> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
> The default behavior for older releases is to revert to **User Credential**.
> **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device.
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2
ms.reviewer:
ms.reviewer: pesmith
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 11/01/2017
ms.date: 10/30/2020
---
# VPNv2 CSP
@ -30,8 +30,8 @@ Here are the requirements for this CSP:
The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
- C:\\Windows\\schemas\\EAPHost
- C:\\Windows\\schemas\\EAPMethods
- `C:\\Windows\\schemas\\EAPHost`
- `C:\\Windows\\schemas\\EAPMethods`
The following diagram shows the VPNv2 configuration service provider in tree format.
@ -45,7 +45,8 @@ Unique alpha numeric identifier for the profile. The profile name must not inclu
Supported operations include Get, Add, and Delete.
> **Note**If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
> [!NOTE]
> If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
@ -138,9 +139,8 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.
> **Note**Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.
> [!NOTE]
> Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.
When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other.
@ -205,18 +204,16 @@ Value type is int. Supported operations include Get, Add, Replace, and Delete.
Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following:
- Outbound - The rule applies to all outbound traffic
- nbound - The rule applies to all inbound traffic
If no inbound filter is provided, then by default all unsolicated inbound traffic will be blocked.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
@ -255,13 +262,14 @@ Supported operations include Get, Add, Replace, and Delete.
An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
> **Note**Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
> [!NOTE]
> Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
Preserving user Always On preference
Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
@ -450,7 +458,8 @@ Required for native profiles. Type of tunneling protocol used. This value can be
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
> **Note**The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order is not customizable.
> [!NOTE]
> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order is not customizable.
@ -125,7 +125,7 @@ The following list shows the supported values:
- 1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
> [!NOTE]
> This policy setting is no longer supported in the new Microsoft Edge browser.
> This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release.
title: Federal Information Processing Standard (FIPS) 140 Validation
description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
ms.prod: w10
audience: ITPro
author: dulcemontemayor
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/05/2019
ms.reviewer:
---
@ -28,9 +27,9 @@ Microsoft maintains an active commitment to meeting the requirements of the FIPS
## Using Windows in a FIPS 140-2 approved mode of operation
Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.” When this mode is enabled, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows cryptographic operations are run. These self-tests are run in accordance with FIPS 140-2 Section 4.9 and are utilized to ensure that the modules are functioning properly. The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by this mode of operation. The FIPS 140-2approved mode of operationwill not prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms.For applications or components beyond the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library, FIPS mode is merely advisory.
While US government regulations continue to mandate that FIPS mode be enabled on government computers running Windows, our recommendation is that it is each customer’s decision to make when considering enabling FIPS mode. There are many applications and protocols that look to the FIPS mode policy to determine which cryptographic functionality should be utilized in a given solution. We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode.
Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below.
### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed
@ -43,7 +42,7 @@ Each of the cryptographic modules has a defined security policy that must be met
### Step 3: Enable the FIPS security policy
Windows provides the security policy setting, “System cryptography: Use FIPScompliant algorithms for encryption, hashing, and signing,” which is used by some Microsoft products to determine whether to operate in a FIPS 140-2 approved mode. When this policy is enabled, the validated cryptographic modules in Windows will also operate in FIPS approved mode. The policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPScompliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
Windows provides the security policy setting, “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing,” which is used by some Microsoft products to determine whether to operate in a FIPS 140-2 approved mode. When this policy is enabled, the validated cryptographic modules in Windows will also operate in FIPS approved mode. The policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
### Step 4: Ensure only FIPS validated cryptographic algorithms are used
@ -73,7 +72,7 @@ This caveat identifies required configuration and security rules that must be fo
### What is the relationship between FIPS 140-2 and Common Criteria?
These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria is designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
### How does FIPS 140 relate to Suite B?
@ -89,6 +88,76 @@ The following tables identify the cryptographic modules used in an operating sys
<td>See Security Policy and Certificate page for algorithm information</td>
</tr>
</tbody>
</table>
##### Windows Server (Version 1803)
Validated Editions: Standard, Datacenter
@ -2165,7 +2304,7 @@ The following tables are organized by cryptographic algorithms with their modes,
<li>Key Lengths: 128, 192, 256 (bits)</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4903">#4903</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4903">#4903</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -2484,7 +2623,7 @@ The following tables are organized by cryptographic algorithms with their modes,
</ul></li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4897">#4897</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4897">#4897</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -2520,7 +2659,7 @@ The following tables are organized by cryptographic algorithms with their modes,
<li>Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)</li>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4898">#4898</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4898">#4898</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -2559,7 +2698,7 @@ The following tables are organized by cryptographic algorithms with their modes,
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4894">#4894</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4894">#4894</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -2630,7 +2769,7 @@ The following tables are organized by cryptographic algorithms with their modes,
<p><b>CFB128</b> (e/d; 128, 192, 256);</p>
<p><b>OFB</b> (e/d; 128, 192, 256);</p>
<p><b>CTR</b> (int only; 128, 192, 256)</p></td>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4074">#4074</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4074">#4074</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733">#1733</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733">#1733</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -2930,7 +3069,7 @@ Deterministic Random Bit Generator (DRBG)
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730">#1730</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1730">#1730</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -2965,7 +3104,7 @@ Deterministic Random Bit Generator (DRBG)
</tr>
<trclass="odd">
<td><b>CTR_DRBG:</b>[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/aes#4074">Val#4074</a>)]</td>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1222">#1222</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1222">#1222</a></p>
<p>Version 10.0.14393</p></td>
</tr>
<trclass="even">
@ -3133,7 +3272,7 @@ Deterministic Random Bit Generator (DRBG)
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1301">#1301</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/dsa#1301">#1301</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1252">#1252</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1252">#1252</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1247">#1247</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1247">#1247</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1246">#1246</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#1246">#1246</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#920">#920</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/ecdsa#920">#920</a></p>
<p>Version 10.0.14393</p></td>
</tr>
<trclass="odd">
@ -3886,7 +4025,7 @@ Some of the previously validated components for this validation have been remove
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3270">#3270</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3270">#3270</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -3979,7 +4118,7 @@ Some of the previously validated components for this validation have been remove
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3267">#3267</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#3267">#3267</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2661">#2661</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2661">#2661</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#149">#149</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#149">#149</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#146">#146</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#146">#146</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#93">#93</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#93">#93</a></p>
<p>K prerequisite: DRBG <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1733">#1733</a>, KAS <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#149">#149</a></p></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#160">#160</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#160">#160</a></p>
<p>K prerequisite: KAS <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#146">#146</a></p></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#157">#157</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#157">#157</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -5042,7 +5181,7 @@ MAC <a href="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-p
<p>KAS <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kas#93">Val#93</a> DRBG <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/drbg#1222">Val#1222</a> MAC <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/hmac#2661">Val#2661</a></p></td>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#102">#102</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/kdf#102">#102</a></p>
<p>Version 10.0.14393</p></td>
</tr>
<trclass="even">
@ -5228,7 +5367,7 @@ Random Number Generator (RNG)
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2676">#2676</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2676">#2676</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -5263,7 +5402,7 @@ Random Number Generator (RNG)
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2674">#2674</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2674">#2674</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -5637,7 +5776,7 @@ Random Number Generator (RNG)
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2668">#2668</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2668">#2668</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -5707,7 +5846,7 @@ Random Number Generator (RNG)
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2667">#2667</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2667">#2667</a></p>
<b>[RSASSA-PSS]:</b> Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.<br/>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2206">#2206</a></p>
<td><p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/rsa#2206">#2206</a></p>
<p>Version 10.0.14393</p></td>
</tr>
<trclass="even">
@ -6209,7 +6348,7 @@ Some of the previously validated components for this validation have been remove
<li>Supports Empty Message</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009">#4009</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/shs#4009">#4009</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -6495,7 +6634,7 @@ Version 6.3.9600</td>
<li>Keying Option: 1</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2556">#2556</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/tdes#2556">#2556</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -6707,7 +6846,7 @@ Version 6.3.9600</td>
<li>Padding Algorithms: PKCS 1.5</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1518">#1518</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1518">#1518</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1503">#1503</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1503">#1503</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -6998,7 +7137,7 @@ Version 6.3.9600</td>
<li>Modulus Size: 2048 (bits)</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1502">#1502</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1502">#1502</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -7009,7 +7148,7 @@ Version 6.3.9600</td>
<li>Padding Algorithms: PKCS 1.5</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1501">#1501</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1501">#1501</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1499">#1499</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1499">#1499</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="odd">
@ -7032,7 +7171,7 @@ Version 6.3.9600</td>
<li>Modulus Size: 2048 (bits)</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1498">#1498</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1498">#1498</a></p>
<p>Version 10.0.16299</p>
<p></p></td>
</tr>
@ -7044,7 +7183,7 @@ Version 6.3.9600</td>
<li>Padding Algorithms: PKCS 1.5</li>
</ul></li>
</ul></td>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1497">#1497</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1497">#1497</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1496">#1496</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1496">#1496</a></p>
<p>Version 10.0.16299</p></td>
</tr>
<trclass="even">
@ -7123,7 +7262,7 @@ Version 10.0. 15063</p>
Version 10.0. 15063</p>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#922">#922</a><br/>
Version 10.0.14393</p>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#894">#894</a><br/>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#894">#894</a><br/>
Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#666">#666</a><br/>
Version 10.0.10586</p>
<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#288">#288</a><br/>
@ -7139,7 +7278,7 @@ Version 10.0.15063</p>
Version 10.0.15063</p>
<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1280">#1280</a><br/>
Version 10.0.15063</p>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#893">#893</a><br/>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#893">#893</a><br/>
Version 10.0.14393</p>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#888">#888</a><br/>
Version 10.0.14393</p>
@ -7158,7 +7297,7 @@ Version 6.3.9600</p></td>
Version 10.0.15063</p>
<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1281">#1281</a><br/>
Version 10.0.15063</p>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#895">#895</a><br/>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#895">#895</a><br/>
Version 10.0.14393</p>
<p>Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#887">#887</a><br/>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1496">#1496</a></p>
<td><p>Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1496">#1496</a></p>
<p>Version 10.0.16299</p>
<p>Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#1278">#1278</a><br/>
Version 10.0.15063</p>
@ -7184,7 +7323,7 @@ Version 10.0.14393</p>
Version 10.0.10586</p>
<p>Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#575">#575</a><br/>
Version 10.0.10240</p>
<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#323">#323</a><br/>
<p>Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp <ahref="https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/validation/validation-list/component#323">#323</a><br/>
@ -43,7 +43,7 @@ We've seen macro malware download threats from the following families:
* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
@ -157,7 +157,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- `%systemroot%\Sysvol\*\Nntfrs_cmp*\`
- `%systemroot%\Sysvol\*\Ntfrs_cmp*\`
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
@ -23,10 +23,9 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
### Can I enable Application Guard on machines equipped with 4 GB RAM?
We recommend 8 GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
@ -34,7 +33,7 @@ We recommend 8GB RAM for optimal performance but you may use the following regis
### Can employees download documents from the Application Guard Edge session onto host devices?
In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.
In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
@ -44,20 +43,16 @@ Depending on your organization's settings, employees can copy and paste images (
### Why don't employees see their Favorites in the Application Guard Edge session?
To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device.
To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
### Are extensions supported in the Application Guard?
### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container).
Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.*
Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect.
### Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
@ -76,7 +71,7 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.
This feature is currently experimentalonly and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
### What is the WDAGUtilityAccount local account?
@ -92,12 +87,75 @@ When using Windows Pro or Windows Enterprise, you will have access to using Appl
### Is there a size limit to the domain lists that I need to configure?
Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit.
Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit.
### Why does my encryption driver break Microsoft Defender Application Guard?
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
### Why do the Network Isolation policies in Group Policy and CSP look different?
There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
1. Program path: %SystemRoot%\System32\svchost.exe
2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
3. Protocol UDP
4. Port 67
Second rule (DHCP Client)
This is the same as the first rule, but scoped to local port 68.
In the Microsoft Defender Firewall user interface go through the following steps:
1. Right click on inbound rules, create a new rule.
2. Choose **custom rule**.
3. Program path: **%SystemRoot%\System32\svchost.exe**.
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
5. Any IP addresses.
6. Allow the connection.
7. All profiles.
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
### Why can I not launch Application Guard when Exploit Guard is enabled?
There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
### How can I have ICS in enabled state yet still use Application Guard?
This is a two-step process.
Step 1:
Enable Internet Connection sharing by changing the Group Policy setting *Prohibit use of Internet Connection Sharing on your DNS domain network*, which is part of the MS Security baseline from Enabled to Disabled.
@ -59,7 +59,7 @@ The following image shows an example of an alert that was triggered by behaviora
- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
@ -43,7 +43,7 @@ Microsoft Defender ATP currently supports the following specific SIEM solution t
- IBM QRadar
- Micro Focus ArcSight
Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
To use either of these supported SIEM tools you'll need to:
@ -39,7 +39,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
:::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode":::
> [!NOTE]
> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
> To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**.
## What happens when something is detected?
@ -70,10 +70,10 @@ The following image shows an instance of unwanted software that was detected and
|---------|---------|
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server 2016 or later |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. <br/><br/>See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. <br/>In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. <br/> In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. <br/>In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. <br/> In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined.
# Privacy information - Microsoft Defender ATP for iOS
> [!NOTE]
> Microsoft Defender ATP for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. Microsoft or your organization, does not see your browsing activity.
> Microsoft Defender ATP for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.**
Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP. The information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected, and to support the service.
For more details about data storage, see [Microsoft Defender ATP data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy).
## Required data
Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
@ -77,9 +79,7 @@ Optional diagnostic data includes:
- App, CPU, and network usage for Microsoft Defender ATP.
- Features configured by the admin.
- Basic information about the browsers on the device.
- Features configured by the admin for Microsoft Defender ATP.
Feedback Data is collected through in-app feedback provided by the user.
@ -94,4 +94,3 @@ For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatem
@ -110,7 +110,7 @@ The package contains the following folders:
| System Information| Contains a SystemInformation.txt file which lists system information such as OS version and network cards. |
| Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system. </br></br> This can help to track suspicious files that an attacker may have dropped on the system. </br></br><divclass="alert"><b>NOTE:</b> If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.</div> |
| Users and Groups| Provides a list of files that each represent a group and its members. |
|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab |
|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab </br></br><divclass="alert"><b>NOTE:</b> This folder will only be created on Windows 10, version 1709 or later with February 2020 update rollup or more recent installed:</br> Win10 1709 (RS3) Build 16299.1717 : [KB4537816](https://support.microsoft.com/en-us/help/4537816/windows-10-update-kb4537816) </br> Win10 1803 (RS4) Build 17134.1345 : [KB4537795](https://support.microsoft.com/en-us/help/4537795/windows-10-update-kb4537795) </br> Win10 1809 (RS5) Build 17763.1075 : [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818) </br> Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693 : [KB4535996](https://support.microsoft.com/en-us/help/4535996/windows-10-update-kb4535996) </div> |
| CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
## Run Microsoft Defender Antivirus scan on devices
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
@ -51,13 +52,13 @@ There are two columns:
Each device is counted only once according to the most severe vulnerability found on that device.
## Exploit availability graphs
Each device is counted only once based on the highest level of known exploit.
## Vulnerability age graphs
@ -81,5 +82,3 @@ The number of devices on each Windows 10 version that are exposed due to vulnera
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
@ -112,12 +112,12 @@ View related weaknesses information in the device page.
1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens.
2. In the **Devices list** page, select the device name that you want to investigate.
3. The device page will open with details and response options for the device you want to investigate.
4. Select **Discovered vulnerabilities**.
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
@ -143,4 +143,5 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform
- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Manika Dhiman
GitHub