diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 4a01c45a31..195bd1e6bf 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -1,484 +1,484 @@ -{ - "build_entry_point": "", - "docsets_to_publish": [ - { - "docset_name": "education", - "build_source_folder": "education", - "build_output_subfolder": "education", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "hololens", - "build_source_folder": "devices/hololens", - "build_output_subfolder": "hololens", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "internet-explorer", - "build_source_folder": "browsers/internet-explorer", - "build_output_subfolder": "internet-explorer", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "keep-secure", - "build_source_folder": "windows/keep-secure", - "build_output_subfolder": "keep-secure", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "mdop", - "build_source_folder": "mdop", - "build_output_subfolder": "mdop", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "microsoft-edge", - "build_source_folder": "browsers/edge", - "build_output_subfolder": "microsoft-edge", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "release-information", - "build_source_folder": "windows/release-information", - "build_output_subfolder": "release-information", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": false, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "smb", - "build_source_folder": "smb", - "build_output_subfolder": "smb", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "store-for-business", - "build_source_folder": "store-for-business", - "build_output_subfolder": "store-for-business", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "surface", - "build_source_folder": "devices/surface", - "build_output_subfolder": "surface", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "surface-hub", - "build_source_folder": "devices/surface-hub", - "build_output_subfolder": "surface-hub", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-access-protection", - "build_source_folder": "windows/access-protection", - "build_output_subfolder": "win-access-protection", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-app-management", - "build_source_folder": "windows/application-management", - "build_output_subfolder": "win-app-management", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-client-management", - "build_source_folder": "windows/client-management", - "build_output_subfolder": "win-client-management", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-configuration", - "build_source_folder": "windows/configuration", - "build_output_subfolder": "win-configuration", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-deployment", - "build_source_folder": "windows/deployment", - "build_output_subfolder": "win-deployment", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-device-security", - "build_source_folder": "windows/device-security", - "build_output_subfolder": "win-device-security", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-configure", - "build_source_folder": "windows/configure", - "build_output_subfolder": "windows-configure", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-deploy", - "build_source_folder": "windows/deploy", - "build_output_subfolder": "windows-deploy", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-hub", - "build_source_folder": "windows/hub", - "build_output_subfolder": "windows-hub", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-manage", - "build_source_folder": "windows/manage", - "build_output_subfolder": "windows-manage", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-plan", - "build_source_folder": "windows/plan", - "build_output_subfolder": "windows-plan", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-privacy", - "build_source_folder": "windows/privacy", - "build_output_subfolder": "windows-privacy", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-security", - "build_source_folder": "windows/security", - "build_output_subfolder": "windows-security", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "windows-update", - "build_source_folder": "windows/update", - "build_output_subfolder": "windows-update", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-threat-protection", - "build_source_folder": "windows/threat-protection", - "build_output_subfolder": "win-threat-protection", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - }, - { - "docset_name": "win-whats-new", - "build_source_folder": "windows/whats-new", - "build_output_subfolder": "win-whats-new", - "locale": "en-us", - "monikers": [], - "moniker_ranges": [], - "open_to_public_contributors": true, - "type_mapping": { - "Conceptual": "Content", - "ManagedReference": "Content", - "RestApi": "Content" - }, - "build_entry_point": "docs", - "template_folder": "_themes" - } - ], - "notification_subscribers": [ - "elizapo@microsoft.com" - ], - "sync_notification_subscribers": [ - "daniha@microsoft.com" - ], - "branches_to_filter": [ - "" - ], - "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs", - "git_repository_branch_open_to_public_contributors": "master", - "skip_source_output_uploading": false, - "need_preview_pull_request": true, - "resolve_user_profile_using_github": true, - "contribution_branch_mappings": {}, - "dependent_repositories": [ - { - "path_to_root": "_themes.pdf", - "url": "https://github.com/Microsoft/templates.docs.msft.pdf", - "branch": "master", - "branch_mapping": {} - }, - { - "path_to_root": "_themes", - "url": "https://github.com/Microsoft/templates.docs.msft", - "branch": "master", - "branch_mapping": {} - } - ], - "branch_target_mapping": { - "live": [ - "Publish", - "Pdf" - ], - "master": [ - "Publish", - "Pdf" - ] - }, - "need_generate_pdf_url_template": true, - "targets": { - "Pdf": { - "template_folder": "_themes.pdf" - } - }, - "need_generate_pdf": false, - "need_generate_intellisense": false +{ + "build_entry_point": "", + "docsets_to_publish": [ + { + "docset_name": "education", + "build_source_folder": "education", + "build_output_subfolder": "education", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "hololens", + "build_source_folder": "devices/hololens", + "build_output_subfolder": "hololens", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "internet-explorer", + "build_source_folder": "browsers/internet-explorer", + "build_output_subfolder": "internet-explorer", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "keep-secure", + "build_source_folder": "windows/keep-secure", + "build_output_subfolder": "keep-secure", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "mdop", + "build_source_folder": "mdop", + "build_output_subfolder": "mdop", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "microsoft-edge", + "build_source_folder": "browsers/edge", + "build_output_subfolder": "microsoft-edge", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "release-information", + "build_source_folder": "windows/release-information", + "build_output_subfolder": "release-information", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": false, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "smb", + "build_source_folder": "smb", + "build_output_subfolder": "smb", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "store-for-business", + "build_source_folder": "store-for-business", + "build_output_subfolder": "store-for-business", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "surface", + "build_source_folder": "devices/surface", + "build_output_subfolder": "surface", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "surface-hub", + "build_source_folder": "devices/surface-hub", + "build_output_subfolder": "surface-hub", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-access-protection", + "build_source_folder": "windows/access-protection", + "build_output_subfolder": "win-access-protection", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-app-management", + "build_source_folder": "windows/application-management", + "build_output_subfolder": "win-app-management", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-client-management", + "build_source_folder": "windows/client-management", + "build_output_subfolder": "win-client-management", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-configuration", + "build_source_folder": "windows/configuration", + "build_output_subfolder": "win-configuration", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-deployment", + "build_source_folder": "windows/deployment", + "build_output_subfolder": "win-deployment", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-device-security", + "build_source_folder": "windows/device-security", + "build_output_subfolder": "win-device-security", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-configure", + "build_source_folder": "windows/configure", + "build_output_subfolder": "windows-configure", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-deploy", + "build_source_folder": "windows/deploy", + "build_output_subfolder": "windows-deploy", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-hub", + "build_source_folder": "windows/hub", + "build_output_subfolder": "windows-hub", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-manage", + "build_source_folder": "windows/manage", + "build_output_subfolder": "windows-manage", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-plan", + "build_source_folder": "windows/plan", + "build_output_subfolder": "windows-plan", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-privacy", + "build_source_folder": "windows/privacy", + "build_output_subfolder": "windows-privacy", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-security", + "build_source_folder": "windows/security", + "build_output_subfolder": "windows-security", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "windows-update", + "build_source_folder": "windows/update", + "build_output_subfolder": "windows-update", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-threat-protection", + "build_source_folder": "windows/threat-protection", + "build_output_subfolder": "win-threat-protection", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, + { + "docset_name": "win-whats-new", + "build_source_folder": "windows/whats-new", + "build_output_subfolder": "win-whats-new", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": true, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + } + ], + "notification_subscribers": [ + "elizapo@microsoft.com" + ], + "sync_notification_subscribers": [ + "daniha@microsoft.com" + ], + "branches_to_filter": [ + "" + ], + "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs", + "git_repository_branch_open_to_public_contributors": "master", + "skip_source_output_uploading": false, + "need_preview_pull_request": true, + "resolve_user_profile_using_github": true, + "contribution_branch_mappings": {}, + "dependent_repositories": [ + { + "path_to_root": "_themes.pdf", + "url": "https://github.com/Microsoft/templates.docs.msft.pdf", + "branch": "master", + "branch_mapping": {} + }, + { + "path_to_root": "_themes", + "url": "https://github.com/Microsoft/templates.docs.msft", + "branch": "master", + "branch_mapping": {} + } + ], + "branch_target_mapping": { + "live": [ + "Publish", + "Pdf" + ], + "master": [ + "Publish", + "Pdf" + ] + }, + "need_generate_pdf_url_template": true, + "targets": { + "Pdf": { + "template_folder": "_themes.pdf" + } + }, + "need_generate_pdf": false, + "need_generate_intellisense": false } \ No newline at end of file diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index c53e6d17a6..5273dbe9ce 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -1,44 +1,44 @@ ---- -title: Change history for Microsoft Education Get Started -description: New and changed topics in the Microsoft Education get started guide. -keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -author: levinec -ms.author: ellevin -ms.date: 07/07/2017 -ms.reviewer: -manager: dansimp ---- - -# Change history for Microsoft Education Get Started - -This topic lists the changes in the Microsoft Education IT admin get started. - -## July 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | -| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | -| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | -| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | -| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | -| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | -| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | -| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | - - -## June 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | - -## May 2017 - -| New or changed topic | Description | -| --- | ---- | -| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | +--- +title: Change history for Microsoft Education Get Started +description: New and changed topics in the Microsoft Education get started guide. +keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +author: levinec +ms.author: ellevin +ms.date: 07/07/2017 +ms.reviewer: +manager: dansimp +--- + +# Change history for Microsoft Education Get Started + +This topic lists the changes in the Microsoft Education IT admin get started. + +## July 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Broke up the get started guide to highlight each phase in the Microsoft Education deployment and management process. | +| [Set up an Office 365 Education tenant](set-up-office365-edu-tenant.md) | New. Shows the video and step-by-step guide on how to set up an Office 365 for Education tenant. | +| [Use School Data Sync to import student data](use-school-data-sync.md) | New. Shows the video and step-by-step guide on School Data Sync and sample CSV files to import student data in a trial environment. | +| [Enable Microsoft Teams for your school](enable-microsoft-teams.md) | New. Shows how IT admins can enable and deploy Microsoft Teams in schools. | +| [Configure Microsoft Store for Education](configure-microsoft-store-for-education.md) | New. Shows the video and step-by-step guide on how to accept the services agreement and ensure your Microsoft Store account is associated with Intune for Education. | +| [Use Intune for Education to manage groups, apps, and settings](use-intune-for-education.md) | New. Shows the video and step-by-step guide on how to set up Intune for Education, buy apps from the Microsoft Store for Education, and install the apps for all users in your tenant. | +| [Set up Windows 10 education devices](set-up-windows-10-education-devices.md) | New. Shows options available to you when you need to set up new Windows 10 devices and enroll them to your education tenant. Each option contains a video and step-by-step guide. | +| [Finish Windows 10 device setup and other tasks](finish-setup-and-other-tasks.md) | New. Shows the video and step-by-step guide on how to finish preparing your Windows 10 devices for use in the classroom. | + + +## June 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | Includes the following updates:

- New configuration guidance for IT administrators to deploy Microsoft Teams.
- Updated steps for School Data Sync to show the latest workflow and user experience.
- Updated steps for Option 2: Try out Microsoft Education in a trial environment. You no longer need the SDS promo code to try SDS in a trial environment. | + +## May 2017 + +| New or changed topic | Description | +| --- | ---- | +| [Get started: Deploy and manage a full cloud IT solution with Microsoft Education](get-started-with-microsoft-education.md) | New. Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. | diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index 356dbca7b5..3551b9aa41 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md @@ -1,33 +1,33 @@ ---- -title: Create tests using Microsoft Forms -ms.reviewer: -manager: dansimp -description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. -keywords: school, Take a Test, Microsoft Forms -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -author: levinec -ms.author: ellevin -redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms ---- - -# Create tests using Microsoft Forms -**Applies to:** - -- Windows 10 - - -For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. - -To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. - -Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. - -[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) - - -## Related topics - -[Take tests in Windows 10](take-tests-in-windows-10.md) +--- +title: Create tests using Microsoft Forms +ms.reviewer: +manager: dansimp +description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. +keywords: school, Take a Test, Microsoft Forms +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: levinec +ms.author: ellevin +redirect_url: https://support.microsoft.com/help/4000711/windows-10-create-tests-using-microsoft-forms +--- + +# Create tests using Microsoft Forms +**Applies to:** + +- Windows 10 + + +For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. + +To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. + +Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. + +[Learn how to block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 5808bdcd4d..ab45a9f0a7 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -1,84 +1,84 @@ ---- -title: Set up School PCs app technical reference overview -description: Describes the purpose of the Set up School PCs app for Windows 10 devices. -keywords: shared cart, shared PC, school, set up school pcs -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu -ms.localizationpriority: medium -author: mjcaparas -ms.author: macapara -ms.date: 07/11/2018 -ms.reviewer: -manager: dansimp ---- - -What is Set up School PCs? -================================================= - -**Applies to:** - -- Windows 10 - -The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The -app, which is available for Windows 10 version 1703 and later, configures and saves -school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. - -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up -School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity. - - -## Join PC to Azure Active Directory -If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up -School PCs app creates a setup file that joins your PC to your Azure Active -Directory tenant. - -The app also helps set up PCs for use with or without Internet connectivity. - -## List of Set up School PCs features -The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. - -| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | -|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------| -| **Fast sign-in** | X | X | X | X | -| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | -| **Custom Start experience** | X | X | X | X | -| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | -| **Guest account, no sign-in required** | X | X | X | X | -| Set up computers for use by anyone with or without an account. | | | | | -| **School policies** | X | X | X | X | -| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | -| **Azure AD Join** | | X | X | X | -| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | | -| **Single sign-on to Office 365** | | | X | X | -| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | -| **Take a Test app** | | | | X | -| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | -| [Settings roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | -| Synchronize student and application data across devices for a personalized experience. | | | | | - +--- +title: Set up School PCs app technical reference overview +description: Describes the purpose of the Set up School PCs app for Windows 10 devices. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: mjcaparas +ms.author: macapara +ms.date: 07/11/2018 +ms.reviewer: +manager: dansimp +--- + +What is Set up School PCs? +================================================= + +**Applies to:** + +- Windows 10 + +The **Set up School PCs** app helps you configure new Windows 10 PCs for school use. The +app, which is available for Windows 10 version 1703 and later, configures and saves +school-optimized settings, apps, and policies into a single provisioning package. You can then save the package to a USB drive and distribute it to your school PCs. + +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app will create a setup file. This file joins the PC to your Azure Active Directory tenant. The app also helps set up PCs for use with or without Internet connectivity. + + +## Join PC to Azure Active Directory +If your school uses Azure Active Directory (Azure AD) or Office 365, the Set up +School PCs app creates a setup file that joins your PC to your Azure Active +Directory tenant. + +The app also helps set up PCs for use with or without Internet connectivity. + +## List of Set up School PCs features +The following table describes the Set up School PCs app features and lists each type of Intune subscription. An X indicates that the feature is available with the specific subscription. + +| Feature | No Internet | Azure AD | Office 365 | Azure AD Premium | +|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|----------|------------|------------------| +| **Fast sign-in** | X | X | X | X | +| Students sign in and start using the computer in under a minute, even on initial sign-in. | | | | | +| **Custom Start experience** | X | X | X | X | +| Necessary classroom apps are pinned to Start and unnecessary apps are removed. | | | | | +| **Guest account, no sign-in required** | X | X | X | X | +| Set up computers for use by anyone with or without an account. | | | | | +| **School policies** | X | X | X | X | +| Settings create a relevant, useful learning environment and optimal computer performance. | | | | | +| **Azure AD Join** | | X | X | X | +| Computers join with your existing Azure AD or Office 365 subscription for centralized management. | | | | | +| **Single sign-on to Office 365** | | | X | X | +| Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | +| **Take a Test app** | | | | X | +| Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | +| [Settings roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | +| Synchronize student and application data across devices for a personalized experience. | | | | | + > [!NOTE] -> If your school uses Active Directory, use [Windows Configuration -> Designer](set-up-students-pcs-to-join-domain.md) -> to configure your PCs to join the domain. You can only use the Set up School -> PCs app to set up PCs that are connected to Azure AD. - - - -## Next steps -Learn more about setting up devices with the Set up School PCs app. -* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) -* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) -* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) - -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). - - - - - - - - +> If your school uses Active Directory, use [Windows Configuration +> Designer](set-up-students-pcs-to-join-domain.md) +> to configure your PCs to join the domain. You can only use the Set up School +> PCs app to set up PCs that are connected to Azure AD. + + + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) +* [What's in my provisioning package](set-up-school-pcs-provisioning-package.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + + + + diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index 401c84e8fe..6f995f3299 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -1,76 +1,76 @@ ---- -title: Windows Autopilot Enrollment Status page -ms.reviewer: -manager: laurawi -description: Gives an overview of the enrollment status page capabilities, configuration -keywords: Autopilot Plug and Forget, Windows 10 -ms.prod: w10 -ms.technology: Windows -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -ms.localizationpriority: medium -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Enrollment Status page - -**Applies to** - -- Windows 10 - -The Windows Autopilot Enrollment Status Page displays the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being configured. The Enrollment Status Page can be also configured to prevent access to the desktop until the configuration process is complete. - - ![Enrollment status page](images/enrollment-status-page.png) - -From Windows 10 version 1803 onwards, you can opt out of the account setup phase. If it is skipped, settings will be applied for users when they access their desktop for the first time. - -## Available settings - - The following settings can be configured to customize behavior of the enrollment status page: - - -
SettingYesNo -
Show app and profile installation progressThe enrollment status page is displayed.The enrollment status page is not displayed. -
Block device use until all apps and profiles are installedThe settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues. -The enrollment status page is displayed with no additional options to address installation failures. -
Allow users to reset device if installation error occursA Reset device button is displayed if there is an installation failure.The Reset device button is not displayed if there is an installation failure. -
Allow users to use device if installation error occursA Continue anyway button is displayed if there is an installation failure.The Continue anyway button is not displayed if there is an installation failure. -
Show error when installation takes longer than specified number of minutesSpecify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered. -
Show custom message when an error occursA text box is provided where you can specify a custom message to display in case of an installation error.The default message is displayed:
Oh no! Something didn't do what it was supposed to. Please contact your IT department. -
Allow users to collect logs about installation errorsIf there is an installation error, a Collect logs button is displayed.
If the user clicks this button they are asked to choose a location to save the log file MDMDiagReport.cab		The Collect logs button is not displayed if there is an installation error. -
Block device use until these required apps are installed if they are assigned to the user/deviceChoose All or Selected.

If Selected is chosen, a Select apps button is displayed that enables you to choose which apps must be installed prior to enabling device use. -
- -See the following example: - - ![Enrollment status page settings](images/esp-settings.png) - -## Installation progress tracking - -The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include: - -- Certain types of app installations. - - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisemodernappmanagement-csp). - - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp). -- Certain device configuration policies. - -The following types of policies and installations are not tracked: - -- Intune Management Extensions PowerShell scripts -- Office 365 ProPlus installations** -- System Center Configuration Manager apps, packages, and task sequences - -**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
- -## More information - -For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
-For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
-For more information about blocking for app installation: -- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). -- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). +--- +title: Windows Autopilot Enrollment Status page +ms.reviewer: +manager: laurawi +description: Gives an overview of the enrollment status page capabilities, configuration +keywords: Autopilot Plug and Forget, Windows 10 +ms.prod: w10 +ms.technology: Windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +ms.localizationpriority: medium +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Enrollment Status page + +**Applies to** + +- Windows 10 + +The Windows Autopilot Enrollment Status Page displays the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being configured. The Enrollment Status Page can be also configured to prevent access to the desktop until the configuration process is complete. + + ![Enrollment status page](images/enrollment-status-page.png) + +From Windows 10 version 1803 onwards, you can opt out of the account setup phase. If it is skipped, settings will be applied for users when they access their desktop for the first time. + +## Available settings + + The following settings can be configured to customize behavior of the enrollment status page: + + +
SettingYesNo +
Show app and profile installation progressThe enrollment status page is displayed.The enrollment status page is not displayed. +
Block device use until all apps and profiles are installedThe settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues. +The enrollment status page is displayed with no additional options to address installation failures. +
Allow users to reset device if installation error occursA Reset device button is displayed if there is an installation failure.The Reset device button is not displayed if there is an installation failure. +
Allow users to use device if installation error occursA Continue anyway button is displayed if there is an installation failure.The Continue anyway button is not displayed if there is an installation failure. +
Show error when installation takes longer than specified number of minutesSpecify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered. +
Show custom message when an error occursA text box is provided where you can specify a custom message to display in case of an installation error.The default message is displayed:
Oh no! Something didn't do what it was supposed to. Please contact your IT department. +
Allow users to collect logs about installation errorsIf there is an installation error, a Collect logs button is displayed.
If the user clicks this button they are asked to choose a location to save the log file MDMDiagReport.cab		The Collect logs button is not displayed if there is an installation error. +
Block device use until these required apps are installed if they are assigned to the user/deviceChoose All or Selected.

If Selected is chosen, a Select apps button is displayed that enables you to choose which apps must be installed prior to enabling device use. +
+ +See the following example: + + ![Enrollment status page settings](images/esp-settings.png) + +## Installation progress tracking + +The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include: + +- Certain types of app installations. + - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisemodernappmanagement-csp). + - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp). +- Certain device configuration policies. + +The following types of policies and installations are not tracked: + +- Intune Management Extensions PowerShell scripts +- Office 365 ProPlus installations** +- System Center Configuration Manager apps, packages, and task sequences + +**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
+ +## More information + +For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
+For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
+For more information about blocking for app installation: +- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index e2fb1ecaa1..bcddf84201 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -1,71 +1,71 @@ ---- -title: Windows Autopilot Self-Deploying mode (Preview) -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot Self-Deploying mode - -**Applies to: Windows 10, version 1809 or later** - -Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection). - -Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned. - ->[!NOTE] ->Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory. - -Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. - ->[!NOTE] ->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. - -![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) - -## Requirements - -Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.) - ->[!NOTE] ->If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.) - -In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. - -## Step by step - -In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed: - -- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.) -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device. -- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete. - -## Validation - -When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed: - -- Once connected to a network, the Autopilot profile will be downloaded. -- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required: - - If multiple languages are preinstalled in Windows 10, the user must pick a language. - - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. -- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. -- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). -- The device will join Azure Active Directory. -- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). -- The [enrollment status page](enrollment-status.md) will be displayed. -- Depending on the device settings deployed, the device will either: - - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials. - - Automatically sign in as a local account, for devices configured as a kiosk or digital signage. - -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. +--- +title: Windows Autopilot Self-Deploying mode (Preview) +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot Self-Deploying mode + +**Applies to: Windows 10, version 1809 or later** + +Windows Autopilot self-deploying mode enables a device to be deployed with little to no user interaction. For devices with an Ethernet connection, no user interaction is required; for devices connected via Wi-fi, no interaction is required after making the Wi-fi connection (choosing the language, locale, and keyboard, then making a network connection). + +Self-deploying mode joins the device into Azure Active Directory, enrolls the device in Intune (or another MDM service) leveraging Azure AD for automatic MDM enrollment, and ensures that all policies, applications, certificates, and networking profiles are provisioned on the device, leveraging the enrollment status page to prevent access to the desktop until the device is fully provisioned. + +>[!NOTE] +>Self-deploying mode does not support Active Directory Join or Hybrid Azure AD Join. All devices will be joined to Azure Active Directory. + +Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. + +>[!NOTE] +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. + +![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) + +## Requirements + +Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant, devices without TPM 2.0 cannot be used with this mode. The devices must also support TPM device attestation. (All newly-manufactured Windows devices should meet these requirements.) + +>[!NOTE] +>If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. (Hyper-V virtual TPMs are not supported.) + +In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. + +## Step by step + +In order to perform a self-deploying mode deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Create an Autopilot profile for self-deploying mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. (Note that it is not possible to create a profile in the Microsoft Store for Business or Partner Center for self-deploying mode.) +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. Ensure that the profile has been assigned to the device before attempting to deploy that device. +- Boot the device, connecting it to Wi-fi if required, then wait for the provisioning process to complete. + +## Validation + +When performing a self-deploying mode deployment using Windows Autopilot, the following end-user experience should be observed: + +- Once connected to a network, the Autopilot profile will be downloaded. +- If the Autopilot profile has been configured to automatically configure the language, locale, and keyboard layout, these OOBE screens should be skipped as long as Ethernet connectivity is available. Otherwise, manual steps are required: + - If multiple languages are preinstalled in Windows 10, the user must pick a language. + - The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. +- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The device will join Azure Active Directory. +- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). +- The [enrollment status page](enrollment-status.md) will be displayed. +- Depending on the device settings deployed, the device will either: + - Remain at the logon screen, where any member of the organization can log on by specifying their Azure AD credentials. + - Automatically sign in as a local account, for devices configured as a kiosk or digital signage. + +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 0b60714d75..cce649aaf6 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -1,99 +1,99 @@ ---- -title: Windows Autopilot User-Driven Mode -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot user-driven mode - -Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - -- Unbox the device, plug it in, and turn it on. -- Choose a language, locale and keyboard. -- Connect it to a wireless or wired network with internet access. -- Specify your e-mail address and password for your organization account. - -After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. - -Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -## Available user-driven modes - -The following options are available for user-driven deployment: - -- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. -- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. - -### User-driven mode for Azure Active Directory join - -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: - -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each device that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. - -Also see the [Validation](#validation) section below. - -### User-driven mode for hybrid Azure Active Directory join - -Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). - -#### Requirements - -To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: - -- A Windows Autopilot profile for user-driven mode must be created and - - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. -- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. -- The device must be running Windows 10, version 1809 or later. -- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). -- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). -- The Intune Connector for Active Directory must be installed. - - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. -- If using Proxy, WPAD Proxy settings option must be enabled and configured. - -**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. - -#### Step by step instructions - -See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). - -Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. - -## Validation - -When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: - -- If multiple languages are preinstalled in Windows 10, the user must pick a language. -- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. -- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. -- Once connected to a network, the Autopilot profile will be downloaded. -- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). -- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. -- Once correct credentials have been entered, the device will join Azure Active Directory. -- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). -- If configured, the [enrollment status page](enrollment-status.md) will be displayed. -- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. -- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. - -In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. +--- +title: Windows Autopilot User-Driven Mode +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot user-driven mode + +Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: + +- Unbox the device, plug it in, and turn it on. +- Choose a language, locale and keyboard. +- Connect it to a wireless or wired network with internet access. +- Specify your e-mail address and password for your organization account. + +After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. + +Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. + +## Available user-driven modes + +The following options are available for user-driven deployment: + +- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. + +### User-driven mode for Azure Active Directory join + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the [Validation](#validation) section below. + +### User-driven mode for hybrid Azure Active Directory join + +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +#### Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be able to access an Active Directory domain controller, so it must be connected to the organization's network (where it can resolve the DNS records for the AD domain and the AD domain controller, and communicate with the domain controller to authenticate the user). +- The device must be able to access the Internet, following the [documented Windows Autopilot network requirements](windows-autopilot-requirements.md). +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. +- If using Proxy, WPAD Proxy settings option must be enabled and configured. + +**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. + +#### Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. + +## Validation + +When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: + +- If multiple languages are preinstalled in Windows 10, the user must pick a language. +- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. +- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. +- Once connected to a network, the Autopilot profile will be downloaded. +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. +- Once correct credentials have been entered, the device will join Azure Active Directory. +- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). +- If configured, the [enrollment status page](enrollment-status.md) will be displayed. +- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. +- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. + +In case the observed results do not match these expectations, consult the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index ac1c72cda0..5ef4bd2feb 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -1,121 +1,121 @@ ---- -title: Windows Autopilot requirements -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot requirements - -**Applies to: Windows 10** - -Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. - -**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). - -## Software requirements - -- Windows 10 version 1703 (semi-annual channel) or higher is required. -- The following editions are supported: - - Windows 10 Pro - - Windows 10 Pro Education - - Windows 10 Pro for Workstations - - Windows 10 Enterprise - - Windows 10 Education - - Windows 10 Enterprise 2019 LTSC - -## Networking requirements - -Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: - -- Ensure DNS name resolution for internet DNS names -- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) - -In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details: - -
ServiceInformation -
Windows Autopilot Deployment Service and Windows ActivationAfter a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
- -For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server. -
Azure Active DirectoryUser credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information. -
IntuneOnce authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth. -
Windows UpdateDuring the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
- -If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available. - -
Delivery OptimizationWhen downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
- -If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer). - -
Network Time Protocol (NTP) SyncWhen a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible. -
Domain Name Services (DNS)To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. -
Diagnostics dataTo enable Windows Analytics and related diagnostics capabilities, see Configure Windows diagnostic data in your organization.
- -If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work. -
Network Connection Status Indicator (NCSI)Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI). - -www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP. -
Windows Notification Services (WNS)This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
- -If the WNS services are not available, the Autopilot process will still continue without notifications. -
Microsoft Store, Microsoft Store for BusinessApps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
- -If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. - -
Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). -
Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. -
Hybrid AAD joinHybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -
- -## Licensing requirements - -Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: - -To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: - - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) - - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) - - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) - - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). - - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. - - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. - - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). - -Additionally, the following are also recommended (but not required): -- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). -- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise. - -## Configuration requirements - -Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. - -- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. -- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). -- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. - -Specific scenarios will then have additional requirements. Generally, there are two specific tasks: - -- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. -- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. - -See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. - -For a walkthrough for some of these and related steps, see this video: -
 
- - -There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). - -## Related topics - -[Configure Autopilot deployment](configure-autopilot.md) +--- +title: Windows Autopilot requirements +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot requirements + +**Applies to: Windows 10** + +Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. + +**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). + +## Software requirements + +- Windows 10 version 1703 (semi-annual channel) or higher is required. +- The following editions are supported: + - Windows 10 Pro + - Windows 10 Pro Education + - Windows 10 Pro for Workstations + - Windows 10 Enterprise + - Windows 10 Education + - Windows 10 Enterprise 2019 LTSC + +## Networking requirements + +Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: + +- Ensure DNS name resolution for internet DNS names +- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) + +In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the required services. For additional details about each of these services and their specific requirements, review the following details: + +
ServiceInformation +
Windows Autopilot Deployment Service and Windows ActivationAfter a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 builds 18204 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com.
+ +For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See Windows activation or validation fails with error code 0x8004FE33 for details about problems that might occur when you connect to the Internet through a proxy server. +
Azure Active DirectoryUser credentials are validated by Azure Active Directory, and the device can also be joined to Azure Active Directory. See Office 365 IP Address and URL Web service for more information. +
IntuneOnce authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: Intune network configuration requirements and bandwidth. +
Windows UpdateDuring the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see How to solve connection problems concerning Windows Update or Microsoft Update.
+ +If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available. + +
Delivery OptimizationWhen downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the Delivery Optimization service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.
+ +If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer). + +
Network Time Protocol (NTP) SyncWhen a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible. +
Domain Name Services (DNS)To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP.  This DNS server must be able to resolve internet names. +
Diagnostics dataTo enable Windows Analytics and related diagnostics capabilities, see Configure Windows diagnostic data in your organization.
+ +If diagnostic data cannot be sent, the Autopilot process will still continue, but services that depend on diagnostic data, such as Windows Analytics, will not work. +
Network Connection Status Indicator (NCSI)Windows must be able to tell that the device is able to access the internet. For more information, see Network Connection Status Indicator (NCSI). + +www.msftconnecttest.com must be resolvable via DNS and accessible via HTTP. +
Windows Notification Services (WNS)This service is used to enable Windows to receive notifications from apps and services. See Microsoft Store for more information.
+ +If the WNS services are not available, the Autopilot process will still continue without notifications. +
Microsoft Store, Microsoft Store for BusinessApps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. For more information, see Prerequisites for Microsoft Store for Business and Education (also includes Azure AD and Windows Notification Services).
+ +If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps. + +
Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). +
Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. +
Hybrid AAD joinHybrid AAD can be join, the machine should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode +
+ +## Licensing requirements + +Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: + +To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: + - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) + - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) + - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) + - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). + - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. + - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. + - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). + +Additionally, the following are also recommended (but not required): +- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). +- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise. + +## Configuration requirements + +Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. + +- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. +- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). +- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. + +Specific scenarios will then have additional requirements. Generally, there are two specific tasks: + +- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. +- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. + +See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. + +For a walkthrough for some of these and related steps, see this video: +
 
+ + +There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index ec85b05086..3422c91127 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -1,68 +1,68 @@ ---- -title: Windows Autopilot scenarios and capabilities -description: Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.reviewer: mniehaus -manager: laurawi -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot scenarios and capabilities - -**Applies to: Windows 10** - -## Scenarios - -Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). - -The following Windows Autopilot scenarios are described in this guide: - - -
ScenarioMore information -
Deploy devices that will be set up by a member of the organization and configured for that person[Windows Autopilot user-driven mode](user-driven.md) -
Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.[Windows Autopilot self-deploying mode](self-deploying.md) -
Re-deploy a device in a business-ready state.[Windows Autopilot Reset](windows-autopilot-reset.md) -
Pre-provision a device with up-to-date applications, policies and settings.[White glove](white-glove.md) -
Deploy Windows 10 on an existing Windows 7 or 8.1 device[Windows Autopilot for existing devices](existing-devices.md) -
- -## Windows Autopilot capabilities - -### Windows Autopilot is self-updating during OOBE - -Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. - -### Cortana voiceover and speech recognition during OOBE - -In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. - -If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. - -HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions - -The key value is a DWORD with **0** = disabled and **1** = enabled. - -| Value | Description | -| --- | --- | -| 0 | Cortana voiceover is disabled | -| 1 | Cortana voiceover is enabled | -| No value | Device will fall back to default behavior of the edition | - -To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). - -### Bitlocker encryption - -With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) - -## Related topics - -[Windows Autopilot: What's new](windows-autopilot-whats-new.md) +--- +title: Windows Autopilot scenarios and capabilities +description: Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.reviewer: mniehaus +manager: laurawi +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot scenarios and capabilities + +**Applies to: Windows 10** + +## Scenarios + +Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). + +The following Windows Autopilot scenarios are described in this guide: + + +
ScenarioMore information +
Deploy devices that will be set up by a member of the organization and configured for that person[Windows Autopilot user-driven mode](user-driven.md) +
Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.[Windows Autopilot self-deploying mode](self-deploying.md) +
Re-deploy a device in a business-ready state.[Windows Autopilot Reset](windows-autopilot-reset.md) +
Pre-provision a device with up-to-date applications, policies and settings.[White glove](white-glove.md) +
Deploy Windows 10 on an existing Windows 7 or 8.1 device[Windows Autopilot for existing devices](existing-devices.md) +
+ +## Windows Autopilot capabilities + +### Windows Autopilot is self-updating during OOBE + +Starting with the Windows 10, version 1903, Autopilot functional and critical updates will begin downloading automatically during OOBE after a device gets connected to a network and the [critical driver and Windows zero-day patch (ZDP) updates](https://docs.microsoft.com/windows-hardware/customize/desktop/windows-updates-during-oobe) have completed. The user or IT admin cannot opt-out of these Autopilot updates; they are required for Windows Autopilot deployment to operate properly. Windows will alert the user that the device is checking for, downloading and installing the updates. + +### Cortana voiceover and speech recognition during OOBE + +In Windows 10, version 1903 and later Cortana voiceover and speech recognition during OOBE is DISABLED by default for all Windows 10 Pro, Education and Enterprise SKUs. + +If desired, you can enable Cortana voiceover and speech recognition during OOBE by creating the following registry key. This key does not exist by default. + +HKLM\Software\Microsoft\Windows\CurrentVersion\OOBE\EnableVoiceForAllEditions + +The key value is a DWORD with **0** = disabled and **1** = enabled. + +| Value | Description | +| --- | --- | +| 0 | Cortana voiceover is disabled | +| 1 | Cortana voiceover is enabled | +| No value | Device will fall back to default behavior of the edition | + +To change this key value, use WCD tool to create as PPKG as documented [here](https://docs.microsoft.com/windows/configuration/wcd/wcd-oobe#nforce). + +### Bitlocker encryption + +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. For more information, see [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md) + +## Related topics + +[Windows Autopilot: What's new](windows-autopilot-whats-new.md) diff --git a/windows/eulas/index.md b/windows/eulas/index.md index 2eb00343d3..daa4838aac 100644 --- a/windows/eulas/index.md +++ b/windows/eulas/index.md @@ -1,12 +1,12 @@ ---- -title: Windows 10 - Testing in live -description: What are Windows, UWP, and Win32 apps -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -ms.author: elizapo -author: lizap -ms.localizationpriority: medium ---- -# Testing non-editability +--- +title: Windows 10 - Testing in live +description: What are Windows, UWP, and Win32 apps +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: elizapo +author: lizap +ms.localizationpriority: medium +--- +# Testing non-editability diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 1dd34ad810..e4021e6946 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -1,32 +1,32 @@ -# [Privacy](index.yml) -## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) -## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) -## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md) -## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) -## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## Diagnostic Data Viewer -### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) -### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) -## Basic level Windows diagnostic data events and fields -### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) -### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) -### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) -### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) -### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) -## Enhanced level Windows diagnostic data events and fields -### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) -## Full level categories -### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) -### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) -## Manage Windows 10 connection endpoints -### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md) -### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) -### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) -### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) -### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md) -### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md) - +# [Privacy](index.yml) +## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) +## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) +## [Windows 10 & Privacy Compliance: A Guide for IT and Compliance Professionals](Windows-10-and-privacy-compliance.md) +## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) +## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) +## Diagnostic Data Viewer +### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) +## Basic level Windows diagnostic data events and fields +### [Windows 10, version 1903 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) +### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) +### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +## Enhanced level Windows diagnostic data events and fields +### [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) +## Full level categories +### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) +### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) +## Manage Windows 10 connection endpoints +### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md) +### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md) +### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) +### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md) +### [Connection endpoints for non-Enterprise editions of Windows 10, version 1709](windows-endpoints-1709-non-enterprise-editions.md) + diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 12a92da773..12db0fe2fe 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -1,454 +1,454 @@ ---- -description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. -title: Configure Windows diagnostic data in your organization (Windows 10) -keywords: privacy -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 04/29/2019 ---- - -# Configure Windows diagnostic data in your organization - -**Applies to** - -- Windows 10 Enterprise -- Windows 10 Mobile -- Windows Server - -This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. - -Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements. - -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - -## Overview of Windows diagnostic data - -At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. - -To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: - -- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. -- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. -- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. -- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. -- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. - -In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. - -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. - -## Understanding Windows diagnostic data - -Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. - -The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. - -### What is Windows diagnostic data? -Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: - -- Keep Windows up to date -- Keep Windows secure, reliable, and performant -- Improve Windows – through the aggregate analysis of the use of Windows -- Personalize Windows engagement surfaces - -Here are some specific examples of Windows diagnostic data: - -- Type of hardware being used -- Applications installed and usage details -- Reliability information on device drivers - -### What is NOT diagnostic data? - -Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. - -There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. - -If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). - -The following are specific examples of functional data: - -- Current location for weather -- Bing searches -- Wallpaper and desktop settings synced across multiple devices - -### Diagnostic data gives users a voice - -Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. - -### Improve app and driver quality - -Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. - -#### Real-world example of how Windows diagnostic data helps -There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. - -### Improve end-user productivity - -Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: - -- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. -- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. - -**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** - -### Insights into your own organization - -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -#### Upgrade Readiness - -Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. - -With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer, driver, and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -## How Microsoft handles diagnostic data - -The diagnostic data is categorized into four levels: - -- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - -- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. - -- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. - -- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels. - -Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section. - -### Data collection - -Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. - -1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. -2. Events are gathered using public operating system event logging and tracing APIs. -3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. -4. The Connected User Experiences and Telemetry component transmits the diagnostic data. - -Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. - -### Data transmission - -All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. - -The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). - -### Endpoints - -The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. - -The following table defines the endpoints for Connected User Experiences and Telemetry component: - -Windows release | Endpoint ---- | --- -Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com -Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com -Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com - -The following table defines the endpoints for other diagnostic data services: - -| Service | Endpoint | -| - | - | -| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | -| | ceuswatcab01.blob.core.windows.net | -| | ceuswatcab02.blob.core.windows.net | -| | eaus2watcab01.blob.core.windows.net | -| | eaus2watcab02.blob.core.windows.net | -| | weus2watcab01.blob.core.windows.net | -| | weus2watcab02.blob.core.windows.net | -| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | -| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | -| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.com
https://wdcpalt.microsoft.com | - -### Data use and access - -The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. - -### Retention - -Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. - -## Manage enterprise diagnostic data level - -### Enterprise management - -Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. - -Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. - -IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface. - - -#### Manage your diagnostic data settings - -Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization. - -> [!IMPORTANT] -> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls). - -The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**. - -### Configure the diagnostic data level - -You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. - -Use the appropriate value in the table below when you configure the management policy. - -| Level | Value | -| - | - | -| Security | **0** | -| Basic | **1** | -| Enhanced | **2** | -| Full | **3** | - - > [!NOTE] - > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. - -### Use Group Policy to set the diagnostic data level - -Use a Group Policy object to set your organization’s diagnostic data level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the diagnostic data level - -Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. - -### Use Registry Editor to set the diagnostic data level - -Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. - -2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. - -### Additional diagnostic data controls - -There are a few more settings that you can turn off that may send diagnostic data information: - -- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - -- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - - > [!NOTE] - > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -## Diagnostic data levels - -These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server. - -### Security level - -The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. - -> [!NOTE] -> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. - -Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. - -The data gathered at this level includes: - -- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - > [!NOTE] - > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). - -- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. - - > [!NOTE] - > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. - -For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. - -No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -### Basic level - -The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. - -This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903. - -The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. - -The data gathered at this level includes: - -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number - - - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware - - - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system - - - Operating system attributes, such as Windows edition and virtualization state - - - Storage attributes, such as number of drives, type, and size - -- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. - - - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. - - - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. - - -### Enhanced level - -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -This level is needed to quickly identify and address Windows and Windows Server quality issues. - -The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. - -The data gathered at this level includes: - -- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. - -If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. - -### Full level - -The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels. - -Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. - -If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. - -However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- All crash dump types, including heap dumps and full dumps. - -> [!NOTE] -> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc. - -## Limit Enhanced diagnostic data to the minimum required by Windows Analytics - -Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. - -In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. - -- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. - -- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode. - ->[!NOTE] -> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump. - -### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics - -1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. - - -AND- - -2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. - -## Additional resources - -FAQs - -- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) -- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) -- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) -- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) -- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) -- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) - -Blogs - -- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -Privacy Statement - -- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -TechNet - -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - -Web Pages - -- [Privacy at Microsoft](https://privacy.microsoft.com) +--- +description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. +title: Configure Windows diagnostic data in your organization (Windows 10) +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 04/29/2019 +--- + +# Configure Windows diagnostic data in your organization + +**Applies to** + +- Windows 10 Enterprise +- Windows 10 Mobile +- Windows Server + +This article applies to Windows and Windows Server diagnostic data only. It describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. + +Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. Microsoft uses diagnostic data to keep Windows secure and up to date, troubleshoot problems, and make product improvements. + +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. + +## Overview of Windows diagnostic data + +At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. + +To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: + +- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. + +In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. + +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. + +## Understanding Windows diagnostic data + +Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. + +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. + +### What is Windows diagnostic data? +Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: + +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces + +Here are some specific examples of Windows diagnostic data: + +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers + +### What is NOT diagnostic data? + +Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. + +There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. + +If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). + +The following are specific examples of functional data: + +- Current location for weather +- Bing searches +- Wallpaper and desktop settings synced across multiple devices + +### Diagnostic data gives users a voice + +Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. + +### Improve app and driver quality + +Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. + +#### Real-world example of how Windows diagnostic data helps +There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. + +### Improve end-user productivity + +Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: + +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. + +**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + +### Insights into your own organization + +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +#### Upgrade Readiness + +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. + +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer, driver, and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +## How Microsoft handles diagnostic data + +The diagnostic data is categorized into four levels: + +- [**Security**](#security-level). Information that’s required to help keep Windows and Windows Server secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + +- [**Basic**](#basic-level). Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. + +- [**Enhanced**](#enhanced-level). Additional insights, including: how Windows, Windows Server, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. + +- [**Full**](#full-level). Includes information about the websites you browse, how you use apps and features, plus additional information about device health, device activity (sometimes referred to as usage), and enhanced error reporting. At Full, Microsoft also collects the memory state of your device when a system or app crash occurs. It includes data from the **Security**, **Basic**, and **Enhanced** levels. + +Diagnostic data levels are cumulative, meaning each subsequent level includes data collected through lower levels. For more information see the [Diagnostic data levels](#diagnostic-data-levels) section. + +### Data collection + +Windows 10 and Windows Server includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. + +1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. +2. Events are gathered using public operating system event logging and tracing APIs. +3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. +4. The Connected User Experiences and Telemetry component transmits the diagnostic data. + +Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. + +### Data transmission + +All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. + +The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). + +### Endpoints + +The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. + +The following table defines the endpoints for Connected User Experiences and Telemetry component: + +Windows release | Endpoint +--- | --- +Windows 10, versions 1703 or later, with the 2018-09 cumulative update installed| **Diagnostics data** - v10c.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com +Windows 10, versions 1803 or later, without the 2018-09 cumulative update installed | **Diagnostics data** - v10.events.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com +Windows 10, version 1709 or earlier | **Diagnostics data** - v10.vortex-win.data.microsoft.com

**Functional** - v20.vortex-win.data.microsoft.com
**Microsoft Defender Advanced Threat Protection** is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com
**Settings** - win.data.microsoft.com + +The following table defines the endpoints for other diagnostic data services: + +| Service | Endpoint | +| - | - | +| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| | ceuswatcab01.blob.core.windows.net | +| | ceuswatcab02.blob.core.windows.net | +| | eaus2watcab01.blob.core.windows.net | +| | eaus2watcab02.blob.core.windows.net | +| | weus2watcab01.blob.core.windows.net | +| | weus2watcab02.blob.core.windows.net | +| [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | +| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | +| Microsoft Defender Advanced Threat Protection | https://wdcp.microsoft.com
https://wdcpalt.microsoft.com | + +### Data use and access + +The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. + +### Retention + +Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. + +## Manage enterprise diagnostic data level + +### Enterprise management + +Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. + +Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, in **Privacy** > **Diagnostics & feedback**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. + +IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server, the Security diagnostic data level is available when managing the policy. Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this article describes how to use group policy to configure levels and settings interface. + + +#### Manage your diagnostic data settings + +Use the steps in this article to set and/or adjust the diagnostic data settings for Windows and Windows Server in your organization. + +> [!IMPORTANT] +> These diagnostic data levels only apply to Windows and Windows Server components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of privacy controls for Office 365 ProPlus](/deployoffice/privacy/overview-privacy-controls). + +The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server is **Enhanced**. + +### Configure the diagnostic data level + +You can configure your device's diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. + +Use the appropriate value in the table below when you configure the management policy. + +| Level | Value | +| - | - | +| Security | **0** | +| Basic | **1** | +| Enhanced | **2** | +| Full | **3** | + + > [!NOTE] + > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. + +### Use Group Policy to set the diagnostic data level + +Use a Group Policy object to set your organization’s diagnostic data level. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the diagnostic data level + +Use the [Policy Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. + +### Use Registry Editor to set the diagnostic data level + +Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. + +2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** + +5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Additional diagnostic data controls + +There are a few more settings that you can turn off that may send diagnostic data information: + +- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](https://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). + +- Turn off **Improve inking and typing** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. + + > [!NOTE] + > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + +## Diagnostic data levels + +These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server. + +### Security level + +The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. + +> [!NOTE] +> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. + +Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. + +The data gathered at this level includes: + +- **Connected User Experiences and Telemetry component settings**. If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + > [!NOTE] + > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](https://support.microsoft.com/kb/891716). + +- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. + + > [!NOTE] + > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. + +For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. + +No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +### Basic level + +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. + +This is the default level for Windows 10 Education editions, as well as all desktop editions starting with Windows 10, version 1903. + +The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. + +The data gathered at this level includes: + +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Servers in the ecosystem. Examples include: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number + + - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware + + - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system + + - Operating system attributes, such as Windows edition and virtualization state + + - Storage attributes, such as number of drives, type, and size + +- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. + + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. + + - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. + + - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. + + +### Enhanced level + +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +This level is needed to quickly identify and address Windows and Windows Server quality issues. + +The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. + +The data gathered at this level includes: + +- **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. + +- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. + +If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. + +### Full level + +The Full level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the Basic, Enhanced, and Security levels. + +Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. + +If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. + +However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- All crash dump types, including heap dumps and full dumps. + +> [!NOTE] +> Crash dumps collected at this diagnostic data level may unintentionally contain personal data, such as portions of memory from a documents, a web page, etc. + +## Limit Enhanced diagnostic data to the minimum required by Windows Analytics + +Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. + +In Windows 10, version 1709, we introduced the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. + +- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. + +- **Some crash dump types.** Triage dumps for user mode and mini dumps for kernel mode. + +>[!NOTE] +> Triage dumps are a type of [minidumps](https://docs.microsoft.com/windows/desktop/debug/minidump-files) that go through a process of user-sensitive information scrubbing. Some user-sensitive information may be missed in the process, and will therefore be sent with the dump. + +### Enable limiting enhanced diagnostic data to the minimum required by Windows Analytics + +1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. + + -AND- + +2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. + +## Additional resources + +FAQs + +- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) +- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) +- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) +- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) +- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) +- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) + +Blogs + +- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +Privacy Statement + +- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +TechNet + +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) + +Web Pages + +- [Privacy at Microsoft](https://privacy.microsoft.com) diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index d032754214..088f0adccd 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -1,309 +1,309 @@ ---- -title: Windows and the GDPR-Information for IT Administrators and Decision Makers -description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation). -keywords: privacy, GDPR, windows, IT -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 05/11/2018 -ms.reviewer: ---- -# Windows and the GDPR: Information for IT Administrators and Decision Makers - -Applies to: -- Windows 10, version 1809 -- Windows 10, version 1803 -- Windows 10, version 1709 -- Windows 10, version 1703 -- Windows 10 Team Edition, version 1703 for Surface Hub -- Windows Server 2019 -- Windows Server 2016 -- Windows Analytics - -This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. - -For more information about the GDPR, see: -* [Microsoft GDPR Overview](https://aka.ms/GDPROverview) -* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq) -* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp) -* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted) - -## GDPR fundamentals - -Here are some GDPR fundamentals: - -* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance. -* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers and employees. -* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored. -* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*. - -Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. - -### What is personal data under the GDPR? - -Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to: -* Name -* Email address -* Credit card numbers -* IP addresses -* Social media posts -* Location information -* Handwriting patterns -* Voice input to cloud-based speech services - -### Controller and processor under the GDPR: Who does what - -#### Definition - -The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario. - -* **Controller**: GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. -* **Processor**: According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. - -#### Controller scenario - -For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled. - -#### Processor scenario - -In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx). - -## GDPR relationship between a Windows 10 user and Microsoft - -For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data. - -### Types of data exchanged with Microsoft - -Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services. - -Microsoft discloses data collection and privacy practices in detail, for example: -* As part of the Windows 10 installation; -* In the Windows 10 privacy settings; -* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and -* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). - -It is important to differentiate between two distinct types of data Windows services are dealing with. - -#### Windows functional data - -A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality. - -Some other examples of Windows functional data: -* The Weather app which can use the device’s location to retrieve local weather or community news. -* Wallpaper and desktop settings that are synchronized across multiple devices. - -For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). - -#### Windows diagnostic data - -Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft. - -Some examples of diagnostic data include: -* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device. -* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user. - -Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). - ->[!IMPORTANT] ->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. - -### Windows services where Microsoft is the processor under the GDPR - -Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp). - ->[!NOTE] ->Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)). - -#### Windows Analytics - -[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service. - -Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. - -As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics. ->[!NOTE] ->The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. - ->[!IMPORTANT] ->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. - -#### Windows Defender ATP - -[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/). - -As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP. - ->[!NOTE] ->The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes. - -#### At a glance – Windows 10 services GDPR mode of operations - -The following table lists in what GDPR mode – controller or processor – Windows 10 services are operating. - -| Service | Microsoft GDPR mode of operation | -| --- | --- | -| Windows Functional data | Controller or Processor* | -| Windows Diagnostic data | Controller | -| Windows Analytics | Processor | -| Windows Defender Advanced Threat Detection (ATP) | Processor | - -*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* - -*/*Depending on which application/feature this is referring to.* - -## Windows diagnostic data and Windows 10 - - -### Recommended Windows 10 settings - -Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. - -* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). - ->[!NOTE] ->For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. - ->[!NOTE] ->For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. - -### Additional information for Windows Analytics - -Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. - -Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. - ->[!NOTE] ->Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy -). - -## Controlling Windows 10 data collection and notification about it - -Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft. - -### Adjusting privacy settings by the user - -A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices. - -For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all. - -### Users can lower the diagnostic level - -Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**. - -If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”. - -### Notification at logon - -Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection. - -This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon. - -### Diagnostic Data Viewer (DDV) - -In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft. - -A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the ‘Diagnostic data viewer’ section, the user has to enable the ‘If data viewing is enabled, you can see your diagnostics data’ option. After DDV is installed on the device, the user can start it by clicking the ‘Diagnostic Data Viewer’ in the ‘Diagnostic data viewer’ section of *Start > Settings > Privacy > Diagnostics & feedback*. - -Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the ‘Delete’ button in the ‘Delete diagnostic data’ section of *Start > Settings > Privacy > Diagnostics & feedback*. - -### Windows 10 personal data services configuration - -Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. - -IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md). - -### Windows 10 connections to Microsoft - -To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional. - -### At-a-glance: the relationship between an IT organization and the GDPR - -Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings. - -## Windows Server - -Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data. - -More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server. - -### Windows diagnostic data and Windows Server - -The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”. - -IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings. - -There are two options for deleting Windows diagnostic data from a Windows Server machine: - -- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**. -- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData). - -### Backups and Windows Server - -Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data. - -- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR). -- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR. - -## Windows 10 Team Edition, Version 1703 for Surface Hub - -Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. - ->[!NOTE] ->Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. - -An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). - -## Further reading - -### Optional settings / features that further improve the protection of personal data - -Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). - ->[!NOTE] ->Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5). - -### Windows Security Baselines - -Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). - -### Windows Restricted Traffic Limited Functionality Baseline - -To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). - ->[!IMPORTANT] ->Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended. - -### Microsoft Trust Center and Service Trust Portal - -Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). - -### Additional resources - -#### FAQs - -* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) - -#### Blogs - -* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -#### Privacy Statement - -* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -#### Other resources - -* [Privacy at Microsoft](https://privacy.microsoft.com/) +--- +title: Windows and the GDPR-Information for IT Administrators and Decision Makers +description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation). +keywords: privacy, GDPR, windows, IT +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 05/11/2018 +ms.reviewer: +--- +# Windows and the GDPR: Information for IT Administrators and Decision Makers + +Applies to: +- Windows 10, version 1809 +- Windows 10, version 1803 +- Windows 10, version 1709 +- Windows 10, version 1703 +- Windows 10 Team Edition, version 1703 for Surface Hub +- Windows Server 2019 +- Windows Server 2016 +- Windows Analytics + +This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. + +For more information about the GDPR, see: +* [Microsoft GDPR Overview](https://aka.ms/GDPROverview) +* [Microsoft Trust Center FAQs about the GDPR](https://aka.ms/gdpr-faq) +* [Microsoft Service Trust Portal (STP)](https://aka.ms/stp) +* [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted) + +## GDPR fundamentals + +Here are some GDPR fundamentals: + +* On May 25, 2018, this EU data privacy law is implemented. It sets a new global bar for data privacy rights, security, and compliance. +* The GDPR is fundamentally about protecting and enabling the privacy rights of individuals – both customers and employees. +* The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored. +* A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*. + +Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. + +### What is personal data under the GDPR? + +Article 4 (1) of [the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=en) defines personal data as any information relating to an identified or identifiable person. There is no distinction between a person’s private, public, or work roles. As defined by the GDPR, personal data includes, but is not limited to: +* Name +* Email address +* Credit card numbers +* IP addresses +* Social media posts +* Location information +* Handwriting patterns +* Voice input to cloud-based speech services + +### Controller and processor under the GDPR: Who does what + +#### Definition + +The GDPR describes specific requirements for allocating responsibility for controller and processor activities related to personal data. Thus, every organization that processes personal data must determine whether it is acting as a controller or processor for a specific scenario. + +* **Controller**: GDPR Article 4 (7) defines the ‘controller’ as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. +* **Processor**: According to the GDPR Article 4 (8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. + +#### Controller scenario + +For example, when an organization is using Microsoft Windows Defender Advanced Threat Protection (ATP) to detect, investigate, and respond to advanced threats on their networks as part of their IT operations, that organization is collecting data from the user’s device – data, that might include personal data. In this scenario, the organization is the *controller* of the respective personal data, since the organization controls the purpose and means of the processing for data being collected from the devices that have Windows Defender ATP enabled. + +#### Processor scenario + +In the controller scenario described above, Microsoft is a *processor* because Microsoft provides data processing services to that controller (in the given example, an organization that subscribed to Windows Defender ATP and enabled it for the user’s device). As processor, Microsoft only processes data on behalf of the enterprise customer and does not have the right to process data beyond their instructions as specified in a written contract, such as the [Microsoft Product Terms and the Microsoft Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx). + +## GDPR relationship between a Windows 10 user and Microsoft + +For Windows 10 services, Microsoft usually is the controller (with exceptions, such as Windows Defender ATP). The following sections describe what that means for the related data. + +### Types of data exchanged with Microsoft + +Microsoft collects data from or generates data through interactions with users of Windows 10 devices. This information can contain personal data, as defined in [Article 4 (1) of the GDPR](http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN), that may be used to provide, support, and improve Windows 10 services. + +Microsoft discloses data collection and privacy practices in detail, for example: +* As part of the Windows 10 installation; +* In the Windows 10 privacy settings; +* Via the web-based [Microsoft Privacy dashboard](https://account.microsoft.com/privacy); and +* In the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). + +It is important to differentiate between two distinct types of data Windows services are dealing with. + +#### Windows functional data + +A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality. + +Some other examples of Windows functional data: +* The Weather app which can use the device’s location to retrieve local weather or community news. +* Wallpaper and desktop settings that are synchronized across multiple devices. + +For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). + +#### Windows diagnostic data + +Windows diagnostic data is used to keep the operating system secure and up-to-date, troubleshoot problems, and make product improvements. The data is encrypted before being sent back to Microsoft. + +Some examples of diagnostic data include: +* The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device. +* For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user. + +Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). + +>[!IMPORTANT] +>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. + +### Windows services where Microsoft is the processor under the GDPR + +Most Windows 10 services are controller services in terms of the GDPR – for both Windows functional data and Windows diagnostic data. But there are a few Windows services where Microsoft is a processor for functional data under the GDPR, such as [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics) and [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/windowsforbusiness/windows-atp). + +>[!NOTE] +>Both Windows Analytics and Windows Defender ATP are subscription services for organizations. Some functionality requires a certain license (please see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare)). + +#### Windows Analytics + +[Windows Analytics](https://www.microsoft.com/en-us/windowsforbusiness/windows-analytics) is a service that provides rich, actionable information for helping organizations to gain deep insights into the operational efficiency and health of the Windows devices in their environment. It uses Windows diagnostic data from devices enrolled by the IT organization of an enterprise into the Windows Analytics service. + +Windows [transmits Windows diagnostic data](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) to Microsoft datacenters, where that data is analyzed and stored. With Windows Analytics, the IT organization can then view the analyzed data to detect and fix issues or to improve their processes for upgrading to Windows 10. + +As a result, in terms of the GDPR, the organization that has subscribed to Windows Analytics is acting as the controller, while Microsoft is the processor for Windows Analytics. +>[!NOTE] +>The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. + +>[!IMPORTANT] +>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. + +#### Windows Defender ATP + +[Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) is cloud-based service that collects and analyzes usage data from an organization’s devices to detect security threats. Some of the data can contain personal data as defined by the GDPR. Enrolled devices transmit usage data to Microsoft datacenters, where that data is analyzed, processed, and stored. The security operations center (SOC) of the organization can view the analyzed data using the [Windows Defender ATP portal](https://securitycenter.windows.com/). + +As a result, in terms of the GDPR, the organization that has subscribed to Windows Defender ATP is acting as the controller, while Microsoft is the processor for Windows Defender ATP. + +>[!NOTE] +>The IT organization must explicitly enable Windows Defender ATP for a device after the organization subscribes. + +#### At a glance – Windows 10 services GDPR mode of operations + +The following table lists in what GDPR mode – controller or processor – Windows 10 services are operating. + +| Service | Microsoft GDPR mode of operation | +| --- | --- | +| Windows Functional data | Controller or Processor* | +| Windows Diagnostic data | Controller | +| Windows Analytics | Processor | +| Windows Defender Advanced Threat Detection (ATP) | Processor | + +*Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* + +*/*Depending on which application/feature this is referring to.* + +## Windows diagnostic data and Windows 10 + + +### Recommended Windows 10 settings + +Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. + +* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). + +>[!NOTE] +>For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). + +* For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. + +>[!NOTE] +>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. + +### Additional information for Windows Analytics + +Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. + +Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +>[!NOTE] +>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy +). + +## Controlling Windows 10 data collection and notification about it + +Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft. + +### Adjusting privacy settings by the user + +A user has the ability to adjust additional privacy settings in Windows by navigating to *Start > Settings > Privacy*. For example, a user can control if location is enabled or disabled, whether or not to transmit feedback on inking and typing input to Microsoft for improving the personal accuracy of these services, or if Windows collects activities for syncing it with other devices. + +For a standard user in an organization, some privacy settings might be controlled by their IT department. This is done using Group Policies or Mobile Device Management (MDM) settings. If this is the case, the user will see an alert that says ‘Some settings are hidden or managed by your organization’ when they navigate to *Start > Settings > Privacy*. As such, the user can only change some settings, but not all. + +### Users can lower the diagnostic level + +Starting with Windows 10, version 1803, a user can change the Windows diagnostics data level for their device below to what was set by their IT department. Organizations can allow or disallow this feature by configuring the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface** or the MDM policy **ConfigureTelemetryOptInSettingsUx**. + +If an IT organization has not disabled this policy, users within the organization can change their own Windows diagnostic data collection level in *Start > Settings > Privacy > Diagnostics & feedback*. For example, if the IT organization enabled this policy and set the level to “Full”, a user can modify the Windows diagnostics data level setting to “Basic”. + +### Notification at logon + +Windows 10, version 1803, and later can provide users with a notification during their logon. If the IT organization has not disabled the Group Policy **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications** or the MDM policy **ConfigureTelemetryOptInChangeNotification**, Windows diagnostic data notifications can appear at logon so that the users of a device are aware of the data collection. + +This notification can also be shown when the diagnostic level for the device was changed. For instance, if the diagnostic level on the device is set to “Basic” and the IT organization changes it to “Full”, users will be notified on their next logon. + +### Diagnostic Data Viewer (DDV) + +In Windows 10, version 1803 and later, users can invoke the [Diagnostic Data Viewer (DDV)](diagnostic-data-viewer-overview.md) to see what Windows diagnostic data is collected on their local device. This app lets a user review the diagnostic data collected on his device that is being sent to Microsoft. The DDV groups the information into simple categories based on how it is used by Microsoft. + +A user can turn on Windows diagnostic data viewing by going to go to *Start > Settings > Privacy > Diagnostics & feedback*. Under the ‘Diagnostic data viewer’ section, the user has to enable the ‘If data viewing is enabled, you can see your diagnostics data’ option. After DDV is installed on the device, the user can start it by clicking the ‘Diagnostic Data Viewer’ in the ‘Diagnostic data viewer’ section of *Start > Settings > Privacy > Diagnostics & feedback*. + +Also, the user can delete all Windows diagnostic data collected from the device. This is done by clicking the ‘Delete’ button in the ‘Delete diagnostic data’ section of *Start > Settings > Privacy > Diagnostics & feedback*. + +### Windows 10 personal data services configuration + +Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. + +IT Professionals that are interested in this configuration, see [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md). + +### Windows 10 connections to Microsoft + +To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional. + +### At-a-glance: the relationship between an IT organization and the GDPR + +Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings. + +## Windows Server + +Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data. + +More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server. + +### Windows diagnostic data and Windows Server + +The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”. + +IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings. + +There are two options for deleting Windows diagnostic data from a Windows Server machine: + +- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**. +- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData). + +### Backups and Windows Server + +Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data. + +- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR). +- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR. + +## Windows 10 Team Edition, Version 1703 for Surface Hub + +Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. + +>[!NOTE] +>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. + +An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). + +## Further reading + +### Optional settings / features that further improve the protection of personal data + +Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). + +>[!NOTE] +>Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5). + +### Windows Security Baselines + +Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). + +### Windows Restricted Traffic Limited Functionality Baseline + +To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). + +>[!IMPORTANT] +>Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended. + +### Microsoft Trust Center and Service Trust Portal + +Please visit our [GDPR section of the Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/privacy/gdpr) to obtain additional resources and to learn more about how Microsoft can help you fulfill specific GDPR requirements. There you can find lots of useful information about the GDPR, including how Microsoft is helping customers to successfully master the GDPR, a FAQ list, and a list of [resources for GDPR compliance](https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/resources). Also, please check out the [Compliance Manager](https://aka.ms/compliancemanager) of the Microsoft [Service Trust Portal (STP)](https://aka.ms/stp) and [Get Started: Support for GDPR Accountability](https://servicetrust.microsoft.com/ViewPage/GDPRGetStarted). + +### Additional resources + +#### FAQs + +* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) + +#### Blogs + +* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +#### Privacy Statement + +* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +#### Other resources + +* [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md index f9dbed1a8c..d886aa19d1 100644 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -1,295 +1,295 @@ ---- -title: Windows 10, version 1709, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/26/2018 -ms.reviewer: ---- -# Windows 10, version 1709, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1709 -- Windows 10 Professional, version 1709 -- Windows 10 Education, version 1709 - -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Home - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | -| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | -| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Pro - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | -| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | -| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | -| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | -| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| fs.microsoft.com | HTTPS | Used to download fonts on demand | -| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | -| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | -| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | -| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | -| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | -| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | -| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| *.dscd.akamai.net | HTTP | Used to download content. | -| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.dspw65.akamai.net | HTTP | Used to download content. | -| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamai.net | HTTP | Used to download content. | -| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | -| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | -| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | -| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | -| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | -| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | -| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | -| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | -| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | -| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | -| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | -| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | -| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | -| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | -| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | -| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | -| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | -| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | -| login.live.com/* | HTTPS | Used to authenticate a device. | -| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | -| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | -| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | -| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | -| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | -| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | -| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | -| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | -| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | - -| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | -| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +--- +title: Windows 10, version 1709, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +ms.reviewer: +--- +# Windows 10, version 1709, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1709 +- Windows 10 Professional, version 1709 +- Windows 10 Education, version 1709 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1709. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Home + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. | +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | +| cdn.onenote.net | HTTP | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTP | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | +| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | +| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | +| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.*.akamai.net | HTTP | Used to download content. | +| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. | +| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. | +| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. | +| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | +| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| fs.microsoft.com | HTTPS | Used to download fonts on demand | +| g.live.com | HTTP | Used by a redirection service to automatically update URLs. | +| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oem.twimg.com | HTTP | Used for the Twitter Live Tile. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | +| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | +| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | +| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | +| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | +| www.facebook.com | HTTPS | Used for the Facebook Live Tile. | +| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | +| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | +| *.dscd.akamai.net | HTTP | Used to download content. | +| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.dspw65.akamai.net | HTTP | Used to download content. | +| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamai.net | HTTP | Used to download content. | +| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | +| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates | +| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | +| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. | +| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. | +| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. | +| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. | +| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. | +| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. | +| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. | +| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| download.windowsupdate.com | HTTP | Enables connections to Windows Update. | +| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office. | +| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | +| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | +| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | +| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . | +| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. | +| login.live.com/* | HTTPS | Used to authenticate a device. | +| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. | +| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. | +| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. | +| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. | +| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | +| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | +| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | +| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | +| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | + +| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | +| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md index 7b3c0d3958..574818973c 100644 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md @@ -1,165 +1,165 @@ ---- -title: Windows 10, version 1803, connection endpoints for non-Enterprise editions -description: Explains what Windows 10 endpoints are used in non-Enterprise editions. -keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 6/26/2018 -ms.reviewer: ---- -# Windows 10, version 1803, connection endpoints for non-Enterprise editions - - **Applies to** - -- Windows 10 Home, version 1803 -- Windows 10 Professional, version 1803 -- Windows 10 Education, version 1803 - -In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. - -We used the following methodology to derive these network endpoints: - -1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. -2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). -3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. -4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. -6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. - -> [!NOTE] -> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. - -## Windows 10 Family - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | -| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | -| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | -| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | -| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | -| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | -| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | - - -## Windows 10 Pro -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | -| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | -| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | -| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | -| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | - - -## Windows 10 Education - -| **Destination** | **Protocol** | **Description** | -| --- | --- | --- | -| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | -| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | -| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | -| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | -| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | -| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | -| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | -| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store -| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | -| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | -| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | -| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | -| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | -| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | -| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| flightingservicewus.cloudapp.net | HTTPS | Insider Program | -| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | -| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | -| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | -| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | -| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | -| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | -| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | -| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | -| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | -| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | -| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | -| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | -| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | -| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | -| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | -| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | -| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | -| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | -| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | +--- +title: Windows 10, version 1803, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 6/26/2018 +ms.reviewer: +--- +# Windows 10, version 1803, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1803 +- Windows 10 Professional, version 1803 +- Windows 10 Education, version 1803 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. | +| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. | +| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). | +| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | +| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry | +| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. | +| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration.  | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | +| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. | +| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic | + + +## Windows 10 Pro +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office. | +| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| flightingservicewus.cloudapp.net | HTTPS | Insider Program | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic | +| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index a5005057fc..0b5997a3eb 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -1,408 +1,408 @@ ---- -title: Windows 10 personal data services configuration -description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR) -keywords: privacy, GDPR, windows, IT -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 05/11/2018 -ms.reviewer: ---- -# Windows 10 personal data services configuration - -Applies to: -- Windows 10, version 1803 - -Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. - -IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149). - -## Introduction - -Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services. - -Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings. - -Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection. - -## Windows diagnostic data - -Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. - -The following options for configuring Windows diagnostic data are relevant in this context. - -### Diagnostic level - -This setting determines the amount of Windows diagnostic data sent to Microsoft. - ->[!NOTE] ->In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Allow Telemetry | ->| **Default setting** | 2 - Enhanced | ->| **Recommended** | 2 - Enhanced | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Allow Telemetry | ->| **Default setting** | 2 - Enhanced | ->| **Recommended** | 2 - Enhanced | - ->[!NOTE] ->When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | AllowTelemetry | ->| **Type** | REG_DWORD | ->| **Setting** | "00000002" | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | AllowTelemetry | ->| **Type** | REG_DWORD | ->| **Setting** | "00000002" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | System | ->| **Policy** | AllowTelemetry (scope: device and user) | ->| **Default setting** | 2 – Enhanced | ->| **Recommended** | 2 – Allowed | - -### Diagnostic opt-in change notifications - -This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Configure telemetry opt-in change notifications | ->| **Default setting** | Enabled | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | DisableTelemetryOptInChangeNotification | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | System | ->| **Policy** | ConfigureTelemetryOptInChangeNotification | ->| **Default setting** | 0 – Enabled | ->| **Recommended** | 0 – Enabled | - -### Configure telemetry opt-in setting user interface - -This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | ->| **Policy Name** | Configure telemetry opt-in setting user interface | ->| **Default setting** | Enabled | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | ->| **Value** | DisableTelemetryOptInSettingsUx | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | System | ->| **Policy** | ConfigureTelemetryOptInSettingsUx | ->| **Default setting** | 0 – Enabled | ->| **Recommended** | 0 – Enabled | - -## Policies affecting personal data protection managed by the Enterprise IT - -There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data. - -The following options for configuring these policies are relevant in this context. - -### BitLocker - -The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption. - -#### Fixed Data Drives - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives | ->| **Policy Name** | Deny write access to fixed drives not protected by BitLocker | ->| **Default setting** | Not configured | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | ->| **Value** | FDVDenyWriteAccess | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | BitLocker | ->| **Policy** | FixedDrivesRequireEncryption | ->| **Default setting** | Disabled | ->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | - -#### Removable Data Drives - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives | ->| **Policy Name** | Deny write access to removable drives not protected by BitLocker | ->| **Default setting** | Not configured | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | ->| **Value** | RDVDenyWriteAccess | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\FVE | ->| **Value** | RDVDenyCrossOrg | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | BitLocker | ->| **Policy** | RemovableDrivesRequireEncryption | ->| **Default setting** | Disabled | ->| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) | - -### Privacy – AdvertisingID - -This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles | ->| **Policy Name** | Turn off the advertising ID | ->| **Default setting** | Not configured | ->| **Recommended** | Enabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo | ->| **Value** | DisabledByGroupPolicy | ->| **Type** | REG_DWORD | ->| **Setting** | "00000001" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | Privacy | ->| **Policy** | DisableAdvertisingId | ->| **Default setting** | 65535 (default) - Not configured | ->| **Recommended** | 1 – Enabled | - -### Edge - -These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites. - ->[!NOTE] ->Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge | ->| **Policy Name** | Configure Do Not Track | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge | ->| **Policy Name** | Configure Do Not Track | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **MDM CSP** | Browser | ->| **Policy** | AllowDoNotTrack (scope: device + user) | ->| **Default setting** | 0 (default) – Not allowed | ->| **Recommended** | 0 – Not allowed | - -### Internet Explorer - -These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites. - -#### Group Policy - -> [!div class="mx-tableFixed"] ->| | | ->|:-|:-| ->| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | ->| **Policy Name** | Always send Do Not Track header | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | ->| **Policy Name** | Always send Do Not Track header | ->| **Default setting** | Disabled | ->| **Recommended** | Disabled | - -#### Registry - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main | ->| **Value** | DoNotTrack | ->| **Type** | REG_DWORD | ->| **Setting** | "00000000" | - -#### MDM - -> [!div class="mx-tableFixed"] ->||| ->|:-|:-| ->| **MDM CSP** | N/A | - -## Additional resources - -### FAQs - -* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) - -### Blogs - -* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -### Privacy Statement - -* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -### Windows Privacy on docs.microsoft.com - -* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) -* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) -* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - -### Other resources - -* [Privacy at Microsoft](https://privacy.microsoft.com/) +--- +title: Windows 10 personal data services configuration +description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR) +keywords: privacy, GDPR, windows, IT +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 05/11/2018 +ms.reviewer: +--- +# Windows 10 personal data services configuration + +Applies to: +- Windows 10, version 1803 + +Microsoft assembled a list of Windows 10 services configuration settings that are useful for personal data privacy protection and related regulations, such as the General Data Protection Regulation (GDPR). There is one section with settings for service data that is managed at Microsoft and a section for local data that is managed by an IT organization. + +IT Professionals that are interested in applying these settings via group policies can find the configuration for download [here](https://go.microsoft.com/fwlink/?linkid=874149). + +## Introduction + +Microsoft collects data from or generates it through interactions with users of Windows 10 devices. This information can contain personal data that may be used to provide, support, and improve Windows 10 services. + +Many Windows 10 services are controller services. A user can manage data collection settings, for example by opening *Start > Settings > Privacy* or by visiting the [Microsoft Privacy dashboard](https://account.microsoft.com/privacy). While this relationship between Microsoft and a user is evident in a consumer type scenario, an IT organization can influence that relationship. For example, the IT department has the ability to configure the Windows diagnostic data level across their organization by using Group Policy, registry, or Mobile Device Management (MDM) settings. + +Below is a collection of settings related to the Windows 10 personal data services configuration that IT Professionals can use as guidance for influencing Windows diagnostic data collection and personal data protection. + +## Windows diagnostic data + +Windows 10 collects Windows diagnostic data—such as usage data, performance data, inking, typing, and utterance data—and sends it back to Microsoft. That data is used for keeping the operating system secure and up-to-date, to troubleshoot problems, and to make product improvements. For users who have turned on "Tailored experiences", that data can also be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. + +The following options for configuring Windows diagnostic data are relevant in this context. + +### Diagnostic level + +This setting determines the amount of Windows diagnostic data sent to Microsoft. + +>[!NOTE] +>In Windows 10, version 1709, Microsoft introduced a new feature: “Limit Enhanced diagnostic data to the minimum required by Windows Analytics”. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by [Windows Analytics](https://www.microsoft.com/windowsforbusiness/windows-analytics). For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Allow Telemetry | +>| **Default setting** | 2 - Enhanced | +>| **Recommended** | 2 - Enhanced | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Allow Telemetry | +>| **Default setting** | 2 - Enhanced | +>| **Recommended** | 2 - Enhanced | + +>[!NOTE] +>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | AllowTelemetry | +>| **Type** | REG_DWORD | +>| **Setting** | "00000002" | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | AllowTelemetry | +>| **Type** | REG_DWORD | +>| **Setting** | "00000002" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | AllowTelemetry (scope: device and user) | +>| **Default setting** | 2 – Enhanced | +>| **Recommended** | 2 – Allowed | + +### Diagnostic opt-in change notifications + +This setting determines whether a device shows notifications about Windows diagnostic data levels to people on first logon or when changes occur in the diagnostic configuration. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Configure telemetry opt-in change notifications | +>| **Default setting** | Enabled | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | DisableTelemetryOptInChangeNotification | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | ConfigureTelemetryOptInChangeNotification | +>| **Default setting** | 0 – Enabled | +>| **Recommended** | 0 – Enabled | + +### Configure telemetry opt-in setting user interface + +This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds | +>| **Policy Name** | Configure telemetry opt-in setting user interface | +>| **Default setting** | Enabled | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\DataCollection | +>| **Value** | DisableTelemetryOptInSettingsUx | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | System | +>| **Policy** | ConfigureTelemetryOptInSettingsUx | +>| **Default setting** | 0 – Enabled | +>| **Recommended** | 0 – Enabled | + +## Policies affecting personal data protection managed by the Enterprise IT + +There are additional settings usually managed by the Enterprise IT that also affect the protection of personal data. + +The following options for configuring these policies are relevant in this context. + +### BitLocker + +The following settings determine whether fixed and removable drives are protected by the BitLocker Drive Encryption. + +#### Fixed Data Drives + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Fixed Data Drives | +>| **Policy Name** | Deny write access to fixed drives not protected by BitLocker | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | +>| **Value** | FDVDenyWriteAccess | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | BitLocker | +>| **Policy** | FixedDrivesRequireEncryption | +>| **Default setting** | Disabled | +>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | + +#### Removable Data Drives + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Bitlocker Drive Encryption\Removable Data Drives | +>| **Policy Name** | Deny write access to removable drives not protected by BitLocker | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\System\CurrentControlSet\Policies\Microsoft\FVE | +>| **Value** | RDVDenyWriteAccess | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\FVE | +>| **Value** | RDVDenyCrossOrg | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | BitLocker | +>| **Policy** | RemovableDrivesRequireEncryption | +>| **Default setting** | Disabled | +>| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption)) | + +### Privacy – AdvertisingID + +This setting determines if the advertising ID, which preventing apps from using the ID for experiences across apps, is turned off. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\System\User Profiles | +>| **Policy Name** | Turn off the advertising ID | +>| **Default setting** | Not configured | +>| **Recommended** | Enabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo | +>| **Value** | DisabledByGroupPolicy | +>| **Type** | REG_DWORD | +>| **Setting** | "00000001" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | Privacy | +>| **Policy** | DisableAdvertisingId | +>| **Default setting** | 65535 (default) - Not configured | +>| **Recommended** | 1 – Enabled | + +### Edge + +These settings whether employees send “Do Not Track” from the Microsoft Edge web browser to websites. + +>[!NOTE] +>Please see [this Microsoft blog post](https://blogs.microsoft.com/on-the-issues/2015/04/03/an-update-on-microsofts-approach-to-do-not-track/) for more details on why the “Do Not Track” is no longer the default setting. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge | +>| **Policy Name** | Configure Do Not Track | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Microsoft Edge | +>| **Policy Name** | Configure Do Not Track | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **MDM CSP** | Browser | +>| **Policy** | AllowDoNotTrack (scope: device + user) | +>| **Default setting** | 0 (default) – Not allowed | +>| **Recommended** | 0 – Not allowed | + +### Internet Explorer + +These settings whether employees send “Do Not Track” header from the Microsoft Explorer web browser to websites. + +#### Group Policy + +> [!div class="mx-tableFixed"] +>| | | +>|:-|:-| +>| **Group Policy** | Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | +>| **Policy Name** | Always send Do Not Track header | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Group Policy** | User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | +>| **Policy Name** | Always send Do Not Track header | +>| **Default setting** | Disabled | +>| **Recommended** | Disabled | + +#### Registry + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Registry key** | HKLM\Software\Policies\Microsoft\Internet Explorer\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **Registry key** | HKCU\Software\Policies\Microsoft\Internet Explorer\Main | +>| **Value** | DoNotTrack | +>| **Type** | REG_DWORD | +>| **Setting** | "00000000" | + +#### MDM + +> [!div class="mx-tableFixed"] +>||| +>|:-|:-| +>| **MDM CSP** | N/A | + +## Additional resources + +### FAQs + +* [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +* [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +* [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +* [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) + +### Blogs + +* [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +### Privacy Statement + +* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +### Windows Privacy on docs.microsoft.com + +* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +* [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) +* [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) +* [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + +### Other resources + +* [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index c65af63ce9..736efd6668 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -1,88 +1,88 @@ ---- -title: -# Fine-tune Windows Information Policy (WIP) with WIP Learning -description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. -ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 -ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dulcemontemayor -ms.author: dolmont -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 02/26/2019 ---- - -# Fine-tune Windows Information Protection (WIP) with WIP Learning -**Applies to:** - -- Windows 10, version 1703 and later -- Windows 10 Mobile, version 1703 and later - -With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune. - -The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. - -In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. - -## Access the WIP Learning reports - -1. Open the [Azure portal](http://portal.azure.com/). - -1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. - -1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. - - ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) - -1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. - - ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) - -Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. - -## Use the WIP section of Device Health - -You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more. - -If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. - -Once you have WIP policies in place, by using the WIP section of Device Health, you can: - -- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. -- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. - -## Use Device Health and Intune to adjust WIP protection policy - -The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - -1. In **Device Health** click the app you want to add to your policy and copy the publisher information. - -2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to. - -3. Click **Protected apps**, and then click **Add Apps**. - -4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). - - ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) - -5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. - - ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) - -6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). - -7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required). - -8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** - -When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +--- +title: +# Fine-tune Windows Information Policy (WIP) with WIP Learning +description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. +ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 +ms.reviewer: +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: dulcemontemayor +ms.author: dolmont +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 02/26/2019 +--- + +# Fine-tune Windows Information Protection (WIP) with WIP Learning +**Applies to:** + +- Windows 10, version 1703 and later +- Windows 10 Mobile, version 1703 and later + +With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune. + +The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. + +In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. + +## Access the WIP Learning reports + +1. Open the [Azure portal](http://portal.azure.com/). + +1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. + +1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. + + ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) + +1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. + + ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) + +Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. + +## Use the WIP section of Device Health + +You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more. + +If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. + +Once you have WIP policies in place, by using the WIP section of Device Health, you can: + +- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. +- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. + +## Use Device Health and Intune to adjust WIP protection policy + +The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +1. In **Device Health** click the app you want to add to your policy and copy the publisher information. + +2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to. + +3. Click **Protected apps**, and then click **Add Apps**. + +4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). + + ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) + +5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. + + ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) + +6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). + +7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required). + +8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** + +When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 78708f3bd8..ac3e78109d 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -1,172 +1,172 @@ ---- -title: FIPS 140 Validation -description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. -ms.prod: w10 -audience: ITPro -author: dulcemontemayor -ms.author: dolmont -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/03/2018 -ms.reviewer: ---- - - -# FIPS 140 Validation - -On this page - - - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) - - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) - - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) - - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) - - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) - - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) - - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) - - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) - -Updated: March 2018 - - - -## Introduction - -This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\]. - -### Audience - -This document is primarily focused on providing information for three parties: - -[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module. - -[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules. - -[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules. - -### Document Map - -This document is broken into seven major sections: - -[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard. - -[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated. - -[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy. - -[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules. - -[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions. - -[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated. - -[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates. - -## FIPS 140 Overview - -### FIPS 140 Standard - -FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). - -The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements. - -### Applicability of the FIPS standard - -Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements. - -The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification). - -### History of 140-1 - -FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002. - -### FIPS 140-2 - -FIPS 140-2 is currently the active version of the standard. - -### Microsoft FIPS Support Policy - -Microsoft actively maintains FIPS 140 validation for its cryptographic modules. - -### FIPS Mode of Operation - -The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method. - -## Microsoft Product Validation (Information for Procurement Officers and Auditors) - -This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used. - -### Microsoft Product Relationship with CNG and CAPI libraries - -Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services. - -The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: - - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall - -## Information for System Integrators - -This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy. - -There are two steps to ensure that Microsoft products operate in FIPS mode: - -1. Selecting/Installing FIPS 140 validated cryptographic modules -2. Setting FIPS local/group security policy flag. - -### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules - -Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules. - -The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory. - -### Step 2 – Setting FIPS Local/Group Security Policy Flag - -The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode. - -**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules. - -#### Instructions on Setting the FIPS Local/Group Security Policy Flag - -While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner. - -1. Open the 'Run' menu by pressing the combination 'Windows Key + R'. -2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button. -3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options. -4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'. -5. In the properties window, select the 'Enabled' option and click the 'Apply' button. - -#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy - -The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. - - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall - -#### Effects of Setting FIPS Local/Group Security Policy Flag - -When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are: - +--- +title: FIPS 140 Validation +description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. +ms.prod: w10 +audience: ITPro +author: dulcemontemayor +ms.author: dolmont +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.date: 04/03/2018 +ms.reviewer: +--- + + +# FIPS 140 Validation + +On this page + + - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) + - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) + - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) + - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) + - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) + - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) + - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) + - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) + +Updated: March 2018 + + + +## Introduction + +This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\]. + +### Audience + +This document is primarily focused on providing information for three parties: + +[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module. + +[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules. + +[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules. + +### Document Map + +This document is broken into seven major sections: + +[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard. + +[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated. + +[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy. + +[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules. + +[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions. + +[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated. + +[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates. + +## FIPS 140 Overview + +### FIPS 140 Standard + +FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). + +The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements. + +### Applicability of the FIPS standard + +Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements. + +The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification). + +### History of 140-1 + +FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002. + +### FIPS 140-2 + +FIPS 140-2 is currently the active version of the standard. + +### Microsoft FIPS Support Policy + +Microsoft actively maintains FIPS 140 validation for its cryptographic modules. + +### FIPS Mode of Operation + +The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method. + +## Microsoft Product Validation (Information for Procurement Officers and Auditors) + +This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used. + +### Microsoft Product Relationship with CNG and CAPI libraries + +Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services. + +The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: + + - Schannel Security Package + - Remote Desktop Protocol (RDP) Client + - Encrypting File System (EFS) + - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) + - BitLocker® Drive Full-volume Encryption + - IPsec Settings of Windows Firewall + +## Information for System Integrators + +This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy. + +There are two steps to ensure that Microsoft products operate in FIPS mode: + +1. Selecting/Installing FIPS 140 validated cryptographic modules +2. Setting FIPS local/group security policy flag. + +### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules + +Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules. + +The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory. + +### Step 2 – Setting FIPS Local/Group Security Policy Flag + +The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode. + +**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules. + +#### Instructions on Setting the FIPS Local/Group Security Policy Flag + +While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner. + +1. Open the 'Run' menu by pressing the combination 'Windows Key + R'. +2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button. +3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options. +4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'. +5. In the properties window, select the 'Enabled' option and click the 'Apply' button. + +#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy + +The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. + + - Schannel Security Package + - Remote Desktop Protocol (RDP) Client + - Encrypting File System (EFS) + - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) + - BitLocker® Drive Full-volume Encryption + - IPsec Settings of Windows Firewall + +#### Effects of Setting FIPS Local/Group Security Policy Flag + +When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are: + - Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled: - + - - TLS\_RSA\_WITH\_RC4\_128\_SHA - TLS\_RSA\_WITH\_RC4\_128\_MD5 - SSL\_CK\_RC4\_128\_WITH\_MD5 - SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5 - TLS\_RSA\_WITH\_NULL\_MD5 - TLS\_RSA\_WITH\_NULL\_SHA - + - The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to: - + - - CALG\_RSA\_KEYX - RSA public key exchange algorithm - CALG\_3DES - Triple DES encryption algorithm - CALG\_AES\_128 - 128 bit AES @@ -175,6916 +175,6916 @@ When setting the FIPS local/group security policy flag, the behavior of several - CALG\_SHA\_256 - 256 bit SHA hashing algorithm - CALG\_SHA\_384 - 384 bit SHA hashing algorithm - CALG\_SHA\_512 - 512 bit SHA hashing algorithm - + - Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception. - + - Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed. - + - On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer. - -Please be aware that selection of FIPS mode can limit product functionality (See ). - -## Information for Software Developers - -This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules. - -Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes. - -### Using Microsoft Cryptographic Modules in a FIPS mode of operation - -No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section. - -When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications. - -If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries. - -### Key Strengths and Validity Periods - -NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST. - -## FIPS 140 FAQ - -The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products. - -1. How does FIPS 140 relate to the Common Criteria? - **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products. - In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly. -2. How does FIPS 140 relate to Suite B? - **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. - The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard. -3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me? - **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list. - Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules. -4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules? - **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against. - You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details). -5. What does "When operated in FIPS mode" mean on certificates? - **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy). -6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration? - **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any. -7. Is BitLocker to Go FIPS 140-2 validated? - **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules. -8. Are applications FIPS 140-2 validated? - **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest. -9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules? - **Answer:** See [https://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx) - -## Microsoft FIPS 140 Validated Cryptographic Modules - -### Modules By Operating System - -The following tables identify the Cryptographic Modules for an operating system. - -#### Windows - -##### Windows 10 Creators Update (Version 1703) - -Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

#3094

-

FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

Boot Manager10.0.15063#3089

FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

-

Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

Windows OS Loader10.0.15063#3090

FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

-

Other algorithms: NDRNG

Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
Code Integrity (ci.dll)10.0.15063#3093

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

- - -\[1\] Applies only to Home, Pro, Enterprise, Education and S - -\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub - -\[3\] Applies only to Pro, Enterprise Education and S - -##### Windows 10 Anniversary Update (Version 1607) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

Boot Manager10.0.14393#2931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

-

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.14393#2935

FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

- - -\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile - -\[3\] Applies only to Pro, Enterprise and Enterprise LTSB - -##### Windows 10 November 2015 Update (Version 1511) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
Code Integrity (ci.dll)10.0.10586#2604

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: AES (non-compliant); MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
-
-Other algorithms: MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

- - -\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub - -\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub - -\[6\] Applies only to Home, Pro and Enterprise - -\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub - -\[8\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 10 (Version 1507) - -Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
-
-Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
Code Integrity (ci.dll)10.0.10240#2604

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: AES (non-compliant); MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
-
-Other algorithms: MD5

-

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

- - -\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB - -\[12\] Applies only to Pro, Enterprise and Enterprise LTSB - -\[13\] Applies only to Enterprise and Enterprise LTSB - -##### Windows 8.1 - -Validated Editions: RT, Pro, Enterprise, Phone, Embedded - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

-

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5

-

Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

- - -\[14\] Applies only to Pro, Enterprise, and Embedded 8. - -##### Windows 8 - -Validated Editions: RT, Home, Pro, Enterprise, Phone - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A
Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -\[15\] Applies only to Home and Pro - -**Windows 7** - -Validated Editions: Windows 7, Windows 7 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

6.1.7600.16385

-

6.1.7601.17514

1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Kernel Mode Cryptographic Primitives Library (cng.sys)

6.1.7600.16385

-

6.1.7600.16915

-

6.1.7600.21092

-

6.1.7601.17514

-

6.1.7601.17725

-

6.1.7601.17919

-

6.1.7601.21861

-

6.1.7601.22076

1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Boot Manager

6.1.7600.16385

-

6.1.7601.17514

1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
-
-Other algorithms: MD5
Winload OS Loader (winload.exe)

6.1.7600.16385

-

6.1.7600.16757

-

6.1.7600.20897

-

6.1.7600.20916

-

6.1.7601.17514

-

6.1.7601.17556

-

6.1.7601.21655

-

6.1.7601.21675

1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5
BitLocker™ Drive Encryption

6.1.7600.16385

-

6.1.7600.16429

-

6.1.7600.16757

-

6.1.7600.20536

-

6.1.7600.20873

-

6.1.7600.20897

-

6.1.7600.20916

-

6.1.7601.17514

-

6.1.7601.17556

-

6.1.7601.21634

-

6.1.7601.21655

-

6.1.7601.21675

1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser
Code Integrity (CI.DLL)

6.1.7600.16385

-

6.1.7600.17122

-

6.1.7600.21320

-

6.1.7601.17514

-

6.1.7601.17950

-

6.1.7601.22108

1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
-
-Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
-(no change in SP1)		1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
-(no change in SP1)		1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -##### Windows Vista SP1 - -Validated Editions: Ultimate Edition - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
-
-Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

-

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

-

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

- - -##### Windows Vista - -Validated Editions: Ultimate Edition - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
-
-Other algorithms: Elephant Diffuser
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
-
-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
- - -##### Windows XP SP3 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

-

Other algorithms: DES; MD5; HMAC MD5

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

-

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

- - -##### Windows XP SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

-

Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

-

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

- - -##### Windows XP SP1 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

-

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

- - -##### Windows XP - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module5.1.2600.0241

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

-

Other algorithms: DES (Cert. #89)

- - -##### Windows 2000 SP3 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

-

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2195.3665 [SP3])

-

(Base: 5.0.2195.3839 [SP3])

-

(DSS/DH Enh: 5.0.2195.3665 [SP3])

-

(Enh: 5.0.2195.3839 [SP3]

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

- - -##### Windows 2000 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

-

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS:

-

5.0.2195.2228 [SP2])

-

(Base:

-

5.0.2195.2228 [SP2])

-

(DSS/DH Enh:

-

5.0.2195.2228 [SP2])

-

(Enh:

-

5.0.2195.2228 [SP2])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

- - -##### Windows 2000 SP1 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2150.1391 [SP1])

-

(Base: 5.0.2150.1391 [SP1])

-

(DSS/DH Enh: 5.0.2150.1391 [SP1])

-

(Enh: 5.0.2150.1391 [SP1])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

- - -##### Windows 2000 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

- - -##### Windows 95 and Windows 98 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

-

Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

- - -##### Windows NT 4.0 - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
-
-Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
- - -#### Windows Server - -##### Windows Server 2016 - -Validated Editions: Standard, Datacenter, Storage Server - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
-
-Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager10.0.143932931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

-

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
-
-Other algorithms: AES (non-compliant); MD5
Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
-
-Other algorithms: MD5
- - -##### Windows Server 2012 R2 - -Validated Editions: Server, Storage Server, - -**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
-
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
-
-Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
-
-Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
-
-Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
-
-Other algorithms: MD5
- - -\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** - -**Windows Server 2012** - -Validated Editions: Server, Storage Server - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
-
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
-
-Other algorithms: N/A
Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
-
-Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
-
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -##### Windows Server 2008 R2 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5
Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5
Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
-
-Other algorithms: MD5
Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
-
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
-
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
-
-Other algorithms: Elephant Diffuser
- - -##### Windows Server 2008 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: N/A
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
-
-Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
-
--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
-
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
- - -##### Windows Server 2003 SP2 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

-

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

-

Other algorithms: DES; HMAC-MD5

Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

-

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

- - -##### Windows Server 2003 SP1 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

-

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

-

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

-

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

-

[1] x86
-[2] SP1 x86, x64, IA64

- - -##### Windows Server 2003 - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

-

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

-

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

-

[1] x86
-[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

-

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

-

[1] x86
-[2] SP1 x86, x64, IA64

- - -#### Other Products - -##### Windows Embedded Compact 7 and Windows Embedded Compact 8 - - ------ - - - - - - - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

-

Allowed algorithms: HMAC-MD5; MD5; NDRNG

Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

-

Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

- - - -##### Windows CE 6.0 and Windows Embedded Compact 7 - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

-

Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

- - -##### Outlook Cryptographic Provider - - ------ - - - - - - - - - - - - - - -
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

-

Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

- - - -### Cryptographic Algorithms - -The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. - -### Advanced Encryption Standard (AES) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-OFB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -

Microsoft Surface Hub Virtual TPM Implementations #4904

-

Version 10.0.15063.674

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-OFB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

-

Version 10.0.16299

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CCM:
    • -
    • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • -
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • -
    • Plain Text Length: 0-32
      • -
    • AAD Length: 0-65536
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CMAC:
    • -
    • -
    • Generation:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • Verification:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-GCM:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • -
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • 96 bit IV supported
      • -
    • -
  • AES-XTS:
    • -
    • -
    • Key Size: 128:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • Key Size: 256:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

-

Version 10.0.15063.674

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CCM:
    • -
    • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • -
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • -
    • Plain Text Length: 0-32
      • -
    • AAD Length: 0-65536
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CMAC:
    • -
    • -
    • Generation:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • Verification:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-GCM:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • -
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • 96 bit IV supported
      • -
    • -
  • AES-XTS:
    • -
    • -
    • Key Size: 128:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • Key Size: 256:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

-

Version 10.0.15254

    -
  • AES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CCM:
    • -
    • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • -
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • -
    • Plain Text Length: 0-32
      • -
    • AAD Length: 0-65536
      • -
    • -
  • AES-CFB128:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-CMAC:
    • -
    • -
    • Generation:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • Verification:
      • -
      • -
      • AES-128:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-192:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • AES-256:
        • -
        • -
        • Block Sizes: Full, Partial
          • -
        • Message Length: 0-65536
          • -
        • Tag Length: 16-16
          • -
        • -
      • -
    • -
  • AES-CTR:
    • -
    • -
    • Counter Source: Internal
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • -
  • AES-GCM:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • IV Generation: External
      • -
    • Key Lengths: 128, 192, 256 (bits)
      • -
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • -
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • -
    • 96 bit IV supported
      • -
    • -
  • AES-XTS:
    • -
    • -
    • Key Size: 128:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • Key Size: 256:
      • -
      • -
      • Modes: Decrypt, Encrypt
        • -
      • Block Sizes: Full
        • -
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

-

Version 10.0.16299

AES-KW:

-
    -
  • Modes: Decrypt, Encrypt
    • -
  • CIPHK transformation direction: Forward
    • -
  • Key Lengths: 128, 192, 256 (bits)
    • -
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -
-

AES Val#4902

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

-

Version 10.0.15063.674

AES-KW:

-
    -
  • Modes: Decrypt, Encrypt
    • -
  • CIPHK transformation direction: Forward
    • -
  • Key Lengths: 128, 192, 256 (bits)
    • -
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -
-

AES Val#4901

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

-

Version 10.0.15254

AES-KW:

-
    -
  • Modes: Decrypt, Encrypt
    • -
  • CIPHK transformation direction: Forward
    • -
  • Key Lengths: 128, 192, 256 (bits)
    • -
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • -
-

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

-

Version 10.0.16299

AES-CCM:

-
    -
  • Key Lengths: 256 (bits)
    • -
  • Tag Lengths: 128 (bits)
    • -
  • IV Lengths: 96 (bits)
    • -
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • -
-

AES Val#4902

Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

-

Version 10.0.15063.674

AES-CCM:

-
    -
  • Key Lengths: 256 (bits)
    • -
  • Tag Lengths: 128 (bits)
    • -
  • IV Lengths: 96 (bits)
    • -
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • -
-

AES Val#4901

Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

-

Version 10.0.15254

AES-CCM:

-
    -
  • Key Lengths: 256 (bits)
    • -
  • Tag Lengths: 128 (bits)
    • -
  • IV Lengths: 96 (bits)
    • -
  • Plain Text Length: 0-32
    • -
  • AAD Length: 0-65536
    • -
-

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

-

Version 10.0.16299

CBC ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

OFB ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

-

Version 10.0.15063

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

-

AES Val#4624

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

-

Version 10.0.15063

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#4624

-

 

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

-

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

-

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

-

IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

-

GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

-

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

-

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

-

Version 8.00.6246

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

-

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

-

Version 8.00.6246

CBC ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

OFB ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

-

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

-

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
-Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

-

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

-

Version 10.0.14393

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

-

Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

-

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

-

Version 10.0.10586

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

-

Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
-Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
-
-

-

Version 10.0.10586

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

-

AES Val#3497

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

-

Version 10.0.10240

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#3497

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

-

Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

-

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported

-

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
-Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
-Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

-

Version 6.3.9600

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#2832

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

-

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

-

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

-

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

-

IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
-OtherIVLen_Supported
-GMAC_Supported

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

-

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#2197

-

CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
-AES Val#2197

-

GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
-GMAC_Supported

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

-

AES Val#2196

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

CFB128 ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
-AES Val#1168

Windows Server 2008 R2 and SP1 CNG algorithms #1187

-

Windows 7 Ultimate and SP1 CNG algorithms #1178

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
-AES Val#1168		Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

-

 

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

GCM

-

GMAC

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

Windows Server 2008 CNG algorithms #757

-

Windows Vista Ultimate SP1 CNG algorithms #756

CBC ( e/d; 128 , 256 );

-

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

Windows Vista Ultimate BitLocker Drive Encryption #715

-

Windows Vista Ultimate BitLocker Drive Encryption #424

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CFB8 ( e/d; 128 , 192 , 256 );

Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

-

Windows Vista Symmetric Algorithm Implementation #553

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

-

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

ECB ( e/d; 128 , 192 , 256 );

-

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

-

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

-

Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

-

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

-

Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

-

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

-

Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

-

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

-

Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

- - -Deterministic Random Bit Generator (DRBG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function not used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4904

Microsoft Surface Hub Virtual TPM Implementations #1734

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function not used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4903

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

-

Version 10.0.16299

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4902

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4901

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

-

Version 10.0.15254

    -
  • Counter:
    • -
    • -
    • Modes: AES-256
      • -
    • Derivation Function States: Derivation Function used
      • -
    • Prediction Resistance Modes: Not Enabled
      • -
    • -
-

Prerequisite: AES #4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

-

Version 10.0.16299

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

-

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

-

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

-

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

-

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

-

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

-

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

-

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

-

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

-

Version 10.0.10586

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

-

Version 10.0.10240

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

-

Version 6.3.9600

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
- - -#### Digital Signature Algorithm (DSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • DSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • PQGGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • PQGVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • KeyPair:
        • -
        • -
        • L = 2048, N = 256
          • -
        • L = 3072, N = 256
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

-

Version 10.0.15063.674

    -
  • DSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • PQGGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • PQGVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • KeyPair:
        • -
        • -
        •  
          • -
        •  
          • -
        • L = 2048, N = 256
          • -
        • L = 3072, N = 256
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

-

Version 10.0.15254

    -
  • DSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • PQGGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • PQGVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigGen:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • SigVer:
        • -
        • -
        • L = 2048, N = 256 SHA: SHA-256
          • -
        • L = 3072, N = 256 SHA: SHA-256
          • -
        • -
      • KeyPair:
        • -
        • -
        • L = 2048, N = 256
          • -
        • L = 3072, N = 256
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

-

Version 10.0.16299

FIPS186-4:

-

PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

-

PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

KeyPairGen:   [ (2048,256) ; (3072,256) ]

-

SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

-

SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val#3790

-

DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

-

Version 10.0.15063

FIPS186-4:
-PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SHS: Val# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

-

Version 7.00.2872

FIPS186-4:
-PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
-SHS: Val#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

-

Version 8.00.6246

FIPS186-4:
-PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen:    [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED:   [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 3347
-DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

-

Version 10.0.14393

FIPS186-4:
-PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
-KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 3047
-DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

-

Version 10.0.10586

FIPS186-4:
-PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen:    [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 2886
-DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

-

Version 10.0.10240

FIPS186-4:
-PQG(gen)PARMS TESTED:   [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED:   [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen:    [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

-

SHS: Val# 2373
-DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

-

Version 6.3.9600

FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1903
-DRBG: #258

-

FIPS186-4:
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
FIPS186-2:
-PQG(ver) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: #1902
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

Windows Server 2008 R2 and SP1 CNG algorithms #391

-

Windows 7 Ultimate and SP1 CNG algorithms #386

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 1081
-RNG: Val# 649
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

-

Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

Windows Server 2008 CNG algorithms #284

-

Windows Vista Ultimate SP1 CNG algorithms #283

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 753
-RNG: Val# 435
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

Windows Server 2008 Enhanced DSS (DSSENH) #282

-

Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

Windows Vista CNG algorithms #227

-

Windows Vista Enhanced DSS (DSSENH) #226

FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 784
-RNG: Val# 448
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.		Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
FIPS186-2:
-SIG(ver) MOD(1024);
-SHS: Val# 783
-RNG: Val# 447
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 611
-RNG: Val# 314		Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 385		Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
FIPS186-2:
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SIG(ver) MOD(1024);
-SHS: Val# 181
-
-		Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
FIPS186-2:
-PQG(gen) MOD(1024);
-PQG(ver) MOD(1024);
-KEYGEN(Y) MOD(1024);
-SIG(gen) MOD(1024);
-SHS: SHA-1 (BYTE)
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE)

Windows 2000 DSSENH.DLL #29

-

Windows 2000 DSSBASE.DLL #28

-

Windows NT 4 SP6 DSSENH.DLL #26

-

Windows NT 4 SP6 DSSBASE.DLL #25

FIPS186-2: PRIME;
-FIPS186-2:

-

KEYGEN(Y):
-SHS: SHA-1 (BYTE)

-

SIG(gen):
-SIG(ver) MOD(1024);
-SHS: SHA-1 (BYTE)

Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
- - -#### Elliptic Curve Digital Signature Algorithm (ECDSA) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #2373, DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

-

Version 6.3.9600

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384
          • -
        • Generation Methods: Testing Candidates
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #1253

-

Version 10.0.15063.674

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384
          • -
        • Generation Methods: Testing Candidates
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

-

Version 10.0.16299

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

-

Version 10.0.15063.674

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

-

Version 10.0.15063.674

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

-

Version 10.0.15254

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

-

Version 10.0.15254

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

-

Version 10.0.16299

    -
  • ECDSA:
    • -
    • -
    • 186-4:
      • -
      • -
      • Key Pair Generation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • Generation Methods: Extra Random Bits
          • -
        • -
      • Public Key Validation:
        • -
        • -
        • Curves: P-256, P-384, P-521
          • -
        • -
      • Signature Generation:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • Signature Verification:
        • -
        • -
        • P-256 SHA: SHA-256
          • -
        • P-384 SHA: SHA-384
          • -
        • P-521 SHA: SHA-512
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

-

Version 10.0.16299

FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-SHS: Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

-

Version 10.0.15063

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

-

Version 10.0.15063

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

-

Version 10.0.15063

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val# 3649
-DRBG:Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

-

Version 7.00.2872

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val#3648
-DRBG:Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

-

Version 8.00.6246

FIPS186-4:
-PKG: CURVES( P-256 P-384 TestingCandidates )
-PKV: CURVES( P-256 P-384 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

-

SHS: Val# 3347
-DRBG: Val# 1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

-

Version 10.0.14393

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val# 3347
-DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

-

Version 10.0.14393

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val# 3047
-DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

-

Version 10.0.10586

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val# 2886
-DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

-

Version 10.0.10240

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

-

SHS: Val#2373
-DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

-

Version 6.3.9600

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258
-SIG(ver):CURVES( P-256 P-384 P-521 )
-SHS: #1903
-DRBG: #258

-

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: #1903
-DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193

-

FIPS186-4:
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

Windows Server 2008 R2 and SP1 CNG algorithms #142

-

Windows 7 Ultimate and SP1 CNG algorithms #141

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

Windows Server 2008 CNG algorithms #83

-

Windows Vista Ultimate SP1 CNG algorithms #82

FIPS186-2:
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.		Windows Vista CNG algorithms #60
- - -#### Keyed-Hash Message Authentication Code (HMAC) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4011

Microsoft Surface Hub Virtual TPM Implementations #3271

-

Version 10.0.15063.674

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

-

Version 10.0.16299

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-512:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4011

Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

-

Version 10.0.15063.674

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-512:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4010

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

-

Version 10.0.15254

    -
  • HMAC-SHA-1:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-256:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-384:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
  • HMAC-SHA2-512:
    • -
    • -
    • Key Sizes < Block Size
      • -
    • Key Sizes > Block Size
      • -
    • Key Sizes = Block Size
      • -
    • -
-

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

-

Version 10.0.16299

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

-

Version 10.0.15063

HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

-

Version 10.0.15063

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

-

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

-

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

-

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

-

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHS Val# 3347

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3347

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

-

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

-

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHS Val# 3047

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3047

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3047

-

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
-SHS Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

-

Version 10.0.10586

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHSVal# 2886

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHSVal# 2886

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
- SHSVal# 2886

-

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
-SHSVal# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

-

Version 10.0.10240

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
-SHS Val#2373

-

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
-SHS Val#2373

-

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
-SHS Val#2373

-

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
-SHS Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

-

Version 6.3.9600

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

-

Version 5.2.29344

HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

-

HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

-

SHS#1903

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

-

SHS#1903

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

-

SHS#1903

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

-

SHS#1903

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

-

Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

Windows Server 2008 R2 and SP1 CNG algorithms #686

-

Windows 7 and SP1 CNG algorithms #677

-

Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

-

Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

-

Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

-

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

Windows Server 2008 CNG algorithms #413

-

Windows Vista Ultimate SP1 CNG algorithms #412

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

Windows Vista Ultimate BitLocker Drive Encryption #386

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista CNG algorithms #298

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

-

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

Windows Vista BitLocker Drive Encryption #199
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

-

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

-

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

-

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

-

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
- - -#### Key Agreement Scheme (KAS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Full Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #150

-

Version 10.0.15063.674

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Full Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

-

Version 10.0.16299

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Ephemeral Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • One Pass DH:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • Static Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

-
    -
  • KAS FFC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • -
    • Schemes:
      • -
      • -
      • dhEphem:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhOneFlow:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhStatic:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DSA #1303, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

-

Version 10.0.15063.674

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Ephemeral Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • One Pass DH:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • Static Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

-
    -
  • KAS FFC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • -
    • Schemes:
      • -
      • -
      • dhEphem:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhOneFlow:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhStatic:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DSA #1302, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

-

Version 10.0.15254

    -
  • KAS ECC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • -
    • Schemes:
      • -
      • -
      • Ephemeral Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • KDFs: Concatenation
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • One Pass DH:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • Static Unified:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • EC:
            • -
            • -
            • Curve: P-256
              • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • ED:
            • -
            • -
            • Curve: P-384
              • -
            • SHA: SHA-384
              • -
            • MAC: HMAC
              • -
            • -
          • EE:
            • -
            • -
            • Curve: P-521
              • -
            • SHA: SHA-512
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

-
    -
  • KAS FFC:
    • -
    • -
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • -
    • Schemes:
      • -
      • -
      • dhEphem:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhOneFlow:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • dhStatic:
        • -
        • -
        • Key Agreement Roles: Initiator, Responder
          • -
        • Parameter Sets:
          • -
          • -
          • FB:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • FC:
            • -
            • -
            • SHA: SHA-256
              • -
            • MAC: HMAC
              • -
            • -
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DSA #1301, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

-

Version 10.0.16299

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

-

SHS Val#3790
-DSA Val#1135
-DRBG Val#1556

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

-

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-SHS Val#3790
-DSA Val#1223
-DRBG Val#1555

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3790
-ECDSA Val#1133
-DRBG Val#1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

-

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-SHS Val# 3649
-DSA Val#1188
-DRBG Val#1430

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

-

Version 7.00.2872

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
-SHS Val#3648
-DSA Val#1187
-DRBG Val#1429

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS Val#3648
-ECDSA Val#1072
-DRBG Val#1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

-

Version 8.00.6246

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
-SCHEMES  [ FullUnified  ( No_KC  < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

-

SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

-

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
-SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val# 3347 DSA Val#1098 DRBG Val#1217

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

-

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val# 3047 DSA Val#1024 DRBG Val#955

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val# 3047 ECDSA Val#760 DRBG Val#955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

-

Version 10.0.10586

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val# 2886 DSA Val#983 DRBG Val#868

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val# 2886 ECDSA Val#706 DRBG Val#868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

-

Version 10.0.10240

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

-

SHS Val#2373 DSA Val#855 DRBG Val#489

-

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

-

SHS Val#2373 ECDSA Val#505 DRBG Val#489

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

-

Version 6.3.9600

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS #1903 DSA Val#687 DRBG #258

-

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
-[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-
-SHS #1903 ECDSA Val#341 DRBG #258

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

KAS (SP 800–56A)

-

key agreement

-

key establishment methodology provides 80 to 256 bits of encryption strength

Windows 7 and SP1, vendor-affirmed

-

Windows Server 2008 R2 and SP1, vendor-affirmed

- - -SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • Counter:
    • -
    • -
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • -
    • -
-

MAC prerequisite: HMAC #3271

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: DRBG #1734, KAS #150

Microsoft Surface Hub Virtual TPM Implementations #161

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • -
    • -
-

MAC prerequisite: HMAC #3270

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: DRBG #1733, KAS #149

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

-

Version 10.0.16299

    -
  • Counter:
    • -
    • -
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • -
    • -
-

MAC prerequisite: AES #4902, HMAC #3269

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
  • K prerequisite: KAS #148
    • -
-

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

-

Version 10.0.15063.674

    -
  • Counter:
    • -
    • -
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • -
    • -
-

MAC prerequisite: AES #4901, HMAC #3268

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: KAS #147

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

-

Version 10.0.15254

    -
  • Counter:
    • -
    • -
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • -
    • -
-

MAC prerequisite: AES #4897, HMAC #3267

-
-
    -
  • Counter Location: Before Fixed Data
    • -
  • R Length: 32 (bits)
    • -
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • -
-
-

K prerequisite: KAS #146

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

-

Version 10.0.16299

CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#128
-DRBG Val#1556
-MAC Val#3062

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

-

Version 10.0.15063

CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
-
-KAS Val#127
-AES Val#4624
-DRBG Val#1555
-MAC Val#3061

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

-

Version 10.0.15063

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#93 DRBG Val#1222 MAC Val#2661

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

-

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

-

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

-

Version 10.0.10586

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

-

Version 10.0.10240

CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

DRBG Val#489 MAC Val#1773

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

-

Version 6.3.9600

CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

-

DRBG #258 HMAC Val#1345

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
- - -Random Number Generator (RNG) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #

FIPS 186-2 General Purpose

-

[ (x-Original); (SHA-1) ]

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
FIPS 186-2
-[ (x-Original); (SHA-1) ]

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

-

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

-

Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

-

Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

FIPS 186-2
-[ (x-Change Notice); (SHA-1) ]

-

FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ]

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

-

Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

-

Windows Vista RNG implementation #321

FIPS 186-2 General Purpose
-[ (x-Change Notice); (SHA-1) ]

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

-

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

-

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

-

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

FIPS 186-2
-[ (x-Change Notice); (SHA-1) ]

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

-

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

- - -#### RSA - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #2677

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 240 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

-

Version 10.0.16299

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub RSA32 Algorithm Implementations #2675

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

-

Version 10.0.16299

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

-

Version 10.0.15254

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Public Key Exponent: Fixed (10001)
        • -
      • Provable Primes with Conditions:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.3
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Probable Random Primes:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.2
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

-

Version 10.0.15063.674

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Probable Random Primes:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.2
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

-

Version 10.0.15254

RSA:

-
    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Public Key Exponent: Fixed (10001)
        • -
      • Provable Primes with Conditions:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.3
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

-

Version 10.0.15254

    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Public Key Exponent: Fixed (10001)
        • -
      • Provable Primes with Conditions:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.3
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

-

Version 10.0.16299

    -
  • 186-4:
    • -
    • -
    • Key Generation:
      • -
      • -
      • Probable Random Primes:
        • -
        • -
        • Mod lengths: 2048, 3072 (bits)
          • -
        • Primality Tests: C.2
          • -
        • -
      • -
    • Signature Generation PKCS1.5:
      • -
      • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Generation PSS:
      • -
      • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • Signature Verification PKCS1.5:
      • -
      • -
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • -
      • -
    • Signature Verification PSS:
      • -
      • -
      • Mod 1024:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 496 (bits)
          • -
        • -
      • Mod 2048:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • Mod 3072:
        • -
        • -
        • SHA-1: Salt Length: 160 (bits)
          • -
        • SHA-256: Salt Length: 256 (bits)
          • -
        • SHA-384: Salt Length: 384 (bits)
          • -
        • SHA-512: Salt Length: 512 (bits)
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

-

Version 10.0.16299

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-SHA Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

-

Version 10.0.15063

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

-

Version 10.0.15063

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790
-DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

-

Version 10.0.15063

FIPS186-4:
-186-4KEY(gen):
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

-

Version 10.0.15063

FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

-

FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

-

Version 7.00.2872

FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

-

FIPS186-4:
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

-

Version 8.00.6246

FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

-

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3649
-DRBG: Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

-

Version 7.00.2872

FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

-

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3648
-DRBG: Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

-

Version 8.00.6246

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

-

SHA Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

-

Version 10.0.14393

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

-

Version 10.0.14393

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#3346

soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

-

Version 10.0.14393

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

-

Version 10.0.14393

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

-

Version 10.0.14393

FIPS186-4:
-186-4KEY(gen):  FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val# 3047 DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

-

Version 10.0.10586

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#3048

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

-

Version 10.0.10586

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

-

Version 10.0.10586

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

-

Version 10.0.10586

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val# 2886 DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

-

Version 10.0.10240

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

-

Version 10.0.10240

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

-

Version 10.0.10240

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

-

Version 10.0.10240

FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

-

SHA Val#2373 DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

-

Version 6.3.9600

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

-

Version 6.3.9600

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

-

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

-

Version 6.3.9600

FIPS186-4:
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

-

SHA Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

-

Version 6.3.9600

FIPS186-4:
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
-SHA #1903

-

Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-SHA #1903 DRBG: #258		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.		Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.		Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.		Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

Windows Server 2008 R2 and SP1 CNG algorithms #567

-

Windows 7 and SP1 CNG algorithms #560

FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.		Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.		Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
FIPS186-2:
-ALG[ANSIX9.31]:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

Windows Server 2008 CNG algorithms #358

-

Windows Vista SP1 CNG algorithms #357

FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

-

Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.		Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
FIPS186-2:
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.		Windows Vista RSA key generation implementation #258
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.		Windows Vista CNG algorithms #257
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.		Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.		Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.		Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
FIPS186-2:
-ALG[RSASSA-PKCS1_V1_5]:
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.		Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
FIPS186-2:
-ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.		Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

FIPS186-2:

-

– PKCS#1 v1.5, signature generation and verification

-

– Mod sizes: 1024, 1536, 2048, 3072, 4096

-

– SHS: SHA–1/256/384/512

Windows XP, vendor-affirmed

-

Windows 2000, vendor-affirmed

- - -#### Secure Hash Standard (SHS) - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • SHA-1:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-256:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-384:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-512:
    • -
    • -
    • Supports Empty Message
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

-

Version 10.0.15063.674

    -
  • SHA-1:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-256:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-384:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-512:
    • -
    • -
    • Supports Empty Message
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

-

Version 10.0.15254

    -
  • SHA-1:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-256:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-384:
    • -
    • -
    • Supports Empty Message
      • -
    • -
  • SHA-512:
    • -
    • -
    • Supports Empty Message
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

-

Version 10.0.16299

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

-

Version 10.0.15063

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

-

Version 7.00.2872

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

-

Version 8.00.6246

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

-

Version 7.00.2872

SHA-1      (BYTE-only)
-SHA-256  (BYTE-only)
-SHA-384  (BYTE-only)
-SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

-

Version 8.00.6246

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
-Version 10.0.14393
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
-Version 10.0.14393
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
-Version 10.0.10586
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
-Version 10.0.10586
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
-Version 10.0.10240
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
-Version 10.0.10240
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
-Version 6.3.9600
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
-Version 6.3.9600

SHA-1 (BYTE-only)

-

SHA-256 (BYTE-only)

-

SHA-384 (BYTE-only)

-

SHA-512 (BYTE-only)

-

Implementation does not support zero-length (null) messages.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

-

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

-

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

SHA-1 (BYTE-only)

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

-

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

-

Windows Vista Symmetric Algorithm Implementation #618

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)

Windows Vista BitLocker Drive Encryption #737

-

Windows Vista Beta 2 BitLocker Drive Encryption #495

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

-

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

SHA-1 (BYTE-only)

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

-

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

-

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

-

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

-

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

-

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

-

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

SHA-1 (BYTE-only)
-SHA-256 (BYTE-only)
-SHA-384 (BYTE-only)
-SHA-512 (BYTE-only)

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

-

Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

-

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

SHA-1 (BYTE-only)

Windows XP Microsoft Enhanced Cryptographic Provider #83

-

Crypto Driver for Windows 2000 (fips.sys) #35

-

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

-

Windows 2000 RSAENH.DLL #24

-

Windows 2000 RSABASE.DLL #23

-

Windows NT 4 SP6 RSAENH.DLL #21

-

Windows NT 4 SP6 RSABASE.DLL #20

- - -#### Triple DES - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    -
  • TDES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB64:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

-

Version 10.0.15063.674

    -
  • TDES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB64:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

-

Version 10.0.15254

    -
  • TDES-CBC:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB64:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-CFB8:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -
  • TDES-ECB:
    • -
    • -
    • Modes: Decrypt, Encrypt
      • -
    • Keying Option: 1
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

-

Version 10.0.16299

TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

-

Version 10.0.15063

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

-

Version 8.00.6246

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

-

Version 8.00.6246

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

CTR ( int only )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

-

Version 7.00.2872

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

-

Version 8.00.6246

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
-
-

-

Version 10.0.14393

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
-
-

-

Version 10.0.10586

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
-
-

-

Version 10.0.10240

TECB( KO 1 e/d, ) ;

-

TCBC( KO 1 e/d, ) ;

-

TCFB8( KO 1 e/d, ) ;

-

TCFB64( KO 1 e/d, )

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

-

Version 6.3.9600

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 ) ;

-

TCFB64( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 ) ;

-

TCFB8( e/d; KO 1,2 )

Windows Vista Symmetric Algorithm Implementation #549
Triple DES MAC

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

-

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

TECB( e/d; KO 1,2 ) ;

-

TCBC( e/d; KO 1,2 )

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

-

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

-

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

-

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

-

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

-

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

-

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

-

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

-

Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

-

Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

-

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

-

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

-

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

-

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

-

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

-

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

-

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

-

Windows XP Microsoft Enhanced Cryptographic Provider #81

-

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

-

Crypto Driver for Windows 2000 (fips.sys) #16

- - -#### SP 800-132 Password Based Key Derivation Function (PBKDF) - - - - - - - - - - - - - - -
- Modes / States / Key Sizes - - Algorithm Implementation and Certificate # -
- PBKDF (vendor affirmed) -

 Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)

-

Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

-

Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)

-

Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)

-
- PBKDF (vendor affirmed) -

Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

-

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

-
- - -#### Component Validation List - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Publication / Component Validated / DescriptionImplementation and Certificate #
    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

-

Version 6.3.9600

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Microsoft Surface Hub Virtual TPM Implementations #1519

-

Version 10.0.15063.674

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

-

Version 10.0.16299

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

-

Version 10.0.15063.674

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

-

Version 10.0.15063.674

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

 Prerequisite: DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

-

Version 10.0.15063.674

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

-

Version 10.0.15063.674

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

-

Version 10.0.15063.674

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

-

Version 10.0.15063.674

    -
  • IKEv1:
    • -
    • -
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • -
    • Pre-shared Key Length: 64-2048
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, HMAC #3269

-
    -
  • IKEv2:
    • -
    • -
    • Derived Keying Material length: 192-1792
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4011, HMAC #3269

-
    -
  • TLS:
    • -
    • -
    • Supports TLS 1.0/1.1
      • -
    • Supports TLS 1.2:
      • -
      • -
      • SHA Functions: SHA-256, SHA-384
        • -
      • -
    • -
-

Prerequisite: SHS #4011, HMAC #3269

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

-

Version 10.0.15063.674

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

-

Version 10.0.15254

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

-

Version 10.0.15254

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

-

Version 10.0.15254

    -
  • IKEv1:
    • -
    • -
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • -
    • Pre-shared Key Length: 64-2048
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, HMAC #3268

-
    -
  • IKEv2:
    • -
    • -
    • Derived Keying Material length: 192-1792
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4010, HMAC #3268

-
    -
  • TLS:
    • -
    • -
    • Supports TLS 1.0/1.1
      • -
    • Supports TLS 1.2:
      • -
      • -
      • SHA Functions: SHA-256, SHA-384
        • -
      • -
    • -
-

Prerequisite: SHS #4010, HMAC #3268

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

-

Version 10.0.15254

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

-

Version 10.0.15254

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

-

Version 10.0.15254

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

-

Version 10.0.15254

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

-

Version 10.0.16299

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

-

Version 10.0.16299

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

-

Version 10.0.16299

    -
  • ECDSA SigGen:
    • -
    • -
    • P-256 SHA: SHA-256
      • -
    • P-384 SHA: SHA-384
      • -
    • P-521 SHA: SHA-512
      • -
    • -
-

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

-

Version 10.0.16299

    -
  • RSADP:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

-

Version 10.0.16299

-

 

    -
  • RSASP1:
    • -
    • -
    • Modulus Size: 2048 (bits)
      • -
    • Padding Algorithms: PKCS 1.5
      • -
    • -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

-

Version 10.0.16299

    -
  • IKEv1:
    • -
    • -
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • -
    • Pre-shared Key Length: 64-2048
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, HMAC #3267

-
    -
  • IKEv2:
    • -
    • -
    • Derived Keying Material length: 192-1792
      • -
    • Diffie-Hellman shared secrets:
      • -
      • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 2048 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 256 (bits)
          • -
        • SHA Functions: SHA-256
          • -
        • -
      • Diffie-Hellman shared secret:
        • -
        • -
        • Length: 384 (bits)
          • -
        • SHA Functions: SHA-384
          • -
        • -
      • -
    • -
-

Prerequisite: SHS #4009, HMAC #3267

-
    -
  • TLS:
    • -
    • -
    • Supports TLS 1.0/1.1
      • -
    • Supports TLS 1.2:
      • -
      • -
      • SHA Functions: SHA-256, SHA-384
        • -
      • -
    • -
-

Prerequisite: SHS #4009, HMAC #3267

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

-

Version 10.0.16299

FIPS186-4 ECDSA

-

Signature Generation of hash sized messages

-

ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
-Version 10.0. 15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
-Version 10.0. 15063

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
-Version 10.0.14393

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
-Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
-Version 10.0.10586

-

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
-Version 6.3.9600

FIPS186-4 RSA; PKCS#1 v2.1

-

RSASP1 Signature Primitive

-

RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
-Version 10.0.15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
-Version 10.0.15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
-Version 10.0.15063

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
-Version 10.0.14393

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
-Version 10.0.14393

-

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
-Version 10.0.10586

-

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
-Version  10.0.10240

-

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
-Version 6.3.9600

FIPS186-4 RSA; RSADP

-

RSADP Primitive

-

RSADP: (Mod2048)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
-Version 10.0.15063

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
-Version 10.0.15063

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
-Version 10.0.14393

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
-Version 10.0.14393

-

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
-Version 10.0.10586

-

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
-Version  10.0.10240

SP800-135

-

Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

-

Version 10.0.16299

-

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
-Version 10.0.15063

-

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
-Version 7.00.2872

-

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
-Version 8.00.6246

-

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
-Version 10.0.14393

-

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
-Version 10.0.10586

-

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
-Version  10.0.10240

-

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
-Version 6.3.9600

- - -## References - -\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules - -\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ - -\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) - -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths - -## Additional Microsoft References - -Enabling FIPS mode - - -Cipher Suites in Schannel - [https://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx) - + +Please be aware that selection of FIPS mode can limit product functionality (See ). + +## Information for Software Developers + +This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules. + +Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes. + +### Using Microsoft Cryptographic Modules in a FIPS mode of operation + +No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section. + +When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications. + +If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries. + +### Key Strengths and Validity Periods + +NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST. + +## FIPS 140 FAQ + +The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products. + +1. How does FIPS 140 relate to the Common Criteria? + **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products. + In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly. +2. How does FIPS 140 relate to Suite B? + **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. + The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard. +3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me? + **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list. + Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules. +4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules? + **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against. + You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details). +5. What does "When operated in FIPS mode" mean on certificates? + **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy). +6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration? + **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any. +7. Is BitLocker to Go FIPS 140-2 validated? + **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules. +8. Are applications FIPS 140-2 validated? + **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest. +9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules? + **Answer:** See [https://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx) + +## Microsoft FIPS 140 Validated Cryptographic Modules + +### Modules By Operating System + +The following tables identify the Cryptographic Modules for an operating system. + +#### Windows + +##### Windows 10 Creators Update (Version 1703) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

#3094

+

FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

Boot Manager10.0.15063#3089

FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

+

Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

Windows OS Loader10.0.15063#3090

FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

+

Other algorithms: NDRNG

Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
Code Integrity (ci.dll)10.0.15063#3093

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

+ + +\[1\] Applies only to Home, Pro, Enterprise, Education and S + +\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub + +\[3\] Applies only to Pro, Enterprise Education and S + +##### Windows 10 Anniversary Update (Version 1607) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

Boot Manager10.0.14393#2931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.14393#2935

FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

+ + +\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile + +\[3\] Applies only to Pro, Enterprise and Enterprise LTSB + +##### Windows 10 November 2015 Update (Version 1511) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
Code Integrity (ci.dll)10.0.10586#2604

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: AES (non-compliant); MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
+
+Other algorithms: MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

+ + +\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[6\] Applies only to Home, Pro and Enterprise + +\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub + +\[8\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 10 (Version 1507) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
+
+Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
Code Integrity (ci.dll)10.0.10240#2604

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: AES (non-compliant); MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
+
+Other algorithms: MD5

+

Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

+ + +\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[12\] Applies only to Pro, Enterprise and Enterprise LTSB + +\[13\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 8.1 + +Validated Editions: RT, Pro, Enterprise, Phone, Embedded + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

+

Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5

+

Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

+ + +\[14\] Applies only to Pro, Enterprise, and Embedded 8. + +##### Windows 8 + +Validated Editions: RT, Home, Pro, Enterprise, Phone + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A
Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +\[15\] Applies only to Home and Pro + +**Windows 7** + +Validated Editions: Windows 7, Windows 7 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

6.1.7600.16385

+

6.1.7601.17514

1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Kernel Mode Cryptographic Primitives Library (cng.sys)

6.1.7600.16385

+

6.1.7600.16915

+

6.1.7600.21092

+

6.1.7601.17514

+

6.1.7601.17725

+

6.1.7601.17919

+

6.1.7601.21861

+

6.1.7601.22076

1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Boot Manager

6.1.7600.16385

+

6.1.7601.17514

1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
+
+Other algorithms: MD5
Winload OS Loader (winload.exe)

6.1.7600.16385

+

6.1.7600.16757

+

6.1.7600.20897

+

6.1.7600.20916

+

6.1.7601.17514

+

6.1.7601.17556

+

6.1.7601.21655

+

6.1.7601.21675

1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5
BitLocker™ Drive Encryption

6.1.7600.16385

+

6.1.7600.16429

+

6.1.7600.16757

+

6.1.7600.20536

+

6.1.7600.20873

+

6.1.7600.20897

+

6.1.7600.20916

+

6.1.7601.17514

+

6.1.7601.17556

+

6.1.7601.21634

+

6.1.7601.21655

+

6.1.7601.21675

1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser
Code Integrity (CI.DLL)

6.1.7600.16385

+

6.1.7600.17122

+

6.1.7600.21320

+

6.1.7601.17514

+

6.1.7601.17950

+

6.1.7601.22108

1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
+
+Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
+(no change in SP1)		1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
+(no change in SP1)		1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +##### Windows Vista SP1 + +Validated Editions: Ultimate Edition + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
+
+Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

+

Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

+

Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

+ + +##### Windows Vista + +Validated Editions: Ultimate Edition + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
+
+Other algorithms: Elephant Diffuser
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+
+Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
+ + +##### Windows XP SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

+

Other algorithms: DES; MD5; HMAC MD5

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

+

Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

+ + +##### Windows XP SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

+

Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

+ + +##### Windows XP SP1 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

+

Other algorithms: DES (Cert. #156); RC2; RC4; MD5

+ + +##### Windows XP + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module5.1.2600.0241

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

+

Other algorithms: DES (Cert. #89)

+ + +##### Windows 2000 SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2195.3665 [SP3])

+

(Base: 5.0.2195.3839 [SP3])

+

(DSS/DH Enh: 5.0.2195.3665 [SP3])

+

(Enh: 5.0.2195.3839 [SP3]

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

+ + +##### Windows 2000 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

+

Other algorithms: DES (Certs. #89)

Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS:

+

5.0.2195.2228 [SP2])

+

(Base:

+

5.0.2195.2228 [SP2])

+

(DSS/DH Enh:

+

5.0.2195.2228 [SP2])

+

(Enh:

+

5.0.2195.2228 [SP2])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

+ + +##### Windows 2000 SP1 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

(Base DSS: 5.0.2150.1391 [SP1])

+

(Base: 5.0.2150.1391 [SP1])

+

(DSS/DH Enh: 5.0.2150.1391 [SP1])

+

(Enh: 5.0.2150.1391 [SP1])

103

FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

+ + +##### Windows 2000 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

+ + +##### Windows 95 and Windows 98 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

+

Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

+ + +##### Windows NT 4.0 + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
+
+Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
+ + +#### Windows Server + +##### Windows Server 2016 + +Validated Editions: Standard, Datacenter, Storage Server + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+
+Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager10.0.143932931

FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

+

Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: NDRNG; MD5
BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+
+Other algorithms: AES (non-compliant); MD5
Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+
+Other algorithms: MD5
+ + +##### Windows Server 2012 R2 + +Validated Editions: Server, Storage Server, + +**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+
+Other algorithms: MD5; NDRNG
BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+
+Other algorithms: MD5
BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
+
+Other algorithms: N/A
Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+
+Other algorithms: MD5
+ + +\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +**Windows Server 2012** + +Validated Editions: Server, Storage Server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+
+Other algorithms: N/A
Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+
+Other algorithms: MD5
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +##### Windows Server 2008 R2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5
Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5
Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
+
+Other algorithms: MD5
Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+
+Other algorithms: Elephant Diffuser
+ + +##### Windows Server 2008 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: N/A
Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5
Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
+
+Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+
+-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
+ + +##### Windows Server 2003 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

+

Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

+

Other algorithms: DES; HMAC-MD5

Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

+

Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

+ + +##### Windows Server 2003 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

+

[1] x86
+[2] SP1 x86, x64, IA64

+ + +##### Windows Server 2003 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

+

Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

+

Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

+

[1] x86
+[2] SP1 x86, x64, IA64

Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

+

Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

+

[1] x86
+[2] SP1 x86, x64, IA64

+ + +#### Other Products + +##### Windows Embedded Compact 7 and Windows Embedded Compact 8 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

+

Allowed algorithms: HMAC-MD5; MD5; NDRNG

Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

+

Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

+ + + +##### Windows CE 6.0 and Windows Embedded Compact 7 + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

+

Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

+ + +##### Outlook Cryptographic Provider + + ++++++ + + + + + + + + + + + + + + +
Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

+

Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

+ + + +### Cryptographic Algorithms + +The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. + +### Advanced Encryption Standard (AES) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-OFB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +

Microsoft Surface Hub Virtual TPM Implementations #4904

+

Version 10.0.15063.674

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-OFB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

+

Version 10.0.16299

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CCM:
    • +
    • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CMAC:
    • +
    • +
    • Generation:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • Verification:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-GCM:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • 96 bit IV supported
      • +
    • +
  • AES-XTS:
    • +
    • +
    • Key Size: 128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • Key Size: 256:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

+

Version 10.0.15063.674

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CCM:
    • +
    • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CMAC:
    • +
    • +
    • Generation:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • Verification:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-GCM:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • 96 bit IV supported
      • +
    • +
  • AES-XTS:
    • +
    • +
    • Key Size: 128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • Key Size: 256:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

+

Version 10.0.15254

    +
  • AES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CCM:
    • +
    • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
      • +
    • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    • +
  • AES-CFB128:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-CMAC:
    • +
    • +
    • Generation:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • Verification:
      • +
      • +
      • AES-128:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-192:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • AES-256:
        • +
        • +
        • Block Sizes: Full, Partial
          • +
        • Message Length: 0-65536
          • +
        • Tag Length: 16-16
          • +
        • +
      • +
    • +
  • AES-CTR:
    • +
    • +
    • Counter Source: Internal
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • +
  • AES-GCM:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • IV Generation: External
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Tag Lengths: 96, 104, 112, 120, 128 (bits)
      • +
    • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • AAD Lengths: 0, 8, 1016, 1024 (bits)
      • +
    • 96 bit IV supported
      • +
    • +
  • AES-XTS:
    • +
    • +
    • Key Size: 128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • Key Size: 256:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Block Sizes: Full
        • +
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

+

Version 10.0.16299

AES-KW:

+
    +
  • Modes: Decrypt, Encrypt
    • +
  • CIPHK transformation direction: Forward
    • +
  • Key Lengths: 128, 192, 256 (bits)
    • +
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
+

AES Val#4902

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

+

Version 10.0.15063.674

AES-KW:

+
    +
  • Modes: Decrypt, Encrypt
    • +
  • CIPHK transformation direction: Forward
    • +
  • Key Lengths: 128, 192, 256 (bits)
    • +
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
+

AES Val#4901

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

+

Version 10.0.15254

AES-KW:

+
    +
  • Modes: Decrypt, Encrypt
    • +
  • CIPHK transformation direction: Forward
    • +
  • Key Lengths: 128, 192, 256 (bits)
    • +
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
    • +
+

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

+

Version 10.0.16299

AES-CCM:

+
    +
  • Key Lengths: 256 (bits)
    • +
  • Tag Lengths: 128 (bits)
    • +
  • IV Lengths: 96 (bits)
    • +
  • Plain Text Length: 0-32
    • +
  • AAD Length: 0-65536
    • +
+

AES Val#4902

Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

+

Version 10.0.15063.674

AES-CCM:

+
    +
  • Key Lengths: 256 (bits)
    • +
  • Tag Lengths: 128 (bits)
    • +
  • IV Lengths: 96 (bits)
    • +
  • Plain Text Length: 0-32
    • +
  • AAD Length: 0-65536
    • +
+

AES Val#4901

Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

+

Version 10.0.15254

AES-CCM:

+
    +
  • Key Lengths: 256 (bits)
    • +
  • Tag Lengths: 128 (bits)
    • +
  • IV Lengths: 96 (bits)
    • +
  • Plain Text Length: 0-32
    • +
  • AAD Length: 0-65536
    • +
+

AES Val#4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

+

Version 10.0.16299

CBC ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

OFB ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

+

Version 10.0.15063

KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

+

AES Val#4624

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

+

Version 10.0.15063

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#4624

+

 

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

+

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

+

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

+

IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

+

GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

+

Version 10.0.15063

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

+

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

+

Version 8.00.6246

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

+

Version 7.00.2872

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

+

Version 8.00.6246

CBC ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

OFB ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

+

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

+

Version 10.0.14393

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
+Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

+

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

+

Version 10.0.14393

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#4064

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

+

Version 10.0.14393

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

+

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

+

Version 10.0.10586

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#3629

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

+

Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
+Version 10.0.10586

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
+
+

+

Version 10.0.10586

KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

+

AES Val#3497

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

+

Version 10.0.10240

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#3497

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

+

Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

+

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
+GMAC_Supported

+

XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
+Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
+Version 10.0.10240

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

+

Version 6.3.9600

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#2832

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

+

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

+

GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

+

(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

+

IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
+OtherIVLen_Supported
+GMAC_Supported

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

+

Version 6.3.9600

CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#2197

+

CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
+AES Val#2197

+

GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
+(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
+IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
+GMAC_Supported

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

+

AES Val#2196

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

CFB128 ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+AES Val#1168

Windows Server 2008 R2 and SP1 CNG algorithms #1187

+

Windows 7 Ultimate and SP1 CNG algorithms #1178

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+AES Val#1168		Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

+

 

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

GCM

+

GMAC

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

Windows Server 2008 CNG algorithms #757

+

Windows Vista Ultimate SP1 CNG algorithms #756

CBC ( e/d; 128 , 256 );

+

CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

Windows Vista Ultimate BitLocker Drive Encryption #715

+

Windows Vista Ultimate BitLocker Drive Encryption #424

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CFB8 ( e/d; 128 , 192 , 256 );

Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

+

Windows Vista Symmetric Algorithm Implementation #553

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

+

CTR ( int only; 128 , 192 , 256 )

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

ECB ( e/d; 128 , 192 , 256 );

+

CBC ( e/d; 128 , 192 , 256 );

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

+

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

+

Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

+

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

+

Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

+

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

+

Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

+

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

+

Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

+ + +Deterministic Random Bit Generator (DRBG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function not used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4904

Microsoft Surface Hub Virtual TPM Implementations #1734

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function not used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4903

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

+

Version 10.0.16299

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4902

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4901

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

+

Version 10.0.15254

    +
  • Counter:
    • +
    • +
    • Modes: AES-256
      • +
    • Derivation Function States: Derivation Function used
      • +
    • Prediction Resistance Modes: Not Enabled
      • +
    • +
+

Prerequisite: AES #4897

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

+

Version 10.0.16299

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

+

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

+

Version 10.0.15063

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

+

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

+

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

+

Version 7.00.2872

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

+

Version 8.00.6246

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

+

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

+

Version 10.0.14393

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

+

Version 10.0.10586

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

+

Version 10.0.10240

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

+

Version 6.3.9600

CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
+ + +#### Digital Signature Algorithm (DSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • DSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • PQGGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • PQGVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • KeyPair:
        • +
        • +
        • L = 2048, N = 256
          • +
        • L = 3072, N = 256
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

+

Version 10.0.15063.674

    +
  • DSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • PQGGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • PQGVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • KeyPair:
        • +
        • +
        •  
          • +
        •  
          • +
        • L = 2048, N = 256
          • +
        • L = 3072, N = 256
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

+

Version 10.0.15254

    +
  • DSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • PQGGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • PQGVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigGen:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • SigVer:
        • +
        • +
        • L = 2048, N = 256 SHA: SHA-256
          • +
        • L = 3072, N = 256 SHA: SHA-256
          • +
        • +
      • KeyPair:
        • +
        • +
        • L = 2048, N = 256
          • +
        • L = 3072, N = 256
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

+

Version 10.0.16299

FIPS186-4:

+

PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

+

PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

KeyPairGen:   [ (2048,256) ; (3072,256) ]

+

SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

+

SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val#3790

+

DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

+

Version 10.0.15063

FIPS186-4:
+PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SHS: Val# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

+

Version 7.00.2872

FIPS186-4:
+PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
+SHS: Val#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

+

Version 8.00.6246

FIPS186-4:
+PQG(gen)PARMS TESTED: [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen:    [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED:   [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 3347
+DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

+

Version 10.0.14393

FIPS186-4:
+PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
+KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 3047
+DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

+

Version 10.0.10586

FIPS186-4:
+PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen:    [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 2886
+DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

+

Version 10.0.10240

FIPS186-4:
+PQG(gen)PARMS TESTED:   [
+(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED:   [ (2048,256)
+SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen:    [ (2048,256) ; (3072,256) ]
+SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

+

SHS: Val# 2373
+DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

+

Version 6.3.9600

FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1903
+DRBG: #258

+

FIPS186-4:
+PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
+SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
FIPS186-2:
+PQG(ver) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: #1902
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

Windows Server 2008 R2 and SP1 CNG algorithms #391

+

Windows 7 Ultimate and SP1 CNG algorithms #386

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 1081
+RNG: Val# 649
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

+

Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

Windows Server 2008 CNG algorithms #284

+

Windows Vista Ultimate SP1 CNG algorithms #283

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 753
+RNG: Val# 435
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

Windows Server 2008 Enhanced DSS (DSSENH) #282

+

Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

Windows Vista CNG algorithms #227

+

Windows Vista Enhanced DSS (DSSENH) #226

FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 784
+RNG: Val# 448
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.		Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
FIPS186-2:
+SIG(ver) MOD(1024);
+SHS: Val# 783
+RNG: Val# 447
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 611
+RNG: Val# 314		Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 385		Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
FIPS186-2:
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SIG(ver) MOD(1024);
+SHS: Val# 181
+
+		Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
FIPS186-2:
+PQG(gen) MOD(1024);
+PQG(ver) MOD(1024);
+KEYGEN(Y) MOD(1024);
+SIG(gen) MOD(1024);
+SHS: SHA-1 (BYTE)
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE)

Windows 2000 DSSENH.DLL #29

+

Windows 2000 DSSBASE.DLL #28

+

Windows NT 4 SP6 DSSENH.DLL #26

+

Windows NT 4 SP6 DSSBASE.DLL #25

FIPS186-2: PRIME;
+FIPS186-2:

+

KEYGEN(Y):
+SHS: SHA-1 (BYTE)

+

SIG(gen):
+SIG(ver) MOD(1024);
+SHS: SHA-1 (BYTE)

Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
+ + +#### Elliptic Curve Digital Signature Algorithm (ECDSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #2373, DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

+

Version 6.3.9600

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384
          • +
        • Generation Methods: Testing Candidates
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #1253

+

Version 10.0.15063.674

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384
          • +
        • Generation Methods: Testing Candidates
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

+

Version 10.0.16299

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

+

Version 10.0.15063.674

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

+

Version 10.0.15063.674

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

+

Version 10.0.15254

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

+

Version 10.0.15254

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

+

Version 10.0.16299

    +
  • ECDSA:
    • +
    • +
    • 186-4:
      • +
      • +
      • Key Pair Generation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • Generation Methods: Extra Random Bits
          • +
        • +
      • Public Key Validation:
        • +
        • +
        • Curves: P-256, P-384, P-521
          • +
        • +
      • Signature Generation:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • Signature Verification:
        • +
        • +
        • P-256 SHA: SHA-256
          • +
        • P-384 SHA: SHA-384
          • +
        • P-521 SHA: SHA-512
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

+

Version 10.0.16299

FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+SHS: Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

+

Version 10.0.15063

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

+

Version 10.0.15063

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

+

Version 10.0.15063

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val# 3649
+DRBG:Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

+

Version 7.00.2872

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
+SHS:Val#3648
+DRBG:Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

+

Version 8.00.6246

FIPS186-4:
+PKG: CURVES( P-256 P-384 TestingCandidates )
+PKV: CURVES( P-256 P-384 )
+SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

+

SHS: Val# 3347
+DRBG: Val# 1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

+

Version 10.0.14393

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+PKV: CURVES( P-256 P-384 P-521 )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val# 3347
+DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

+

Version 10.0.14393

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val# 3047
+DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

+

Version 10.0.10586

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val# 2886
+DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

+

Version 10.0.10240

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

+

SHS: Val#2373
+DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

+

Version 6.3.9600

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258
+SIG(ver):CURVES( P-256 P-384 P-521 )
+SHS: #1903
+DRBG: #258

+

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: #1903
+DRBG: #258
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1773
+DRBG: Val# 193

+

FIPS186-4:
+PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
+SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SHS: Val#1773
+DRBG: Val# 193
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#1081
+DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

Windows Server 2008 R2 and SP1 CNG algorithms #142

+

Windows 7 Ultimate and SP1 CNG algorithms #141

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

Windows Server 2008 CNG algorithms #83

+

Windows Vista Ultimate SP1 CNG algorithms #82

FIPS186-2:
+PKG: CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+SIG(ver): CURVES( P-256 P-384 P-521 )
+SHS: Val#618
+RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.		Windows Vista CNG algorithms #60
+ + +#### Keyed-Hash Message Authentication Code (HMAC) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4011

Microsoft Surface Hub Virtual TPM Implementations #3271

+

Version 10.0.15063.674

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

+

Version 10.0.16299

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-512:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4011

Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

+

Version 10.0.15063.674

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-512:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4010

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

+

Version 10.0.15254

    +
  • HMAC-SHA-1:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-256:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-384:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
  • HMAC-SHA2-512:
    • +
    • +
    • Key Sizes < Block Size
      • +
    • Key Sizes > Block Size
      • +
    • Key Sizes = Block Size
      • +
    • +
+

Prerequisite: SHS #4009

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

+

Version 10.0.16299

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

+

Version 10.0.15063

HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

+

Version 10.0.15063

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

+

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

+

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

+

Version 7.00.2872

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

+

Version 8.00.6246

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHS Val# 3347

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3347

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

+

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

+

Version 10.0.14393

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHS Val# 3047

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3047

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3047

+

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
+SHS Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

+

Version 10.0.10586

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHSVal# 2886

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHSVal# 2886

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+ SHSVal# 2886

+

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
+SHSVal# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

+

Version 10.0.10240

HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
+SHS Val#2373

+

HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
+SHS Val#2373

+

HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
+SHS Val#2373

+

HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
+SHS Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

+

Version 6.3.9600

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

+

Version 5.2.29344

HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

+

HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

+

SHS#1903

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

+

SHS#1903

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

+

SHS#1903

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

+

SHS#1903

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

+

Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

Windows Server 2008 R2 and SP1 CNG algorithms #686

+

Windows 7 and SP1 CNG algorithms #677

+

Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

+

Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

+

Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

+

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

Windows Server 2008 CNG algorithms #413

+

Windows Vista Ultimate SP1 CNG algorithms #412

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

Windows Vista Ultimate BitLocker Drive Encryption #386

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

Windows Vista CNG algorithms #298

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

+

HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

Windows Vista BitLocker Drive Encryption #199
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

+

Windows XP, vendor-affirmed

HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

+

HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

+

HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

+

HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
+ + +#### Key Agreement Scheme (KAS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Full Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #150

+

Version 10.0.15063.674

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Full Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

+

Version 10.0.16299

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Ephemeral Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • One Pass DH:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • Static Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

+
    +
  • KAS FFC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
    • Schemes:
      • +
      • +
      • dhEphem:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhOneFlow:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhStatic:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DSA #1303, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

+

Version 10.0.15063.674

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Ephemeral Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • One Pass DH:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • Static Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

+
    +
  • KAS FFC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
    • Schemes:
      • +
      • +
      • dhEphem:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhOneFlow:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhStatic:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DSA #1302, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

+

Version 10.0.15254

    +
  • KAS ECC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
      • +
    • Schemes:
      • +
      • +
      • Ephemeral Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • KDFs: Concatenation
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • One Pass DH:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • Static Unified:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • EC:
            • +
            • +
            • Curve: P-256
              • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • ED:
            • +
            • +
            • Curve: P-384
              • +
            • SHA: SHA-384
              • +
            • MAC: HMAC
              • +
            • +
          • EE:
            • +
            • +
            • Curve: P-521
              • +
            • SHA: SHA-512
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

+
    +
  • KAS FFC:
    • +
    • +
    • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
      • +
    • Schemes:
      • +
      • +
      • dhEphem:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhOneFlow:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • dhStatic:
        • +
        • +
        • Key Agreement Roles: Initiator, Responder
          • +
        • Parameter Sets:
          • +
          • +
          • FB:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • FC:
            • +
            • +
            • SHA: SHA-256
              • +
            • MAC: HMAC
              • +
            • +
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DSA #1301, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

+

Version 10.0.16299

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

+

SHS Val#3790
+DSA Val#1135
+DRBG Val#1556

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

+

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+SHS Val#3790
+DSA Val#1223
+DRBG Val#1555

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3790
+ECDSA Val#1133
+DRBG Val#1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

+

Version 10.0.15063

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+SHS Val# 3649
+DSA Val#1188
+DRBG Val#1430

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

+

Version 7.00.2872

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
+SHS Val#3648
+DSA Val#1187
+DRBG Val#1429

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS Val#3648
+ECDSA Val#1072
+DRBG Val#1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

+

Version 8.00.6246

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
+SCHEMES  [ FullUnified  ( No_KC  < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

+

SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

+

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
+SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val# 3347 DSA Val#1098 DRBG Val#1217

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

+

Version 10.0.14393

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val# 3047 DSA Val#1024 DRBG Val#955

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val# 3047 ECDSA Val#760 DRBG Val#955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

+

Version 10.0.10586

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val# 2886 DSA Val#983 DRBG Val#868

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val# 2886 ECDSA Val#706 DRBG Val#868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

+

Version 10.0.10240

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
+( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

+

SHS Val#2373 DSA Val#855 DRBG Val#489

+

ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
+[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

+

SHS Val#2373 ECDSA Val#505 DRBG Val#489

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

+

Version 6.3.9600

FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
+( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
+[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
+SHS #1903 DSA Val#687 DRBG #258

+

ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
+[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
+[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+SHS #1903 ECDSA Val#341 DRBG #258

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

KAS (SP 800–56A)

+

key agreement

+

key establishment methodology provides 80 to 256 bits of encryption strength

Windows 7 and SP1, vendor-affirmed

+

Windows Server 2008 R2 and SP1, vendor-affirmed

+ + +SP 800-108 Key-Based Key Derivation Functions (KBKDF) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • Counter:
    • +
    • +
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • +
    • +
+

MAC prerequisite: HMAC #3271

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: DRBG #1734, KAS #150

Microsoft Surface Hub Virtual TPM Implementations #161

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
      • +
    • +
+

MAC prerequisite: HMAC #3270

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: DRBG #1733, KAS #149

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

+

Version 10.0.16299

    +
  • Counter:
    • +
    • +
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
+

MAC prerequisite: AES #4902, HMAC #3269

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
  • K prerequisite: KAS #148
    • +
+

Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

+

Version 10.0.15063.674

    +
  • Counter:
    • +
    • +
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
+

MAC prerequisite: AES #4901, HMAC #3268

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: KAS #147

Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

+

Version 10.0.15254

    +
  • Counter:
    • +
    • +
    • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
      • +
    • +
+

MAC prerequisite: AES #4897, HMAC #3267

+
+
    +
  • Counter Location: Before Fixed Data
    • +
  • R Length: 32 (bits)
    • +
  • SPs used to generate K: SP 800-56A, SP 800-90A
    • +
+
+

K prerequisite: KAS #146

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

+

Version 10.0.16299

CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#128
+DRBG Val#1556
+MAC Val#3062

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

+

Version 10.0.15063

CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+
+KAS Val#127
+AES Val#4624
+DRBG Val#1555
+MAC Val#3061

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

+

Version 10.0.15063

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#93 DRBG Val#1222 MAC Val#2661

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

+

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

+

Version 10.0.14393

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

+

Version 10.0.10586

CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

+

Version 10.0.10240

CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

DRBG Val#489 MAC Val#1773

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

+

Version 6.3.9600

CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

+

DRBG #258 HMAC Val#1345

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
+ + +Random Number Generator (RNG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #

FIPS 186-2 General Purpose

+

[ (x-Original); (SHA-1) ]

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
FIPS 186-2
+[ (x-Original); (SHA-1) ]

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

+

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

+

Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

+

Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]

+

FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ]

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

+

Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

+

Windows Vista RNG implementation #321

FIPS 186-2 General Purpose
+[ (x-Change Notice); (SHA-1) ]

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

+

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

+

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

+

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

FIPS 186-2
+[ (x-Change Notice); (SHA-1) ]

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

+

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

+ + +#### RSA + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1734

Microsoft Surface Hub Virtual TPM Implementations #2677

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 240 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1733

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

+

Version 10.0.16299

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub RSA32 Algorithm Implementations #2675

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

+

Version 10.0.16299

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

+

Version 10.0.15254

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Public Key Exponent: Fixed (10001)
        • +
      • Provable Primes with Conditions:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.3
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Probable Random Primes:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.2
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

+

Version 10.0.15063.674

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Probable Random Primes:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.2
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

+

Version 10.0.15254

RSA:

+
    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Public Key Exponent: Fixed (10001)
        • +
      • Provable Primes with Conditions:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.3
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

+

Version 10.0.15254

    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Public Key Exponent: Fixed (10001)
        • +
      • Provable Primes with Conditions:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.3
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

+

Version 10.0.16299

    +
  • 186-4:
    • +
    • +
    • Key Generation:
      • +
      • +
      • Probable Random Primes:
        • +
        • +
        • Mod lengths: 2048, 3072 (bits)
          • +
        • Primality Tests: C.2
          • +
        • +
      • +
    • Signature Generation PKCS1.5:
      • +
      • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Generation PSS:
      • +
      • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • Signature Verification PKCS1.5:
      • +
      • +
      • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
        • +
      • +
    • Signature Verification PSS:
      • +
      • +
      • Mod 1024:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 496 (bits)
          • +
        • +
      • Mod 2048:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • Mod 3072:
        • +
        • +
        • SHA-1: Salt Length: 160 (bits)
          • +
        • SHA-256: Salt Length: 256 (bits)
          • +
        • SHA-384: Salt Length: 384 (bits)
          • +
        • SHA-512: Salt Length: 512 (bits)
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

+

Version 10.0.16299

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+SHA Val#3790

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

+

Version 10.0.15063

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

+

Version 10.0.15063

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790
+DRBG: Val# 1555

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

+

Version 10.0.15063

FIPS186-4:
+186-4KEY(gen):
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+SHA Val#3790

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

+

Version 10.0.15063

FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

+

FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3652

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

+

Version 7.00.2872

FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

+

FIPS186-4:
+ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3651

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

+

Version 8.00.6246

FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

+

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val# 3649
+DRBG: Val# 1430

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

+

Version 7.00.2872

FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

+

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
+PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SHA Val#3648
+DRBG: Val# 1429

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

+

Version 8.00.6246

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

+

SHA Val# 3347

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

+

Version 10.0.14393

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

+

Version 10.0.14393

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#3346

soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

+

Version 10.0.14393

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

+

Version 10.0.14393

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val# 3347 DRBG: Val# 1217

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

+

Version 10.0.14393

FIPS186-4:
+186-4KEY(gen):  FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val# 3047 DRBG: Val# 955

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

+

Version 10.0.10586

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#3048

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

+

Version 10.0.10586

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

+

Version 10.0.10586

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val# 3047

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

+

Version 10.0.10586

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val# 2886 DRBG: Val# 868

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

+

Version 10.0.10240

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

+

Version 10.0.10240

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2871

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

+

Version 10.0.10240

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val# 2886

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

+

Version 10.0.10240

FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e ;
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

+

SHA Val#2373 DRBG: Val# 489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

+

Version 6.3.9600

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

+

Version 6.3.9600

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

+

SHA Val#2373

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

+

Version 6.3.9600

FIPS186-4:
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

+

SHA Val#2373

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

+

Version 6.3.9600

FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
+SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
+Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
+SHA #1903

+

Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
+PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+SHA #1903 DRBG: #258		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.		Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.		Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.		Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

Windows Server 2008 R2 and SP1 CNG algorithms #567

+

Windows 7 and SP1 CNG algorithms #560

FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.		Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.		Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
FIPS186-2:
+ALG[ANSIX9.31]:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

Windows Server 2008 CNG algorithms #358

+

Windows Vista SP1 CNG algorithms #357

FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

+

Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.		Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.		Windows Vista RSA key generation implementation #258
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.		Windows Vista CNG algorithms #257
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.		Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.		Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.		Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]:
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.		Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
FIPS186-2:
+ALG[ANSIX9.31]:
+SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
+Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.		Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

FIPS186-2:

+

– PKCS#1 v1.5, signature generation and verification

+

– Mod sizes: 1024, 1536, 2048, 3072, 4096

+

– SHS: SHA–1/256/384/512

Windows XP, vendor-affirmed

+

Windows 2000, vendor-affirmed

+ + +#### Secure Hash Standard (SHS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • SHA-1:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-256:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-384:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-512:
    • +
    • +
    • Supports Empty Message
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

+

Version 10.0.15063.674

    +
  • SHA-1:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-256:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-384:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-512:
    • +
    • +
    • Supports Empty Message
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

+

Version 10.0.15254

    +
  • SHA-1:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-256:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-384:
    • +
    • +
    • Supports Empty Message
      • +
    • +
  • SHA-512:
    • +
    • +
    • Supports Empty Message
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

+

Version 10.0.16299

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

+

Version 10.0.15063

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

+

Version 7.00.2872

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

+

Version 8.00.6246

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

+

Version 7.00.2872

SHA-1      (BYTE-only)
+SHA-256  (BYTE-only)
+SHA-384  (BYTE-only)
+SHA-512  (BYTE-only)

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

+

Version 8.00.6246

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
+Version 10.0.14393
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
+Version 10.0.14393
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
+Version 10.0.10586
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
+Version 10.0.10586
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
+Version 10.0.10240
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
+Version 10.0.10240
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
+Version 6.3.9600
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
+Version 6.3.9600

SHA-1 (BYTE-only)

+

SHA-256 (BYTE-only)

+

SHA-384 (BYTE-only)

+

SHA-512 (BYTE-only)

+

Implementation does not support zero-length (null) messages.

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

+

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

+

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

SHA-1 (BYTE-only)

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

+

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

+

Windows Vista Symmetric Algorithm Implementation #618

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)

Windows Vista BitLocker Drive Encryption #737

+

Windows Vista Beta 2 BitLocker Drive Encryption #495

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

+

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

SHA-1 (BYTE-only)

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

+

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

+

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

+

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

+

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

+

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

+

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

SHA-1 (BYTE-only)
+SHA-256 (BYTE-only)
+SHA-384 (BYTE-only)
+SHA-512 (BYTE-only)

Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

+

Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

+

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

SHA-1 (BYTE-only)

Windows XP Microsoft Enhanced Cryptographic Provider #83

+

Crypto Driver for Windows 2000 (fips.sys) #35

+

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

+

Windows 2000 RSAENH.DLL #24

+

Windows 2000 RSABASE.DLL #23

+

Windows NT 4 SP6 RSAENH.DLL #21

+

Windows NT 4 SP6 RSABASE.DLL #20

+ + +#### Triple DES + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Modes / States / Key SizesAlgorithm Implementation and Certificate #
    +
  • TDES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB64:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

+

Version 10.0.15063.674

    +
  • TDES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB64:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

+

Version 10.0.15254

    +
  • TDES-CBC:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB64:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-CFB8:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +
  • TDES-ECB:
    • +
    • +
    • Modes: Decrypt, Encrypt
      • +
    • Keying Option: 1
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

+

Version 10.0.16299

TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

+

Version 10.0.15063

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

+

Version 8.00.6246

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, )

Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

+

Version 8.00.6246

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

CTR ( int only )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

+

Version 7.00.2872

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, )

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

+

Version 8.00.6246

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
+
+

+

Version 10.0.14393

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
+
+

+

Version 10.0.10586

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
+
+

+

Version 10.0.10240

TECB( KO 1 e/d, ) ;

+

TCBC( KO 1 e/d, ) ;

+

TCFB8( KO 1 e/d, ) ;

+

TCFB64( KO 1 e/d, )

Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

+

Version 6.3.9600

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 ) ;

+

TCFB64( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 ) ;

+

TCFB8( e/d; KO 1,2 )

Windows Vista Symmetric Algorithm Implementation #549
Triple DES MAC

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

+

Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

TECB( e/d; KO 1,2 ) ;

+

TCBC( e/d; KO 1,2 )

Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

+

Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

+

Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

+

Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

+

Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

+

Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

+

Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

+

Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

+

Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

+

Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

+

Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

+

Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

+

Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

+

Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

+

Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

+

Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

+

Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

+

Windows XP Microsoft Enhanced Cryptographic Provider #81

+

Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

+

Crypto Driver for Windows 2000 (fips.sys) #16

+ + +#### SP 800-132 Password Based Key Derivation Function (PBKDF) + + + + + + + + + + + + + + +
+ Modes / States / Key Sizes + + Algorithm Implementation and Certificate # +
+ PBKDF (vendor affirmed) +

 Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
(Software Version: 10.0.14393)

+

Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

+

Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
(Software Version: 10.0.14393)

+

Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
(Software Version: 10.0.14393)

+
+ PBKDF (vendor affirmed) +

Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
(Software Version: 10.0.14393)

+

Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

+
+ + +#### Component Validation List + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Publication / Component Validated / DescriptionImplementation and Certificate #
    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #489

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

+

Version 6.3.9600

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Microsoft Surface Hub Virtual TPM Implementations #1519

+

Version 10.0.15063.674

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

+

Version 10.0.16299

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

+

Version 10.0.15063.674

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

+

Version 10.0.15063.674

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

 Prerequisite: DRBG #1732

Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

+

Version 10.0.15063.674

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1732

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

+

Version 10.0.15063.674

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

+

Version 10.0.15063.674

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

+

Version 10.0.15063.674

    +
  • IKEv1:
    • +
    • +
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
    • Pre-shared Key Length: 64-2048
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, HMAC #3269

+
    +
  • IKEv2:
    • +
    • +
    • Derived Keying Material length: 192-1792
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4011, HMAC #3269

+
    +
  • TLS:
    • +
    • +
    • Supports TLS 1.0/1.1
      • +
    • Supports TLS 1.2:
      • +
      • +
      • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
+

Prerequisite: SHS #4011, HMAC #3269

Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

+

Version 10.0.15063.674

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

+

Version 10.0.15254

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

+

Version 10.0.15254

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

+

Version 10.0.15254

    +
  • IKEv1:
    • +
    • +
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
    • Pre-shared Key Length: 64-2048
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, HMAC #3268

+
    +
  • IKEv2:
    • +
    • +
    • Derived Keying Material length: 192-1792
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4010, HMAC #3268

+
    +
  • TLS:
    • +
    • +
    • Supports TLS 1.0/1.1
      • +
    • Supports TLS 1.2:
      • +
      • +
      • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
+

Prerequisite: SHS #4010, HMAC #3268

Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

+

Version 10.0.15254

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1731

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

+

Version 10.0.15254

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

+

Version 10.0.15254

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

+

Version 10.0.15254

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

+

Version 10.0.16299

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

+

Version 10.0.16299

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

+

Version 10.0.16299

    +
  • ECDSA SigGen:
    • +
    • +
    • P-256 SHA: SHA-256
      • +
    • P-384 SHA: SHA-384
      • +
    • P-521 SHA: SHA-512
      • +
    • +
+

Prerequisite: DRBG #1730

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

+

Version 10.0.16299

    +
  • RSADP:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

+

Version 10.0.16299

+

 

    +
  • RSASP1:
    • +
    • +
    • Modulus Size: 2048 (bits)
      • +
    • Padding Algorithms: PKCS 1.5
      • +
    • +

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

+

Version 10.0.16299

    +
  • IKEv1:
    • +
    • +
    • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
      • +
    • Pre-shared Key Length: 64-2048
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, HMAC #3267

+
    +
  • IKEv2:
    • +
    • +
    • Derived Keying Material length: 192-1792
      • +
    • Diffie-Hellman shared secrets:
      • +
      • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 2048 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 256 (bits)
          • +
        • SHA Functions: SHA-256
          • +
        • +
      • Diffie-Hellman shared secret:
        • +
        • +
        • Length: 384 (bits)
          • +
        • SHA Functions: SHA-384
          • +
        • +
      • +
    • +
+

Prerequisite: SHS #4009, HMAC #3267

+
    +
  • TLS:
    • +
    • +
    • Supports TLS 1.0/1.1
      • +
    • Supports TLS 1.2:
      • +
      • +
      • SHA Functions: SHA-256, SHA-384
        • +
      • +
    • +
+

Prerequisite: SHS #4009, HMAC #3267

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

+

Version 10.0.16299

FIPS186-4 ECDSA

+

Signature Generation of hash sized messages

+

ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
+Version 10.0. 15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
+Version 10.0. 15063

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
+Version 10.0.14393

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
+Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
+Version 10.0.10586

+

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
+Version 6.3.9600

FIPS186-4 RSA; PKCS#1 v2.1

+

RSASP1 Signature Primitive

+

RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
+Version 10.0.15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
+Version 10.0.15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
+Version 10.0.15063

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
+Version 10.0.14393

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
+Version 10.0.14393

+

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
+Version 10.0.10586

+

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
+Version  10.0.10240

+

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
+Version 6.3.9600

FIPS186-4 RSA; RSADP

+

RSADP Primitive

+

RSADP: (Mod2048)

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
+Version 10.0.15063

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
+Version 10.0.15063

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
+Version 10.0.14393

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
+Version 10.0.14393

+

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
+Version 10.0.10586

+

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
+Version  10.0.10240

SP800-135

+

Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

+

Version 10.0.16299

+

Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
+Version 10.0.15063

+

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
+Version 7.00.2872

+

Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
+Version 8.00.6246

+

Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
+Version 10.0.14393

+

Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
+Version 10.0.10586

+

Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
+Version  10.0.10240

+

Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
+Version 6.3.9600

+ + +## References + +\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules + +\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ + +\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) + +\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths + +## Additional Microsoft References + +Enabling FIPS mode - + +Cipher Suites in Schannel - [https://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index fffb9de72c..edc1463dfc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -1,57 +1,57 @@ ---- -title: Overview of Configuration score in Microsoft Defender Security Center -ms.reviewer: -description: Expand your visibility into the overall security configuration posture of your organization -keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 04/11/2019 ---- -# Configuration score -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - ->[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page. - -The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices. - -Your configuration score widget shows the collective security configuration state of your machines across the following categories: -- Application -- Operating system -- Network -- Accounts -- Security controls - -## How it works - -What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: -- Compare collected configurations to the collected benchmarks to discover misconfigured assets -- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration -- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) -- Collect and monitor changes of security control configuration state from all assets - -From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. - -## Improve your configuration score -The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on: -- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** -- **Remediation type** - **Configuration change** or **Software update** - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Overview of Configuration score in Microsoft Defender Security Center +ms.reviewer: +description: Expand your visibility into the overall security configuration posture of your organization +keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.date: 04/11/2019 +--- +# Configuration score +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as Configuration score. We’ll keep the secure score page available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection) page. + +The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over your organization's security posture based on security best practices. + +Your configuration score widget shows the collective security configuration state of your machines across the following categories: +- Application +- Operating system +- Network +- Accounts +- Security controls + +## How it works + +What you'll see in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously: +- Compare collected configurations to the collected benchmarks to discover misconfigured assets +- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration +- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams) +- Collect and monitor changes of security control configuration state from all assets + +From the widget, you'd be able to see which security aspect require attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can take action based on security benchmarks. + +## Improve your configuration score +The goal is to improve your configuration score by remediating the issues in the security recommendations list. You can filter the view based on: +- **Related component** - **Accounts**, **Application**, **Network**, **OS**, or **Security controls** +- **Remediation type** - **Configuration change** or **Software update** + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md index d1a14f1f7d..0911a2d722 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md @@ -1,45 +1,45 @@ ---- -title: Configure Threat & Vulnerability Management in Microsoft Defender ATP -ms.reviewer: -description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. -keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM -search.product: Windows 10 -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- -# Configure Threat & Vulnerability Management -**Applies to:** -- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - -This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. - -### Before you begin -> [!IMPORTANT] -> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
- -Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). - ->[!WARNING] ->Only Intune and SCCM enrolled devices are supported in this scenario.
->Use any of the following options to enroll devices in Intune: ->- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) ->- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) ->- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Configure Threat & Vulnerability Management in Microsoft Defender ATP +ms.reviewer: +description: Configure your Threat & Vulnerability Management to allow security administrators and IT administrators to collaborate seamlessly to remediate issues via Microsoft intune and Microsoft System Center Configuration Manager (SCCM) integrations. +keywords: RBAC, Threat & Vulnerability Management configuration, Threat & Vulnerability Management integrations, Microsft Intune integration with TVM, SCCM integration with TVM +search.product: Windows 10 +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- +# Configure Threat & Vulnerability Management +**Applies to:** +- [Microsoft Defender Advanced Threat Protection Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +This section guides you through the steps you need to take to configure Threat & Vulnerability Management's integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM) for a seamless collaboration of issue remediation. + +### Before you begin +> [!IMPORTANT] +> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
+ +Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft System Center Configuration Manager (SCCM). + +>[!WARNING] +>Only Intune and SCCM enrolled devices are supported in this scenario.
+>Use any of the following options to enroll devices in Intune: +>- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) +>- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) +>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 149999abec..c431ecb195 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md @@ -1,212 +1,212 @@ ---- -title: Live response command examples -description: Learn about common commands and see examples on how it's used -keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Live response command examples - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - - -Learn about common commands used in live response and see examples on how they are typically used. - -Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md). - - -## analyze - -``` -# Analyze the file malware.txt -analyze file c:\Users\user\Desktop\malware.txt -``` - -``` -# Analyze the process by PID -analyze process 1234 -``` - -## connections - -``` -# List active connections in json format using parameter name -connections -output json -``` - -``` -# List active connections in json format without parameter name -connections json -``` - -## dir - -``` -# List files and sub-folders in the current folder -dir -``` - -``` -# List files and sub-folders in a specific folder -dir C:\Users\user\Desktop\ -``` - -``` -# List files and subfolders in the current folder in json format -dir -output json -``` - -## fileinfo - -``` -# Display information about a file -fileinfo C:\Windows\notepad.exe -``` - -## findfile - -``` -# Find file by name -findfile test.txt -``` - -## getfile - -``` -# Download a file from a machine -getfile c:\Users\user\Desktop\work.txt -``` - -``` -# Download a file from a machine, automatically run prerequisite commands -getfile c:\Users\user\Desktop\work.txt -auto -``` - -## processes -``` -# Show all processes -processes -``` - -``` -# Get process by pid -processes 123 -``` - -``` -# Get process by pid with argument name -processes -pid 123 -``` - -``` -# Get process by name -processes -name notepad.exe -``` - -## putfile - -``` -# Upload file from library -putfile get-process-by-name.ps1 -``` - -``` -# Upload file from library, overwrite file if it exists -putfile get-process-by-name.ps1 -overwrite -``` - -``` -# Upload file from library, keep it on the machine after a restart -putfile get-process-by-name.ps1 -keep -``` - -## registry - -``` -# Show information about the values in a registry key -registry HKEY_CURRENT_USER\Console -``` - -``` -# Show information about a specific registry value -registry HKEY_CURRENT_USER\Console\\ScreenBufferSize -``` - - -## remediate - -``` -# Remediate file in specific path -remediate file c:\Users\user\Desktop\malware.exe -``` - -``` -# Remediate process with specific PID -remediate process 7960 -``` - -``` -# See list of all remediated entities -remediate list -``` - -## run - -``` -# Run PowerShell script from the library without arguments -run script.ps1 -``` - -``` -# Run PowerShell script from the library with arguments -run get-process-by-name.ps1 -parameters "-processName Registry" -``` - -## scheduledtask - -``` -# Get all scheduled tasks -scheduledtasks -``` - -``` -# Get specific scheduled task by location and name -scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition -``` - -``` -# Get specific scheduled task by location and name with spacing -scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation" -``` - - -## undo - -``` -# Restore remediated registry -undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize -``` - -``` -# Restore remediated scheduledtask -undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition -``` - -``` -# Restore remediated file -undo file c:\Users\user\Desktop\malware.exe -``` - +--- +title: Live response command examples +description: Learn about common commands and see examples on how it's used +keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Live response command examples + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + + +Learn about common commands used in live response and see examples on how they are typically used. + +Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md). + + +## analyze + +``` +# Analyze the file malware.txt +analyze file c:\Users\user\Desktop\malware.txt +``` + +``` +# Analyze the process by PID +analyze process 1234 +``` + +## connections + +``` +# List active connections in json format using parameter name +connections -output json +``` + +``` +# List active connections in json format without parameter name +connections json +``` + +## dir + +``` +# List files and sub-folders in the current folder +dir +``` + +``` +# List files and sub-folders in a specific folder +dir C:\Users\user\Desktop\ +``` + +``` +# List files and subfolders in the current folder in json format +dir -output json +``` + +## fileinfo + +``` +# Display information about a file +fileinfo C:\Windows\notepad.exe +``` + +## findfile + +``` +# Find file by name +findfile test.txt +``` + +## getfile + +``` +# Download a file from a machine +getfile c:\Users\user\Desktop\work.txt +``` + +``` +# Download a file from a machine, automatically run prerequisite commands +getfile c:\Users\user\Desktop\work.txt -auto +``` + +## processes +``` +# Show all processes +processes +``` + +``` +# Get process by pid +processes 123 +``` + +``` +# Get process by pid with argument name +processes -pid 123 +``` + +``` +# Get process by name +processes -name notepad.exe +``` + +## putfile + +``` +# Upload file from library +putfile get-process-by-name.ps1 +``` + +``` +# Upload file from library, overwrite file if it exists +putfile get-process-by-name.ps1 -overwrite +``` + +``` +# Upload file from library, keep it on the machine after a restart +putfile get-process-by-name.ps1 -keep +``` + +## registry + +``` +# Show information about the values in a registry key +registry HKEY_CURRENT_USER\Console +``` + +``` +# Show information about a specific registry value +registry HKEY_CURRENT_USER\Console\\ScreenBufferSize +``` + + +## remediate + +``` +# Remediate file in specific path +remediate file c:\Users\user\Desktop\malware.exe +``` + +``` +# Remediate process with specific PID +remediate process 7960 +``` + +``` +# See list of all remediated entities +remediate list +``` + +## run + +``` +# Run PowerShell script from the library without arguments +run script.ps1 +``` + +``` +# Run PowerShell script from the library with arguments +run get-process-by-name.ps1 -parameters "-processName Registry" +``` + +## scheduledtask + +``` +# Get all scheduled tasks +scheduledtasks +``` + +``` +# Get specific scheduled task by location and name +scheduledtasks Microsoft\Windows\Subscription\LicenseAcquisition +``` + +``` +# Get specific scheduled task by location and name with spacing +scheduledtasks "Microsoft\Configuration Manager\Configuration Manager Health Evaluation" +``` + + +## undo + +``` +# Restore remediated registry +undo registry HKEY_CURRENT_USER\Console\ScreenBufferSize +``` + +``` +# Restore remediated scheduledtask +undo scheduledtask Microsoft\Windows\Subscription\LicenseAcquisition +``` + +``` +# Restore remediated file +undo file c:\Users\user\Desktop\malware.exe +``` + diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index d629bea4c6..d3ed3224e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -1,255 +1,255 @@ ---- -title: Investigate entities on machines using live response in Microsoft Defender ATP -description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time. -keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Investigate entities on machines using live response - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - - -Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. - -Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. - -With live response, analysts will have the ability to: -- Run basic and advanced commands to do investigative work -- Download files such as malware samples and outcomes of PowerShell scripts -- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level -- Take or undo remediation actions - - -## Before you begin -Before you can initiate a session on a machine, make sure you fulfill the following requirements: - -- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later. - -- **Enable live response from the settings page**
-You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. - - >[!NOTE] - >Only users with manage security or global admin roles can edit these settings. - -- **Enable live response unsigned script execution** (optional)
- - >[!WARNING] - >Allowing the use of unsigned scripts may increase your exposure to threats. - - Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - -- **Ensure that you have the appropriate permissions**
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). - - Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. - -## Live response dashboard overview -When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: - -- Who created the session -- When the session started -- The duration of the session - -The dashboard also gives you access to: -- Disconnect session -- Upload files to the library -- Command console -- Command log - - -## Initiate a live response session on a machine - -1. Log in to Microsoft Defender Security Center. -2. Navigate to the machines list page and select a machine to investigate. The machine page opens. - - >[!NOTE] - >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later. - -2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine. -3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands). -4. After completing your investigation, select **Disconnect session**, then select **Confirm**. - - - -## Live response commands -Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md). - -### Basic commands -The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). - -Command | Description -:---|:---|:--- -cd | Changes the current directory. -cls | Clears the console screen. -connect | Initiates a live response session to the machine. -connections | Shows all the active connections. -dir | Shows a list of files and subdirectories in a directory -drivers | Shows all drivers installed on the machine. -fileinfo | Get information about a file. -findfile | Locates files by a given name on the machine. -help | Provides help information for live response commands. -persistence | Shows all known persistence methods on the machine. -processes | Shows all processes running on the machine. -registry | Shows registry values. -scheduledtasks| Shows all scheduled tasks on the machine. -services | Shows all services on the machine. -trace | Sets the terminal's logging mode to debug. - - -### Advanced commands -The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). - -Command | Description -:---|:--- -analyze | Analyses the entity with various incrimination engines to reach a verdict. -getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command. -run | Runs a PowerShell script from the library on the machine. -library | Lists files that were uploaded to the live response library. -putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. -remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command. -undo | Restores an entity that was remediated. - - -## Use live response commands -The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c). - -The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity. - -### Get a file from the machine -For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation. - ->[!NOTE] ->There is a file size limit of 750mb. - -### Put a file in the library -Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level. - -Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them. - -You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with. - -**To upload a file in the library:** -1. Click **Upload file to library**. -2. Click **Browse** and select the file. -3. Provide a brief description. -4. Specify if you'd like to overwrite a file with the same name. -5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. -6. Click **Confirm**. -7. (Optional) To verify that the file was uploaded to the library, run the `library` command. - - -### Cancel a command -Anytime during a session, you can cancel a command by pressing CTRL + C. - ->[!WARNING] ->Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled. - - - -### Automatically run prerequisite commands -Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error. - -You can use the auto flag to automatically run prerequisite commands, for example: - -``` -getfile c:\Users\user\Desktop\work.txt -auto -``` - - -## Run a PowerShell script -Before you can run a PowerShell script, you must first upload it to the library. - -After uploading the script to the library, use the `run` command to run the script. - -If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. - ->[!WARNING] ->Allowing the use of unsigned scripts may increase your exposure to threats. - - - -## Apply command parameters -- View the console help to learn about command parameters. To learn about an individual command, run: - - `help ` - -- When applying parameters to commands, note that parameters are handled based on a fixed order: - - ` param1 param2` - -- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value: - - ` -param2_name param2` - -- When using commands that have prerequisite commands, you can use flags: - - ` -type file -id - auto` or `remediate file - auto`. - - - -## Supported output types -Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands: - -- `-output json` -- `-output table` - ->[!NOTE] ->Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown. - - -## Supported output pipes -Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt. - -Example: - -``` -processes > output.txt -``` - - - -## View the command log -Select the **Command log** tab to see the commands used on the machine during a session. -Each command is tracked with full details such as: -- ID -- Command line -- Duration -- Status and input or output side bar - - - - -## Limitations -- Live response sessions are limited to 10 live response sessions at a time -- Large scale command execution is not supported -- A user can only initiate one session at a time -- A machine can only be in one session at a time -- There is a file size limit of 750mb when downloading files from a machine - -## Related topic -- [Live response command examples](live-response-command-examples.md) - - - - - - - - - +--- +title: Investigate entities on machines using live response in Microsoft Defender ATP +description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real-time. +keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Investigate entities on machines using live response + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + + +Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. + +Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. + +With live response, analysts will have the ability to: +- Run basic and advanced commands to do investigative work +- Download files such as malware samples and outcomes of PowerShell scripts +- Upload a PowerShell script or executable to the library and run it on the machine from a tenant level +- Take or undo remediation actions + + +## Before you begin +Before you can initiate a session on a machine, make sure you fulfill the following requirements: + +- Machines must be Windows 10, version 18323 (also known as Windows 10 19H1) or later. + +- **Enable live response from the settings page**
+You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. + + >[!NOTE] + >Only users with manage security or global admin roles can edit these settings. + +- **Enable live response unsigned script execution** (optional)
+ + >[!WARNING] + >Allowing the use of unsigned scripts may increase your exposure to threats. + + Running unsigned scripts is generally not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. + +- **Ensure that you have the appropriate permissions**
+ Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). + + Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. + +## Live response dashboard overview +When you initiate a live response session on a machine, a dashboard opens. The dashboard provides information about the session such as: + +- Who created the session +- When the session started +- The duration of the session + +The dashboard also gives you access to: +- Disconnect session +- Upload files to the library +- Command console +- Command log + + +## Initiate a live response session on a machine + +1. Log in to Microsoft Defender Security Center. +2. Navigate to the machines list page and select a machine to investigate. The machine page opens. + + >[!NOTE] + >Machines must be on Windows 10, version 18323 (also known as Windows 10 19H1) or later. + +2. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the machine. +3. Use the built-in commands to do investigative work. For more information see, [Live response commands](#live-response-commands). +4. After completing your investigation, select **Disconnect session**, then select **Confirm**. + + + +## Live response commands +Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments see, [Create and manage roles](user-roles.md). + +### Basic commands +The following commands are available for user roles that's been granted the ability to run **basic** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). + +Command | Description +:---|:---|:--- +cd | Changes the current directory. +cls | Clears the console screen. +connect | Initiates a live response session to the machine. +connections | Shows all the active connections. +dir | Shows a list of files and subdirectories in a directory +drivers | Shows all drivers installed on the machine. +fileinfo | Get information about a file. +findfile | Locates files by a given name on the machine. +help | Provides help information for live response commands. +persistence | Shows all known persistence methods on the machine. +processes | Shows all processes running on the machine. +registry | Shows registry values. +scheduledtasks| Shows all scheduled tasks on the machine. +services | Shows all services on the machine. +trace | Sets the terminal's logging mode to debug. + + +### Advanced commands +The following commands are available for user roles that's been granted the ability to run **advanced** live response commands. For more information on role assignments see, [Create and manage roles](user-roles.md). + +Command | Description +:---|:--- +analyze | Analyses the entity with various incrimination engines to reach a verdict. +getfile | Gets a file from the machine.
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `getfile` to automatically run the prerequisite command. +run | Runs a PowerShell script from the library on the machine. +library | Lists files that were uploaded to the live response library. +putfile | Puts a file from the library to the machine. Files are saved in a working folder and are deleted when the machine restarts by default. +remediate | Remediates an entity on the machine. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjuction with `remediate` to automatically run the prerequisite command. +undo | Restores an entity that was remediated. + + +## Use live response commands +The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c). + +The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the machine, and take remediation actions on an entity. + +### Get a file from the machine +For scenarios when you'd like get a file from a machine you're investigating, you can use the `getfile` command. This allows you to save the file from the machine for further investigation. + +>[!NOTE] +>There is a file size limit of 750mb. + +### Put a file in the library +Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level. + +Live response allows PowerShell scripts to run, however you must first put the files into the library before you can run them. + +You can have a collection of PowerShell scripts that can run on machines that you initiate live response sessions with. + +**To upload a file in the library:** +1. Click **Upload file to library**. +2. Click **Browse** and select the file. +3. Provide a brief description. +4. Specify if you'd like to overwrite a file with the same name. +5. If you'd like to be know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description. +6. Click **Confirm**. +7. (Optional) To verify that the file was uploaded to the library, run the `library` command. + + +### Cancel a command +Anytime during a session, you can cancel a command by pressing CTRL + C. + +>[!WARNING] +>Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled. + + + +### Automatically run prerequisite commands +Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error. + +You can use the auto flag to automatically run prerequisite commands, for example: + +``` +getfile c:\Users\user\Desktop\work.txt -auto +``` + + +## Run a PowerShell script +Before you can run a PowerShell script, you must first upload it to the library. + +After uploading the script to the library, use the `run` command to run the script. + +If you plan to use an unsigned script in the session, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page. + +>[!WARNING] +>Allowing the use of unsigned scripts may increase your exposure to threats. + + + +## Apply command parameters +- View the console help to learn about command parameters. To learn about an individual command, run: + + `help ` + +- When applying parameters to commands, note that parameters are handled based on a fixed order: + + ` param1 param2` + +- When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value: + + ` -param2_name param2` + +- When using commands that have prerequisite commands, you can use flags: + + ` -type file -id - auto` or `remediate file - auto`. + + + +## Supported output types +Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands: + +- `-output json` +- `-output table` + +>[!NOTE] +>Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown. + + +## Supported output pipes +Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt. + +Example: + +``` +processes > output.txt +``` + + + +## View the command log +Select the **Command log** tab to see the commands used on the machine during a session. +Each command is tracked with full details such as: +- ID +- Command line +- Duration +- Status and input or output side bar + + + + +## Limitations +- Live response sessions are limited to 10 live response sessions at a time +- Large scale command execution is not supported +- A user can only initiate one session at a time +- A machine can only be in one session at a time +- There is a file size limit of 750mb when downloading files from a machine + +## Related topic +- [Live response command examples](live-response-command-examples.md) + + + + + + + + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 666ab6abfe..070ec84568 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -1,68 +1,68 @@ ---- -title: Next-generation Threat & Vulnerability Management -ms.reviewer: -description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Threat & Vulnerability Management -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - -Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. - -It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. - -## Next-generation capabilities -Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. - -It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades. ->[!Note] -> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. - -It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. -- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager - -### Real-time discovery - -To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: -- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. -- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. -- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible. -- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations. - -### Intelligence-driven prioritization - -Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: -- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. -- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. -- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users. - -### Seamless remediation - -Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. -- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. -- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. - -## Related topics -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: Next-generation Threat & Vulnerability Management +ms.reviewer: +description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. +keywords: threat and vulnerability management, MDATP-TVM, vulnerability management, threat and vulnerability scanning +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Threat & Vulnerability Management +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat & Vulnerability Management serves as an infrustructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. + +It helps organizations discover vulnerabilities and misconfigurations in real-time, based on sensors, without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context. + +## Next-generation capabilities +Threat & Vulnerability Management is built-in, real-time, cloud-powered, fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledgebase. + +It is the first solution in the industry to automate the remediation process through integration with Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) for patching, configuration changes, or upgrades. +>[!Note] +> Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager + +### Real-time discovery + +To discover endpoint vulnerabilities and misconfiguration, Threat & Vulnerability Management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead, and provides: +- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. +- Visibility into software and vulnerabilities. Optics into the organization’s software inventory, as well as software changes like installations, uninstallations, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- Application runtime context. Constant visibility into application usage patterns for better prioritization and decision-making. Critical dependencies, such as vulnerable runtime libraries being loaded by other applications, are made visible. +- Configuration posture. Visibility into organizational security configuration, surfacing issues like disabled antivirus, enabled SMBv1, or misconfigurations that could allow escalation of privileges. Issues are reported in the dashboard with actionable security recommendations. + +### Intelligence-driven prioritization + +Threat & Vulnerability Management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, Threat & Vulnerability Management in Microsoft Defender ATP highlights the most critical weaknesses that need attention by fusing its security recommendations with dynamic threat and business context: +- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. +- Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. +- Protecting high-value assets. Microsoft Defender ATP’s integration with Azure Information Protection allows Threat & Vulnerability Management to call attention to exposed machines with business-critical applications, confidential data, or high-value users. + +### Seamless remediation + +Microsoft Defender ATP’s Threat & Vulnerability Management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +- One-click remediation requests to IT. Through Microsoft Defender ATP’s integration with Microsoft Intune and System Center Configuration Manager (SCCM), security administrators can create a remediation task in Microsoft Intune with one click. We plan to expand this capability to other IT security management platforms. +- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. +- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. + +## Related topics +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index 52e4081b29..504baecd76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -1,108 +1,108 @@ ---- -title: Threat & Vulnerability Management scenarios -ms.reviewer: -description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats. -keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Threat & Vulnerability Management scenarios -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - -## Before you begin -Ensure that your machines: -- Are onboarded to Microsoft Defender Advanced Threat Protection -- Running with Windows 10 1709 (Fall Creators Update) or later -- Have the following mandatory updates installed: -- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) -- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) -- Have at least one security recommendation that can be viewed in the machine page -- Are tagged or marked as co-managed - - -## Reduce your threat and vulnerability exposure -Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats. - -The exposure score is continuously calculated on each device in the organization and influenced by the following factors: -- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device -- External and internal threats such as public exploit code and security alerts -- Likelihood of the device getting breached given its current security posture -- Value of the device to the organization given its role and content - -The exposure score is broken down into the following levels: -- 0 to 29: low exposure score -- 30 to 69: medium exposure score -- 70 to 100: high exposure score - -You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. - -To lower down your threat and vulnerability exposure: - -1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page. - - >>![top security recommendations](images/tvm_security_recommendations.png) - - >[!NOTE] - > There are two types of recommendations: - > - Security update which refers to recommendations that require a package installation - > - Configuration change which refers to recommendations that require a registry or GPO modification - > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon. - -2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png) - -3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page](images/tvm_software_page_details.png) - -4. Click **Open machine page** to connect to the machine and apply the selected recommendation. ![details in machine page](images/tvm_machine_page_details.png) - -5. Allow a few hours for the changes to propagate in the system. - -6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease. - -## Improve your security configuration ->[!NOTE] -> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. - -Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger. - -1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls. - - >>![configuration score widget](images/tvm_config_score.png) - -2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. - ![security controls related security recommendations](images/tvm_security_controls.png) - -3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. - - > >![request remediation](images/tvm_request_remediation.png). - > - > You will see a confirmation message that the remediation task has been created. - > ![remediation task creation confirmation](images/tvm_remediation_task_created.png) - -4. Save your CSV file. - ![save csv file](images/tvm_save_csv_file.png) - -5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system. - -6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. - - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) -- [Configuration score](configuration-score.md) - +--- +title: Threat & Vulnerability Management scenarios +ms.reviewer: +description: Learn how to use Threat & Vulnerability Management in the context of scenarios that Security Administrators encounter when collaborating with IT Administrators and SecOps while protecting their organization from cybersecurity threats. +keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: mjcaparas +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Threat & Vulnerability Management scenarios +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +## Before you begin +Ensure that your machines: +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Running with Windows 10 1709 (Fall Creators Update) or later +- Have the following mandatory updates installed: +- (1) RS3 customers | [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441) +- (2) RS4 customers | [KB4493464](https://support.microsoft.com/en-us/help/4493464) +- Have at least one security recommendation that can be viewed in the machine page +- Are tagged or marked as co-managed + + +## Reduce your threat and vulnerability exposure +Threat & Vulnerability Management introduces a new exposure score metric which visually represents how exposed your machines are to imminent threats. + +The exposure score is continuously calculated on each device in the organization and influenced by the following factors: +- Weaknesses, such as vulnerabilities and misconfigurations discovered on the device +- External and internal threats such as public exploit code and security alerts +- Likelihood of the device getting breached given its current security posture +- Value of the device to the organization given its role and content + +The exposure score is broken down into the following levels: +- 0 to 29: low exposure score +- 30 to 69: medium exposure score +- 70 to 100: high exposure score + +You can reduce the exposure score by remediating issues based on prioritized security recommendations. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. + +To lower down your threat and vulnerability exposure: + +1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. This opens the **Security recommendation** page. + + >>![top security recommendations](images/tvm_security_recommendations.png) + + >[!NOTE] + > There are two types of recommendations: + > - Security update which refers to recommendations that require a package installation + > - Configuration change which refers to recommendations that require a registry or GPO modification + > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon. + +2. In the **Security recommendations** page, you will see the description of what needs to be done and why. It shows the vulnerability details, such as the associated exploits affecting what machines and its business impact. Click **Open software page** option from the flyout menu. ![details in security recommendations page](images/tvm_security_recommendations_page.png) + +3. Click **Installed machines** and select the affected machine from the list to open the flyout page with the relevant machine details, exposure and risk levels, alert and incident activities. ![details in software page](images/tvm_software_page_details.png) + +4. Click **Open machine page** to connect to the machine and apply the selected recommendation. ![details in machine page](images/tvm_machine_page_details.png) + +5. Allow a few hours for the changes to propagate in the system. + +6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate won't be listed there anymore, and the exposure score should decrease. + +## Improve your security configuration +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). We’ll keep the secure score page available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page. + +Remediating issues in the security recommendations list will improve your configuration. As you do so, your configuration score improves, which means building your organization's resilience against cybersecurity threats and vulnerabilities stronger. + +1. From the Configuration score widget, select **Security controls**. This opens the **Security recommendations** page showing the list of issues related to security controls. + + >>![configuration score widget](images/tvm_config_score.png) + +2. Select the first item on the list. This opens the flyout menu with the description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**. + ![security controls related security recommendations](images/tvm_security_controls.png) + +3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up. + + > >![request remediation](images/tvm_request_remediation.png). + > + > You will see a confirmation message that the remediation task has been created. + > ![remediation task creation confirmation](images/tvm_remediation_task_created.png) + +4. Save your CSV file. + ![save csv file](images/tvm_save_csv_file.png) + +5. Send a follow up email to your IT Administrator and allow the time that you have alloted for the remediation to propagate in the system. + +6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase. + + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Configuration score](configuration-score.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index cccb23ec60..2f3d53c781 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,77 +1,77 @@ ---- -title: What's in the dashboard and what it means for my organization's security posture -ms.reviewer: -description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience. -keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: eADQiWindows 10XVcnh -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: ellevin -author: levinec -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- -# Threat & Vulnerability Management dashboard overview - -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](prerelease.md)] - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) - -Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: -- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Invaluable machine vulnerability context during incident investigations -- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) - - >[!NOTE] - > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. - -You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: -- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines -- Correlate EDR insights with endpoint vulnerabilities and process them -- Select remediation options, triage and track the remediation tasks - -## Threat & Vulnerability Management in Microsoft Defender Security Center -When you open the portal, you’ll see the main areas of the capability: - - ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) - - ![Threat & Vulnerability Management menu](images/tvm_menu.png) - -- (1) Menu in the navigation pane -- (2) Threat & Vulnerability Management icon -- (3) Threat & Vulnerability Management dashboard - -You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. - -Area | Description -:---|:--- -(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. -(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. -**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data. -**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options. -**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV. -**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details. -(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**. -**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. -**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. -**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. -**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![possible active alert](images/tvm_alert_icon.png), associated public exploits ![threat insight](images/tvm_bug_icon.png), and recommendation insights ![recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. -**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page. -**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities. -**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. - -See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. - -## Related topics -- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) -- [Configuration score](configuration-score.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) +--- +title: What's in the dashboard and what it means for my organization's security posture +ms.reviewer: +description: What's in the Threat & Vulnerability Management dashboard and how it can help SecOps and Security Administrators arrive at informed decisions in addressing cybersecurity threat vulnerabilities and building their organization's security resilience. +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: eADQiWindows 10XVcnh +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- +# Threat & Vulnerability Management dashboard overview + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +[!include[Prerelease information](prerelease.md)] + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: +- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities +- Invaluable machine vulnerability context during incident investigations +- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) + + >[!NOTE] + > Microsoft Intune and Microsoft System Center Configuration Manager (SCCM) integration will be available in the coming weeks. + +You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: +- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines +- Correlate EDR insights with endpoint vulnerabilities and process them +- Select remediation options, triage and track the remediation tasks + +## Threat & Vulnerability Management in Microsoft Defender Security Center +When you open the portal, you’ll see the main areas of the capability: + + ![Microsoft Defender Advanced Threat Protection portal](images/tvm_dashboard.png) + + ![Threat & Vulnerability Management menu](images/tvm_menu.png) + +- (1) Menu in the navigation pane +- (2) Threat & Vulnerability Management icon +- (3) Threat & Vulnerability Management dashboard + +You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. + +Area | Description +:---|:--- +(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities. +(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, and **Software inventory**. +**Dashboards** | Get a high-level view of the organization exposure score, MDATP configuration score, top remediation activities, top security recommendations, top vulnerable software, and top exposed machines data. +**Security recommendations** | See the list of security recommendations, their related components, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list and it will open a flyout pane where you will see vulnerability details, and have the option to open the software page, and see the remediation options. +**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV. +**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the vulnerabilities and misconfigurations associated and its machine and version distribution details. +(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, **Top exposed machines**, and **Threat campaigns**. +**Organization Exposure score** | See the current state of your organization’s device exposure to threats and vulnerabilities. Several factors affect your organization’s exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower down your organization’s exposure score to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. +**MDATP Configuration score** | See the security posture of your organization’s operating system, applications, network, accounts and security controls. The goal is to increase your configuration score by remediating the related security configuration issues. You can click the bars and it will take you to the **Security recommendation** page for details. +**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it will take you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, OS platform, its health state, when it was last seen, and its tags. +**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts ![possible active alert](images/tvm_alert_icon.png), associated public exploits ![threat insight](images/tvm_bug_icon.png), and recommendation insights ![recommendation insight](images/tvm_insight_icon.png). You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list. +**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page. +**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities. +**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list. + +See [Microsoft Defender ATP icons](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection#windows-defender-atp-icons) for more information on the icons used throughout the portal. + +## Related topics +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Configuration score](configuration-score.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 2023523f4a..c074504ddd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,58 +1,58 @@ ---- -title: Prevent security settings changes with Tamper Protection -ms.reviewer: -manager: dansimp -description: Use tamper protection to prevent malicious apps from changing important security settings. -keywords: malware, defender, antivirus, tamper protection -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp ---- - -# Prevent security settings changes with tamper protection - -**Applies to:** - -- Windows 10 - -Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: - -- Real-time protection -- Cloud-delivered protection -- IOfficeAntivirus (IOAV) -- Behavior monitoring -- Removing security intelligence updates - -With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: - -- Mobile device management (MDM) apps like Intune -- Enterprise configuration management apps like System Center Configuration Manager (SCCM) -- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures -- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) -- Group Policy -- Other Windows Management Instrumentation (WMI) apps - -The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. - -On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. - -Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**. - -## Configure tamper protection - -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. -2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. -3. Set **Tamper Protection** to **On** or **Off**. - ->[!NOTE] ->Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry. -> ->To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. -> ->Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. +--- +title: Prevent security settings changes with Tamper Protection +ms.reviewer: +manager: dansimp +description: Use tamper protection to prevent malicious apps from changing important security settings. +keywords: malware, defender, antivirus, tamper protection +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: dansimp +ms.author: dansimp +--- + +# Prevent security settings changes with tamper protection + +**Applies to:** + +- Windows 10 + +Tamper Protection helps prevent malicious apps from changing important security settings. These settings include: + +- Real-time protection +- Cloud-delivered protection +- IOfficeAntivirus (IOAV) +- Behavior monitoring +- Removing security intelligence updates + +With Tamper Protection set to **On**, you can still change these settings in the Windows Security app. The following apps and methods can't change these settings: + +- Mobile device management (MDM) apps like Intune +- Enterprise configuration management apps like System Center Configuration Manager (SCCM) +- Command line instruction MpCmdRun.exe -removedefinitions -dynamicsignatures +- Windows System Image Manager (Windows SIM) settings DisableAntiSpyware and DisableAntiMalware (used in Windows unattended setup) +- Group Policy +- Other Windows Management Instrumentation (WMI) apps + +The Tamper Protection setting doesn't affect how third party antivirus apps register with the Windows Security app. + +On computers running Windows 10 Enterprise E5, users can't change the Tamper Protection setting. + +Tamper Protection is set to **On** by default. If you set Tamper Protection to **Off**, you will see a yellow warning in the Windows Security app under **Virus & Threat Protection**. + +## Configure tamper protection + +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +2. Select **Virus & threat protection**, then select **Virus & threat protection settings**. +3. Set **Tamper Protection** to **On** or **Off**. + +>[!NOTE] +>Tamper Protection blocks attempts to modify Windows Defender Antivirus settings through the registry. +> +>To help ensure that Tamper Protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. +> +>Once you’ve made this update, Tamper Protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors. diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index f5a711db65..d9cd25a523 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -1,177 +1,177 @@ ---- -title: Common Criteria Certifications -description: This topic details how Microsoft supports the Common Criteria certification program. -ms.prod: w10 -audience: ITPro -author: dulcemontemayor -ms.author: dolmont -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 3/20/2019 -ms.reviewer: ---- - -# Common Criteria Certifications - -Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products. - -## Common Criteria Security Targets - -### Information for Systems Integrators and Accreditors - -The Security Target describes security functionality and assurance measures used to evaluate Windows. - - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx) - - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) - - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf) - - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) - - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf) - - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf) - - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf) - - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf) - - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf) - - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) - - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) - - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) - - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) - - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) - - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) - - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) - -## Common Criteria Deployment and Administration - -### Information for IT Administrators - -These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation. - -**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** - - - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx) - - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf) - - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf) - - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf) - -**Windows 8.1 and Windows Phone 8.1** - - - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) - -**Windows 8, Windows RT, and Windows Server 2012** - - - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) - - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) - - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) - -**Windows 7 and Windows Server 2008 R2** - - - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) - - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308) - -**Windows Vista and Windows Server 2008** - - - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) - -**Windows Server 2003 SP2 including R2, x64, and Itanium** - - - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) - - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) - -**Windows Server 2003 SP1(x86), x64, and IA64** - - - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) - - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) - -**Windows Server 2003 SP1** - - - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) - - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) - -**Windows XP Professional SP2 (x86) and x64 Edition** - - - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) - - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) - - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) - - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) - - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) - - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) - -**Windows XP Professional SP2, and XP Embedded SP2** - - - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) - - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) - - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) - -**Windows Server 2003 Certificate Server** - - - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) - - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) - - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) - -## Common Criteria Evaluation Technical Reports and Certification / Validation Reports - -### Information for Systems Integrators and Accreditors - -An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. - - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) - - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf) - - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) - - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf) - - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf) - - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf) - - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf) - - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf) - - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf) - - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) - - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) - - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) - - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) - - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) - - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) - - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) - - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) - - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) - - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) - - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) - -## Other Common Criteria Related Documents - - - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) - +--- +title: Common Criteria Certifications +description: This topic details how Microsoft supports the Common Criteria certification program. +ms.prod: w10 +audience: ITPro +author: dulcemontemayor +ms.author: dolmont +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.date: 3/20/2019 +ms.reviewer: +--- + +# Common Criteria Certifications + +Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products. + +## Common Criteria Security Targets + +### Information for Systems Integrators and Accreditors + +The Security Target describes security functionality and assurance measures used to evaluate Windows. + + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx) + - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) + - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf) + - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) + - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf) + - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf) + - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf) + - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf) + - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf) + - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) + - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) + - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) + - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) + - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) + - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) + - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) + - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) + - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) + +## Common Criteria Deployment and Administration + +### Information for IT Administrators + +These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation. + +**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** + + + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx) + - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf) + - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf) + - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf) + +**Windows 8.1 and Windows Phone 8.1** + + - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) + - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) + +**Windows 8, Windows RT, and Windows Server 2012** + + - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) + - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) + - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) + +**Windows 7 and Windows Server 2008 R2** + + - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) + - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308) + +**Windows Vista and Windows Server 2008** + + - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) + - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) + +**Windows Server 2003 SP2 including R2, x64, and Itanium** + + - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) + - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) + +**Windows Server 2003 SP1(x86), x64, and IA64** + + - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) + - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) + +**Windows Server 2003 SP1** + + - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) + - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) + +**Windows XP Professional SP2 (x86) and x64 Edition** + + - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) + - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) + - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) + - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) + - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) + - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) + +**Windows XP Professional SP2, and XP Embedded SP2** + + - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) + - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) + - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) + +**Windows Server 2003 Certificate Server** + + - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) + - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) + - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) + +## Common Criteria Evaluation Technical Reports and Certification / Validation Reports + +### Information for Systems Integrators and Accreditors + +An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. + + - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) + - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf) + - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) + - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf) + - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf) + - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf) + - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf) + - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf) + - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf) + - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) + - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) + - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) + - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) + - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) + - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) + - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) + - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) + - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) + - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) + - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) + - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) + +## Other Common Criteria Related Documents + + - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) +