NOTE] -> One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule. - -AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. -In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 990977f063..3f9f335b8f 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -56,7 +56,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:

      • Enable Application Guard to print into the XPS format.
      • Enable Application Guard to print into the PDF format.
      • Enable Application Guard to print to locally attached printers.
      • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
      **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

      **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | |Allow Persistence|Windows 10 Enterprise, 1709 or higher

      Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

      **Disabled or not configured.** All user data within Application Guard is reset between sessions.

      **Note**
      If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
      **To reset the container:**
      1. Open a command-line program and navigate to Windows/System32.
      2. Type `wdagtool.exe cleanup`.
        The container environment is reset, retaining only the employee-generated data.
      3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
        The container environment is reset, including discarding all employee-generated data.
      | -|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

      **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| +|Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
      • Enable Windows Defender Application Guard only for Microsoft Edge;
      • Enable Windows Defender Application Guard only for Microsoft Office;
      • Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office.
      **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

      **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

      Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

        **Important**
        Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

      **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| |Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher

      Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.

      **Important**
      Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

      **Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.| diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index 9d214a2b3c..475ce2cff3 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md 
@@ -7,38 +7,41 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: mjcaparas +ms.author: macapara +audience: ITPro ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: manager: dansimp -ms.author: macapara --- # Windows Defender SmartScreen + **Applies to:** - Windows 10 - Windows 10 Mobile -Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. +Windows Defender SmartScreen protects against phishing or malware websites, and the downloading of potentially malicious files. **SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution. +- Analyzing visited webpages, looking for indications of suspicious behavior. If SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. -- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. +- Checking visited sites against a dynamic list of reported phishing and malicious software sites. If SmartScreen finds a match, it will show a warning indicating that the site might be malicious. **SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** -- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious. +- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. 
If SmartScreen finds a match, it will show a warning indicating that the site might be malicious. -- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution. +- Checking downloaded files against a list of files that are well-known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution. - >[!NOTE] - >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser. + > [!NOTE] + > Before Windows 10, version 1703, this feature was called _the SmartScreen Filter_ when used within the browser and _Windows SmartScreen_ when used outside of the browser. ## Benefits of Windows Defender SmartScreen -Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: + +Windows Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. 
For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) 
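Review bot: The rewritten bullet under "downloaded app or app installer" still says the warning indicates that "the site might be malicious", although that list is about files; `If SmartScreen finds a match, it will show a warning indicating that the file might be malicious.` matches the heading. The Benefits paragraph now reads "Windows Defender SmartScreen provide an early warning system" and needs `provides`. The new intro's unqualified "protects against" is also stronger than the checks described below it, which cover only reported sites and known files, so `helps protect against` would be more accurate. The next hunk (@@ -50,28 +53,27 @@) has a similar slip in "SmartScreen will blocks URLs", which should be `SmartScreen will block URLs`.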
@@ -50,28 +53,27 @@ Windows Defender SmartScreen helps to provide an early warning system against we - **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). +- **Blocking URLs associated with potentially unwanted applications.** In the next major version of Microsoft Edge (based on Chromium), SmartScreen will blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md). + ## Viewing Windows Defender SmartScreen anti-phishing events + When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). - ## Viewing Windows event logs for SmartScreen + SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer. > [!NOTE] > For information on how to use the Event Viewer, see [Windows Event Viewer](https://docs.microsoft.com/host-integration-server/core/windows-event-viewer1). 
-|EventID | Description | -| :---: | :---: | -|1000 | Application SmartScreen Event| -|1001 | Uri SmartScreen Event| -|1002 | User Decision SmartScreen Event| +EventID | Description +-|- +1000 | Application SmartScreen Event +1001 | Uri SmartScreen Event +1002 | User Decision SmartScreen Event ## Related topics + - [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) - - [Threat protection](../index.md) - - [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index f2d8e10f0a..8efa0d1a1c 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md 
@@ -23,7 +23,7 @@ Microsoft is committed to optimizing the security of its products and services. The Security Target describes security functionality and assurance measures used to evaluate Windows. -- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) +- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) 
@@ -43,7 +43,7 @@ The Security Target describes security functionality and assurance measures used - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) -- [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) +- [Microsoft Windows Server 2008 R2 Hyper-V Role](https://www.microsoft.com/download/en/details.aspx?id=29305) - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) 
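Review bot: The neighbouring Security Target links in this hunk's context still use `http://www.commoncriteriaportal.org/...`, so the move to HTTPS is only partial for this list. These are the documents readers rely on to check what was evaluated, and a plain-HTTP fetch gives no integrity protection for the PDF in transit. If that host serves the same paths over TLS (not verifiable from the diff), the remaining entries should be switched in the same pass, e.g. `https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf`. The list continues outside the hunk, so other entries may need the same change.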
@@ -60,7 +60,7 @@ These documents describe how to configure Windows to replicate the configuration **Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** -- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) +- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) 
@@ -137,7 +137,7 @@ These documents describe how to configure Windows to replicate the configuration An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. -- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) +- [Microsoft Windows 10 (April 2018 Update)](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)