diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index c27ad32063..9d150d9583 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -51,13 +51,13 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a | Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No | | Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | | Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | | Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No | | Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | | 
Microsoft.Outlook.DesktopIntegrationServices | | | | | x | | | Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No | 
@@ -77,10 +77,10 @@ Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, a | Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | | Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | | Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No | 
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 476d73c694..2d6a0b7bda 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -171,6 +171,11 @@ #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) +#### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) +#### [ADMX_AppCompat](policy-csp-admx-appcompat.md) +#### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) +#### [ADMX_DnsClient](policy-csp-admx-dnsclient.md) +#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 828700b85a..816b5c188b 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -1,6 +1,6 @@ --- title: CM\_ProxyEntries CSP -description: Configure proxy connections on mobile devices using CM\_ProxyEntries CSP. +description: Learn how the CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device. ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 05add93e6a..17b165ed51 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md 
@@ -1,6 +1,6 @@ --- title: CustomDeviceUI CSP -description: CustomDeviceUI CSP +description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application. ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md index 12b590ef8c..7623b155f2 100644 --- a/windows/client-management/mdm/customdeviceui-ddf.md +++ b/windows/client-management/mdm/customdeviceui-ddf.md @@ -1,6 +1,6 @@ --- title: CustomDeviceUI DDF -description: CustomDeviceUI DDF +description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider. ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index cb96fa1fb1..da9959c0a2 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -1,6 +1,6 @@ --- title: Defender CSP -description: See how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. +description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 508d2f5d0d..a63f4dec92 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md 
@@ -1,6 +1,6 @@ --- title: Defender DDF file -description: See how the OMA DM device description framework (DDF) for the **Defender** configuration service provider is used. +description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used. ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 285d96ddf8..11ab51bf9e 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -1,6 +1,6 @@ --- title: DevDetail CSP -description: DevDetail CSP +description: Learn how the DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 0ab07220b6..25be11c21b 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -1,6 +1,6 @@ --- title: DevDetail DDF file -description: DevDetail DDF file +description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider. ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 09d6af05e4..f24564545c 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md 
@@ -1,6 +1,6 @@ --- title: DeviceInstanceService CSP -description: DeviceInstanceService CSP +description: Learn how the DeviceInstanceService configuration service provider (CSP) provides some device inventory information that could be useful for an enterprise. ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index 246408076e..cef65071ec 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -1,6 +1,6 @@ --- title: DeviceLock CSP -description: DeviceLock CSP +description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies. ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md index 545ebcdb9b..eb63ef11fe 100644 --- a/windows/client-management/mdm/devicelock-ddf-file.md +++ b/windows/client-management/mdm/devicelock-ddf-file.md @@ -1,6 +1,6 @@ --- title: DeviceLock DDF file -description: DeviceLock DDF file +description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP). ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index b81a21b82e..aec2b4cc91 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md 
@@ -1,6 +1,6 @@ --- title: DevInfo DDF file -description: DevInfo DDF file +description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP). ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 2f00912ad8..2c49067d90 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -1,6 +1,6 @@ --- title: DiagnosticLog CSP -description: DiagnosticLog CSP +description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area. ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 8bedac1205..f635ed44c6 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -1,6 +1,6 @@ --- title: DiagnosticLog DDF -description: DiagnosticLog DDF +description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP). ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index aa61f9d50b..4a45bf4eb2 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -1,6 +1,6 @@ --- title: DMAcc CSP -description: DMAcc CSP +description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63 ms.reviewer: manager: dansimp 
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 232f5672cd..b10dcad38a 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -1,6 +1,6 @@ --- title: DMAcc DDF file -description: DMAcc DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP). ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 44ff431b60..c5ba87da90 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -1,6 +1,6 @@ --- title: DMClient DDF file -description: DMClient DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP). ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index 2e1b590d91..b9ed5780d0 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -1,6 +1,6 @@ --- title: DMProcessConfigXMLFiltered function -description: Configures phone settings by using OMA Client Provisioning XML. +description: Learn how the DMProcessConfigXMLFiltered function configures phone settings by using OMA Client Provisioning XML. Search.Refinement.TopicID: 184 ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F ms.reviewer: diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index b395c7c3ba..65aeb1a961 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md 
+++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,6 +1,6 @@ --- title: DMSessionActions CSP -description: DMSessionActions CSP +description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md index aef1210842..61b4b4754a 100644 --- a/windows/client-management/mdm/dmsessionactions-ddf.md +++ b/windows/client-management/mdm/dmsessionactions-ddf.md @@ -1,6 +1,6 @@ --- title: DMSessionActions DDF file -description: DMSessionActions DDF file +description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index e7d55aedc0..b6fe50d931 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -1,6 +1,6 @@ --- title: DynamicManagement CSP -description: DynamicManagement CSP +description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md index 3439bf646a..2690fa4e23 100644 --- a/windows/client-management/mdm/dynamicmanagement-ddf.md +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md 
@@ -1,6 +1,6 @@ --- title: DynamicManagement DDF file -description: DynamicManagement DDF file +description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP). ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index ddb14a8d3f..844fc1be39 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -1,6 +1,6 @@ --- title: EMAIL2 CSP -description: EMAIL2 CSP +description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index f24a64e3e3..4f11b5b64d 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -1,6 +1,6 @@ --- title: EMAIL2 DDF file -description: EMAIL2 DDF file +description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP). ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 1f420a71c4..805f9ee481 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -1,6 +1,6 @@ --- title: Enable ADMX-backed policies in MDM -description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM. +description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX-backed policies) in Mobile Device Management (MDM). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index f45e20d377..349687ed6c 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -1,6 +1,6 @@ --- title: Enroll a Windows 10 device automatically using Group Policy -description: Enroll a Windows 10 device automatically using Group Policy +description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md index e70eed0ce5..98739efcb1 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md @@ -1,6 +1,6 @@ --- title: EnrollmentStatusTracking DDF -description: View the OMA DM device description framework (DDF) for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. +description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.author: dansimp ms.topic: article ms.prod: w10 
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md index 319356f336..5e7af9b60d 100644 --- a/windows/client-management/mdm/enterpriseapn-ddf.md +++ b/windows/client-management/mdm/enterpriseapn-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseAPN DDF -description: EnterpriseAPN DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP). ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 22445122ec..272f60f44f 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseAppVManagement CSP -description: Examine the tree format for EnterpriseAppVManagement configuration service provider (CSP) to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions). +description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 PCs.(Enterprise and Education editions). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md index 626981e0ff..8cf951cf55 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseAppVManagement DDF file -description: EnterpriseAppVManagement DDF file +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 2df97c9bf4..45d11904d5 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseAssignedAccess CSP -description: Use the EnterpriseAssignedAccess CSP to configure custom layouts on a device. +description: Use the EnterpriseAssignedAccess configuration service provider (CSP) to configure custom layouts on a device. ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index 782bc735ed..24cadf3270 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseExt CSP -description: EnterpriseExt CSP +description: Learn how the EnterpriseExt CSP allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior. ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md index e30ceeb37f..4b3d4b0afd 100644 --- a/windows/client-management/mdm/enterpriseext-ddf.md +++ b/windows/client-management/mdm/enterpriseext-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseExt DDF -description: EnterpriseExt DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExt configuration service provider (CSP). ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md index 997493aee9..7efb54af20 100644 
--- a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md +++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseExtFileSystem DDF -description: EnterpriseExtFileSystem DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExtFileSystem configuration service provider (CSP). ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 5384ce0168..77b6e72ff9 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -1,6 +1,6 @@ --- title: EnterpriseModernAppManagement CSP -description: EnterpriseModernAppManagement CSP +description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index aa2cdb680b..237000b2f0 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -1,6 +1,6 @@ --- title: EnterpriseModernAppManagement DDF -description: EnterpriseModernAppManagement DDF +description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP). ms.assetid: ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md index f7544b10a4..f8b15504cc 100644 
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -1,6 +1,6 @@ --- title: EnterpriseModernAppManagement XSD -description: Use the EnterpriseModernAppManagement XSD for set application parameters. +description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters. ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 9251f6a755..79545b45cc 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -1,6 +1,6 @@ --- title: eSIM Enterprise Management -description: Managing eSIM devices in an enterprise +description: Learn how Mobile Device Management (MDM) Providers support the eSIM Profile Management Solution on Windows. keywords: eSIM enterprise management ms.prod: w10 ms.mktglfcycl: diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 43626310a0..1f42e3e43d 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -1,6 +1,6 @@ --- title: eUICCs CSP -description: eUICCs CSP +description: Learn how the eUICCs CSP is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 3f3e71df8d..38bb8e5f6f 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md 
@@ -1,6 +1,6 @@ --- title: eUICCs DDF file -description: eUICCs DDF file +description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP). ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md index 653b03b527..9bad3fe712 100644 --- a/windows/client-management/mdm/filesystem-csp.md +++ b/windows/client-management/mdm/filesystem-csp.md @@ -1,6 +1,6 @@ --- title: FileSystem CSP -description: FileSystem CSP +description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index e24210c9e0..0124df555f 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -1,6 +1,6 @@ --- title: Device HealthAttestation CSP -description: Device HealthAttestation CSP +description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 21934f6452..d7209b1cf2 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md 
@@ -1,6 +1,6 @@ --- title: HealthAttestation DDF -description: HealthAttestation DDF +description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider. ms.assetid: D20AC78D-D2D4-434B-B9FD-294BCD9D1DDE ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 7b8e606d40..1c9ca9aba5 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -1,6 +1,6 @@ --- title: MDM enrollment of Windows 10-based devices -description: MDM enrollment of Windows 10-based devices +description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. MS-HAID: - 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md index cc739605f3..e9383e871f 100644 --- a/windows/client-management/mdm/messaging-csp.md +++ b/windows/client-management/mdm/messaging-csp.md @@ -1,6 +1,6 @@ --- title: Messaging CSP -description: Use the Messaging CSP to configure the ability to get text messages audited on a mobile device. +description: Use the Messaging configuration service provider (CSP) to configure the ability to get text messages audited on a mobile device. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index 7d719b40aa..3597ffa5fe 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md 
@@ -1,6 +1,6 @@ --- title: MultiSIM CSP -description: MultiSIM CSP allows the enterprise to manage devices with dual SIM single active configuration. +description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index c4dbd6410a..dcaef76767 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -1,6 +1,6 @@ --- title: NAP CSP -description: NAP CSP +description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections. ms.assetid: 82f04492-88a6-4afd-af10-a62b8d444d21 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 80a87e53d1..1b5f5ecdd4 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -1,6 +1,6 @@ --- title: NAPDEF CSP -description: NAPDEF CSP +description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs). ms.assetid: 9bcc65dd-a72b-4f90-aba7-4066daa06988 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index c82e246263..43aff61d37 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -1,6 +1,6 @@ --- title: NetworkProxy CSP -description: NetworkProxy CSP +description: Learn how the NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. ms.author: dansimp ms.topic: article ms.prod: w10 
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index 7535a3ce20..c2d3ea4a5e 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -1,6 +1,6 @@ --- title: NetworkQoSPolicy DDF -description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML +description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index 7d58ebbea3..06a74f2979 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -1,6 +1,6 @@ --- title: NodeCache DDF file -description: NodeCache DDF file +description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP). ms.assetid: d7605098-12aa-4423-89ae-59624fa31236 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index eef4903c8c..5a9ac5cc69 100644 --- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -1,6 +1,6 @@ --- title: Personalization DDF file -description: Learn how to set the OMA DM device description framework (DDF) for the **Personalization** configuration service provider. +description: Learn how to set the OMA DM device description framework (DDF) for the Personalization configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 
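Review bot: the acronym expansion that this change applies to most description lines is missing from two of the hunks in this run. The FileSystem hunk keeps `description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device.` and the Device HealthAttestation hunk introduces "DHA-CSP" without ever spelling it out, while the NAP, NAPDEF, NetworkProxy, MultiSIM and Messaging hunks all write "configuration service provider (CSP)". Suggest "Learn how the FileSystem configuration service provider (CSP) is used to ..." and "Learn how the Device HealthAttestation configuration service provider (DHA-CSP) enables ...". Two smaller points in the same run: the NetworkProxy description should capitalize "Ethernet" ("a proxy server for Ethernet and Wi-Fi connections"), and the MDM enrollment description uses a typographic apostrophe in "organization’s" where the surrounding front matter is plain ASCII; a straight apostrophe keeps the metadata field consistent with the other files touched here.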
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1e5be59bdc..7986a6fae0 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1,6 +1,6 @@ --- title: Policy CSP -description: Policy CSP +description: Learn how the Policy configuration service provider (CSP) enables the enterprise to configure policies on Windows 10. ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F ms.reviewer: manager: dansimp @@ -168,6 +168,165 @@ The following diagram shows the Policy configuration service provider in tree fo +### ADMX_AddRemovePrograms policies +
+
+ ADMX_AddRemovePrograms/DefaultCategory +
+
+ ADMX_AddRemovePrograms/NoAddFromCDorFloppy +
+
+ ADMX_AddRemovePrograms/NoAddFromInternet +
+
+ ADMX_AddRemovePrograms/NoAddFromNetwork +
+
+ ADMX_AddRemovePrograms/NoAddPage +
+
+ ADMX_AddRemovePrograms/NoAddRemovePrograms +
+
+ ADMX_AddRemovePrograms/NoChooseProgramsPage +
+
+ ADMX_AddRemovePrograms/NoRemovePage +
+
+ ADMX_AddRemovePrograms/NoServices +
+
+ ADMX_AddRemovePrograms/NoSupportInfo +
+
+ ADMX_AddRemovePrograms/NoWindowsSetupPage +
+
+ +### ADMX_AppCompat policies + +
+
+ ADMX_AppCompat/AppCompatPrevent16BitMach +
+
+ ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage +
+
+ ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry +
+
+ ADMX_AppCompat/AppCompatTurnOffSwitchBack +
+
+ ADMX_AppCompat/AppCompatTurnOffEngine +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 +
+
+ ADMX_AppCompat/AppCompatTurnOffUserActionRecord +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramInventory +
+
+ +### ADMX_AuditSettings policies + +
+
+ ADMX_AuditSettings/IncludeCmdLine +
+
+ +### ADMX_DnsClient policies + +
+
+ ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries +
+
+ ADMX_DnsClient/DNS_AppendToMultiLabelName +
+
+ ADMX_DnsClient/DNS_Domain +
+
+ ADMX_DnsClient/DNS_DomainNameDevolutionLevel +
+
+ ADMX_DnsClient/DNS_IdnEncoding +
+
+ ADMX_DnsClient/DNS_IdnMapping +
+
+ ADMX_DnsClient/DNS_NameServer +
+
+ ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns +
+
+ ADMX_DnsClient/DNS_PrimaryDnsSuffix +
+
+ ADMX_DnsClient/DNS_RegisterAdapterName +
+
+ ADMX_DnsClient/DNS_RegisterReverseLookup +
+
+ ADMX_DnsClient/DNS_RegistrationEnabled +
+
+ ADMX_DnsClient/DNS_RegistrationOverwritesInConflict +
+
+ ADMX_DnsClient/DNS_RegistrationRefreshInterval +
+
+ ADMX_DnsClient/DNS_RegistrationTtl +
+
+ ADMX_DnsClient/DNS_SearchList +
+
+ ADMX_DnsClient/DNS_SmartMultiHomedNameResolution +
+
+ ADMX_DnsClient/DNS_SmartProtocolReorder +
+
+ ADMX_DnsClient/DNS_UpdateSecurityLevel +
+
+ ADMX_DnsClient/DNS_UpdateTopLevelDomainZones +
+
+ ADMX_DnsClient/DNS_UseDomainNameDevolution +
+
+ ADMX_DnsClient/Turn_Off_Multicast +
+
+ +### ADMX_EventForwarding policies + +
+
+ ADMX_EventForwarding/ForwarderResourceUsage +
+
+ ADMX_EventForwarding/SubscriptionManager +
+
+ ### ApplicationDefaults policies
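Review bot: the ADMX_AppCompat list in the `@@ -168,6 +168,165 @@` hunk is not in alphabetical order, unlike the ADMX_AddRemovePrograms list added in the same hunk: `ADMX_AppCompat/AppCompatTurnOffSwitchBack` is placed before `ADMX_AppCompat/AppCompatTurnOffEngine`, and `ADMX_AppCompat/AppCompatTurnOffUserActionRecord` before `ADMX_AppCompat/AppCompatTurnOffProgramInventory`; likewise `ADMX_DnsClient/Turn_Off_Multicast` sits after the `DNS_Use...` entry at the end of the ADMX_DnsClient list. Sorting the entries keeps this index consistent with the existing sections of the page. Separately, the hunk adds index sections for ADMX_AuditSettings, ADMX_DnsClient and ADMX_EventForwarding, but the only new policy pages in the visible part of this diff are policy-csp-admx-addremoveprograms.md and policy-csp-admx-appcompat.md; confirm that the pages those entries point to are part of the same change, otherwise the index ships with dead links.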
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index ebc28b415c..23c1bb8142 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -1,6 +1,6 @@ --- title: Policy CSP - AboveLock -description: Learn the various AboveLock Policy CSP for Windows editions of Home, Pro, Business, and more. +description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more. ms.author: dansimp ms.localizationpriority: medium ms.topic: article diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index fad4a74ad7..4367ed3ed6 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Accounts -description: Policy CSP - Accounts +description: Learn about the Policy configuration service provider (CSP). This articles describes account policies. ms.author: dansimp ms.localizationpriority: medium ms.topic: article diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 9c2b674cee..d760021b1e 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ActiveXControls -description: Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10. +description: Learn about various Policy configuration service provider (CSP) - ActiveXControls settings, including SyncML, for Windows 10. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
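Review bot: grammar problems in the new Accounts and AboveLock descriptions. `description: Learn about the Policy configuration service provider (CSP). This articles describes account policies.` should read "This article describes account policies", and `description: Learn the various AboveLock Policy configuration service provider (CSP) for Windows editions of Home, Pro, Business, and more.` treats the CSP itself as plural; suggest "Learn about the AboveLock policies in the Policy configuration service provider (CSP) for Windows Home, Pro, Business, and other editions." The ActiveXControls hunk in the same run gets the wording right and can serve as the model.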
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md new file mode 100644 index 0000000000..37cf49d46f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -0,0 +1,954 @@ +--- +title: Policy CSP - ADMX_AddRemovePrograms +description: Policy CSP - ADMX_AddRemovePrograms +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 08/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AddRemovePrograms + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## Policy CSP - ADMX_AddRemovePrograms + +
+
+ ADMX_AddRemovePrograms/DefaultCategory +
+
+ ADMX_AddRemovePrograms/NoAddFromCDorFloppy +
+
+ ADMX_AddRemovePrograms/NoAddFromInternet +
+
+ ADMX_AddRemovePrograms/NoAddFromNetwork +
+
+ ADMX_AddRemovePrograms/NoAddPage +
+
+ ADMX_AddRemovePrograms/NoAddRemovePrograms +
+
+ ADMX_AddRemovePrograms/NoChooseProgramsPage +
+
+ ADMX_AddRemovePrograms/NoRemovePage +
+
+ ADMX_AddRemovePrograms/NoServices +
+
+ ADMX_AddRemovePrograms/NoSupportInfo +
+
+ ADMX_AddRemovePrograms/NoWindowsSetupPage +
+
+ + +
+ + +**ADMX_AddRemovePrograms/DefaultCategory** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. + +To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. + +If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need. + +> [!NOTE] +> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify default category for Add New Programs* +- GP name: *DefaultCategory* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddFromCDorFloppy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. + +If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the "Add a program from CD-ROM or floppy disk" option* +- GP name: *NoAddFromCDorFloppy* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddFromInternet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. + +If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the "Add programs from Microsoft" option* +- GP name: *NoAddFromInternet* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddFromNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. + +If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. + +If you disable this setting or do not configure it, "Add programs from your network" is available to all users. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Hide the "Add programs from your network" option* +- GP name: *NoAddFromNetwork* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. + +If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Add New Programs page* +- GP name: *NoAddPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddRemovePrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. + +If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Add or Remove Programs* +- GP name: *NoAddRemovePrograms* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoChooseProgramsPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. + +If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the Set Program Access and Defaults page* +- GP name: *NoChooseProgramsPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoRemovePage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. + +If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Change or Remove Programs page* +- GP name: *NoRemovePage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoServices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. + +If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. + +> [!NOTE] +> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Go directly to Components Wizard* +- GP name: *NoServices* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoSupportInfo** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. + +If you disable this setting or do not configure it, the Support Info hyperlink appears. + +> [!NOTE] +> Not all programs provide a support information hyperlink. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Support Information* +- GP name: *NoSupportInfo* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoWindowsSetupPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. + +If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Add/Remove Windows Components page* +- GP name: *NoWindowsSetupPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. 
+- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md new file mode 100644 index 0000000000..527d07b981 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -0,0 +1,744 @@ +--- +title: Policy CSP - ADMX_AppCompat +description: Policy CSP - ADMX_AppCompat +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 08/20/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppCompat + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## Policy CSP - ADMX_AppCompat + +
+
+ ADMX_AppCompat/AppCompatPrevent16BitMach + +
+
+ ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage + +
+
+ ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry + +
+
+ ADMX_AppCompat/AppCompatTurnOffSwitchBack + +
+
+ ADMX_AppCompat/AppCompatTurnOffEngine + +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 + +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 + +
+
+ ADMX_AppCompat/AppCompatTurnOffUserActionRecord + +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramInventory + +
+
+ + +
+ + +**ADMX_AppCompat/AppCompatPrevent16BitMach** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. + +You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. + +If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run. + +If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. + +If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. + +> [!NOTE] +> This setting appears only in Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent access to 16-bit applications* +- GP name: *AppCompatPrevent16BitMach* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. + +The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. + +Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Program Compatibility Property Page* +- GP name: *AppCompatRemoveProgramCompatPropPage* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system. + +Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. + +Turning Application Telemetry off by selecting "enable" will stop the collection of usage data. + +If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set. + +Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Application Telemetry* +- GP name: *AppCompatTurnOffApplicationImpactTelemetry* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffSwitchBack** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system. + +Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. + +Switchback is on by default. + +If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. + +If you disable or do not configure this policy setting, the Switchback will be turned on. + +Reboot the system after changing the setting to ensure that your system accurately reflects those changes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off SwitchBack Compatibility Engine* +- GP name: *AppCompatTurnOffSwitchBack* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffEngine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system. + +The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. + +Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed. + +The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. + +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. + +> [!NOTE] +> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Application Compatibility Engine* +- GP name: *AppCompatTurnOffEngine* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Program Compatibility Assistant* +- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. + +If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. + +If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. + +> [!NOTE] +> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Turn off Program Compatibility Assistant* +- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffUserActionRecord** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder. + +Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. + +If you enable this policy setting, Steps Recorder will be disabled. + +If you disable or do not configure this policy setting, Steps Recorder will be enabled. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Steps Recorder* +- GP name: *AppCompatTurnOffUserActionRecord* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffProgramInventory** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector. + +The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. + +If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. + +If you disable or do not configure this policy setting, the Inventory Collector will be turned on. + +> [!NOTE] +> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Inventory Collector* +- GP name: *AppCompatTurnOffProgramInventory* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. 
+- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md new file mode 100644 index 0000000000..2f91449316 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -0,0 +1,119 @@ +--- +title: Policy CSP - ADMX_AuditSettings +description: Policy CSP - ADMX_AuditSettings +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AuditSettings +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AuditSettings policies + +
+
+ ADMX_AuditSettings/IncludeCmdLine +
+
+ + +
+ + +**ADMX_AuditSettings/IncludeCmdLine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. + +If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. + +If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. + +Default is Not configured. + +> [!NOTE] +> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Include command line in process creation events* +- GP name: *IncludeCmdLine* +- GP path: *System/Audit Process Creation* +- GP ADMX file name: *AuditSettings.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md new file mode 100644 index 0000000000..e3fef30269 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -0,0 +1,1725 @@ +--- +title: Policy CSP - ADMX_DnsClient +description: Policy CSP - ADMX_DnsClient +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DnsClient + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DnsClient policies + +
+
+ ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries +
+
+ ADMX_DnsClient/DNS_AppendToMultiLabelName +
+
+ ADMX_DnsClient/DNS_Domain +
+
+ ADMX_DnsClient/DNS_DomainNameDevolutionLevel +
+
+ ADMX_DnsClient/DNS_IdnEncoding +
+
+ ADMX_DnsClient/DNS_IdnMapping +
+
+ ADMX_DnsClient/DNS_NameServer +
+
+ ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns +
+
+ ADMX_DnsClient/DNS_PrimaryDnsSuffix +
+
+ ADMX_DnsClient/DNS_RegisterAdapterName +
+
+ ADMX_DnsClient/DNS_RegisterReverseLookup +
+
+ ADMX_DnsClient/DNS_RegistrationEnabled +
+
+ ADMX_DnsClient/DNS_RegistrationOverwritesInConflict +
+
+ ADMX_DnsClient/DNS_RegistrationRefreshInterval +
+
+ ADMX_DnsClient/DNS_RegistrationTtl +
+
+ ADMX_DnsClient/DNS_SearchList +
+
+ ADMX_DnsClient/DNS_SmartMultiHomedNameResolution +
+
+ ADMX_DnsClient/DNS_SmartProtocolReorder +
+
+ ADMX_DnsClient/DNS_UpdateSecurityLevel +
+
+ ADMX_DnsClient/DNS_UpdateTopLevelDomainZones +
+
+ ADMX_DnsClient/DNS_UseDomainNameDevolution +
+
+ ADMX_DnsClient/Turn_Off_Multicast +
+
+ + +
+ + +**ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. + +If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. + +If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow NetBT queries for fully qualified domain names* +- GP name: *DNS_AllowFQDNNetBiosQueries* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + +
+ + +**ADMX_DnsClient/DNS_AppendToMultiLabelName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. + +A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. + +For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list. + +If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. + +If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. + +If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. + +If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow DNS suffix appending to unqualified multi-label name queries* +- GP name: *DNS_AppendToMultiLabelName* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_Domain** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. + +If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Connection-specific DNS suffix* +- GP name: *DNS_Domain* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_DomainNameDevolutionLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +- The primary DNS suffix, as specified on the Computer Name tab of the System control panel. +- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. 
If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. + +If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. + +If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Primary DNS suffix devolution level* +- GP name: *DNS_DomainNameDevolutionLevel* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
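Review bot: 'This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution' in the first paragraph is not a sentence; drop the first "if" so it reads 'specifies the devolution level that DNS clients use when they perform primary DNS suffix devolution'. In the worked example the last two sentences both submit the same name ('... and the query example.microsoft.com is submitted. If this query fails, devolution continues ... and the query example.microsoft.com is submitted'); the second should say that devolution stops at that name, which is what the following sentence about not devolving beyond level two means, since microsoft.com has two labels. It would also help to state plainly what "level" counts: the number of labels left in the devolved suffix, not the number dropped, as the example implies.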
+ + +**ADMX_DnsClient/DNS_IdnEncoding** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. + +If this policy setting is enabled, IDNs are not converted to Punycode. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off IDN encoding* +- GP name: *DNS_IdnEncoding* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_IdnMapping** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. + +If this policy setting is enabled, IDNs are converted to the Nameprep form. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IDN mapping* +- GP name: *DNS_IdnMapping* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_NameServer** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. + +To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. + +If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *DNS servers* +- GP name: *DNS_NameServer* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. + +If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prefer link local responses over DNS when received over a network with higher precedence* +- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + + +
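Review bot: The note 'This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured' refers to another policy in this same file, ADMX_DnsClient/DNS_SmartMultiHomedNameResolution, but in lowercase and without a link; use its GP English name ('Turn off smart multi-homed name resolution') and link to that entry so the dependency is easy to follow. Since that policy's own text says enabling it turns the optimisation off, spelling out here that this setting only has effect while the optimisation is on would save the reader a double negative.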
+ + +**ADMX_DnsClient/DNS_PrimaryDnsSuffix** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. + +To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. + +> [!IMPORTANT] +> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. + +If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. + +You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. + +If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Primary DNS suffix* +- GP name: *DNS_PrimaryDnsSuffix* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegisterAdapterName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. + +By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. + +If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. + +For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. + +Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. + +If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Register DNS records with connection-specific DNS suffix* +- GP name: *DNS_RegisterAdapterName* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
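Review bot: 'Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.' is a plain paragraph, while the rest of the file uses the '> [!IMPORTANT]' alert (see the DNS_PrimaryDnsSuffix entry above); convert it for consistency. That sentence also depends on the 'Dynamic update' policy (ADMX_DnsClient/DNS_RegistrationEnabled) documented further down, so a link would tell the reader where that switch lives. In the example, 'a connection specific DNS suffix of VPNconnection' is a single label, so the registered name mycomputer.VPNconnection reads unlike any real suffix; a multi-label suffix such as vpn.microsoft.com would make the example clearer.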
+ + +**ADMX_DnsClient/DNS_RegisterReverseLookup** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records. + +By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. + +If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. + +To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: + +- Do not register: Computers will not attempt to register PTR resource records +- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful. +- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Register PTR records* +- GP name: *DNS_RegisterReverseLookup* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
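Review bot: In the options list, the first bullet ('Do not register: Computers will not attempt to register PTR resource records') has no terminating period while the other two do; align the three. The second paragraph's 'attempt to register PTR resource record only if' should be plural, 'PTR resource records', as elsewhere in the entry. It would also help to say which of the three options the disabled/not-configured case ('computers will use locally configured settings') corresponds to by default, since the earlier paragraph already states the default is to register PTR only after the A record succeeds.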
+ + +**ADMX_DnsClient/DNS_RegistrationEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. + +If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. + +If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Dynamic update* +- GP name: *DNS_RegistrationEnabled* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. + +This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. + +During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. + +If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. + +If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Replace addresses in conflicts* +- GP name: *DNS_RegistrationOverwritesInConflict* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationRefreshInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. + +Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. + +> [!WARNING] +> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. + +To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. + +If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
+> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Registration refresh interval* +- GP name: *DNS_RegistrationRefreshInterval* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
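Review bot: The first sentence, 'specifies the interval used by DNS clients to refresh registration of A and PTR resource.', is missing the word "records". 'If you enable this policy setting, registration refresh interval that you specify' needs "the" before "registration". The warning compares this value with 'the DNS zone refresh interval'; the paragraph before it ties the risk to scavenging of stale records, so naming the zone's scavenging refresh interval explicitly would leave no doubt which interval is meant.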
+ + +**ADMX_DnsClient/DNS_RegistrationTtl** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. + +To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). + +If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *TTL value for A and PTR records* +- GP name: *DNS_RegistrationTtl* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SearchList** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. + +An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." + +Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." + +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. + +If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. + +If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. 
For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *DNS suffix search list* +- GP name: *DNS_SearchList* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. + +If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. + +If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off smart multi-homed name resolution* +- GP name: *DNS_SmartMultiHomedNameResolution* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SmartProtocolReorder** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. + +If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off smart protocol reordering* +- GP name: *DNS_SmartProtocolReorder* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UpdateSecurityLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates. + +To use this policy setting, click Enabled and then select one of the following values: + +- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused. +- Only unsecure - computers send only nonsecure dynamic updates. +- Only secure - computers send only secure dynamic updates. + +If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Update security level* +- GP name: *DNS_UpdateSecurityLevel* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." + +By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. + +If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. + +If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Update top level domain zones* +- GP name: *DNS_UpdateTopLevelDomainZones* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UseDomainNameDevolution** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +The primary DNS suffix, as specified on the Computer Name tab of the System control panel. + +Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. 
If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. + +If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + +If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Primary DNS suffix devolution* +- GP name: *DNS_UseDomainNameDevolution* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
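Review bot: the devolution example in the DNS_UseDomainNameDevolution description submits the same query twice. After "the query example.aaa.microsoft.com" fails, the text says "the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted", and the next sentence repeats "devolution continues ... and the query example.microsoft.com is submitted, corresponding to a devolution level of two." Since the paragraph then states the suffix cannot be devolved beyond level two, the second sentence looks like a duplicate and should be dropped so the example reads as one consistent sequence (ooo.aaa.microsoft.com, aaa.microsoft.com, microsoft.com). Minor: "till the specified devolution level" should be "until".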
+ + +**ADMX_DnsClient/Turn_Off_Multicast** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. + +LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. + +If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. + +If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off multicast name resolution* +- GP name: *Turn_Off_Multicast* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. 
+- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md new file mode 100644 index 0000000000..b964fbde10 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -0,0 +1,200 @@ +--- +title: Policy CSP - ADMX_EventForwarding +description: Policy CSP - ADMX_EventForwarding +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EventForwarding + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_EventForwarding policies + +
+
+ ADMX_EventForwarding/ForwarderResourceUsage +
+
+ ADMX_EventForwarding/SubscriptionManager +
+
+ + +
+ + +**ADMX_EventForwarding/ForwarderResourceUsage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. + +If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. + +If you disable or do not configure this policy setting, forwarder resource usage is not specified. + +This setting applies across all subscriptions for the forwarder (source computer). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure forwarder resource usage* +- GP name: *MaxForwardingRate* +- GP path: *Windows Components/Event Forwarding* +- GP ADMX file name: *EventForwarding.admx* + + + +
+ +
+ + +**ADMX_EventForwarding/SubscriptionManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. + +If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. + +Use the following syntax when using the HTTPS protocol: + +``` syntax + +Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=. +``` + +When using the HTTP protocol, use port 5985. + +If you disable or do not configure this policy setting, the Event Collector computer will not be specified. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure target Subscription Manager* +- GP name: *SubscriptionManager* +- GP path: *Windows Components/Event Forwarding* +- GP ADMX file name: *EventForwarding.admx* + + + +
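Review bot: the syntax block for SubscriptionManager has lost its placeholders. `Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=.` shows an empty host after `https://`, an empty `Refresh=` and an empty `IssuerCA=`, most likely because angle-bracket placeholders were interpreted as HTML when the ADMX text was pasted in. Restore placeholders for the three values the surrounding prose names (the collector's FQDN or IP address, the refresh interval, and the issuer CA), escaping them if the renderer requires it, and move the trailing period outside the code so it is not read as part of the string. The fence tag also carries a leading space (` ``` syntax`); a plain fence is safer for the build.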
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index ccc641c6a3..eb4a7086d1 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationDefaults -description: Policy CSP - ApplicationDefaults +description: Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 6b55aa34e3..1f128f9b64 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ApplicationManagement -description: Policy CSP - ApplicationManagement +description: Learn about various Policy configuration service provider (CSP) - ApplicationManagement, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index 6e15e10e88..2a224f8bfe 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md 
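Review bot: the new ApplicationDefaults and ApplicationManagement descriptions read "Learn about various Policy configuration service provider (CSP) - ApplicationDefaults, including SyncML, for Windows 10", which does not parse ("various ... provider"). Suggest something like "Learn about the ApplicationDefaults policies in the Policy configuration service provider (CSP), including SyncML examples, for Windows 10." and the same shape for ApplicationManagement.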
@@ -1,6 +1,6 @@ --- title: Policy CSP - AppRuntime -description: Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.Policy CSP - AppRuntime. +description: Learn how the Policy CSP - AppRuntime setting controls whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 29788ea127..63cdb4036d 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -1,6 +1,6 @@ --- title: Policy CSP - AppVirtualization -description: Policy CSP - AppVirtualization +description: Learn how the Policy CSP - AppVirtualization setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index cb2130e778..e808f11e13 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -1,6 +1,6 @@ --- title: Policy CSP - AttachmentManager -description: Manage Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). +description: Manage Windows marks file attachments with information about their zone of origin, such as restricted, internet, intranet, local. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index ffd4519182..7d0997f275 100644 --- a/windows/client-management/mdm/policy-csp-audit.md 
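Review bot: the AttachmentManager description still begins "Manage Windows marks file attachments with information about their zone of origin", which is not a sentence; the change only touched the parenthetical. Since this line is being edited anyway, rephrase it, for example "Learn how Windows marks file attachments with information about their zone of origin (restricted, internet, intranet, local) and how to manage that behavior."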
+++ b/windows/client-management/mdm/policy-csp-audit.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Audit -description: Policy CSP - Audit +description: Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 96f9787790..51f56ffbbb 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Authentication -description: Policy CSP - Authentication +description: The Policy CSP - Authentication setting allows the Azure AD tenant administrators to enable self service password reset feature on the Windows sign in screen. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 36a05de8df..15b769497e 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Autoplay -description: Policy CSP - Autoplay +description: Learn how the Policy CSP - Autoplay setting disallows AutoPlay for MTP devices like cameras or phones. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 28123a7dc0..6426fba5e8 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md 
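Review bot: the Audit description ("Learn how the Policy CSP - Audit setting causes an audit event to be generated when an account can't log on to a computer because the account is locked out") describes one sub-setting, while the title names the whole Audit CSP; a page-level description should state the CSP's scope (the audit policies an MDM can configure through it) rather than the first setting on the page, otherwise search results misrepresent the page. The Authentication description in this batch has the same shape ("allows the Azure AD tenant administrators to enable self service password reset"), and the pattern recurs in the later Bluetooth, Defender and DeviceGuard hunks; consider one pass over all of them.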
@@ -1,6 +1,6 @@ --- title: Policy CSP - Bluetooth -description: Policy CSP - Bluetooth +description: Learn how the Policy CSP - Bluetooth setting specifies whether the device can send out Bluetooth advertisements. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 206e99f3db..d2c9190e0b 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Browser -description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier. +description: Learn how to use the Policy CSP - Browser settings so you can configure Microsoft Edge browser, version 45 and earlier. ms.topic: article ms.prod: w10 ms.technology: windows diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 0def6900f0..93e5c5d6cf 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Camera -description: Policy CSP - Camera +description: Learn how to use the Policy CSP - Camera setting so that you can configure it to disable or enable the camera. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 3d156b1c89..ccd0ab26c1 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Cellular -description: Policy CSP - Cellular +description: Learn how to use the Policy CSP - Cellular setting so you can specify whether Windows apps can access cellular data. ms.author: dansimp ms.topic: article ms.prod: w10 
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index ee83ad3d00..503ee130bc 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Connectivity -description: Policy CSP - Connectivity +description: Learn how to use the Policy CSP - Connectivity setting to allow the user to enable Bluetooth or restrict access. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index a822c7a831..9a867b0778 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ControlPolicyConflict -description: Policy CSP - ControlPolicyConflict +description: Use the Policy CSP - ControlPolicyConflict setting to control which policy is used whenever both the MDM policy and its equivalent Group Policy are set on the device. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 425fcf361a..89e4817ce7 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -1,6 +1,6 @@ --- title: Policy CSP - CredentialProviders -description: Learn the policy CSP for credential provider set up, sign in, PIN requests and so on. +description: Learn how to use the policy CSP for credential provider so you can control whether a domain user can sign in using a convenience PIN. ms.author: dansimp ms.topic: article ms.prod: w10 
diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index c8416c3bb9..71447f45ab 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -1,6 +1,6 @@ --- title: Policy CSP - CredentialsDelegation -description: Policy CSP - CredentialsDelegation +description: Learn how to use the Policy CSP - CredentialsDelegation setting so that remote host can allow delegation of non-exportable credentials. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 349800035d..5ccf34a12e 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -1,6 +1,6 @@ --- title: Policy CSP - CredentialsUI -description: Policy CSP - CredentialsUI +description: Learn how to use the Policy CSP - CredentialsUI setting to configure the display of the password reveal button in password entry user experiences. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 55ceb74581..b141d4387b 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Cryptography -description: Policy CSP - Cryptography +description: Learn how to use the Policy CSP - Cryptography setting to allow or disallow the Federal Information Processing Standard (FIPS) policy. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 4c71a876a5..9da8c6ce2c 100644 
--- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -1,6 +1,6 @@ --- title: Policy CSP - DataProtection -description: Policy CSP - DataProtection +description: Use the Policy CSP - DataProtection setting to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 28f919ead9..cb540b3415 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -1,6 +1,6 @@ --- title: Policy CSP - DataUsage -description: Policy CSP - DataUsage +description: Learn how to use the Policy CSP - DataUsage setting to configure the cost of 4G connections on the local machine. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index c2fb83fe51..79fe896cdf 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Defender -description: Policy CSP - Defender +description: Learn how to use the Policy CSP - Defender setting so you can allow or disallow scanning of archives. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index bdf3985bb6..4061074c76 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - DeliveryOptimization -description: Policy CSP - DeliveryOptimization +description: Learn how to use the Policy CSP - DeliveryOptimization setting to configure one or more Microsoft Connected Cache servers to be used by Delivery Optimization. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 0ade992a1d..dfbed26745 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Desktop -description: Policy CSP - Desktop +description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 163655f59f..9512ffde73 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -1,6 +1,6 @@ --- title: Policy CSP - DeviceGuard -description: Policy CSP - DeviceGuard +description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 8277ae0425..60d4832fae 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - DeviceHealthMonitoring -description: Learn which DeviceHealthMonitoring policies are supported for your edition of Windows. +description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 9787467c21..ce84398393 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -1,6 +1,6 @@ --- title: Policy CSP - TaskManager -description: Policy CSP - TaskManager +description: Learn how to use the Policy CSP - TaskManager setting to determine whether non-administrators can use Task Manager to end tasks. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 44a8f08bdd..ab6ec4d46c 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -1,6 +1,6 @@ --- title: Policy CSP - TaskScheduler -description: Policy CSP - TaskScheduler +description: Learn how to use the Policy CSP - TaskScheduler setting to determine whether the specific task is enabled (1) or disabled (0). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index e1799a0c16..99360d692b 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - TextInput -description: Policy CSP - TextInput +description: The Policy CSP - TextInput setting allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index d029929145..8ef9349148 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -1,6 +1,6 @@ --- title: Policy CSP - TimeLanguageSettings -description: Learn which TimeLanguageSettings policies are supported for your edition of Windows. +description: Learn to use the Policy CSP - TimeLanguageSettings setting to specify the time zone to be applied to the device. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index 881b9b3a43..c7862d0866 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Troubleshooting -description: Policy CSP - Troubleshooting +description: The Policy CSP - Troubleshooting setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d9187a1854..38e9dd4066 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - Update -description: Manage a range of active hours for when update reboots are not scheduled. +description: The Policy CSP - Update allows the IT admin, when used with Update/ActiveHoursStart, to manage a range of active hours where update reboots aren't scheduled. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 73f3dfd843..df12efd32b 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1,6 +1,6 @@ --- title: Policy CSP - UserRights -description: Policy CSP - UserRights +description: Learn how user rights are assigned for user accounts or groups, and how the name of the policy defines the user right in question. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 770316e0bc..db63da7a5a 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Wifi -description: Policy CSP - Wifi +description: Learn how the Policy CSP - Wifi setting allows or disallows the device to automatically connect to Wi-Fi hotspots. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index 4cbed0f5f3..4f89b78bcf 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - WindowsConnectionManager -description: Policy CSP - WindowsConnectionManager +description: The Policy CSP - WindowsConnectionManager setting prevents computers from connecting to a domain based network and a non-domain based network simultaneously. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index d2c74ba941..a4cd3536f0 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1,6 +1,6 @@ --- title: Policy CSP - WindowsDefenderSecurityCenter -description: Policy CSP - WindowsDefenderSecurityCenter +description: Learn how to use the Policy CSP - WindowsDefenderSecurityCenter setting to display the Account protection area in Windows Defender Security Center. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index bc97e2e774..e60269d795 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -1,6 +1,6 @@ --- title: Policy CSP - WindowsInkWorkspace -description: Policy CSP - WindowsInkWorkspace +description: Learn to use the Policy CSP - WindowsInkWorkspace setting to specify whether to allow the user to access the ink workspace. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index d3793a4bb7..c7ccb54106 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - WindowsLogon -description: Policy CSP - WindowsLogon +description: Use the Policy CSP - WindowsLogon setting to control whether a device automatically signs in and locks the last interactive user after the system restarts. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index cc4f87b917..b60def1361 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -1,6 +1,6 @@ --- title: Policy CSP - WindowsPowerShell -description: Policy CSP - WindowsPowerShell +description: Use the Policy CSP - WindowsPowerShell setting to enable logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index eb74f99772..3aff9aac6c 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -1,6 +1,6 @@ --- title: Policy CSP - WirelessDisplay -description: Policy CSP - WirelessDisplay +description: Use the Policy CSP - WirelessDisplay setting to turn off the Wireless Display multicast DNS service advertisement from a Wireless Display receiver. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md index 0dada7486c..6e3d43c649 100644 --- a/windows/client-management/mdm/policy-csps-admx-backed.md +++ b/windows/client-management/mdm/policy-csps-admx-backed.md 
@@ -21,6 +21,51 @@ ms.date: 08/18/2020 > - [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory) +- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy) +- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet) +- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork) +- [ADMX_AddRemovePrograms/NoAddPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddpage) +- [ADMX_AddRemovePrograms/NoAddRemovePrograms](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddremoveprograms) +- [ADMX_AddRemovePrograms/NoChooseProgramsPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nochooseprogramspage) +- [ADMX_AddRemovePrograms/NoRemovePage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noremovepage) +- [ADMX_AddRemovePrograms/NoServices](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noservices) +- [ADMX_AddRemovePrograms/NoSupportInfo](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nosupportinfo) +- [ADMX_AddRemovePrograms/NoWindowsSetupPage](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-nowindowssetuppage) +- [ADMX_AppCompat/AppCompatPrevent16BitMach](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatprevent16bitmach) +- [ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatremoveprogramcompatproppage) +- [ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffapplicationimpacttelemetry) +- 
[ADMX_AppCompat/AppCompatTurnOffSwitchBack](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffswitchback) +- [ADMX_AppCompat/AppCompatTurnOffEngine](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffengine) +- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_1) +- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2) +- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord) +- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory) +- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline) +- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries) +- [ADMX_DnsClient/DNS_AppendToMultiLabelName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-appendtomultilabelname) +- [ADMX_DnsClient/DNS_Domain](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domain) +- [ADMX_DnsClient/DNS_DomainNameDevolutionLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-domainnamedevolutionlevel) +- [ADMX_DnsClient/DNS_IdnEncoding](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnencoding) +- [ADMX_DnsClient/DNS_IdnMapping](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-idnmapping) +- [ADMX_DnsClient/DNS_NameServer](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-nameserver) +- [ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-preferlocalresponsesoverlowerorderdns) +- [ADMX_DnsClient/DNS_PrimaryDnsSuffix](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-primarydnssuffix) +- 
[ADMX_DnsClient/DNS_RegisterAdapterName](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registeradaptername) +- [ADMX_DnsClient/DNS_RegisterReverseLookup](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registerreverselookup) +- [ADMX_DnsClient/DNS_RegistrationEnabled](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationenabled) +- [ADMX_DnsClient/DNS_RegistrationOverwritesInConflict](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationoverwritesinconflict) +- [ADMX_DnsClient/DNS_RegistrationRefreshInterval](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationrefreshinterval) +- [ADMX_DnsClient/DNS_RegistrationTtl](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-registrationttl) +- [ADMX_DnsClient/DNS_SearchList](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-searchlist) +- [ADMX_DnsClient/DNS_SmartMultiHomedNameResolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartmultihomednameresolution) +- [ADMX_DnsClient/DNS_SmartProtocolReorder](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-smartprotocolreorder) +- [ADMX_DnsClient/DNS_UpdateSecurityLevel](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatesecuritylevel) +- [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones) +- [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution) +- [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast) +- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage) +- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager) - [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) - 
[AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) - [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 7a522ee312..27c1aceaf0 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -1,6 +1,6 @@ --- title: Policy DDF file -description: Policy DDF file +description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md index ad4bb24be7..656e292b4e 100644 --- a/windows/client-management/mdm/policymanager-csp.md +++ b/windows/client-management/mdm/policymanager-csp.md @@ -1,6 +1,6 @@ --- title: PolicyManager CSP -description: PolicyManager CSP +description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP. ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md index cced09bc2b..c1d9034fe8 100644 --- a/windows/client-management/mdm/proxy-csp.md +++ b/windows/client-management/mdm/proxy-csp.md @@ -1,6 +1,6 @@ --- title: PROXY CSP -description: PROXY CSP +description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections. ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index e7cb92b9c4..d906bca3da 100644 
--- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -1,6 +1,6 @@ --- title: Reboot CSP -description: Reboot CSP +description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings. ms.assetid: 4E3F1225-BBAD-40F5-A1AB-FF221B6BAF48 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md index 38bd56ba6d..4978cc70e0 100644 --- a/windows/client-management/mdm/registry-csp.md +++ b/windows/client-management/mdm/registry-csp.md @@ -1,6 +1,6 @@ --- title: Registry CSP -description: Registry CSP +description: In this article, learn how to use the Registry configuration service provider (CSP) to update registry settings. ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md index 164f8d4a66..6b6bc9c191 100644 --- a/windows/client-management/mdm/registry-ddf-file.md +++ b/windows/client-management/mdm/registry-ddf-file.md @@ -1,6 +1,6 @@ --- title: Registry DDF file -description: Registry DDF file +description: Learn about the OMA DM device description framework (DDF) for the Registry configuration service provider (CSP). ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15 ms.reviewer: manager: dansimp diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 035bdf4010..5b464073a9 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md 
@@ -1,6 +1,6 @@ --- title: Create a provisioning package (Windows 10) -description: Learn how to create a provisioning package for Windows 10. Provisioning packages let you quickly configure a device without having to install a new image. +description: Learn how to create a provisioning package for Windows 10, which lets you quickly configure a device without having to install a new image. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
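Review bot: The merged description now reads "a provisioning package for Windows 10, which lets you quickly configure a device", where "which" attaches to Windows 10 rather than to the package. The two-sentence original was unambiguous; if a single sentence is wanted, use "Learn how to create a Windows 10 provisioning package, which lets you quickly configure a device without installing a new image" or "a provisioning package that lets you ...".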
@@ -21,44 +21,46 @@ manager: dansimp - Windows 10 - Windows 10 Mobile -You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. +You can use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings, and then apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. >[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) ->[!TIP] ->We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. +> [!TIP] +> We recommend creating a local admin account when you develop and test your provisioning package. We also recommend using a *least privileged* domain user account to join devices to the Active Directory domain. ## Start a new project 1. Open Windows Configuration Designer: - - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + - From either the Start screen or Start menu search, type **Windows Configuration Designer**, and then select the **Windows Configuration Designer** shortcut. or - - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. 
+ - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then select **ICD.exe**. 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: ![Configuration Designer wizards](../images/icd-create-options-1703.png) - - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). + - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) + + Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizards](provisioning-packages.md#configuration-designer-wizards). 
- - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. *The rest of this procedure uses advanced provisioning.* + - The **Advanced provisioning** option opens a new project with all the runtime settings available. (The rest of this procedure uses advanced provisioning.) >[!TIP] > You can start a project in the simple wizard editor and then switch the project to the advanced editor. > > ![Switch to advanced editor](../images/icd-switch.png) -3. Enter a name for your project, and then click **Next**. +3. Enter a name for your project, and then select **Next**. -4. Select the settings you want to configure, based on the type of device, and then click **Next**. The following table describes the options. +4. Select the settings you want to configure, based on the type of device, and then select **Next**. The following table describes the options. | Windows edition | Settings available for customization | Provisioning package can apply to | 
@@ -71,12 +73,12 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) | Common to Windows 10 Team edition | Common settings and settings specific to Windows 10 Team | [Microsoft Surface Hub](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) | -5. On the **Import a provisioning package (optional)** page, you can click **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then click **Finish**. +5. On the **Import a provisioning package (optional)** page, you can select **Finish** to create your project, or browse to and select an existing provisioning package to import to your project, and then select **Finish**. >[!TIP] ->**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. +>**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages that you create so you don't have to reconfigure those common settings repeatedly. -After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package. +6. In the **Available customizations** pane, you can now configure settings for the package. @@ -94,7 +96,7 @@ The process for configuring settings is similar for all settings. The following - +
step one
Expand a category.
Expand Certificates category
step two
Select a setting.
Select ClientCertificates
step three
Enter a value for the setting. Click Add if the button is displayed.
Enter a name for the certificate
step three
Enter a value for the setting. Select Add if the button is displayed.
Enter a name for the certificate
step four
Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.
Additional settings for client certificate
step five
When the setting is configured, it is displayed in the Selected customizations pane.
Selected customizations pane
@@ -106,39 +108,39 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Build package -1. After you're done configuring your customizations, click **Export** and select **Provisioning Package**. +1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**. ![Export on top bar](../images/icd-export-menu.png) -2. In the **Describe the provisioning package** window, enter the following information, and then click **Next**: +2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**: - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field. - - **Version (in Major.Minor format** - - Optional. You can change the default package version by specifying a new value in the **Version** field. + - **Version (in Major.Minor format** - Optional. You can change the default package version by specifying a new value in the **Version** field. - **Owner** - Select **IT Admin**. For more information, see [Precedence for provisioning packages](provisioning-how-it-works.md#precedence-for-provisioning-packages). - **Rank (between 0-99)** - Optional. You can select a value between 0 and 99, inclusive. The default package rank is 0. -3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate. Both selections are optional. Click **Next** after you make your selections. +3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional: - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen. 
- - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. + - **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package. >[!NOTE] - >You should only configure provisioning package security when the package is used for device provisioning and the package has contents with sensitive security data such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. + >You should only configure provisioning package security when the package is used for device provisioning and when the package has content with sensitive security data, such as certificates or credentials that should be prevented from being compromised. When applying an encrypted and/or signed provisioning package, either during OOBE or through the setting UI, the package can be decrypted, and if signed, be trusted without explicit user consent. An IT administrator can set policy on a user device to restrict the removal of required packages from the device, or the provisioning of potentially harmful packages on the device. > >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. 
In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then select **Next**. By default, Windows Configuration Designer uses the project folder as the output location. -5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. +5. In the **Build the provisioning package** window, select **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - If you need to cancel the build, click Cancel. This cancels the current build process, closes the wizard, and takes you back to the Customizations Page. + If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations** page. -6. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. +6. 
If your build fails, an error message will appear that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build. -7. When you are done, click **Finish** to close the wizard and go back to the Customizations page. +7. When you are done, select **Finish** to close the wizard and go back to the **Customizations** page. **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 27f6ebfdc9..b558969815 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -44,7 +44,7 @@ - name: Define your servicing strategy href: update/plan-define-strategy.md - name: Delivery Optimization for Windows 10 updates - href: update/waas-delivery-optimization-reference.md + href: update/waas-delivery-optimization.md - name: Best practices for feature updates on mission-critical devices href: update/feature-update-mission-critical.md - name: Windows 10 deployment considerations diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md index 92f03d2111..ba34b2d47b 100644 --- a/windows/privacy/manage-windows-1909-endpoints.md +++ b/windows/privacy/manage-windows-1909-endpoints.md 
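Review bot: the TOC.yml hunk retargets the "Delivery Optimization for Windows 10 updates" entry from `update/waas-delivery-optimization-reference.md` to `update/waas-delivery-optimization.md` without adding an entry for the reference page. Confirm that the new target exists in this change set and that the reference page is still reachable from the TOC elsewhere, otherwise it becomes an orphaned topic.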
@@ -96,6 +96,7 @@ The following methodology was used to derive these network endpoints: |||TLS v1.2|*g.live.com| |||HTTPS|oneclient.sfx.ms| |||HTTPS| logincdn.msauth.net| +|||HTTP| windows.policies.live.net| |Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| |||TLS v1.2|settings-win.data.microsoft.com| |Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| 
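Review bot: the new row `|||HTTP| windows.policies.live.net|` lists plain HTTP while the neighbouring rows in this block are HTTPS and TLS v1.2; confirm the protocol recorded by the methodology was really HTTP and not a slip for HTTPS, because readers use this column to decide what to allow through a proxy. Minor: the leading space inside the hostname cell matches the `logincdn.msauth.net` row directly above but not the `oneclient.sfx.ms` row; trimming both would make the table consistent.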
@@ -117,6 +118,7 @@ The following methodology was used to derive these network endpoints: |||HTTP|*.windowsupdate.com| ||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTP|*.delivery.mp.microsoft.com| |||HTTPS/TLS v1.2|*.update.microsoft.com| +||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com| ||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|HTTPS/TLS v1.2|tsfe.trafficshaping.dsp.mp.microsoft.com| ## Other Windows 10 editions diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md index dabc7f749b..2ae163cea6 100644 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ b/windows/security/identity-protection/access-control/active-directory-accounts.md @@ -470,7 +470,7 @@ Each default local account in Active Directory has a number of account settings
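Review bot: the added `adl.windows.com` row states the purpose ("compatibility database updates") but, unlike every other row in this table, gives no statement of what breaks if the traffic is turned off and no link to the turn-off instructions in the last column; suggest adding both so the row follows the table's pattern. While this table is being edited, the unchanged row below it ends mid-sentence ("This may result in content being either incorrectly.") and should be completed.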

Account is trusted for delegation

-

Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

+

Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.

Account is sensitive and cannot be delegated
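Review bot: the `-` and `+` lines in this hunk are blank in this view, so the actual edit (presumably a table-cell attribute or whitespace change in the HTML table) cannot be verified from the diff; the same applies to the later table hunks in this file. The change description should say what markup changed so a reviewer can confirm the rendered table keeps the same column structure.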

@@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings

Use DES encryption types for this account

Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).

-Note

DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.

+Note

DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see Hunting down DES in order to securely deploy Kerberos.

@@ -656,8 +656,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s -

Windows Update Setting

-

Configuration

+

Windows Update Setting

+

Configuration

Allow Automatic Updates immediate installation

diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 7e7c2236cd..56e4f2edf2 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -297,9 +297,9 @@ The following table shows the Group Policy and registry settings that are used t -

No.

-

Setting

-

Detailed Description

+

No.

+

Setting

+

Detailed Description

@@ -334,7 +334,7 @@ The following table shows the Group Policy and registry settings that are used t

3

Registry key

-

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

+

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

@@ -444,9 +444,9 @@ The following table shows the Group Policy settings that are used to deny networ -

No.

-

Setting

-

Detailed Description

+

No.

+

Setting

+

Detailed Description

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 7f5c4ffe62..25d125585e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -98,7 +98,7 @@ The following tables describe baseline protections, plus protections for improve | Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. @@ -133,5 +133,5 @@ The following table lists qualifications for Windows 10, version 1703, which are | Protections for Improved Security | Description | Security Benefits |---|---|---| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
    - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features. | • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index ae96f09ed1..e609c9469d 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -657,7 +657,7 @@ function PrintHardwareReq { LogAndConsole "###########################################################################" LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home" + LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT" LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT" LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr" LogAndConsole "########################################################################### `n" @@ -735,7 +735,7 @@ function CheckOSSKU $osname = $((gwmi win32_operatingsystem).Name).ToLower() $_SKUSupported = 0 Log "OSNAME:$osname" - $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home") + $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server") $HLKAllowed = @("microsoft windows 10 pro") foreach ($SKUent in $SKUarray) { diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 33a9c450e1..7a92ed864a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
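Review bot: the `+` line of the "VBS enablement of NX protection for UEFI runtime services" row reproduces the typo "not required for in non-volatile storage" in the PE-sections bullet; it should read "not required in non-volatile storage". Since the row is otherwise copied verbatim, this is the right change in which to fix it. The adjacent, unchanged WSMT row also has a run-on benefit sentence ("Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS") that should be split into two sentences while here.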
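Review bot: the dg-readiness-tool hunk at line 735 removes `"Pro"` and `"Home"` from `$SKUarray` but leaves `$HLKAllowed = @("microsoft windows 10 pro")` in place, so Pro is still accepted on the HLK path while the user-facing message changed in the line 657 hunk now says only Enterprise, Server, Education and Enterprise IoT are supported. Either the message should mention the Pro/HLK exception or `$HLKAllowed` should be revisited, so what the tool prints and what it checks agree. Minor: that message mixes "OS SKUs" and "OS Skus".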
@@ -84,7 +84,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 1. In the **Custom OMA-URI Settings** blade, Click **Add**. 1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. 1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. -1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. +1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile. #### Assign the PIN Reset Device configuration profile using Microsoft Intune diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index f220db21f6..0fb161ccb5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -17,7 +17,7 @@ ms.reviewer: --- # Windows Hello for Business Provisioning -Applies to: +Applies to: - Windows 10 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index ae11903279..8df0ef33bb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
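Review bot: the `+` line of step 4 in the PIN reset hunk keeps the unclosed bold `Click **Create to save the profile.`; it should read `Click **Create** to save the profile.` The `-` and `+` lines are otherwise identical here, so the markup fix belongs in this same change.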
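Review bot: in the hello-how-it-works-provisioning hunk the context line "Provisioning experience vary based on:" has a number-agreement error; it should be "Provisioning experiences vary based on:" (or "The provisioning experience varies based on:"). Worth fixing while this header block is being touched.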
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -187,7 +187,7 @@ The web server is ready to host the CRL distribution point. Now, configure the 1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**. 2. In the navigation pane, right-click the name of the certificate authority and click **Properties** 3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list. -4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). +4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash). ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png) 5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. 6. Type **.crl** at the end of the text in **Location**. Click **OK**. @@ -225,7 +225,7 @@ The web server is ready to host the CRL distribution point. Now, configure the Validate your new CRL distribution point is working. -1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. +1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL. ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png) ### Reissue domain controller certificates diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 4e95da0531..373339ebcd 100644 
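Review bot: step 4 of the CDP hunk reads `For example, ** or ** (do not forget the trailing forward slash)` and the `+` line preserves the empty bold markers, so the two example locations are missing from the rendered text. Restore the example URLs the step originally carried instead of leaving empty `**`. The unchanged step 5 has the same problem (`Select **\** from the **Variable** list`, three times) where the variable names are absent.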
--- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -58,7 +58,7 @@ Use the following table to compare different Remote Desktop connection security | **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server | | **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.

For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). | | **Helps prevent**                    |      N/A          |
  • Pass-the-Hash
  • Use of a credential after disconnection
|
  • Pass-the-Hash
  • Use of domain identity during connection
| -| **Credentials supported from the remote desktop client device** |
  • Signed on credentials
  • Supplied credentials
  • Saved credentials
|
  • Signed on credentials only |
    • Signed on credentials
    • Supplied credentials
    • Saved credentials
    | +| **Credentials supported from the remote desktop client device** |
    • Signed on credentials
    • Supplied credentials
    • Saved credentials
    |
    • Signed on credentials only |
      • Signed on credentials
      • Supplied credentials
      • Saved credentials
      | | **Access** | **Users allowed**, that is, members of Remote Desktop Users group of remote host. | **Users allowed**, that is, members of Remote Desktop Users of remote host. | **Administrators only**, that is, only members of Administrators group of remote host. | | **Network identity** | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as signed-in user**. | Remote Desktop session **connects to other resources as remote host’s identity**. | | **Multi-hop** | From the remote desktop, **you can connect through Remote Desktop to another computer** | From the remote desktop, you **can connect through Remote Desktop to another computer**. | Not allowed for user as the session is running as a local host account | diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 4a92507705..560f4b240c 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -270,7 +270,7 @@ To better understand each component, review the table below: -The slider will never turn UAC completely off. If you set it to Never notify, it will: +The slider will never turn UAC completely off. If you set it to Never notify, it will: - Keep the UAC service running. - Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 96fc9bd8c2..405ffb126f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md 
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -252,11 +252,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us -

      Name

      -

      Parameters

      +

      Name

      +

      Parameters

      -

      Add-BitLockerKeyProtector

      +

      Add-BitLockerKeyProtector

      -ADAccountOrGroup

      -ADAccountOrGroupProtector

      -Confirm

      @@ -278,26 +278,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us

      -WhatIf

      -

      Backup-BitLockerKeyProtector

      +

      Backup-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Disable-BitLocker

      +

      Disable-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Disable-BitLockerAutoUnlock

      +

      Disable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Enable-BitLocker

      +

      Enable-BitLocker

      -AdAccountOrGroup

      -AdAccountOrGroupProtector

      -Confirm

      @@ -322,44 +322,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us

      -WhatIf

      -

      Enable-BitLockerAutoUnlock

      +

      Enable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Get-BitLockerVolume

      +

      Get-BitLockerVolume

      -MountPoint

      -

      Lock-BitLocker

      +

      Lock-BitLocker

      -Confirm

      -ForceDismount

      -MountPoint

      -WhatIf

      -

      Remove-BitLockerKeyProtector

      +

      Remove-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Resume-BitLocker

      +

      Resume-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Suspend-BitLocker

      +

      Suspend-BitLocker

      -Confirm

      -MountPoint

      -RebootCount

      -WhatIf

      -

      Unlock-BitLocker

      +

      Unlock-BitLocker

      -AdAccountOrGroup

      -Confirm

      -MountPoint

      @@ -374,7 +374,7 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. +Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. > **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 436ef15fe7..be8ab9ed7b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -106,39 +106,39 @@ This policy setting allows users on devices that are compliant with Modern Stand -
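Review bot: the context paragraph above the changed line refers to "the Get-BitLocker volume cmdlet"; the cmdlet is `Get-BitLockerVolume`, exactly as the `+` line itself spells it, so the name should be corrected in the same hunk. The `+` line is otherwise identical to the `-` line.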

      Policy description

      +

      Policy description

      With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.

      -

      Introduced

      +

      Introduced

      Windows 10, version 1703

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware.

      -

      When enabled

      +

      When enabled

      Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The options of the Require additional authentication at startup policy apply.

      -Reference +Reference The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN. @@ -156,37 +156,37 @@ This policy is used in addition to the BitLocker Drive Encryption Network Unlock -

      Policy description

      +

      Policy description

      With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Clients cannot create and use Network Key Protectors

      -Reference +Reference To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. You can use the Group Policy setting **Computer Configuration\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate** on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create network key protectors to automatically unlock by using Network Unlock. @@ -205,39 +205,39 @@ This policy setting is used to control which unlock options are available for op -
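Review bot: in the @@ -156,37 hunk above (Network Unlock), the "When disabled or not configured" cell "Clients cannot create and use Network Key Protectors" is missing its terminal period, and it capitalizes "Network Key Protectors" while the Policy description cell and the Reference text write "network key protectors"; use one form for the whole table.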

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      If one authentication method is required, the other methods cannot be allowed.

      -

      Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When enabled

      +

      When enabled

      Users can configure advanced startup options in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Users can configure only basic options on computers with a TPM.

      Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.

      -Reference +Reference If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. @@ -282,31 +282,31 @@ This policy setting permits the use of enhanced PINs when you use an unlock meth -
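Review bot: in the @@ -205,39 hunk above (Require additional authentication at startup), the sentence "Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs." sits under "When disabled or not configured", but it describes a constraint on the options offered when the policy is enabled and restates the Conflicts row "If one authentication method is required, the other methods cannot be allowed." Move it into the Conflicts or When enabled cell so the disabled/not-configured cell states only the resulting behavior ("Users can configure only basic options on computers with a TPM.").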

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Enhanced PINs will not be used.

      @@ -330,37 +330,37 @@ This policy setting is used to set a minimum PIN length when you use an unlock m -

      Policy description

      +

      Policy description

      With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Users can configure a startup PIN of any length between 6 and 20 digits.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. @@ -413,31 +413,31 @@ This policy setting allows you to configure whether standard users are allowed t -
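Review bot: in the @@ -330,37 hunk above (minimum PIN length), the Reference text repeats the Policy description verbatim ("This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits."); drop the duplicate from one of the two places, or have the Reference add what the table does not say, for example that the 6-digit default is what applies when the policy is not configured.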

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Standard users are not allowed to change BitLocker PINs or passwords.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Standard users are permitted to change BitLocker PINs or passwords.

      @@ -459,37 +459,37 @@ This policy controls how non-TPM based systems utilize the password protector. U -

      Policy description

      +

      Policy description

      With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      Passwords cannot be used if FIPS-compliance is enabled.

      -Note

      The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

      +Note

      The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

      -

      When enabled

      -

      Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity.

      +

      When enabled

      +

      Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.

      @@ -522,37 +522,37 @@ This policy setting is used to control what unlock options are available for com -
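Review bot: in the @@ -459,37 hunk above (passwords for operating system drives), the Note cell is missing the comma that closes its relative clause: "...which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled." should read "...Security Options, specifies whether FIPS-compliance is enabled."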

      Policy description

      +

      Policy description

      With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives (Windows Server 2008 and Windows Vista)

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      If you choose to require an additional authentication method, other authentication methods cannot be allowed.

      -

      When enabled

      +

      When enabled

      The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.

      -Reference +Reference On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN. @@ -586,41 +586,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi -

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      -

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      +

      Conflicts

      +

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      -

      When enabled

      -

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

      +

      When enabled

      +

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box.

      -

      When disabled

      +

      When disabled

      Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives.

      -

      When not configured

      +

      When not configured

      Smart cards can be used to authenticate user access to a BitLocker-protected drive.

      -Reference +Reference >**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive. @@ -635,41 +635,41 @@ This policy setting is used to require, allow, or deny the use of passwords with -
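Review bot: in the @@ -586,41 hunk above (smart cards on fixed data drives), the Conflicts cell gives the path "Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance", which omits the "Windows Components\" node; the Policy path cell for that same setting later in this patch reads "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption", so the Conflicts path should include "Windows Components\" as well.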

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      -

      To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

      +

      Conflicts

      +

      To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled.

      -

      When enabled

      -

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

      +

      When enabled

      +

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity.

      -

      When disabled

      +

      When disabled

      The user is not allowed to use a password.

      -

      When not configured

      +

      When not configured

      Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

      -Reference +Reference When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled. @@ -699,41 +699,41 @@ This policy setting is used to require, allow, or deny the use of smart cards wi -

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      -

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      +

      Conflicts

      +

      To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates.

      -

      When enabled

      -

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

      +

      When enabled

      +

      Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.

      -

      When not configured

      +

      When not configured

      Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.

      -Reference +Reference >**Note:** These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. @@ -748,41 +748,41 @@ This policy setting is used to require, allow, or deny the use of passwords with -
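Review bot: in the @@ -699,41 hunk above (smart cards on removable data drives), the table has both a "When disabled or not configured" row ("Users are not allowed to use smart cards...") and a "When not configured" row ("Smart cards are available to authenticate..."), which contradict each other for the not-configured case; the fixed-data-drives table earlier in this patch labels the first of these rows "When disabled", and this table should use the same label. The Conflicts cell also repeats the path "Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance" without the "Windows Components\" node that appears in that setting's own Policy path row.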

      Policy description

      +

      Policy description

      With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      -

      To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

      +

      Conflicts

      +

      To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled.

      -

      When enabled

      -

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

      +

      When enabled

      +

      Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity.

      -

      When disabled

      +

      When disabled

      The user is not allowed to use a password.

      -

      When not configured

      +

      When not configured

      Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

      -Reference +Reference If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. @@ -812,37 +812,37 @@ This policy setting is used to determine what certificate to use with BitLocker. -

      Policy description

      +

      Policy description

      With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed and removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      -

      The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.

      +

      When enabled

      +

      The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default object identifier is used.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -863,37 +863,37 @@ This policy setting allows users to enable authentication options that require u -

      Policy description

      +

      Policy description

      With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Devices must have an alternative means of preboot input (such as an attached USB keyboard).

      -

      When disabled or not configured

      +

      When disabled or not configured

      The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.

      -Reference +Reference The Windows touch keyboard (such as used by tablets) is not available in the preboot environment where BitLocker requires additional information, such as a PIN or password. @@ -918,37 +918,37 @@ This policy setting is used to require encryption of fixed drives prior to grant -
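Review bot: in the @@ -863,41 hunk above (preboot keyboard input on slates), the Drive type cell reads "Operating system drive" and the Policy path ends in "\Operating System Drive", both singular, whereas every other operating-system-drive setting in this patch uses "Operating system drives" and "...\BitLocker Drive Encryption\Operating System Drives"; unless the path really differs for this setting, make the drive type and path match the others.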

      Policy description

      +

      Policy description

      With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      See the Reference section for a description of conflicts.

      -

      When enabled

      +

      When enabled

      All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

      -

      When disabled or not configured

      +

      When disabled or not configured

      All fixed data drives on the computer are mounted with Read and Write access.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -973,37 +973,37 @@ This policy setting is used to require that removable drives are encrypted prior -

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      See the Reference section for a description of conflicts.

      -

      When enabled

      +

      When enabled

      All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access.

      -

      When disabled or not configured

      +

      When disabled or not configured

      All removable data drives on the computer are mounted with Read and Write access.

      -Reference +Reference If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting. @@ -1026,41 +1026,41 @@ This policy setting is used to prevent users from turning BitLocker on or off on -

      Policy description

      +

      Policy description

      With this policy setting, you can control the use of BitLocker on removable data drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can select property settings that control how users can configure BitLocker.

      -

      When disabled

      +

      When disabled

      Users cannot use BitLocker on removable data drives.

      -

      When not configured

      +

      When not configured

      Users can use BitLocker on removable data drives.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1082,37 +1082,37 @@ This policy setting is used to control the encryption method and cipher strength -

      Policy description

      +

      Policy description

      With this policy setting, you can control the encryption method and strength for drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.

      -Reference +Reference The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). @@ -1138,42 +1138,42 @@ This policy controls how BitLocker reacts to systems that are equipped with encr -

      Policy description

      +

      Policy description

      With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

      -

      When disabled

      +

      When disabled

      BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

      -

      When not configured

      +

      When not configured

      BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

      -Reference +Reference >**Note:** The **Choose drive encryption method and cipher strength** policy setting does not apply to hardware-based encryption. @@ -1193,41 +1193,41 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper -
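Review bot: the "When disabled" cell of the hardware-based encryption table for fixed data drives above carries a typo on both the removed and the added line: "when the drive in encrypted" should read "when the drive is encrypted". Since the line is being rewritten anyway, fix it in this PR.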

      Policy description

      +

      Policy description

      With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

      -

      When disabled

      +

      When disabled

      BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

      -

      When not configured

      +

      When not configured

      BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

      -Reference +Reference If hardware-based encryption is not available, BitLocker software-based encryption is used instead. @@ -1249,41 +1249,41 @@ This policy controls how BitLocker reacts to encrypted drives when they are used -
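Review bot: the same typo appears in the "When disabled" cell of the hardware-based encryption table for operating system drives above: "when the drive in encrypted" should be "when the drive is encrypted" on the added line.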

      Policy description

      +

      Policy description

      With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Removable data drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.

      -

      When disabled

      +

      When disabled

      BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.

      -

      When not configured

      +

      When not configured

      BitLocker software-based encryption is used irrespective of hardware-based encryption ability.

      -Reference +Reference If hardware-based encryption is not available, BitLocker software-based encryption is used instead. @@ -1305,37 +1305,37 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio -
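Review bot: the "When disabled" cell of the hardware-based encryption table for removable data drives above repeats the "when the drive in encrypted" typo on the added line; change it to "when the drive is encrypted" so all three hardware-encryption tables read the same.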

      Policy description

      +

      Policy description

      With this policy setting, you can configure the encryption type that is used by BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Fixed data drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. @@ -1354,37 +1354,37 @@ This policy controls whether operating system drives utilize Full encryption or -

      Policy description

      +

      Policy description

      With this policy setting, you can configure the encryption type that is used by BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. @@ -1403,37 +1403,37 @@ This policy controls whether fixed data drives utilize Full encryption or Used S -

      Policy description

      +

      Policy description

      With this policy setting, you can configure the encryption type that is used by BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Removable data drive

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. @@ -1452,38 +1452,38 @@ This policy setting is used to configure recovery methods for operating system d -

      Policy description

      +

      Policy description

      With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

      +

      Conflicts

      +

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting.

      -

      When enabled

      +

      When enabled

      You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1513,37 +1513,37 @@ This policy setting is used to configure recovery methods for BitLocker-protecte -

      Policy description

      +

      Policy description

      With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      -

      This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

      +

      Conflicts

      +

      This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error.

      -

      When enabled

      +

      When enabled

      You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard presents users with ways to store recovery options.

      -Reference +Reference This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker. @@ -1567,37 +1567,37 @@ This policy setting is used to configure the storage of BitLocker recovery infor -
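Review bot: "Bitlocker Setup Wizard" in the "When enabled" cell of the Windows Server 2008 and Windows Vista recovery-options table above is miscapitalized on the added line; every other cell in the file writes "BitLocker Setup Wizard", so correct it while the line is being touched.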

      Policy description

      +

      Policy description

      With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.

      -

      When disabled or not configured

      +

      When disabled or not configured

      BitLocker recovery information is not backed up to AD DS.

      -Reference +Reference This policy is only applicable to computers running Windows Server 2008 or Windows Vista. @@ -1625,37 +1625,37 @@ This policy setting is used to configure the default folder for recovery passwor -

      Policy description

      +

      Policy description

      With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password.

      -

      Introduced

      +

      Introduced

      Windows Vista

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1672,38 +1672,38 @@ This policy setting is used to configure recovery methods for fixed data drives. -

      Policy description

      +

      Policy description

      With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      -

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      +

      Conflicts

      +

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      -

      When enabled

      +

      When enabled

      You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1733,38 +1733,38 @@ This policy setting is used to configure recovery methods for removable data dri -

      Policy description

      +

      Policy description

      With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      -

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      -

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      +

      Conflicts

      +

      You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled.

      +

      When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting.

      -

      When enabled

      +

      When enabled

      You can control the methods that are available to users to recover data from BitLocker-protected removable data drives.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. @@ -1791,37 +1791,37 @@ This policy setting is used to configure the entire recovery message and to repl -

      Policy description

      +

      Policy description

      With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.

      -

      Introduced

      +

      Introduced

      Windows 10

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      -

      The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option.

      +

      When enabled

      +

      The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option.

      -

      When disabled or not configured

      +

      When disabled or not configured

      If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.

      -Reference +Reference Enabling the **Configure the pre-boot recovery message and URL** policy setting allows you to customize the default recovery screen message and URL to assist customers in recovering their key. @@ -1846,38 +1846,38 @@ This policy controls how BitLocker-enabled system volumes are handled in conjunc -
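Review bot: the "Policy path" cell of the pre-boot recovery message table above is formatted differently from every other table in the file: it uses spaced backslashes ("Computer Configuration \ Administrative Templates \ ...") and appends the setting name ("Configure pre-boot recovery message and URL") to the path, whereas the other tables use unspaced backslashes and stop at the folder ("...\BitLocker Drive Encryption\Operating System Drives"); normalize it while the cell is being rewritten. The "When disabled or not configured" cell also needs a comma after each conditional clause: "If the setting has not been previously enabled, the default pre-boot recovery screen is displayed ..." and "If the setting previously was enabled and is subsequently disabled, the last message ...".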

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

      +

      Conflicts

      +

      If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.

      For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

      -

      When enabled or not configured

      +

      When enabled or not configured

      BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.

      -

      When disabled

      +

      When disabled

      BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.

      -Reference +Reference Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. @@ -1895,37 +1895,37 @@ This policy setting is used to establish an identifier that is applied to all dr -
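Review bot: the "Conflicts" cell of the "Allow Secure Boot for integrity validation" table above carries a grammatical slip into the added line: "is not enabled or include PCR 7" should be "is not enabled or includes PCR 7". Separately, the "Drive type" cell says "All drives" while the policy description, the policy path and the "When enabled or not configured" text all refer to operating system drives only; confirm which is correct before merging rather than carrying the inconsistency forward.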

      Policy description

      +

      Policy description

      With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer.

      -

      When enabled

      +

      When enabled

      You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The identification field is not required.

      -Reference +Reference These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line tool. @@ -1952,37 +1952,37 @@ This policy setting is used to control whether the computer's memory will be ove -

      Policy description

      +

      Policy description

      With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets.

      -

      Introduced

      +

      Introduced

      Windows Vista

      -

      Drive type

      +

      Drive type

      All drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.

      -

      When disabled or not configured

      +

      When disabled or not configured

      BitLocker secrets are removed from memory when the computer restarts.

      -Reference +Reference This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled. @@ -1997,37 +1997,37 @@ This policy setting determines what values the TPM measures when it validates ea -

      Policy description

      +

      Policy description

      With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

      -Reference +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. @@ -2072,37 +2072,37 @@ This policy setting determines what values the TPM measures when it validates ea -

      Policy description

      +

      Policy description

      With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 and Windows Vista

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

      -

      When disabled or not configured

      +

      When disabled or not configured

      The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

      -Reference +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. @@ -2147,39 +2147,39 @@ This policy setting determines what values the TPM measures when it validates ea -

      Policy description

      +

      Policy description

      With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

      +

      Conflicts

      +

      Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.

      If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.

      For more information about PCR 7, see Platform Configuration Register (PCR) in this topic.

      -

      When enabled

      +

      When enabled

      Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.

      -

      When disabled or not configured

      +

      When disabled or not configured

      BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

      -Reference +Reference This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. @@ -2222,41 +2222,41 @@ This policy setting determines if you want platform validation data to refresh w -
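Review bot: stray comma in the Conflicts cell of the TPM platform validation profile hunk above, kept on the + line: "Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting" separates the subject from its verb. Suggest "Setting this policy with PCR 7 omitted overrides the Allow Secure Boot for integrity validation Group Policy setting and prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation." The next sentence, "this policy should not be configured", would also read better in the imperative used elsewhere in these tables ("do not configure this policy").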

      Policy description

      +

      Policy description

      With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled

      +

      When enabled

      Platform validation data is refreshed when Windows is started following a BitLocker recovery.

      -

      When disabled

      +

      When disabled

      Platform validation data is not refreshed when Windows is started following a BitLocker recovery.

      -

      When not configured

      +

      When not configured

      Platform validation data is refreshed when Windows is started following a BitLocker recovery.

      -Reference +Reference For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md). @@ -2271,41 +2271,41 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t -

      Policy description

      +

      Policy description

      With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation.

      -

      Introduced

      +

      Introduced

      Windows Server 2012 and Windows 8

      -

      Drive type

      +

      Drive type

      Operating system drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

      -

      Conflicts

      -

      When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting).

      +

      Conflicts

      +

      When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting).

      -

      When enabled

      +

      When enabled

      You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings.

      -

      When disabled

      +

      When disabled

      The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.

      -

      When not configured

      +

      When not configured

      The computer verifies the default BCD settings in Windows.

      -Reference +Reference >**Note:** The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list. @@ -2320,37 +2320,37 @@ This policy setting is used to control whether access to drives is allowed by us -
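Review bot: the Reference note closing the enhanced BCD validation profile hunk above is ambiguous: "The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it is included in the inclusion or the exclusion list" reads as though the boot-debugging setting itself has no effect. Given the "When enabled" cell, where the inclusion and exclusion lists decide which BCD settings are verified, the intended meaning is that listing 0x16000010 changes nothing because it is always validated; suggest "...is always validated; including it in the inclusion or the exclusion list has no effect."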

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Fixed data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled and When not configured

      +

      When enabled and When not configured

      Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

      -

      When disabled

      +

      When disabled

      Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

      -Reference +Reference >**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. @@ -2367,37 +2367,37 @@ This policy setting controls access to removable data drives that are using the -
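Review bot: the operating-system lists in the fixed-data-drive hunk above disagree with each other. The Policy description cell names "Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2)", the "When enabled and When not configured" cell adds Windows Server 2008 ("computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2"), and the "When disabled" cell drops it again. Since the cells describe the same set of down-level readers, align all three on one list (the removable-drive hunk below lists only the three client versions). Also, "Read-only access" mid-sentence should be lowercase "read-only".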

      Policy description

      +

      Policy description

      With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.

      -

      Introduced

      +

      Introduced

      Windows Server 2008 R2 and Windows 7

      -

      Drive type

      +

      Drive type

      Removable data drives

      -

      Policy path

      +

      Policy path

      Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives

      -

      Conflicts

      +

      Conflicts

      None

      -

      When enabled and When not configured

      +

      When enabled and When not configured

      Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.

      -

      When disabled

      +

      When disabled

      Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed.

      -Reference +Reference >**Note:** This policy setting does not apply to drives that are formatted with the NTFS file system. @@ -2414,37 +2414,37 @@ You can configure the Federal Information Processing Standard (FIPS) setting for -
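Review bot: awkward stacked relative clause in the "When disabled" cell of the removable-data-drive hunk above, kept unchanged on the + line: "Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked". The fixed-drive hunk phrases the same sentence as "that are formatted with the FAT file system and are BitLocker-protected"; use that form here so the two tables read alike.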

      Policy description

      +

      Policy description

      Notes

      -

      Introduced

      +

      Introduced

      Windows Server 2003 with SP1

      -

      Drive type

      +

      Drive type

      System-wide

      -

      Policy path

      -

      Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

      +

      Policy path

      +

      Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

      -

      Conflicts

      +

      Conflicts

      Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems.

      -

      When enabled

      +

      When enabled

      Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.

      -

      When disabled or not configured

      +

      When disabled or not configured

      No BitLocker encryption key is generated

      -Reference +Reference This policy needs to be enabled before any encryption key is generated for BitLocker. Note that when this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead. diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md index e8bd11f12b..275443414a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md @@ -24,7 +24,7 @@ ms.date: 07/10/2018 ## What is BitLocker To Go? -BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. +BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements). As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel. diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index e4e1a3ffcd..220bed5038 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md 
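Review bot: in the FIPS policy table hunk above (the one whose Policy path is "Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"), the Policy description cell contains only the word "Notes", which looks like a leftover placeholder; every other policy table in this patch carries a sentence there, and this one should at least state that the setting controls whether BitLocker uses FIPS-compliant algorithms. Second, the "When disabled or not configured" cell, "No BitLocker encryption key is generated", reads as a claim that BitLocker does not work unless FIPS mode is on, which sits oddly beside the Reference text "This policy needs to be enabled before any encryption key is generated for BitLocker" and the statement that, when enabled, BitLocker "prevents creating or using recovery passwords". Reword the disabled state to describe what actually applies (for instance, that the FIPS restriction is not applied and recovery passwords remain available, as the Reference implies) rather than leaving a sentence an operator could read as "BitLocker is off".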
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -126,11 +126,11 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work -

      Name

      -

      Parameters

      +

      Name

      +

      Parameters

      -

      Add-BitLockerKeyProtector

      +

      Add-BitLockerKeyProtector

      -ADAccountOrGroup

      -ADAccountOrGroupProtector

      -Confirm

      @@ -152,26 +152,26 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work

      -WhatIf

      -

      Backup-BitLockerKeyProtector

      +

      Backup-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Disable-BitLocker

      +

      Disable-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Disable-BitLockerAutoUnlock

      +

      Disable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Enable-BitLocker

      +

      Enable-BitLocker

      -AdAccountOrGroup

      -AdAccountOrGroupProtector

      -Confirm

      @@ -196,44 +196,44 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work

      -WhatIf

      -

      Enable-BitLockerAutoUnlock

      +

      Enable-BitLockerAutoUnlock

      -Confirm

      -MountPoint

      -WhatIf

      -

      Get-BitLockerVolume

      +

      Get-BitLockerVolume

      -MountPoint

      -

      Lock-BitLocker

      +

      Lock-BitLocker

      -Confirm

      -ForceDismount

      -MountPoint

      -WhatIf

      -

      Remove-BitLockerKeyProtector

      +

      Remove-BitLockerKeyProtector

      -Confirm

      -KeyProtectorId

      -MountPoint

      -WhatIf

      -

      Resume-BitLocker

      +

      Resume-BitLocker

      -Confirm

      -MountPoint

      -WhatIf

      -

      Suspend-BitLocker

      +

      Suspend-BitLocker

      -Confirm

      -MountPoint

      -RebootCount

      -WhatIf

      -

      Unlock-BitLocker

      +

      Unlock-BitLocker

      -AdAccountOrGroup

      -Confirm

      -MountPoint

      diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 1473dadc79..d6b97d2ac5 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -168,91 +168,91 @@ The following table contains information about both Physical Disk Resources (i.e -

      Action

      -

      On owner node of failover volume

      -

      On Metadata Server (MDS) of CSV

      -

      On (Data Server) DS of CSV

      -

      Maintenance Mode

      +

      Action

      +

      On owner node of failover volume

      +

      On Metadata Server (MDS) of CSV

      +

      On (Data Server) DS of CSV

      +

      Maintenance Mode

      -

      Manage-bde –on

      +

      Manage-bde –on

      Blocked

      Blocked

      Blocked

      Allowed

      -

      Manage-bde –off

      +

      Manage-bde –off

      Blocked

      Blocked

      Blocked

      Allowed

      -

      Manage-bde Pause/Resume

      +

      Manage-bde Pause/Resume

      Blocked

      -

      Blocked

      +

      Blocked

      Blocked

      Allowed

      -

      Manage-bde –lock

      +

      Manage-bde –lock

      Blocked

      Blocked

      Blocked

      Allowed

      -

      manage-bde –wipe

      +

      manage-bde –wipe

      Blocked

      Blocked

      Blocked

      Allowed

      -

      Unlock

      +

      Unlock

      Automatic via cluster service

      Automatic via cluster service

      Automatic via cluster service

      Allowed

      -

      manage-bde –protector –add

      +

      manage-bde –protector –add

      Allowed

      Allowed

      Blocked

      Allowed

      -

      manage-bde -protector -delete

      +

      manage-bde -protector -delete

      Allowed

      Allowed

      Blocked

      Allowed

      -

      manage-bde –autounlock

      +

      manage-bde –autounlock

      Allowed (not recommended)

      Allowed (not recommended)

      Blocked

      Allowed (not recommended)

      -

      Manage-bde -upgrade

      +

      Manage-bde -upgrade

      Allowed

      Allowed

      Blocked

      Allowed

      -

      Shrink

      +

      Shrink

      Allowed

      Allowed

      Blocked

      Allowed

      -

      Extend

      +

      Extend

      Allowed

      Allowed

      Blocked

      @@ -261,7 +261,7 @@ The following table contains information about both Physical Disk Resources (i.e ->
      Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node +>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process. diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 23f23e50da..97733a4dd7 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -53,7 +53,7 @@ This table includes info about how unenlightened apps might behave, based on you Name-based policies, using the /*AppCompat*/ string or proxy-based policies - Not required. App connects to enterprise cloud resources directly, using an IP address. + Not required. App connects to enterprise cloud resources directly, using an IP address.
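Review bot: the changed Note line in the manage-bde -pause hunk ("+>Note:** Although the manage-bde -pause command is Blocked in clusters ...") has an unbalanced "**": the closing marker after "Note:" has no opening one, so the rendered page shows literal asterisks instead of a bold label. Use ">**Note:** Although ..." as the other notes in this patch do, and lowercase "blocked" since it is running text here rather than a table cell.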
      • App is entirely blocked from both personal and enterprise cloud resources.
      • @@ -70,7 +70,7 @@ This table includes info about how unenlightened apps might behave, based on you - Not required. App connects to enterprise cloud resources, using a hostname. + Not required. App connects to enterprise cloud resources, using a hostname.
        • App is blocked from accessing enterprise cloud resources, but can access other network resources.
        • @@ -80,7 +80,7 @@ This table includes info about how unenlightened apps might behave, based on you - Allow. App connects to enterprise cloud resources, using an IP address or a hostname. + Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
          • App can access both personal and enterprise cloud resources.
          • @@ -90,7 +90,7 @@ This table includes info about how unenlightened apps might behave, based on you - Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. + Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
            • App can access both personal and enterprise cloud resources.
            • @@ -110,7 +110,7 @@ This table includes info about how enlightened apps might behave, based on your Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies - Not required. App connects to enterprise cloud resources, using an IP address or a hostname. + Not required. App connects to enterprise cloud resources, using an IP address or a hostname.
              • App is blocked from accessing enterprise cloud resources, but can access other network resources.
              • @@ -120,7 +120,7 @@ This table includes info about how enlightened apps might behave, based on your - Allow. App connects to enterprise cloud resources, using an IP address or a hostname. + Allow. App connects to enterprise cloud resources, using an IP address or a hostname.
                • App can access both personal and enterprise cloud resources.
                • @@ -130,7 +130,7 @@ This table includes info about how enlightened apps might behave, based on your - Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. + Exempt. App connects to enterprise cloud resources, using an IP address or a hostname.
                  • App can access both personal and enterprise cloud resources.
                  • diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index a5baa19809..49a57283b7 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -190,27 +190,27 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** All files signed by any publisher. (Not recommended.) - Publisher selected + Publisher selected All files signed by the named publisher.

                    This might be useful if your company is the publisher and signer of internal line-of-business apps. - Publisher and Product Name selected + Publisher and Product Name selected All files for the specified product, signed by the named publisher. - Publisher, Product Name, and Binary name selected + Publisher, Product Name, and Binary name selected Any version of the named file or package for the specified product, signed by the named publisher. - Publisher, Product Name, Binary name, and File Version, and above, selected + Publisher, Product Name, Binary name, and File Version, and above, selected Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

                    This option is recommended for enlightened apps that weren't previously enlightened. - Publisher, Product Name, Binary name, and File Version, And below selected + Publisher, Product Name, Binary name, and File Version, And below selected Specified version or older releases of the named file or package for the specified product, signed by the named publisher. - Publisher, Product Name, Binary name, and File Version, Exactly selected + Publisher, Product Name, Binary name, and File Version, Exactly selected Specified version of the named file or package for the specified product, signed by the named publisher. @@ -403,8 +403,8 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources - With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
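Review bot: the "File Version, and above" row of the publisher-rule table in the hunk above says "This option is recommended for enlightened apps that weren't previously enlightened", which contradicts itself as written. Presumably the intent is an app that became enlightened starting with a particular version, so that the rule admits that version and newer while excluding older, unenlightened builds; say that explicitly, for example "recommended for apps that became enlightened in a specific version, so that only that version and later are allowed".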
                    contoso.visualstudio.com,contoso.internalproxy2.com

                    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

                    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                    If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                    Important
                    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
                    contoso.visualstudio.com,contoso.internalproxy2.com

                    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

                    For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

                    If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

                    Important
                    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. Enterprise Network Domain Names (Required) @@ -422,12 +422,12 @@ There are no default locations included with WIP, you must add each of your netw Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
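Review bot: the Enterprise Cloud Resources cell in the hunk above contradicts its own example. The instruction reads "If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>", yet the example given is "Without proxy: contoso.sharepoint.com|contoso.visualstudio.com", with no "," before the "|". Either the example needs the trailing comma on each entry ("contoso.sharepoint.com,|contoso.visualstudio.com,") or the instruction is wrong; the two must agree, because operators will copy whichever one they see first. The + line reproduces the same text, so the inconsistency is pre-existing but worth fixing in this change.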

                    This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

                    If you have multiple resources, you must separate them using the ";" delimiter.
                    Enterprise IPv4 Range (Required) - Starting IPv4 Address: 3.4.0.1
                    Ending IPv4 Address: 3.4.255.254
                    Custom URI: 3.4.0.1-3.4.255.254,
                    10.0.0.1-10.255.255.254 + Starting IPv4 Address: 3.4.0.1
                    Ending IPv4 Address: 3.4.255.254
                    Custom URI: 3.4.0.1-3.4.255.254,
                    10.0.0.1-10.255.255.254 Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                    If you have multiple ranges, you must separate them using the "," delimiter. Enterprise IPv6 Range - Starting IPv6 Address: 2a01:110::
                    Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                    Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + Starting IPv6 Address: 2a01:110::
                    Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
                    Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
                    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

                    If you have multiple ranges, you must separate them using the "," delimiter. diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 8c01645295..a099742145 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -108,7 +108,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
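Review bot: the IPv6 Custom URI example in the hunk above is missing the start of its first range. The Starting/Ending fields give "2a01:110::" to "2a01:110:7fff:ffff:ffff:ffff:ffff:ffff", and the IPv4 row writes its Custom URI as start-end pairs ("3.4.0.1-3.4.255.254,"), but the IPv6 Custom URI begins "2a01:110:7fff:ffff:ffff:ffff:ffff:ffff," with no "2a01:110::-" in front, so the first entry is a single address rather than a range; it should read "2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff," followed by the fd00:: range. Separately, consider replacing the IPv4 example 3.4.0.1-3.4.255.254: 3.4.0.0/16 is publicly routed address space, and the cell describes these ranges as "within your intranet"; the second range, 10.0.0.1-10.255.255.254, is the better model.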
                    **Product Name:** Microsoft.Messaging
                    **App Type:** Universal app | | IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** iexplore.exe
                    **App Type:** Desktop app | | OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** onedrive.exe
                    **App Type:** Desktop app | -| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Product Name:** Microsoft.Microsoftskydrive
                    Product Version:Product version: 17.21.0.0 (and later)
                    **App Type:** Universal app | +| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Product Name:** Microsoft.Microsoftskydrive
                    Product Version:Product version: 17.21.0.0 (and later)
                    **App Type:** Universal app | | Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** notepad.exe
                    **App Type:** Desktop app | | Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** mspaint.exe
                    **App Type:** Desktop app | | Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
                    **Binary Name:** mstsc.exe
                    **App Type:** Desktop app | diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 340c9edb2a..c1cd7193c0 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -33,18 +33,18 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
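Review bot: the OneDrive app row in the enlightened-apps hunk above keeps a duplicated, unformatted label on the + line: "Product Version:Product version: 17.21.0.0 (and later)". Every other field in the row is bolded ("**Product Name:**", "**App Type:**"), so this should read "**Product Version:** 17.21.0.0 (and later)". That row is the only line the hunk changes, so the fix belongs in the same commit.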

                    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

                    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

                    We strongly recommend educating employees about how to limit or eliminate the need for this decryption. Direct Access is incompatible with WIP. Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. - We recommend that you use VPN for client access to your intranet resources.

                    Note
                    VPN is optional and isn’t required by WIP. + We recommend that you use VPN for client access to your intranet resources.

                    Note
                    VPN is optional and isn’t required by WIP. - NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. - The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. - If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. + NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. + The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. + If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. Cortana can potentially allow data leakage if it’s on the allowed apps list. @@ -63,7 +63,7 @@ This table provides info about the most common problems you might encounter whil
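Review bot: "Direct Access" in the limitations hunk above should be "DirectAccess", the feature's actual name; it appears twice ("Direct Access is incompatible with WIP" and "Direct Access might experience problems"). Separately, the three NetworkIsolation cells changed here say the Group Policy setting "takes precedence over MDM Policy settings" and that settings "must" be deployed through both channels; stating the consequence directly (an MDM-only change to NetworkIsolation has no effect while a conflicting Group Policy value is present) would make the requirement easier to act on than the current wording.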

                    • Start the installer directly from the file share.

                      -OR-

                    • Decrypt the locally copied files needed by the installer.

                      -OR-

                    • -
                    • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
                    • +
                    • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
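Review bot: the re-added bullet in this hunk writes the ownership state as “personal” in lowercase quotes, while the same table later uses the UI term with a capital ("change the file ownership to Personal before you upload"); since the line is being rewritten anyway, use "Personal" here as well so readers recognize it as the File Ownership menu option rather than a general adjective.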
                    @@ -74,17 +74,17 @@ This table provides info about the most common problems you might encounter whil Redirected folders with Client Side Caching are not compatible with WIP. Apps might encounter access errors while attempting to read a cached, offline file. - Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                    Note
                    For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. + Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

                    Note
                    For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. -

                    Data copied from the WIP-managed device is marked as Work.

                    Data copied to the WIP-managed device is not marked as Work.

                    Local Work data copied to the WIP-managed device remains Work data.

                    Work data that is copied between two apps in the same session remains data. +

                    Data copied from the WIP-managed device is marked as Work.

                    Data copied to the WIP-managed device is not marked as Work.

                    Local Work data copied to the WIP-managed device remains Work data.

                    Work data that is copied between two apps in the same session remains data. Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. - A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. - Open File Explorer and change the file ownership to Personal before you upload. + A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. + Open File Explorer and change the file ownership to Personal before you upload. ActiveX controls should be used with caution. @@ -97,7 +97,7 @@ This table provides info about the most common problems you might encounter whil Format drive for NTFS, or use a different drive. - WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False: + WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:

                    • AppDataRoaming
                    • Desktop
                    • @@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil
                    WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

                    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here.

                    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. @@ -143,7 +143,7 @@ This table provides info about the most common problems you might encounter whil Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. - Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. + Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 961744bbf6..7353daae25 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -39,30 +39,30 @@ You can try any of the processes included in these scenarios, but you should foc Encrypt and decrypt files using File Explorer. - For desktop:
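Review bot: in the RDP bullet list of the @@ -74,17 hunk, the last re-added bullet "Work data that is copied between two apps in the same session remains data." drops the qualifier that every other bullet in that list carries and therefore says nothing; it should read "remains Work data". The bullets are already being rewritten in this hunk, so this is the place to fix it.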
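Review bot: in the @@ -115,7 hunk, the re-added sentence "You can configure this parameter, as described here." uses "here" as link text, which is meaningless out of context; replace it with the title of the target topic (e.g. "as described in <target topic title>") and drop the comma before "as".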

                    + For desktop:

                      -
                    1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
                      Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
                    2. -
                    3. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
                      Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
                    4. +
                    5. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
                      Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
                    6. +
                    7. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
                      Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
                    - For mobile:

                    + For mobile:

                      -
                    1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
                    2. -
                    3. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
                      Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
                    4. -
                    5. Select the same file, click File ownership from the drop down menu, and then click Personal.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                    6. +
                    7. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
                    8. +
                    9. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
                      Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
                    10. +
                    11. Select the same file, click File ownership from the drop down menu, and then click Personal.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                    Create work documents in enterprise-allowed apps. - For desktop:

                    + For desktop:

                    - For mobile:

                    + For mobile:

                      -
                    1. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
                      Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
                    2. +
                    3. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
                      Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
                    4. Open the same document and attempt to save it to a non-work-related location.
                      WIP should stop you from saving the file to this location.
                    5. -
                    6. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
                    7. +
                    8. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
                      Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
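Review bot: the mobile steps re-added in this hunk carry the misspelling "elipsis" (twice) and should read "ellipsis"; while these lines are being rewritten, also hyphenate "drop-down menu" and change "no longer seeing the Briefcase icon next to file name" to "next to the file name", which is how the preceding step in the same list already phrases it. The comma in "Make sure the file is encrypted, by locating the Briefcase icon" should go as well.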

                    @@ -70,7 +70,7 @@ You can try any of the processes included in these scenarios, but you should foc
                    1. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
                      The app shouldn't be able to access the file.
                    2. -
                    3. Try double-clicking or tapping on the work-encrypted file.
                      If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
                    4. +
                    5. Try double-clicking or tapping on the work-encrypted file.
                      If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
                    @@ -78,9 +78,9 @@ You can try any of the processes included in these scenarios, but you should foc Copy and paste from enterprise apps to non-enterprise apps.
                      -
                    1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                    2. -
                    3. Click Keep at work.
                      The content isn't pasted into the non-enterprise app.
                    4. -
                    5. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
                      The content is pasted into the non-enterprise app.
                    6. +
                    7. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
                    8. +
                    9. Click Keep at work.
                      The content isn't pasted into the non-enterprise app.
                    10. +
                    11. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
                      The content is pasted into the non-enterprise app.
                    12. Try copying and pasting content between apps on your allowed apps list.
                      The content should copy and paste between apps without any warning messages.
                    @@ -89,9 +89,9 @@ You can try any of the processes included in these scenarios, but you should foc Drag and drop from enterprise apps to non-enterprise apps.
                      -
                    1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                    2. -
                    3. Click Keep at work.
                      The content isn't dropped into the non-enterprise app.
                    4. -
                    5. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
                      The content is dropped into the non-enterprise app.
                    6. +
                    7. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                    8. +
                    9. Click Keep at work.
                      The content isn't dropped into the non-enterprise app.
                    10. +
                    11. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
                      The content is dropped into the non-enterprise app.
                    12. Try dragging and dropping content between apps on your allowed apps list.
                      The content should move between the apps without any warning messages.
                    @@ -100,9 +100,9 @@ You can try any of the processes included in these scenarios, but you should foc Share between enterprise apps and non-enterprise apps.
                      -
                    1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                    2. -
                    3. Click Keep at work.
                      The content isn't shared into Facebook.
                    4. -
                    5. Repeat Step 1, but this time click Change to personal, and try to share the content again.
                      The content is shared into Facebook.
                    6. +
                    7. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
                      You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
                    8. +
                    9. Click Keep at work.
                      The content isn't shared into Facebook.
                    10. +
                    11. Repeat Step 1, but this time click Change to personal, and try to share the content again.
                      The content is shared into Facebook.
                    12. Try sharing content between apps on your allowed apps list.
                      The content should share between the apps without any warning messages.
                    @@ -112,8 +112,8 @@ You can try any of the processes included in these scenarios, but you should foc
                    1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
                      Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
                    2. -
                    3. Open File Explorer and make sure your modified files are appearing with a Lock icon.
                    4. -
                    5. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                      Note
                      Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

                      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
                    6. +
                    7. Open File Explorer and make sure your modified files are appearing with a Lock icon.
                    8. +
                    9. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

                      Note
                      Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

                      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
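Review bot: in the note re-added at the end of this hunk, "Wordpad" should be "WordPad" (the product's own capitalization), and the comma in "File Explorer (when running in the user's context), should have access" separates the subject from its verb and should be removed.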
                    @@ -130,7 +130,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your shared files can use WIP.
                      -
                    1. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
                    2. +
                    3. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
                    4. Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.
                    5. Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
                      The app shouldn't be able to access the file share.
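Review bot: step 2 of this hunk says "Again, this should work without any warnings", but the re-added step 1 only asks the reader to confirm the downloaded file shows the Briefcase icon and never states that the download completes without warnings, so "Again" has no antecedent. Either add "The download should complete without any warnings." to step 1 or drop "Again" from step 2.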
                    @@ -142,7 +142,7 @@ You can try any of the processes included in these scenarios, but you should foc
                    1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
                    2. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
                      Both browsers should respect the enterprise and personal boundary.
                    3. -
                    4. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                      IE11 shouldn't be able to access the sites.

                      Note
                      Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
                    5. +
                    6. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
                      IE11 shouldn't be able to access the sites.

                      Note
                      Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
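Review bot: the re-added step in this hunk says "allowed app list" while the rest of the scenarios (including "Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list" two steps earlier) say "allowed apps list"; use the same term throughout so readers searching the doc for the list name find every occurrence.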
                    @@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your Virtual Private Network (VPN) can be auto-triggered.
                      -
                    1. Set up your VPN network to start based on the WIPModeID setting.
                      For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
                    2. +
                    3. Set up your VPN network to start based on the WIPModeID setting.
                      For specific info about how to do this, see the Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune topic.
                    4. Start an app from your allowed apps list.
                      The VPN network should automatically start.
                    5. Disconnect from your network and then start an app that isn't on your allowed apps list.
                      The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
                    @@ -160,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc Unenroll client devices from WIP.
                      -
                    • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                      The device should be removed and all of the enterprise content for that managed account should be gone.

                      Important
                      On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
                    • +
                    • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
                      The device should be removed and all of the enterprise content for that managed account should be gone.

                      Important
                      On desktop devices, the data isn't removed and can be recovered, so you must make sure the content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
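Review bot: the re-added bullet states that after Remove "all of the enterprise content for that managed account should be gone", but the Important note directly beneath it says that on desktop devices the data isn't removed and can be recovered; the step should be qualified (for example "On mobile devices, all of the enterprise content for that managed account should be gone; on desktop devices, see the note below") so the expected result doesn't contradict the note. Also, the step mixes a gerund with imperatives ("by going to Settings, click Accounts, click Work, …"); rewrite as "go to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove".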
                    diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index d0474f5941..4289b8d65a 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -157,7 +157,7 @@ This event generates on the computer to which the logon was performed (target co - “dadmin” – claim value. -**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. +**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value. For computer accounts this field has device claims listed. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 45dcd000c9..bc6d20907b 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md 
@@ -274,5 +274,5 @@ For file system and registry objects, the following recommendations apply. - If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.** -- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. +- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers. For example, you could monitor the **ntds.dit** file on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 1641acbc10..81b9fd94a0 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -22,7 +22,7 @@ ms.author: dansimp Event 4672 illustration
                    -Subcategory: Audit Special Logon +Subcategory: Audit Special Logon ***Event Description:*** diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index 1caa24d32d..dc2d0e52fe 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -135,40 +135,40 @@ Failure event generates when service call attempt fails. | **Subcategory of event** | **Privilege Name:
                    User Right Group Policy Name** | **Description** | |-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account.
                    This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                    If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | +| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account.
                    This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs.
                    If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | | **Subcategory of event** | **Privilege Name:
                    User Right Group Policy Name** | **Description** | |-------------------------------|------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | SeTcbPrivilege:
                    Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | -| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                    Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | +| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | SeTcbPrivilege:
                    Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. | +| Audit Sensitive Privilege Use | SeEnableDelegationPrivilege:
                    Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index b4146f681a..5781254277 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -157,42 +157,42 @@ Failure event generates when operation attempt fails. | **Subcategory of event** | **Privilege Name:
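Review bot: the rewritten SeEnableDelegationPrivilege row at the end of the Sensitive Privilege Use table in this event-4673.md hunk keeps the bold run that closes mid-word, `**Trusted for Deleg**ation`; since the row is being re-emitted anyway, move the closing marker so it reads `**Trusted for Delegation**`, otherwise the rendered setting name is split in two. Two smaller points in the same hunk: SeLockMemoryPrivilege (Lock pages in memory) is listed with identical wording in both the Non Sensitive and the Sensitive table, so either confirm that this privilege really is audited under both subcategories and say so, or keep the row in one table only; and the SeLoadDriverPrivilege description should read `into kernel mode`, not `in to kernel mode`.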
                    User Right Group Policy Name** | **Description** | |-----------------------------------|-----------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | -| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | -| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | -| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | -| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | -| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | -| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | -| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | -| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | -| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | -| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | -| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | -| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | -| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | -| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | -| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | -| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time.
                    With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | -| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | -| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | -| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | +| Audit Non Sensitive Privilege Use | SeChangeNotifyPrivilege:
                    Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
                    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | +| Audit Non Sensitive Privilege Use | SeCreateGlobalPrivilege:
                    Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | +| Audit Non Sensitive Privilege Use | SeCreatePagefilePrivilege:
                    Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | +| Audit Non Sensitive Privilege Use | SeCreatePermanentPrivilege:
                    Create permanent shared objects | Required to create a permanent object.
                    This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. | +| Audit Non Sensitive Privilege Use | SeCreateSymbolicLinkPrivilege:
                    Create symbolic links | Required to create a symbolic link. | +| Audit Non Sensitive Privilege Use | SeIncreaseBasePriorityPrivilege:
                    Increase scheduling priority | Required to increase the base priority of a process.
                    With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. | +| Audit Non Sensitive Privilege Use | SeIncreaseQuotaPrivilege:
                    Adjust memory quotas for a process | Required to increase the quota assigned to a process.
                    With this privilege, the user can change the maximum memory that can be consumed by a process. | +| Audit Non Sensitive Privilege Use | SeIncreaseWorkingSetPrivilege:
                    Increase a process working set | Required to allocate more memory for applications that run in the context of users. | +| Audit Non Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Non Sensitive Privilege Use | SeMachineAccountPrivilege:
                    Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. | +| Audit Non Sensitive Privilege Use | SeManageVolumePrivilege:
                    Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. | +| Audit Non Sensitive Privilege Use | SeProfileSingleProcessPrivilege:
                    Profile single process | Required to gather profiling information for a single process.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. | +| Audit Non Sensitive Privilege Use | SeRelabelPrivilege:
                    Modify an object label | Required to modify the mandatory integrity level of an object. | +| Audit Non Sensitive Privilege Use | SeRemoteShutdownPrivilege:
                    Force shutdown from a remote system | Required to shut down a system using a network request. | +| Audit Non Sensitive Privilege Use | SeShutdownPrivilege:
                    Shut down the system | Required to shut down a local system. | +| Audit Non Sensitive Privilege Use | SeSyncAgentPrivilege:
                    Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers.
                    With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. | +| Audit Non Sensitive Privilege Use | SeSystemProfilePrivilege:
                    Profile system performance | Required to gather profiling information for the entire system.
                    With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. | +| Audit Non Sensitive Privilege Use | SeSystemtimePrivilege:
                    Change the system time | Required to modify the system time.
                    With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. | +| Audit Non Sensitive Privilege Use | SeTimeZonePrivilege:
                    Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | +| Audit Non Sensitive Privilege Use | SeTrustedCredManAccessPrivilege:
                    Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | +| Audit Non Sensitive Privilege Use | SeUndockPrivilege:
                    Remove computer from docking station | Required to undock a laptop.
                    With this privilege, the user can undock a portable computer from its docking station without logging on. | | **Subcategory of event** | **Privilege Name:
                    User Right Group Policy Name** | **Description** | |-------------------------------|-----------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | -| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | SeBackupPrivilege:
                    Back up files and directories | - Required to perform backup operations.
                    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                    The following access rights are granted if this privilege is held:
                    READ\_CONTROL
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_READ
                    FILE\_TRAVERSE | -| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account.
                    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                    This user right provides complete access to sensitive and critical operating system components. | -| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | -| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver.
                    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | -| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | -| Audit Sensitive Privilege Use | SeRestorePrivilege:
                    Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                    WRITE\_DAC
                    WRITE\_OWNER
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_WRITE
                    FILE\_ADD\_FILE
                    FILE\_ADD\_SUBDIRECTORY
                    DELETE
                    With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | -| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                    Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                    With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | -| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | -| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                    Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                    With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | +| Audit Sensitive Privilege Use | SeAssignPrimaryTokenPrivilege:
                    Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
                    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | SeAuditPrivilege:
                    Generate security audits | With this privilege, the user can add entries to the security log. | +| Audit Sensitive Privilege Use | SeBackupPrivilege:
                    Back up files and directories | - Required to perform backup operations.
                    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
                    The following access rights are granted if this privilege is held:
                    READ\_CONTROL
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_READ
                    FILE\_TRAVERSE | +| Audit Sensitive Privilege Use | SeCreateTokenPrivilege:
                    Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
                    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | +| Audit Sensitive Privilege Use | SeDebugPrivilege:
                    Debug programs | Required to debug and adjust the memory of a process owned by another account.
                    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
                    This user right provides complete access to sensitive and critical operating system components. | +| Audit Sensitive Privilege Use | SeImpersonatePrivilege:
                    Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | +| Audit Sensitive Privilege Use | SeLoadDriverPrivilege:
                    Load and unload device drivers | Required to load or unload a device driver.
                    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | +| Audit Sensitive Privilege Use | SeLockMemoryPrivilege:
                    Lock pages in memory | Required to lock physical pages in memory.
                    With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). | +| Audit Sensitive Privilege Use | SeRestorePrivilege:
                    Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:
                    WRITE\_DAC
                    WRITE\_OWNER
                    ACCESS\_SYSTEM\_SECURITY
                    FILE\_GENERIC\_WRITE
                    FILE\_ADD\_FILE
                    FILE\_ADD\_SUBDIRECTORY
                    DELETE
                    With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. | +| Audit Sensitive Privilege Use | SeSecurityPrivilege:
                    Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.
                    With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. | +| Audit Sensitive Privilege Use | SeSystemEnvironmentPrivilege:
                    Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. | +| Audit Sensitive Privilege Use | SeTakeOwnershipPrivilege:
                    Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
                    With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 55ace9419d..e441a2501c 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md 
@@ -206,9 +206,9 @@ For 4688(S): A new process has been created. - It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges. +- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn’t contain the $ symbol. This means that a user ran a program using administrative privileges. - You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index ef907d69b0..ddfd079946 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md 
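Review bot: the second bullet's `+` line keeps the wrong enumerator name, **TokenElevationTypeDefault (2)**. Elevation type 2 is rendered in the event as **TokenElevationTypeFull (2)** (TOKEN_ELEVATION_TYPE: Default = 1, Full = 2, Limited = 3), and only a Full token means the user ran the program with administrative privileges, which is what the bullet goes on to say. Since this line is already being edited, correct the name here; the unchanged third bullet (`You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)**`) has the same error and should be fixed in the same commit.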
@@ -242,7 +242,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT - **DNS Host Name** \[Type = UnicodeString\]: name of computer account as registered in DNS. The value of **dNSHostName** attribute of new computer object. For manually created computer account objects this field has value “**-**“. -- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation: +- **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. For new computer accounts it will typically contain HOST SPNs and RestrictedKrbHost SPNs. The value of **servicePrincipalName** attribute of new computer object. For manually created computer objects it is typically equals “**-**“. This is an example of **Service Principal Names** field for new domain joined workstation: HOST/Win81.contoso.local diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index b39135ee00..94fc78b48f 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md 
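Review bot: the `+` line carries two grammar defects that a whitespace pass is the right moment to fix: `it is typically equals "-"` should read `it typically equals "-"`, and `for new domain joined workstation` should read `for a new domain-joined workstation`. The quotes around the dash are also two opening curly quotes (`“**-**“`), both here and in the unchanged DNS Host Name bullet above; use a matched pair or plain ASCII quotes.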
@@ -243,7 +243,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT - **Service Principal Names** \[Type = UnicodeString\]**:** The list of SPNs, registered for computer account. If the SPN list of a computer account changed, you will see the new SPN list in **Service Principal Names** field (note that you will see the new list instead of changes). If the value of **servicePrincipalName** attribute of computer object was changed, you will see the new value here. - Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots: + Here is an example of **Service Principal Names** field for new domain joined workstation in event 4742 on domain controller, after workstation reboots: HOST/Win81.contoso.local diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 34454c6d14..6610d670eb 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -285,5 +285,5 @@ For 4907(S): Auditing settings on object were changed. - If you have critical file or registry objects and you need to monitor all modifications (especially changes in SACL), monitor for specific “**Object\\Object Name”**. -- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers. +- If you have high-value computers for which you need to monitor all changes for all or specific file or registry objects, monitor for all [4907](event-4907.md) events on these computers. diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index a4f705ba93..3d3d5152cc 100644 --- a/windows/security/threat-protection/auditing/event-5140.md 
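Review bot: in the event-4742 hunk the `+` line still reads `for new domain joined workstation in event 4742 on domain controller, after workstation reboots`; make it `for a new domain-joined workstation in event 4742 on the domain controller, after the workstation reboots`. The event-4741 hunk uses the same `for new domain joined workstation` phrase for the same example, so the two should be corrected together.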
+++ b/windows/security/threat-protection/auditing/event-5140.md @@ -145,7 +145,7 @@ For 5140(S, F): A network share object was accessed. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. +- If you have high-value computers for which you need to monitor all access to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor share **C$** on domain controllers. - Monitor this event if the **Network Information\\Source Address** is not from your internal IP range. diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index 858e4a608f..727a8f8576 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -104,7 +104,7 @@ For 5142(S): A network share object was added. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers. +- If you have high-value computers for which you need to monitor creation of new file shares, monitor this event. For example, you could monitor domain controllers. - We recommend checking “**Share Path**”, because it should not point to system directories, such as **C:\\Windows** or **C:\\**, or to critical local folders which contain private or high value information. 
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index c7f46521ae..7fd678a12b 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -259,5 +259,5 @@ For 5143(S): A network share object was modified. > **Important**  For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md). -- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers. +- If you have high-value computers for which you need to monitor all modifications to all shares or specific shares (“**Share Name**”), monitor this event. For example, you could monitor all changes to the SYSVOL share on domain controllers. diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 4c20a34092..c0cff03c22 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md 
@@ -106,5 +106,5 @@ For 5144(S): A network share object was deleted. - If you have critical network shares for which you need to monitor all changes (especially, the deletion of that share), monitor for specific “**Share Information\\Share Name”.** -- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers. +- If you have high-value computers for which you need to monitor all changes (especially, deletion of file shares), monitor for all [5144](event-5144.md) events on these computers. For example, you could monitor file shares on domain controllers. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 725e9d2023..d594900ce7 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md 
@@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). 
You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                    Important:
                    Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                    | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | +| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

                    Important:
                    Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

                    | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | > **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. @@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                    • UEFI runtime service must meet these requirements:
                        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                            • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                    Notes:
                    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                    • This protection is applied by VBS on OS page tables.


                    Please also note the following:
                    • Do not use sections that are both writeable and executable
                    • Do not attempt to directly modify executable system memory
                    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
                    • UEFI runtime service must meet these requirements:
                        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
                        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
                        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
                            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
                            • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

                    Notes:
                    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
                    • This protection is applied by VBS on OS page tables.


                    Please also note the following:
                    • Do not use sections that are both writeable and executable
                    • Do not attempt to directly modify executable system memory
                    • Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
                    • Reduces the attack surface to VBS from system firmware.
                    • Blocks additional security attacks against SMM. | diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 7bc3af8993..262058bf1d 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -102,10 +102,10 @@ Validated Editions: Home, Pro, Enterprise, Education -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library @@ -166,10 +166,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library @@ -236,10 +236,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -251,7 +251,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.15063 #3094

                    #3094
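Review bot: in the `@@ -251,7 +251,7 @@` hunk the trailing context after the cng.sys row reads `10.0.15063 #3094`, a blank, then `#3094` again, whereas the analogous rows in the later hunks (`10.0.14393 #2936`, `10.0.10586 #2605`) are followed by their `FIPS Approved algorithms:` list. Check the source table for the 10.0.15063 Kernel Mode Cryptographic Primitives Library entry: either the certificate number has been duplicated into the Algorithms column or the algorithms cell is missing, and a whitespace pass over this row should not leave it in that state.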

                    @@ -323,10 +323,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -338,7 +338,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 #2936

                    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                    @@ -416,10 +416,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -431,7 +431,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10586 #2605

                    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
                    @@ -514,10 +514,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -529,7 +529,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface

                    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.10240 #2605

                    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
                    @@ -612,10 +612,10 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded -Cryptographic Module -Version (link to Security Policy) -FIPS Certificate # -Algorithms +Cryptographic Module +Version (link to Security Policy) +FIPS Certificate # +Algorithms Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) @@ -627,7 +627,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded

                    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

                    -Kernel Mode Cryptographic Primitives Library (cng.sys) +Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 #2356

                    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                    @@ -689,10 +689,10 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone - - - - + + + + @@ -705,7 +705,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone - + - - - - + + + + @@ -915,10 +915,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -981,10 +981,10 @@ Validated Editions: Ultimate Edition
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 #1891 FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                    @@ -791,10 +791,10 @@ Validated Editions: Windows 7, Windows 7 SP1
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Boot Manager (bootmgr)
                    - - - - + + + + @@ -1033,10 +1033,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1074,10 +1074,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1108,10 +1108,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1135,10 +1135,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1162,10 +1162,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1199,10 +1199,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1240,10 +1240,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1270,10 +1270,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1297,10 +1297,10 @@ Validated Editions: Ultimate Edition - - - - + + + + @@ -1318,10 +1318,10 @@ Validated Editions: Ultimate Edition
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced Cryptographic Provider (RSAENH)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    DSS/Diffie-Hellman Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Microsoft Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
                    - - - - + + + + @@ -1349,10 +1349,10 @@ Validated Editions: Standard, Datacenter - - - - + + + + @@ -1413,10 +1413,10 @@ Validated Editions: Standard, Datacenter - - - - + + + + @@ -1483,10 +1483,10 @@ Validated Editions: Standard, Datacenter, Storage Server - - - - + + + + @@ -1497,7 +1497,7 @@ Validated Editions: Standard, Datacenter, Storage Server Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt) - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Base Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 10.0.14393 2936 FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
                    @@ -1562,10 +1562,10 @@ Validated Editions: Server, Storage Server, - - - - + + + + @@ -1576,7 +1576,7 @@ Validated Editions: Server, Storage Server, Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt) - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.3.9600 6.3.9600.17042 2356 FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
                    @@ -1638,10 +1638,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1654,7 +1654,7 @@ Validated Editions: Server, Storage Server Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt) - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
                    Kernel Mode Cryptographic Primitives Library (cng.sys)Kernel Mode Cryptographic Primitives Library (cng.sys) 6.2.9200 1891 FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
                    @@ -1728,10 +1728,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1742,7 +1742,7 @@ Validated Editions: Server, Storage Server Other algorithms: MD5 - + - + - + - + - + - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Boot Manager (bootmgr)
                    Winload OS Loader (winload.exe)Winload OS Loader (winload.exe) 6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675 1333 FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
                    @@ -1806,10 +1806,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1820,7 +1820,7 @@ Validated Editions: Server, Storage Server Other algorithms: N/A - + - - - - + + + + @@ -1925,10 +1925,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -1972,10 +1972,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2021,10 +2021,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2056,10 +2056,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2083,10 +2083,10 @@ Validated Editions: Server, Storage Server - - - - + + + + @@ -2113,8 +2113,8 @@ The following tables are organized by cryptographic algorithms with their modes, - - + + - + - - - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - + - + - + - + - + - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - - - - - - - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - - +

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    - - - - + - +

                    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
                    +GMAC_Supported

                    - - + - - - - - + - + - + - + - + - + - + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -3017,8 +3017,8 @@ Deterministic Random Bit Generator (DRBG) - - + + - - - - - - - - - - - @@ -3256,8 +3256,8 @@ Some of the previously validated components for this validation have been remove

                    Windows 7 Ultimate and SP1 CNG algorithms #386

                    - @@ -3265,16 +3265,16 @@ Some of the previously validated components for this validation have been remove

                    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

                    - - @@ -3282,8 +3282,8 @@ Some of the previously validated components for this validation have been remove

                    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

                    - @@ -3291,61 +3291,61 @@ Some of the previously validated components for this validation have been remove

                    Windows Vista Enhanced DSS (DSSENH) #226

                    - - - - - -

                    Windows NT 4 SP6 DSSBASE.DLL #25

                    - @@ -3375,8 +3375,8 @@ SHS: SHA-1 (BYTE)

                    - - + +

                    Version 10.0.16299

                    - - - - + - + - - - - @@ -3747,79 +3747,79 @@ DRBG: - - - - - - @@ -3836,8 +3836,8 @@ Some of the previously validated components for this validation have been remove - - + + - + - + - + - + - + - + - - + - - - - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -4257,8 +4257,8 @@ SHS - - + + @@ -4790,15 +4790,15 @@ DRBG - +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    - - @@ -4858,11 +4858,11 @@ DRBG - @@ -4870,11 +4870,11 @@ DRBG - @@ -4882,11 +4882,11 @@ DRBG - @@ -4894,20 +4894,20 @@ DRBG - - - + - + - + - +
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Boot Manager (bootmgr)
                    Winload OS Loader (winload.exe)Winload OS Loader (winload.exe) 6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596 1005 FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
                    @@ -1884,10 +1884,10 @@ Validated Editions: Server, Storage Server
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Kernel Mode Cryptographic Module (FIPS.SYS)
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Enhanced Cryptographic Provider
                    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #AlgorithmsCryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
                    Outlook Cryptographic Provider (EXCHCSP)
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -2563,137 +2563,137 @@ The following tables are organized by cryptographic algorithms with their modes,

                      Version 10.0.16299

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    OFB ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    OFB ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

                    Version 10.0.15063

                    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    +

                    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    AES Val#4624

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

                    Version 10.0.15063

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#4624

                     

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

                    Version 10.0.15063

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                    IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

                    Version 10.0.15063

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

                    Version 7.00.2872

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

                    Version 8.00.6246

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

                    Version 7.00.2872

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

                    Version 8.00.6246

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    OFB ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    OFB ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

                    Version 10.0.14393

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

                    Version 10.0.14393

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
                    Version 10.0.14393

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

                    +

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

                    AES Val#4064

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

                    Version 10.0.14393

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#4064

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

                    Version 10.0.14393

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    +

                    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

                    AES Val#3629

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

                    Version 10.0.10586

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#3629

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

                    Version 10.0.10586

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
                    Version 10.0.10586

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
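Review bot: every removed line in this hunk is re-added with identical visible content (for example the ECB/CBC/CFB8 block under RSA32 #4063, the `KW ( AE , AD , ... )` entries under CNG #4062 and BitLocker #4061, and the CCM/CMAC/GCM block under SymCrypt #3629), so the change looks like whitespace or line-ending normalisation rather than a content edit; confirm with `git diff -w` and, if nothing else changed, put the normalisation in its own commit so the substantive table edits stay reviewable. While here, the GCM lines `IV Lengths Tested:  ( 0 , 0 )` carry double spaces after the colon and the XTS line `XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )` has unbalanced parentheses; since these strings are copied from the certificate listing, either keep them verbatim consistently or clean them up for every entry, not only the ones this hunk touches.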

                    @@ -2706,141 +2706,141 @@ GMAC_Supported

                    Version 10.0.10240

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#3497

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

                    Version 10.0.10240

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    -

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    +

                    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
                    GMAC_Supported

                    -

                    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
                    Version 10.0.10240

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
                    Version 10.0.10240

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

                    Version 6.3.9600

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#2832

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

                    Version 6.3.9600

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    -

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    -

                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                    -

                    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
                    -OtherIVLen_Supported
                    -GMAC_Supported

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

                    +

                    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

                    +

                    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

                    +

                    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
                    +OtherIVLen_Supported
                    +GMAC_Supported

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

                    Version 6.3.9600

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    +

                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    AES Val#2197

                    -

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
                    +

                    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
                    AES Val#2197

                    -

                    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
                    -IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
                    -GMAC_Supported

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    +

                    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

                    AES Val#2196

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    -

                    CFB128 ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    CFB128 ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    +
                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
                    AES Val#1168

                    Windows Server 2008 R2 and SP1 CNG algorithms #1187

                    Windows 7 Ultimate and SP1 CNG algorithms #1178

                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
                    +
                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
                    AES Val#1168
                    Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    +

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                     

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

                    GCM

                    -

                    GMAC

                    GCM

                    +

                    GMAC

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
                    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

                    Windows Server 2008 CNG algorithms #757

                    Windows Vista Ultimate SP1 CNG algorithms #756

                    CBC ( e/d; 128 , 256 );

                    -

                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

                    CBC ( e/d; 128 , 256 );

                    +

                    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

                    Windows Vista Ultimate BitLocker Drive Encryption #715

                    Windows Vista Ultimate BitLocker Drive Encryption #424

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CFB8 ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CFB8 ( e/d; 128 , 192 , 256 );

                    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

                    Windows Vista Symmetric Algorithm Implementation #553

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    -

                    CTR ( int only; 128 , 192 , 256 )

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    +

                    CTR ( int only; 128 , 192 , 256 )

                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

                    ECB ( e/d; 128 , 192 , 256 );

                    -

                    CBC ( e/d; 128 , 192 , 256 );

                    ECB ( e/d; 128 , 192 , 256 );

                    +

                    CBC ( e/d; 128 , 192 , 256 );

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781
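Review bot: the same identical remove/re-add pattern runs through this hunk (the CCM, CMAC, GCM and ECB/CBC/CFB8 blocks for #3497, #3476, #2853, #2848, #2832, #2216, #2198, #2197, #2196, #1177 and #1168), so again verify it is whitespace-only. Three things in the visible lines merit a fix regardless: the BitLocker #2848 entry reads `BitLocker� Cryptographic Implementations` with a replacement character where every other entry uses `BitLocker®`, so the byte at that position is mis-encoded and should be the UTF-8 `®`; the CCM entries for CNG #1187/#1178 use an en dash in `Assoc. Data Len Range: 0 – 0` while all other CCM entries use a hyphen (`0 - 0`); and in the #760 and #757/#756 rows the CCM description appears twice concatenated on one line (`...14 16 )CCM (KS: ...`), which suggests the old and new cell text have been run together or the cell is duplicated in the source table, so check that row renders as a single cell.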

                    @@ -2865,8 +2865,8 @@ Deterministic Random Bit Generator (DRBG)
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
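Review bot: the DRBG table header row has lost its cell boundary; `Modes / States / Key SizesAlgorithm Implementation and Certificate #` fuses the two column headings and then repeats them, which indicates the `|` delimiters between the cells are missing or were dropped by the change. Check that the markdown table delimiter row survives in the new version so the DRBG table still renders with its two columns.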
                      @@ -2934,74 +2934,74 @@ Deterministic Random Bit Generator (DRBG)

                      Version 10.0.16299

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

                    Version 10.0.15063

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

                    Version 10.0.15063

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

                    Version 7.00.2872

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

                    Version 8.00.6246

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

                    Version 7.00.2872

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

                    Version 8.00.6246

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

                    Version 10.0.14393

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

                    Version 10.0.14393

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

                    Version 10.0.10586

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

                    Version 10.0.10240

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

                    Version 6.3.9600

                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
                    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
                    DRBG (SP 800–90)DRBG (SP 800–90) Windows Vista Ultimate SP1, vendor-affirmed
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
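Review bot: the SymCrypt #955 entry reads `Windows 10 for Microsoft Surface Hub and Surface Hub`, whereas the AES entries for the same platform (#3652, #3653, #3630, #3629) list `Surface Hub 84” and Surface Hub 55”`; the size qualifiers appear to have been dropped here, so restore them or confirm the certificate text really omits them. Also in this hunk: every `CTR_DRBG: [ ... ]` description is duplicated on a single line, which again points at old and new cell text being run together rather than a real edit; the #258, #193 and #23 rows put the certificate name on the same line as the mode description while the rows above place it on its own line, so the table structure is inconsistent; and the vendor-affirmed entry uses an en dash in `DRBG (SP 800–90)` where the rest of the document hyphenates standard numbers.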
                      @@ -3137,118 +3137,118 @@ Deterministic Random Bit Generator (DRBG)

                      Version 10.0.16299

                    FIPS186-4:

                    -

                    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

                    -

                    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    -

                    KeyPairGen:   [ (2048,256) ; (3072,256) ]

                    -

                    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

                    -

                    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    FIPS186-4:

                    +

                    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    KeyPairGen:   [ (2048,256) ; (3072,256) ]

                    +

                    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

                    +

                    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val#3790

                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

                    Version 10.0.15063

                    FIPS186-4:
                    -PQG(ver)PARMS TESTED:
                      [ (1024,160) SHA( 1 ); ]
                    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    +
                    FIPS186-4:
                    +PQG(ver)PARMS TESTED:
                      [ (1024,160) SHA( 1 ); ]
                    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    SHS: Val# 3649

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

                    Version 7.00.2872

                    FIPS186-4:
                    -PQG(ver)PARMS TESTED:
                      [ (1024,160) SHA( 1 ); ]
                    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    +
                    FIPS186-4:
                    +PQG(ver)PARMS TESTED:
                      [ (1024,160) SHA( 1 ); ]
                    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
                    SHS: Val#3648

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

                    Version 8.00.6246

                    FIPS186-4:
                    -PQG(gen)
                    PARMS TESTED: [
                    +

                    FIPS186-4:
                    +PQG(gen)
                    PARMS TESTED: [
                    (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    KeyPairGen:    [ (2048,256) ; (3072,256) ]
                    -SIG(gen)PARMS TESTED:   [ (2048,256)
                    +SIG(gen)PARMS TESTED:   [ (2048,256)
                    SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 3347
                    DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

                    Version 10.0.14393

                    FIPS186-4:
                    -PQG(gen)
                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
                    -KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +

                    FIPS186-4:
                    +PQG(gen)
                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
                    +KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 3047
                    DRBG: Val# 955

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

                    Version 10.0.10586

                    FIPS186-4:
                    -PQG(gen)
                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +

                    FIPS186-4:
                    +PQG(gen)
                    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    KeyPairGen:    [ (2048,256) ; (3072,256) ]
                    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 2886
                    DRBG: Val# 868

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

                    Version 10.0.10240

                    FIPS186-4:
                    -PQG(gen)
                    PARMS TESTED:   [
                    +

                    FIPS186-4:
                    +PQG(gen)
                    PARMS TESTED:   [
                    (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED:   [ (2048,256)
                    +PQG(ver)PARMS TESTED:   [ (2048,256)
                    SHA( 256 ); (3072,256) SHA( 256 ) ]
                    KeyPairGen:    [ (2048,256) ; (3072,256) ]
                    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

                    SHS: Val# 2373
                    DRBG: Val# 489

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

                    Version 6.3.9600

                    FIPS186-2:
                    -PQG(ver) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +

                    FIPS186-2:
                    +PQG(ver) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: #1903
                    DRBG: #258

                    -

                    FIPS186-4:
                    -PQG(gen)PARMS TESTED
                    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    -SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    -SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +

                    FIPS186-4:
                    +PQG(gen)PARMS TESTED
                    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    +SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
                    +SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
                    SHS: #1903
                    DRBG: #258
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
                    FIPS186-2:
                    -PQG(ver)
                    MOD(1024);
                    -SIG(ver) MOD(1024);
                    +
                    FIPS186-2:
                    +PQG(ver)
                    MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: #1902
                    DRBG: #258
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 1773
                    DRBG: Val# 193
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 1081
                    DRBG: Val# 23
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.
                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 1081
                    RNG: Val# 649
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.
                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 753
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

                    Windows Server 2008 CNG algorithms #284

                    Windows Vista Ultimate SP1 CNG algorithms #283

                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 753
                    RNG: Val# 435
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.
                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 618
                    RNG: Val# 321
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.
                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 784
                    RNG: Val# 448
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
                    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
                    FIPS186-2:
                    -SIG(ver)
                    MOD(1024);
                    +
                    FIPS186-2:
                    +SIG(ver)
                    MOD(1024);
                    SHS: Val# 783
                    RNG: Val# 447
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
                    FIPS186-2:
                    -PQG(gen)
                    MOD(1024);
                    -PQG(ver) MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +
                    FIPS186-2:
                    +PQG(gen)
                    MOD(1024);
                    +PQG(ver) MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: Val# 611
                    RNG: Val# 314
                    Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
                    FIPS186-2:
                    -PQG(gen)
                    MOD(1024);
                    -PQG(ver) MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +
                    FIPS186-2:
                    +PQG(gen)
                    MOD(1024);
                    +PQG(ver) MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: Val# 385
                    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
                    FIPS186-2:
                    -PQG(ver)
                    MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    -SIG(ver) MOD(1024);
                    +
                    FIPS186-2:
                    +PQG(ver)
                    MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: Val# 181

                    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
                    FIPS186-2:
                    -PQG(gen)
                    MOD(1024);
                    -PQG(ver) MOD(1024);
                    -KEYGEN(Y) MOD(1024);
                    -SIG(gen) MOD(1024);
                    +
                    FIPS186-2:
                    +PQG(gen)
                    MOD(1024);
                    +PQG(ver) MOD(1024);
                    +KEYGEN(Y) MOD(1024);
                    +SIG(gen) MOD(1024);
                    SHS: SHA-1 (BYTE)
                    -SIG(ver) MOD(1024);
                    +SIG(ver) MOD(1024);
                    SHS: SHA-1 (BYTE)

                    Windows 2000 DSSENH.DLL #29

                    Windows 2000 DSSBASE.DLL #28
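Review bot: Every `-` line in this DSA hunk is reproduced verbatim by its `+` counterpart (for example `-PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]` against `+PQG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]`), so the 118-line rewrite looks like a whitespace or line-ending change only; please confirm with a whitespace-ignoring diff that the rendered table rows are unchanged, and state that in the commit message so later readers do not hunt for a content change. While these rows are being touched, the certificate references are spaced inconsistently (`SHS: Val#3790` next to `DRBG: Val# 1555`, and `SHS: #1903` in the #687 row next to `SHS: Val# 753` in the #284 row), and `(2048,256)SHA( 256 )` lacks the space that `(3072,256) SHA( 256 )` has on the same line; normalising to one form would make the validation numbers greppable.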

                    @@ -3353,12 +3353,12 @@ SHS: SHA-1 (BYTE)

                    FIPS186-2: PRIME;
                    -FIPS186-2:

                    -

                    KEYGEN(Y):
                    +

                    FIPS186-2: PRIME;
                    +FIPS186-2:

                    +

                    KEYGEN(Y):
                    SHS: SHA-1 (BYTE)

                    -

                    SIG(gen):
                    -SIG(ver)
                    MOD(1024);
                    +

                    SIG(gen):
                    +SIG(ver)
                    MOD(1024);
                    SHS: SHA-1 (BYTE)

                    Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
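Review bot: The `+` lines here again only re-emit the `-` lines (`-FIPS186-2:` / `+FIPS186-2:`, `-SIG(ver)` / `+SIG(ver)`), so there is no content change to review beyond whitespace. The `KEYGEN(Y):` and `SIG(gen):` entries for the Windows NT 4.0 SP4 DSSENH provider (#17) carry no modulus, unlike `SIG(ver) MOD(1024);` in the same row; if the source validation listing gives one, add it, otherwise a short note that the listing omits it would stop the row reading as truncated.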
                      @@ -3653,93 +3653,93 @@ SHS: SHA-1 (BYTE)

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 TestingCandidates )
                    +
                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 TestingCandidates )
                    SHS: Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

                    Version 10.0.15063

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +
                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    SHS: Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

                    Version 10.0.15063

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +
                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    SHS: Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

                    Version 10.0.15063

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    -SHS:Val# 3649
                    -DRBG:Val# 1430
                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    +SHS:Val# 3649
                    +DRBG:Val# 1430

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

                    Version 7.00.2872

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    -SHS:Val#3648
                    -DRBG:Val# 1429
                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
                    +SHS:Val#3648
                    +DRBG:Val# 1429

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

                    Version 8.00.6246

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 TestingCandidates )
                    -PKV: CURVES( P-256 P-384 )
                    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

                    +

                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 TestingCandidates )
                    +PKV: CURVES( P-256 P-384 )
                    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

                    SHS: Val# 3347
                    DRBG: Val# 1222

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

                    Version 10.0.14393

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -PKV: CURVES( P-256 P-384 P-521 )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    +

                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +PKV: CURVES( P-256 P-384 P-521 )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val# 3347
                    DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

                    Version 10.0.14393

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    +

                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val# 3047
                    DRBG: Val# 955

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

                    Version 10.0.10586

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +

                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val# 2886
                    DRBG: Val# 868

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    +

                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

                    SHS: Val#2373
                    DRBG: Val# 489

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

                    Version 6.3.9600

                    FIPS186-2:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 )
                    -SHS: #1903
                    -DRBG: #258
                    -SIG(ver):CURVES( P-256 P-384 P-521 )
                    -SHS: #1903
                    -DRBG: #258

                    -

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    -SHS: #1903
                    -DRBG: #258
                    +

                    FIPS186-2:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 )
                    +SHS: #1903
                    +DRBG: #258
                    +SIG(ver):CURVES( P-256 P-384 P-521 )
                    +SHS: #1903
                    +DRBG: #258

                    +

                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +SHS: #1903
                    +DRBG: #258
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

                    FIPS186-2:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 )
                    -SHS: Val#1773
                    -DRBG: Val# 193
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#1773
                    -DRBG: Val# 193

                    -

                    FIPS186-4:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    -SHS: Val#1773
                    -DRBG: Val# 193
                    +

                    FIPS186-2:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 )
                    +SHS: Val#1773
                    +DRBG: Val# 193
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#1773
                    +DRBG: Val# 193

                    +

                    FIPS186-4:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 ExtraRandomBits )
                    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
                    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
                    +SHS: Val#1773
                    +DRBG: Val# 193
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
                    FIPS186-2:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 )
                    -SHS: Val#1081
                    -DRBG: Val# 23
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#1081
                    -DRBG: Val# 23
                    +
                    FIPS186-2:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 )
                    +SHS: Val#1081
                    +DRBG: Val# 23
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#1081
                    +DRBG: Val# 23
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

                    Windows Server 2008 R2 and SP1 CNG algorithms #142

                    Windows 7 Ultimate and SP1 CNG algorithms #141

                    FIPS186-2:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 )
                    -SHS: Val#753
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#753
                    +
                    FIPS186-2:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 )
                    +SHS: Val#753
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#753
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

                    Windows Server 2008 CNG algorithms #83

                    Windows Vista Ultimate SP1 CNG algorithms #82

                    FIPS186-2:
                    -PKG: CURVES
                    ( P-256 P-384 P-521 )
                    -SHS: Val#618
                    -RNG: Val# 321
                    -SIG(ver): CURVES( P-256 P-384 P-521 )
                    -SHS: Val#618
                    -RNG: Val# 321
                    +
                    FIPS186-2:
                    +PKG: CURVES
                    ( P-256 P-384 P-521 )
                    +SHS: Val#618
                    +RNG: Val# 321
                    +SIG(ver): CURVES( P-256 P-384 P-521 )
                    +SHS: Val#618
                    +RNG: Val# 321
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
                    Windows Vista CNG algorithms #60
                    Modes / States / Key Sizes | Algorithm Implementation and Certificate #
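Review bot: every `-`/`+` pair in this hunk carries identical text (`-PKG: CURVES` / `+PKG: CURVES`, `-DRBG: Val# 193` / `+DRBG: Val# 193`, and so on), so the change appears to be markup or whitespace only; a whitespace-insensitive diff should confirm that no certificate number or curve list moved between the old and new blocks. Since the rows are being rewritten anyway, the `SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)` entry in both FIPS186-4 blocks is missing the closing `)` that the matching `SigVer` line has; adding it in the `+` line would keep the two entries consistent.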
                      @@ -3983,265 +3983,265 @@ Some of the previously validated components for this validation have been remove

                      Version 10.0.16299

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

                    Version 10.0.15063

                    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

                    Version 10.0.15063

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

                    Version 7.00.2872

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

                    Version 8.00.6246

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

                    Version 7.00.2872

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

                    Version 8.00.6246

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHS Val# 3347

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3347

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3347

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

                    Version 10.0.14393

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

                    Version 10.0.14393

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHS Val# 3047

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3047

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3047

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    SHS Val# 3047

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

                    Version 10.0.10586

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHSVal# 2886

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHSVal# 2886

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                     SHSVal# 2886

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    SHSVal# 2886

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

                    Version 10.0.10240

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    +

                    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
                    SHS Val#2373

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
                    SHS Val#2373

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
                    SHS Val#2373

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    +

                    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
                    SHS Val#2373

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

                    Version 6.3.9600

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

                    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

                    Version 5.2.29344

                    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

                    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

                    -

                    SHS#1903

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

                    -

                    SHS#1903

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

                    -

                    SHS#1903

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

                    -

                    SHS#1903

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

                    +

                    SHS#1903

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

                    +

                    SHS#1903

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

                    +

                    SHS#1903

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

                    +

                    SHS#1903

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    -

                    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    +

                    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

                    Windows Server 2008 R2 and SP1 CNG algorithms #686

                    Windows 7 and SP1 CNG algorithms #677

                    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

                    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

                    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

                    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

                    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

                    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

                    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

                    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

                    Windows XP, vendor-affirmed

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

                    Windows Server 2008 CNG algorithms #413

                    Windows Vista Ultimate SP1 CNG algorithms #412

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

                    Windows Vista Ultimate BitLocker Drive Encryption #386

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

                    Windows Vista CNG algorithms #298

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

                    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

                    Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

                    Windows Vista BitLocker Drive Encryption #199
                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

                    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

                    Windows XP, vendor-affirmed

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

                    -

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    -

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    -

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

                    +

                    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    +

                    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    +

                    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

                    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
                    Modes / States / Key Sizes | Algorithm Implementation and Certificate #
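Review bot: the stray word in `+Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773` (the Windows Embedded Compact 7 bcrypt.dll #1364 row) is copied over unchanged from the `-` line; it is not part of the algorithm name and should be dropped while this row is being rewritten. The same pass could normalise the truncated entries such as `HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902` and `HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081` on the BitLocker rows, where the `BS ) SHS` fragment present on the neighbouring rows is missing, and the inconsistent `SHSVal#` versus `SHS Val#` spacing, so that each row still reads as `<algorithm> ( <key sizes> ) SHS Val#<number>`.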
                      @@ -4782,7 +4782,7 @@ SHS -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

                    SHS Val#3790
                    DSA Val#1135
                    DRBG Val#1556

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    SHS Val#3790
                    DSA Val#1223
                    DRBG Val#1555

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val#3790
                    ECDSA Val#1133
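Review bot: the added lines are byte-identical to the removed ones apart from the inserted line breaks, so this hunk is formatting-only and the commit message should say so. While the EphemeralUnified line is being touched, its last scheme entry `( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]` carries one closing parenthesis more than the OnePassDH and StaticUnified entries beneath it, which read `( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]`; drop the extra `)` so the three schemes are balanced alike.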
                    @@ -4807,29 +4807,29 @@ DRBG -

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    SHS Val# 3649
                    DSA Val#1188
                    DRBG Val#1430

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

                    Version 7.00.2872

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
                    SHS Val#3648
                    DSA Val#1187
                    DRBG Val#1429

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val#3648
                    ECDSA Val#1072
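Review bot: same formatting-only reflow as the previous hunk, and the same unbalanced `( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]` is carried over unchanged in the EphemeralUnified line of the ECC cell. Two small consistency points in the context lines worth fixing in the same change: `SHS Val# 3649` has a space after `#` while the adjacent `DSA Val#1188` and `DRBG Val#1430` do not, and `FB:SHA256 HMAC` in the dhHybridOneFlow and dhStatic entries lacks the space after the colon that `FC: SHA256   HMAC` has.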
                    @@ -4838,19 +4838,19 @@ DRBG -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
                    -SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
                    +SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

                    SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

                    Version 10.0.14393

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
                    -SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    -( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
                    +SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val# 3347 DSA Val#1098 DRBG Val#1217

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    ( FB: SHA256 ) ( FC: SHA256 ) ]
                    [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val# 3047 DSA Val#1024 DRBG Val#955

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val# 3047 ECDSA Val#760 DRBG Val#955

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    ( FB: SHA256 ) ( FC: SHA256 ) ]
                    [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val# 2886 DSA Val#983 DRBG Val#868

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val# 2886 ECDSA Val#706 DRBG Val#868

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
                    ( FB: SHA256 ) ( FC: SHA256 ) ]
                    [ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

                    SHS Val#2373 DSA Val#855 DRBG Val#489

                    -

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +

                    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    [ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
                    [ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS Val#2373 ECDSA Val#505 DRBG Val#489

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    -( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    -[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
                    +

                    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
                    +( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
                    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
                    SHS #1903 DSA Val#687 DRBG #258

                    -

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    -[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
                    -[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
                    +

                    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
                    +[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
                    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]

                    SHS #1903 ECDSA Val#341 DRBG #258

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

                    KAS (SP 800–56A)

                    +

                    KAS (SP 800–56A)

                    key agreement

                    key establishment methodology provides 80 to 256 bits of encryption strength

                    Windows 7 and SP1, vendor-affirmed
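Review bot: the reflowed FFC and ECC cells in this hunk differ from the removed lines only by line breaks, so again nothing but whitespace changes. In the last ECC cell (the #36 CNG implementation), `[ OnePassDH( No_KC` is missing the space before `(` that every other `OnePassDH  ( No_KC` entry has, and its EE entry `( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]` has the extra closing parenthesis seen in the earlier hunks; both are worth correcting while these lines are rewritten. Also, `KAS (SP 800–56A)` uses an en dash where the rest of the page writes the publication numbers with a hyphen (`SP 800-108`); use the hyphen.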

                    @@ -4922,8 +4922,8 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF) - - + + - - - - - - @@ -5087,34 +5087,34 @@ Random Number Generator (RNG) - - + + - + - + - + - + - + @@ -5140,8 +5140,8 @@ Random Number Generator (RNG) - - + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -6143,8 +6143,8 @@ Some of the previously validated components for this validation have been remove - - + + - + - + - + - + - + - + - + - + - + - + - + - + - + - - + - + - + - + - + - + - + - +

                    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176


                    Version 10.0.16299

                    Modes / States / Key Sizes | Algorithm Implementation and Certificate #
                      @@ -5021,7 +5021,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

                      Version 10.0.16299

                    CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
                    +
                    CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#128
                    DRBG Val#1556
                    @@ -5030,7 +5030,7 @@ MAC -
                    CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
                    +
                    CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#127
                    AES Val#4624
                    @@ -5040,37 +5040,37 @@ MAC -

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#93 DRBG Val#1222 MAC Val#2661

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

                    Version 10.0.14393

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

                    Version 10.0.14393

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

                    Version 10.0.10586

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

                    Version 10.0.10240

                    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    DRBG Val#489 MAC Val#1773

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

                    Version 6.3.9600

                    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    +

                    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

                    DRBG #258 HMAC Val#1345

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
                    Modes / States / Key Sizes | Algorithm Implementation and Certificate #

                    FIPS 186-2 General Purpose

                    -

                    [ (x-Original); (SHA-1) ]

                    FIPS 186-2 General Purpose

                    +

                    [ (x-Original); (SHA-1) ]

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
                    FIPS 186-2
                    -[ (x-Original); (SHA-1) ]
                    FIPS 186-2
                    +[ (x-Original); (SHA-1) ]

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

                    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

                    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

                    Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

                    FIPS 186-2
                    -[ (x-Change Notice); (SHA-1) ]

                    -

                    FIPS 186-2 General Purpose
                    -[ (x-Change Notice); (SHA-1) ]

                    FIPS 186-2
                    +[ (x-Change Notice); (SHA-1) ]

                    +

                    FIPS 186-2 General Purpose
                    +[ (x-Change Notice); (SHA-1) ]

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

                    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

                    Windows Vista RNG implementation #321

                    FIPS 186-2 General Purpose
                    -[ (x-Change Notice); (SHA-1) ]
                    FIPS 186-2 General Purpose
                    +[ (x-Change Notice); (SHA-1) ]

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

                    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447
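Review bot: the KBKDF rows in this hunk are reflowed without any content change, but two context lines in the same tables look like typos that should be fixed in the same pass. The #66 CNG row lists `KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233`, where every neighbouring row gives the fourth reference as `DRBG Val#...`, so `RBG` is almost certainly missing its leading `D`. In the RNG table, `Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66` drops the `s` from the second `Windows`; the same product is spelled `Windows CE 5.00 and Windows CE 5.01` in the HMAC table above.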

                    @@ -5122,8 +5122,8 @@ Random Number Generator (RNG)

                    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

                    FIPS 186-2
                    -[ (x-Change Notice); (SHA-1) ]
                    FIPS 186-2
                    +[ (x-Change Notice); (SHA-1) ]

                    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

                    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

                    Modes / States / Key Sizes | Algorithm Implementation and Certificate #

                    RSA:

                    @@ -5711,419 +5711,419 @@ Random Number Generator (RNG)

                    Version 10.0.16299

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
                    +
                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
                    SHA Val#3790

                    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

                    Version 10.0.15063

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +
                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3790

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

                    Version 10.0.15063

                    FIPS186-4:
                    -186-4KEY(gen):
                    FIPS186-4_Fixed_e ( 10001 ) ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +
                    FIPS186-4:
                    +186-4KEY(gen):
                    FIPS186-4_Fixed_e ( 10001 ) ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    SHA Val#3790
                    DRBG: Val# 1555

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

                    Version 10.0.15063
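Review bot: the `SaltLen( 62 )` for SHA-512 in the 1024-bit `Sig(Ver)` entry (`(1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) ))`, carried unchanged from the removed line to the added one) is correct and should not be "fixed" to 64 in a follow-up: with a 1024-bit modulus the PSS encoded message is 128 bytes, and EMSA-PSS caps the salt at emLen - hLen - 2 = 128 - 64 - 2 = 62 bytes. That is why every 1024-bit PSS verify entry in this section says 62 while the 2048- and 3072-bit entries on the same lines say 64.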

                    FIPS186-4:
                    +
                    FIPS186-4:
                    186-4KEY(gen):
                    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +PGM(ProbRandom:
                    ( 2048 , 3072 ) PPTT:( C.2 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    SHA Val#3790

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

                    Version 10.0.15063
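Review bot: the added lines for #2521 split `PGM(ProbRandom:` from its argument list, `+PGM(ProbRandom:` followed by `( 2048 , 3072 ) PPTT:( C.2 )` on the next line, whereas the removed line `-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )` kept the prime-generation method and its modulus sizes together, as the same field still does in the bcrypt.dll rows #2412 and #2411 below. Keep it on one line so the key-generation parameters are not separated in the rendered cell.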

                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +

                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

                    -

                    FIPS186-4:
                    -ALG[ANSIX9.31]
                    Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -SIG(gen) with SHA-1 affirmed for use with protocols only.
                    Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +ALG[ANSIX9.31]
                    Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +SIG(gen) with SHA-1 affirmed for use with protocols only.
                    Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3652

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

                    Version 7.00.2872

                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +

                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

                    -

                    FIPS186-4:
                    -ALG[ANSIX9.31]
                    Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -SIG(gen) with SHA-1 affirmed for use with protocols only.
                    Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +ALG[ANSIX9.31]
                    Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +SIG(gen) with SHA-1 affirmed for use with protocols only.
                    Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3651

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

                    Version 8.00.6246

                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
                    +

                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

                    -

                    FIPS186-4:
                    -186-4KEY(gen):
                    FIPS186-4_Fixed_e (10001) ;
                    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +186-4KEY(gen):
                    FIPS186-4_Fixed_e (10001) ;
                    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val# 3649
                    DRBG: Val# 1430

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

                    Version 7.00.2872

                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
                    +

                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

                    -

                    FIPS186-4:
                    -186-4KEY(gen):
                    FIPS186-4_Fixed_e (10001) ;
                    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    -
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +186-4KEY(gen):
                    FIPS186-4_Fixed_e (10001) ;
                    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
                    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
                    SHA Val#3648
                    DRBG: Val# 1429

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

                    Version 8.00.6246

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

                    SHA Val# 3347

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

                    Version 10.0.14393

                    FIPS186-4:
                    -186-4KEY(gen):
                    FIPS186-4_Fixed_e ( 10001 ) ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    +

                    FIPS186-4:
                    +186-4KEY(gen):
                    FIPS186-4_Fixed_e ( 10001 ) ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val# 3347 DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

                    Version 10.0.14393

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#3346

                    soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

                    Version 10.0.14393
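Review bot: the context line for certificate #2194 starts `soft Windows 10 Anniversary Update, Windows Server 2016, ...`, so the product name has lost its leading `Micro`; the neighbouring rows #2195 and #2193 read `Microsoft Windows 10 Anniversary Update, ...`. Since this patch is already reflowing the cells of these rows, restore the full name in the same change rather than leaving a truncated product string in the table.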

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val# 3347 DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

                    Version 10.0.14393

                    FIPS186-4:
                    -[RSASSA-PSS]: Sig(Gen):
                    (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    -

                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    +

                    FIPS186-4:
                    +[RSASSA-PSS]: Sig(Gen):
                    (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    +

                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val# 3347 DRBG: Val# 1217

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

                    Version 10.0.14393

                    FIPS186-4:
                    -186-4KEY(gen)
                    :  FIPS186-4_Fixed_e ( 10001 ) ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    +

                    FIPS186-4:
                    +186-4KEY(gen)
                    :  FIPS186-4_Fixed_e ( 10001 ) ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val# 3047 DRBG: Val# 955

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

                    Version 10.0.10586

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#3048

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

                    Version 10.0.10586
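Review bot: the product list for #1871 ends `Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations`, which reads as a duplicated name; the #1889 row above gives the models as `Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55”`. The same dropped sizes appear in the #1888 and #1887 rows below. Either restore the 84”/55” models or collapse to a single `Surface Hub` in all four rows so they agree.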

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val# 3047

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

                    Version 10.0.10586

                    FIPS186-4:
                    -[RSASSA-PSS]: Sig(Gen)
                    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    +

                    FIPS186-4:
                    +[RSASSA-PSS]: Sig(Gen)
                    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val# 3047

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

                    Version 10.0.10586
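Review bot: the added lines leave a colon stranded at the start of the following line in two of these cells: `+186-4KEY(gen)` then `:  FIPS186-4_Fixed_e ( 10001 ) ;` for #1889, and `+[RSASSA-PSS]: Sig(Gen)` then `: (2048 SHA( 256 SaltLen( 32 ) , ...` for #1887. The equivalent fields elsewhere (for example `+186-4KEY(gen):` followed by `FIPS186-4_Fixed_e ( 10001 ) ;` in the #2195 row) keep the colon with its label; move the colons up so the line breaks fall in the same place as in the other rows.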

                    FIPS186-4:
                    -186-4KEY(gen):
                    FIPS186-4_Fixed_e ( 10001 ) ;
                    +

                    FIPS186-4:
                    +186-4KEY(gen):
                    FIPS186-4_Fixed_e ( 10001 ) ;
                    PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val# 2886 DRBG: Val# 868

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

                    Version 10.0.10240

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2871

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

                    Version 10.0.10240

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2871

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

                    Version 10.0.10240

                    FIPS186-4:
                    -[RSASSA-PSS]:
                    Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +

                    FIPS186-4:
                    +[RSASSA-PSS]:
                    Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val# 2886

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

                    Version 10.0.10240

                    FIPS186-4:
                    -186-4KEY(gen):
                    FIPS186-4_Fixed_e ;
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    +

                    FIPS186-4:
                    +186-4KEY(gen):
                    FIPS186-4_Fixed_e ;
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

                    SHA Val#2373 DRBG: Val# 489

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

                    Version 6.3.9600

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2373

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

                    Version 6.3.9600

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5
                    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5
                    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

                    SHA Val#2373

                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

                    Version 6.3.9600
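Review bot: the added lines for #1493 split the algorithm label across the bracket, `+ALG[RSASSA-PKCS1_V1_5` followed by `] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))`; the removed lines had the same break, but since the line is being touched anyway, join it to `ALG[RSASSA-PKCS1_V1_5] SIG(gen) ...` as every other PKCS#1 v1.5 row in this section is written, so the identifier stays searchable as one token.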

                    FIPS186-4:
                    -[RSASSA-PSS]:
                    Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    +

                    FIPS186-4:
                    +[RSASSA-PSS]:
                    Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
                    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

                    SHA Val#2373

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

                    Version 6.3.9600
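Review bot: the product list for #1519 starts at `Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, ...`, while the three sibling rows for the same 6.3.9600 build (#1487, #1494, #1493) start with `Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, ...`. Check whether the leading platforms were dropped from this cell and, if so, restore them in this change.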

                    FIPS186-4:
                    -ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
                    +

                    FIPS186-4:
                    +ALG[RSASSA-PKCS1_V1_5]
                    SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
                    SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
                    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
                    Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
                    SHA #1903

                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
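Review bot: the PSS `Sig(Ver)` line for #1134 lists `(3072 SHA( 1 , 256 , 384 , 512 , 512 ))`, with `512` repeated; the 1024 and 2048 groups on the same line list each hash once, so drop the duplicate while this cell is being reworked.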
                    FIPS186-4:
                    -186-4KEY(gen):
                    FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
                    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    +
                    FIPS186-4:
                    +186-4KEY(gen):
                    FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
                    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
                    SHA #1903 DRBG: #258
                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.
                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
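Review bot: the `SIG(ver)` line for #1132 reads `SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,`, where `SHA-#1902` has lost its digest size; by the pattern of the adjacent entries and of the other SHS lists in this section (`SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774`) it is presumably `SHA-384#1902`. Confirm against the CAVP record and fix it here, since the surrounding lines are already being rewritten.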
                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.
                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.
                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    +
                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.
                    Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    +
                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

                    Windows Server 2008 R2 and SP1 CNG algorithms #567

                    Windows 7 and SP1 CNG algorithms #560

                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
                    Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    +
                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.
                    Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
                    FIPS186-2:
                    +
                    FIPS186-2:
                    ALG[ANSIX9.31]:
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.
                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.
                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    +
                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

                    Windows Server 2008 CNG algorithms #358

                    Windows Vista SP1 CNG algorithms #357

                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

                    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

                    Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
                    Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
                    FIPS186-2:
                    -ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:
                    Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
                    Windows Vista RSA key generation implementation #258
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    +
                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.
                    Windows Vista CNG algorithms #257
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    +
                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:
                    SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.
                    Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.
                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.
                    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.
                    Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
                    FIPS186-2:
                    -ALG[RSASSA-PKCS1_V1_5]:

                    +
                    FIPS186-2:
                    +ALG[RSASSA-PKCS1_V1_5]:

                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.
                    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
                    FIPS186-2:
                    -ALG[ANSIX9.31]:

                    +
                    FIPS186-2:
                    +ALG[ANSIX9.31]:

                    SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
                    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                    SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
                    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.
                    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

                    FIPS186-2:

                    +

                    FIPS186-2:

                    – PKCS#1 v1.5, signature generation and verification

                    – Mod sizes: 1024, 1536, 2048, 3072, 4096

                    – SHS: SHA–1/256/384/512

                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
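Review bot: the context line `SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,` in the #1132 (RSAENH) entry is missing a hash name in the third position; every other SIG(ver) list in this hunk reads SHA-1, SHA-256, SHA-384, SHA-512, so `SHA-#1902` looks like a dropped `384`. Since this change already rewrites the neighbouring rows of that entry, it is worth correcting in the same commit. In the #557 (Windows 7 and SP1 RSAENH) entry, the `ALG[ANSIX9.31]:` line has no `Key(gen)` or signature detail beneath it, unlike every other ANSIX9.31 entry in the hunk, so please check whether a line was lost there.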
                      @@ -6213,170 +6213,170 @@ Some of the previously validated components for this validation have been remove

                      Version 10.0.16299

                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)
                    SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

                    Version 10.0.15063

                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)
                    SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

                    Version 7.00.2872

                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)
                    SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

                    Version 8.00.6246

                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)
                    SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

                    Version 7.00.2872

                    SHA-1      (BYTE-only)
                    -SHA-256  (BYTE-only)
                    -SHA-384  (BYTE-only)
                    -SHA-512  (BYTE-only)
                    SHA-1      (BYTE-only)
                    +SHA-256  (BYTE-only)
                    +SHA-384  (BYTE-only)
                    +SHA-512  (BYTE-only)

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

                    Version 8.00.6246

                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
                    Version 10.0.14393
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
                    Version 10.0.14393
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
                    Version 10.0.10586
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
                    Version 10.0.10586
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
                    Version 10.0.10240
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
                    Version 10.0.10240
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
                    Version 6.3.9600
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
                    Version 6.3.9600

                    SHA-1 (BYTE-only)

                    -

                    SHA-256 (BYTE-only)

                    -

                    SHA-384 (BYTE-only)

                    -

                    SHA-512 (BYTE-only)

                    +

                    SHA-1 (BYTE-only)

                    +

                    SHA-256 (BYTE-only)

                    +

                    SHA-384 (BYTE-only)

                    +

                    SHA-512 (BYTE-only)

                    Implementation does not support zero-length (null) messages.

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

                    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

                    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)
                    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

                    Windows Vista Symmetric Algorithm Implementation #618

                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)

                    Windows Vista BitLocker Drive Encryption #737

                    Windows Vista Beta 2 BitLocker Drive Encryption #495

                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

                    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

                    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

                    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

                    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

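Review bot: every removed line in this hunk is re-added with identical visible text (`-SHA-256 (BYTE-only)` becomes `+SHA-256 (BYTE-only)`, and likewise for SHA-384 and SHA-512 in each SHS entry), so the change is whitespace, line-ending or markup only; the commit message should say so, and a whitespace-ignoring diff should confirm that no certificate numbers or version strings changed. Two presentation issues in these rows are worth fixing while here: the #1903/#1902 (SYMCRYPT/RSA32) entry lists each hash on its own line with bare `-`/`+` markers while every other entry uses one line per hash, and the single-hash rows for #785/#784 and #611/#610/#385 render as `SHA-1 (BYTE-only)SHA-1 (BYTE-only)`, with the two copies of the cell running together without a separator.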
                    @@ -6386,16 +6386,16 @@ Version 6.3.9600
                    SHA-1 (BYTE-only)
                    -SHA-256 (BYTE-only)
                    -SHA-384 (BYTE-only)
                    -SHA-512 (BYTE-only)
                    SHA-1 (BYTE-only)
                    +SHA-256 (BYTE-only)
                    +SHA-384 (BYTE-only)
                    +SHA-512 (BYTE-only)

                    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

                    Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

                    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

                    SHA-1 (BYTE-only)SHA-1 (BYTE-only)

                    Windows XP Microsoft Enhanced Cryptographic Provider #83

                    Crypto Driver for Windows 2000 (fips.sys) #35

                    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

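Review bot: as in the preceding hunk, the `-`/`+` pairs for SHA-256, SHA-384 and SHA-512 carry identical text, so this is a whitespace-only change, and the `SHA-1 (BYTE-only)SHA-1 (BYTE-only)` row for the #83/#35/#32 entries again runs two copies of the cell together without a separator; a separator or line break there would keep the rendered table readable.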
                    @@ -6417,8 +6417,8 @@ Version 6.3.9600
                    Modes / States / Key SizesAlgorithm Implementation and Certificate #Modes / States / Key SizesAlgorithm Implementation and Certificate #
                      @@ -6499,112 +6499,112 @@ Version 6.3.9600
                    TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

                    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

                    Version 10.0.15063

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, )

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

                    Version 8.00.6246

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, )

                    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

                    Version 8.00.6246

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    CTR ( int only )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    CTR ( int only )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

                    Version 7.00.2872

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, )

                    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

                    Version 8.00.6246

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

                    Version 10.0.14393

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

                    Version 10.0.10586

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

                    Version 10.0.10240

                    TECB( KO 1 e/d, ) ;

                    -

                    TCBC( KO 1 e/d, ) ;

                    -

                    TCFB8( KO 1 e/d, ) ;

                    -

                    TCFB64( KO 1 e/d, )

                    TECB( KO 1 e/d, ) ;

                    +

                    TCBC( KO 1 e/d, ) ;

                    +

                    TCFB8( KO 1 e/d, ) ;

                    +

                    TCFB64( KO 1 e/d, )

                    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

                    Version 6.3.9600

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 ) ;

                    -

                    TCFB64( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 ) ;

                    +

                    TCFB64( e/d; KO 1,2 )

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 ) ;

                    -

                    TCFB8( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 ) ;

                    +

                    TCFB8( e/d; KO 1,2 )

                    Windows Vista Symmetric Algorithm Implementation #549
                    Triple DES MACTriple DES MAC

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

                    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

                    TECB( e/d; KO 1,2 ) ;

                    -

                    TCBC( e/d; KO 1,2 )

                    TECB( e/d; KO 1,2 ) ;

                    +

                    TCBC( e/d; KO 1,2 )

                    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

                    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

                    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691
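Review bot: every `-`/`+` pair in this Triple DES hunk, from the RSAENH #2384 entry down to SymCrypt #549, renders identically (for example `TECB( KO 1 e/d, ) ;` against `TCBC( KO 1 e/d, )` on both sides), so the edit is whitespace or markup only; state that in the commit message so reviewers do not hunt for a content change, and since these mode lists depend on line breaks inside the table cell, spot-check one rendered entry with several modes (#2381 lists TECB, TCBC, TCFB8 and TCFB64) to confirm the modes still appear on separate lines rather than collapsing into one run.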

                    @@ -6636,15 +6636,15 @@ Version 6.3.9600
                    + PBKDF (vendor affirmed) + PBKDF (vendor affirmed) - - + + - + @@ -113,7 +113,7 @@ The following steps assume that you have completed all the required steps in [Be - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 32e7e448f6..771c2b866b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -63,7 +63,7 @@ The following steps will guide you through onboarding VDI devices and will highl 1. Click **Download package** and save the .zip file. -2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. +2. Copy all the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`. >[!NOTE] >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 12436534f1..29b20bcf7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -15,7 +15,7 @@ ms.localizationpriority: medium ms.custom: - next-gen - edr -ms.collection: +ms.date: 08/21/2020 --- # Endpoint detection and response (EDR) in block mode 
@@ -26,10 +26,14 @@ ms.collection: ## What is EDR in block mode? -When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. +When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Microsoft Defender ATP blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach. + +EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled. + +:::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode"::: > [!NOTE] -> EDR in block mode is currently in private preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. 
+> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? @@ -37,7 +41,7 @@ When EDR in block mode is turned on, and a malicious artifact is detected, block The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: -:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something"::: +:::image type="content" source="images/edr-in-block-mode-detection.png" alt-text="EDR in block mode detected something"::: ## Enable EDR in block mode @@ -83,7 +87,9 @@ Because Microsoft Defender Antivirus detects and remediates malicious items, it' Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. -## Related articles +## See also + +[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) [Behavioral blocking and containment](behavioral-blocking-containment.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 7f19406d2e..a856668804 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -108,15 +108,15 @@ See Onboard Windows 10 devices. - + diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png new file mode 100644 index 0000000000..2a5104b582 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode-detection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png new file mode 100644 index 0000000000..42273cd0d4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/edrblockmode-TVMrecommendation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 4b48c8771f..a76ef78405 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md 
@@ -38,6 +38,16 @@ ms.topic: conceptual > 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). > 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update. +## 101.05.17 + +> [!IMPORTANT] +> We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax. +> +> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months. + +- Addressed a kernel panic that occurred sometimes when accessing SMB file shares +- Performance improvements & bug fixes + ## 101.05.16 - Improvements to quick scan logic to significantly reduce the number of scanned files diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 4f0891df0c..3956891c0c 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -33,29 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor - + - - - - + + + + - + - + - + @@ -90,11 +90,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -102,11 +102,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -114,11 +114,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C 
@@ -126,11 +126,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -138,11 +138,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C @@ -150,11 +150,11 @@ For Microsoft Defender SmartScreen Internet Explorer MDM policies, see [Policy C
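Review bot: in the configure-endpoints-vdi hunk (@@ -63), step 2 still reads "into `golden/master` image" after the edit; since the line is being touched anyway, add the missing article: "Copy all the extracted files from the .zip into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`."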
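Review bot: the new paragraph in the edr-in-block-mode @@ -26 hunk says "to turn EDR in block mode on if it isn't already enabled", while the rewritten sentence just above it deliberately replaces "is enabled" with "is turned on"; use one term throughout, e.g. "to turn on EDR in block mode if it isn't already on". The same hunk writes "post-breach protection" and then "detected, post breach" within one sentence; drop the comma and keep the hyphen ("that are detected post-breach").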
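Review bot: the @@ -37 hunk swaps `images/edr-in-block-mode.jpg` for `images/edr-in-block-mode-detection.png`, and the new PNG is added as a new file further down, but no deletion of the old JPG appears in this diff; remove it if nothing else references it so the images folder does not keep an orphaned file. The alt text "EDR in block mode detected something" could also name what the screenshot shows, since the lead-in sentence already identifies it as unwanted software, e.g. "unwanted software detected and blocked by EDR in block mode".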
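Review bot: renaming "## Related articles" to "## See also" in the @@ -83 hunk changes the heading's anchor; check for links to `#related-articles` elsewhere in the docset before merging, or keep the old heading if any exist. The added Tech Community link is an absolute URL while the next entry, `[Behavioral blocking and containment](behavioral-blocking-containment.md)`, is relative; that is expected for an external blog, but the link text could be shortened to the post title so the list reads consistently.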
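Review bot: typo in the added IMPORTANT block of the mac-whatsnew @@ -38 hunk: "famliliarize" should be "familiarize". That block asks readers to learn the new `mdatp` command-line syntax but gives them nothing to read; add a link to the command-line reference or a one-line example of the new form so the release note is actionable.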
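Review bot: the microsoft-defender-smartscreen-available-settings hunks (@@ -33 through @@ -150) consist only of `-`/`+` pairs whose rendered content is identical; the Group Policy paths and the MDM bullet lists for `AllowSmartScreen`, `EnableAppInstallControl` and `EnableSmartScreenInShell` match line for line before and after. Formatting-only churn of this size is better split into its own commit, labelled as such, so that the content changes in edr-in-block-mode.md and mac-whatsnew.md can be reviewed on their own.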
                    - Modes / States / Key Sizes + Modes / States / Key Sizes - Algorithm Implementation and Certificate # + Algorithm Implementation and Certificate #
                    - PBKDF (vendor affirmed)

                     Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
                    (Software Version: 10.0.14393)

                    Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                    (Software Version: 10.0.14393)

                    @@ -6654,7 +6654,7 @@ Version 6.3.9600
                    - PBKDF (vendor affirmed)

                    Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
                    (Software Version: 10.0.14393)

                    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed
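Review bot: across the @@ -6636 and @@ -6654 hunks certificate #2936 is attached to two different implementation names, "Microsoft Windows 10, Windows 10 Pro, ... Windows Storage Server 2016 #2936" and "Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, ... #2936", while #2937 is given to bcryptprimitives.dll and ncryptsslp.dll; confirm against the CAVP listing which implementation each number belongs to before merging, because readers use these numbers to look up the certificate. In the @@ -6636 hunk the inserted name "Kernel Mode Cryptographic Primitives Library (cng.sys)" also runs directly into "Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10 ..." within one cell; check that the rendered table has a break between the two.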

                    @@ -6672,8 +6672,8 @@ Version 6.3.9600
                    Publication / Component Validated / DescriptionImplementation and Certificate #Publication / Component Validated / DescriptionImplementation and Certificate #
                      diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 8544b43d61..5ecbd9a101 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -63,6 +63,6 @@ It is also important to keep the following in mind: Help Microsoft stop scammers, whether they claim to be from Microsoft or from another tech company, by reporting tech support scams: -www.microsoft.com/reportascam +www.microsoft.com/reportascam You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/wdsi/support/report-unsafe-site) or using built in web browser functionality. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 2dc93956ba..ef4053bac6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -103,8 +103,8 @@ The following steps assume that you have completed all the required steps in [Be For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
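Review bot: the support-scams @@ -63 hunk's `-`/`+` pair renders identically as `www.microsoft.com/reportascam`, so the change is markup only; if the intent was to make the address clickable, the explicit Markdown form `[www.microsoft.com/reportascam](https://www.microsoft.com/reportascam)` is clearer than relying on autolinking. The unchanged context line "built in web browser functionality" should read "built-in".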
                    Events URLDepending on the location of your datacenter, select either the EU or the US URL:

                    For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                    -
                    For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                    For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                    Depending on the location of your datacenter, select either the EU or the US URL:

                    For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                    +
                    For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME

                    For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
                    Authentication Type OAuth 2Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
                    Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

                    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

                    Get your refresh token using the restutil tool:
                    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

                    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

                    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                    d. A refresh token is shown in the command prompt.

                    e. Copy and paste it into the Refresh Token field. +
                    You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

                    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

                    Get your refresh token using the restutil tool:
                    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

                    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

                    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

                    d. A refresh token is shown in the command prompt.

                    e. Copy and paste it into the Refresh Token field.
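Review bot: the Events URL cell in the configure-arcsight @@ -103 hunk says "select either the EU or the US URL" but then lists EU, US and UK endpoints; change it to "select the EU, US or UK URL for your datacenter". In the Refresh Token cell, step b instructs the reader to type `arcsight restutil token -config` and then gives `arcsight restutil boxtoken -proxy proxy.location.hp.com:8080` as the example, so the subcommand differs between instruction and example; align the two or say explicitly that `boxtoken` is the proxy variant. Step c says "Type in your credentials" and then "enter your credentials" again; drop one. "Preferences setup ," also has a stray space before the comma.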
                    9 Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable.During onboarding: The device did not onboard correctly and will not be reporting to the portal.

                    During offboarding: Failed to change the service start type. The offboarding process continues.
                    During onboarding: The device did not onboard correctly and will not be reporting to the portal.

                    During offboarding: Failed to change the service start type. The offboarding process continues.
                    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
                    See Onboard Windows 10 devices.
                    Description
                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    -

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    +

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

                    At least Windows Server 2012, Windows 8 or Windows RT This policy setting turns on Microsoft Defender SmartScreen.

                    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

                    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                    Windows 10, version 1703This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

                    Important: Using a trustworthy browser helps ensure that these protections work as expected.

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
                    Windows 10, version 1703This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

                    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

                    Important: Using a trustworthy browser helps ensure that these protections work as expected.

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

                    Windows 10, Version 1607 and earlier:
                    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

                    Microsoft Edge on Windows 10 or later This policy setting turns on Microsoft Defender SmartScreen.

                    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

                    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

                    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

                    Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

                    If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

                    If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

                    Windows 10, version 2004:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, version 1703:
                    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

                    Windows 10, Version 1511 and 1607:
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

                    Microsoft Edge on Windows 10, version 1511 or later This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

                    If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

                    If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

                    Windows 10
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                    • -
                    • Data type. Integer
                    • -
                    • Allowed values:
                        -
                      • 0 . Turns off Microsoft Defender SmartScreen in Edge.
                      • -
                      • 1. Turns on Microsoft Defender SmartScreen in Edge.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
                  • +
                  • Data type. Integer
                  • +
                  • Allowed values:
                      +
                    • 0 . Turns off Microsoft Defender SmartScreen in Edge.
                    • +
                    • 1. Turns on Microsoft Defender SmartScreen in Edge.
                  • Windows 10, version 1703
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                    • -
                    • Data type. Integer
                    • -
                    • Allowed values:
                        -
                      • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                      • -
                      • 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                  • +
                  • Data type. Integer
                  • +
                  • Allowed values:
                      +
                    • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                    • +
                    • 1. Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.
                  • Windows 10, version 1703
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                    • -
                    • Data type. Integer
                    • -
                    • Allowed values:
                        -
                      • 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                      • -
                      • 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                  • +
                  • Data type. Integer
                  • +
                  • Allowed values:
                      +
                    • 0 . Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                    • +
                    • 1. Turns on Microsoft Defender SmartScreen in Windows for app and file execution.
                  • Windows 10, version 1703
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                    • -
                    • Data type. Integer
                    • -
                    • Allowed values:
                        -
                      • 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                      • -
                      • 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                  • +
                  • Data type. Integer
                  • +
                  • Allowed values:
                      +
                    • 0 . Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                    • +
                    • 1. Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.
                  • Windows 10, Version 1511 and later
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                    • -
                    • Data type. Integer
                    • -
                    • Allowed values:
                        -
                      • 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
                      • -
                      • 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                  • +
                  • Data type. Integer
                  • +
                  • Allowed values:
                      +
                    • 0 . Employees can ignore Microsoft Defender SmartScreen warnings.
                    • +
                    • 1. Employees can't ignore Microsoft Defender SmartScreen warnings.
                  • Windows 10, Version 1511 and later
                      -
                    • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                    • -
                    • Data type. Integer
                    • -
                    • Allowed values:
                        -
                      • 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
                      • -
                      • 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
                    +
                  • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                  • +
                  • Data type. Integer
                  • +
                  • Allowed values:
                      +
                    • 0 . Employees can ignore Microsoft Defender SmartScreen warnings for files.
                    • +
                    • 1. Employees can't ignore Microsoft Defender SmartScreen warnings for files.
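Review bot: the "Windows 10, version 2004" Group Policy entry added at the top of this hunk carries exactly the same Administrative Templates path as the existing "Windows 10, version 1703" entry, so rather than a third copy of the same path, label one entry "Windows 10, version 1703 and later"; that also stops the table going stale at every release. While there, "Version 1511 and 1607" and "version 2004" mix capitalisation. Further down, every MDM block (Browser/AllowSmartScreen through Browser/PreventSmartScreenPromptOverrideForFiles) shows identical URI, data type and allowed values on the removed and added sides, so those rows are whitespace or markup-only edits; if that is deliberate, say so in the PR description so reviewers can skip them. Two text nits in the same rows: the first block is headed just "Windows 10" where every other block gives a minimum version, and "0 ." has a stray space before the period throughout.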
                  • @@ -170,19 +170,19 @@ To better help you protect your organization, we recommend turning on and using
                    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Microsoft Defender SmartScreen.Enable. Turns on Microsoft Defender SmartScreen.
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.Enable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
                    Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.Enable. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
                    Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.Enable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
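Review bot: each of the four rows in this hunk (Configure Windows Defender SmartScreen, the two Prevent bypassing entries and the File Explorer entry) shows the same recommendation text on the removed and added sides, so the change is invisible in the rendered table; if the purpose is to normalise line endings or cell markup, state that in the commit message, otherwise drop the hunk so the review can focus on the version-label changes elsewhere in the file.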

                    @@ -193,23 +193,23 @@ To better help you protect your organization, we recommend turning on and using

                    Browser/AllowSmartScreen1. Turns on Microsoft Defender SmartScreen.1. Turns on Microsoft Defender SmartScreen.
                    Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
                    Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.1. Stops employees from ignoring warning messages and continuing to download potentially malicious files.
                    SmartScreen/EnableSmartScreenInShell1. Turns on Microsoft Defender SmartScreen in Windows.

                    Requires at least Windows 10, version 1703.

                    1. Turns on Microsoft Defender SmartScreen in Windows.

                    Requires at least Windows 10, version 1703.

                    SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                    Requires at least Windows 10, version 1703.

                    1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                    Requires at least Windows 10, version 1703.
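Review bot: the MDM policy name in this hunk, Browser/PreventSmartScreenPromptOverride, spells "Screen" with a capital S, while the settings table earlier in the same file gives the URI as ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride with a lowercase s; pick one spelling for both tables so a reader searching the page finds a single name. The "Requires at least Windows 10, version 1703." qualifier on the two SmartScreen/ entries is repeated unchanged on both sides of the diff, which again points to a whitespace-only edit.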

                    diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 15bf8bc91c..eaef387dbf 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -311,9 +311,9 @@ The following table lists EMET features in relation to Windows 10 features. - - + + diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index d726f7ff56..905bf8c06a 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -351,7 +351,7 @@ The following table details the hardware requirements for both virtualization-ba - + - + @@ -87,30 +87,30 @@ You can perform this task by using the Group Policy Management Console for an Ap - - + + - + - + - + - - + +
                    Specific EMET featuresHow these EMET features map
                    -to Windows 10 features
                    Specific EMET featuresHow these EMET features map
                    +to Windows 10 features
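Review bot: the wrapped table header "How these EMET features map / to Windows 10 features" is the same on the removed and added lines, so this hunk is a no-op in rendered output; if the intent is to join the header into a single cell line, the added side should actually contain the joined text, otherwise the hunk can go.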

                    Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled

                    Required to support virtualization-based security.

                    -Note

                    Device Guard can be enabled without using virtualization-based security.

                    +Note

                    Device Guard can be enabled without using virtualization-based security.
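Review bot: the Note in the virtualization-extensions row ("Device Guard can be enabled without using virtualization-based security.") reads identically on the removed and added sides, so this hunk changes only markup or whitespace. Since the row is being re-emitted anyway, tie the Note to the cell it qualifies: the cell says the extensions are "Required to support virtualization-based security." and the Note immediately says Device Guard works without it, which reads as a contradiction until the reader works out that the requirement applies only when VBS is used. Something like "Virtualization extensions are required only when virtualization-based security is used; Device Guard can be enabled without it" removes the ambiguity.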

                    @@ -533,7 +533,7 @@ If the TPM ownership is not known but the EK exists, the client library will pro As part of the provisioning process, Windows 10 will create an AIK with the TPM. When this operation is performed, the resulting AIK public portion is stored in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\WindowsAIKPub** -> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net +> **Note:** For provisioning AIK certificates and filtering Internet access, you must authorize the following wildcard URL: https://\*.microsoftaik.azure.net ### Windows 10 Health Attestation CSP diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index df59384aa5..c93ec93b11 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -90,9 +90,9 @@ In other words, the hotfix in each KB article provides the necessary code and fu | |Default SDDL |Translated SDDL| Comments |---|---|---|---| -|Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.| +|Windows Server 2016 (or later) domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.| |Earlier domain controller |-|-|No access check is performed by default.| -|Windows 10, version 1607 non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                    Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                    DACL:
                    • Revision: 0x02
                    • Size: 0x0020
                    • Ace Count: 0x001
                    • Ace[00]-------------------------
                      AceType:0x00
                      (ACCESS\_ALLOWED_ACE_TYPE)
                      AceSize:0x0018
                      InheritFlags:0x00
                      Access Mask:0x00020000
                      AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

                      SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | +|Windows 10, version 1607 (or later) non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                    Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
                    DACL:
                    • Revision: 0x02
                    • Size: 0x0020
                    • Ace Count: 0x001
                    • Ace[00]-------------------------
                      AceType:0x00
                      (ACCESS\_ALLOWED_ACE_TYPE)
                      AceSize:0x0018
                      InheritFlags:0x00
                      Access Mask:0x00020000
                      AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

                      SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | |Earlier non-domain controller |-|-|No access check is performed by default.| ## Policy management diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index 7ac5a2faeb..1f35434f95 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -59,12 +59,12 @@ You can perform this task by using the Group Policy Management Console for an Ap
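Review bot: adding "(or later)" to the "Windows Server 2016 domain controller" and "Windows 10, version 1607 non-domain controller" rows leaves a gap for member servers: a Windows Server 2016 or later machine that is not a domain controller matches neither the DC row nor the Windows 10 row, and the "Earlier non-domain controller" row implies it is covered by "no access check". If the same default SDDL O:SYG:SYD:(A;;RC;;;BA) applies to such servers, widen the label to "Windows 10, version 1607 / Windows Server 2016 (or later) non-domain controller"; if it does not, add a row. The translated SDDL block (Owner, Primary group, DACL with the single READ_CONTROL ACE for BUILTIN\Administrators, SACL not present) is repeated verbatim on both sides, so the row label is the only real change in this hunk.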

                    Use an installed packaged app as a reference

                    Use an installed packaged app as a reference

                    If selected, AppLocker requires you to choose an app that is already installed on which to base your new rule. AppLocker uses the publisher, package name and package version to define the rule.

                    You want the Sales group only to use the app named Microsoft.BingMaps for its outside sales calls. The Microsoft.BingMaps app is already installed on the device where you are creating the rule, so you choose this option, and select the app from the list of apps installed on the computer and create the rule using this app as a reference.

                    Use a packaged app installer as a reference

                    Use a packaged app installer as a reference

                    If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.

                    Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.

                    Applies to Any publisher

                    This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.

                    -

                    Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running.

                    Applies to Any publisher

                    This is the least restrictive scope condition for an Allow rule. It permits every packaged app to run or install.

                    +

                    Conversely, if this is a Deny rule, then this option is the most restrictive because it denies all apps from installing or running.

                    You want the Sales group to use any packaged app from any signed publisher. You set the permissions to allow the Sales group to be able to run any app.

                    Applies to a specific Publisher

                    Applies to a specific Publisher

                    This scopes the rule to all apps published by a particular publisher.

                    You want to allow all your users to install apps published by the publisher of Microsoft.BingMaps. You could select Microsoft.BingMaps as a reference and choose this rule scope.

                    Applies to a Package name

                    Applies to a Package name

                    This scopes the rule to all packages that share the publisher name and package name as the reference file.

                    You want to allow your Sales group to install any version of the Microsoft.BingMaps app. You could select the Microsoft.BingMaps app as a reference and choose this rule scope.

                    Applies to a Package version

                    Applies to a Package version

                    This scopes the rule to a particular version of the package.

                    You want to be very selective in what you allow. You do not want to implicitly trust all future updates of the Microsoft.BingMaps app. You can limit the scope of your rule to the version of the app currently installed on your reference computer.

                    Applying custom values to the rule

                    Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

                    You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.

                    Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

                    You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.
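Review bot: both hunks in this table (@@ -59 and @@ -87) show each option's description and example with identical wording on the removed and added sides, so the rendered page is unchanged; unless markup normalisation is the goal, this is noise in an otherwise content-carrying PR. Two wording issues could be fixed in the same touch: the "Applies to Any publisher" description says the condition "permits every packaged app to run or install" while its example says the Sales group may run "any packaged app from any signed publisher", so the two sentences describe the scope differently and should be aligned; and the "Use custom values" example should say explicitly that the trailing asterisk in "Microsoft.Bing*" is a wildcard on the package name, since that is the whole point of editing the field.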

                    diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index 3cac5abbce..c43cf96fee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -99,9 +99,9 @@ The following table provides an example of how to list applications for each bus
                    ->Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. +>Note: AppLocker only supports publisher rules for Universal Windows apps. Therefore, collecting the installation path information for Universal Windows apps is not necessary. -Event processing +Event processing As you create your list of apps, you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible. The following list is an example of what to consider and what to record: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 90bf198903..35e51ee350 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -277,7 +277,7 @@ The following table is an example of what to consider and record.
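Review bot: the sentence under the Event processing heading, "you need to consider how to manage the events that are generated by user access, or you need to deny running those apps to make your users as productive as possible", does not parse: the "or ... deny running those apps" clause is disconnected from event handling, and "to make your users as productive as possible" attaches to the wrong verb. Since this hunk already touches the heading directly above it, reword along the lines of "consider how you will handle the events generated when users run, or are denied, these apps, so that users stay productive". The Note and the "Event processing" heading are identical on both sides, so the heading change itself is whitespace-only.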
                    -Policy maintenance policy +Policy maintenance policy When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies. The following table is an example of what to consider and record. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 5bfe8d38ed..1d132ac242 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -131,7 +131,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
                    -Event processing policy +Event processing policy @@ -169,7 +169,7 @@ An AppLocker policy deployment plan is the result of investigating which applica
                    -Policy maintenance policy +Policy maintenance policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index 7baf71b5df..a8bfeff845 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -119,7 +119,7 @@ If your organization supports multiple Windows operating systems, app control po

                    AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see Requirements to use AppLocker.

                    -Note

                    If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

                    +Note

                    If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.
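Review bot: the Note carried unchanged through this hunk, "those privileges are not supported on computers running that support AppLocker", is missing a noun after "running"; since the line is being re-emitted anyway, make it "on computers running operating systems that support AppLocker" (or simply "on computers that support AppLocker"). The Note also leaves open what happens to an SRP policy that assigns the Basic User level on such a computer, which is the question a reader of a migration-decision page will ask; if the behaviour is known, one clause here would answer it.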

                    diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 2ddcbb332e..eab62e36b7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -119,7 +119,7 @@ The following table compares AppLocker to Software Restriction Policies.
                    -Application control function differences +Application control function differences The following table compares the application control functions of Software Restriction Policies (SRP) and AppLocker. @@ -141,7 +141,7 @@ The following table compares the application control functions of Software Restr

                    SRP policies can be applied to all Windows operating systems beginning with Windows XP and Windows Server 2003.

                    AppLocker policies apply only to those supported operating system versions and editions listed in Requirements to use AppLocker. But these systems can also use SRP.

                    -Note

                    Use different GPOs for SRP and AppLocker rules.

                    +Note

                    Use different GPOs for SRP and AppLocker rules.
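Review bot: "Use different GPOs for SRP and AppLocker rules." is unchanged between the removed and added sides, so this hunk is markup-only; while touching it, the note would be far more useful with its reason, because the paragraph just above says systems that support AppLocker "can also use SRP" and gives no hint why combining both rule sets in one GPO is a problem. One sentence on the processing behaviour the separation avoids would turn a bare instruction into guidance.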

                    diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md index e3271818c1..e5edff503e 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.md +++ b/windows/security/threat-protection/windows-firewall/TOC.md 
@@ -1,110 +1,179 @@ # [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) -## [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) -## [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md) -## [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) -## [Design Guide](windows-firewall-with-advanced-security-design-guide.md) -### [Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) -### [Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -#### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md) -#### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md) -#### [Require Encryption](require-encryption-when-accessing-sensitive-network-resources.md) -#### [Restrict Access](restrict-access-to-only-specified-users-or-devices.md) -### [Mapping Goals to a Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -#### [Basic Design](basic-firewall-policy-design.md) -#### [Domain Isolation Design](domain-isolation-policy-design.md) -#### [Server Isolation Design](server-isolation-policy-design.md) -#### [Certificate-based Isolation Design](certificate-based-isolation-policy-design.md) -### [Evaluating Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) -#### [Basic Design Example](firewall-policy-design-example.md) -#### [Domain Isolation Design Example](domain-isolation-policy-design-example.md) -#### [Server Isolation Design Example](server-isolation-policy-design-example.md) -#### [Certificate-based Isolation Design Example](certificate-based-isolation-policy-design-example.md) -### [Designing a Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) -#### [Gathering the Info You 
Need](gathering-the-information-you-need.md) -##### [Network](gathering-information-about-your-current-network-infrastructure.md) -##### [Active Directory](gathering-information-about-your-active-directory-deployment.md) -##### [Computers](gathering-information-about-your-devices.md) -##### [Other Relevant Information](gathering-other-relevant-information.md) -#### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md) -### [Planning Your Design](planning-your-windows-firewall-with-advanced-security-design.md) -#### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) -#### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) -##### [Exemption List](exemption-list.md) -##### [Isolated Domain](isolated-domain.md) -##### [Boundary Zone](boundary-zone.md) -##### [Encryption Zone](encryption-zone.md) -#### [Planning Server Isolation Zones](planning-server-isolation-zones.md) -#### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) + +## [Plan deployment]() + +### [Design guide](windows-firewall-with-advanced-security-design-guide.md) + +### [Design process](understanding-the-windows-firewall-with-advanced-security-design-process.md) + +### [Implementation goals]() +#### [Identify implementation goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +#### [Protect devices from unwanted network traffic](protect-devices-from-unwanted-network-traffic.md) +#### [Restrict access to only trusted devices](restrict-access-to-only-trusted-devices.md) +#### [Require encryption](require-encryption-when-accessing-sensitive-network-resources.md) +#### [Restrict access](restrict-access-to-only-specified-users-or-devices.md) + +### [Implementation designs]() +#### [Mapping goals to a design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) + +#### [Basic firewall 
design](basic-firewall-policy-design.md) +##### [Basic firewall design example](firewall-policy-design-example.md) + + +#### [Domain isolation design](domain-isolation-policy-design.md) +##### [Domain isolation design example](domain-isolation-policy-design-example.md) + + +#### [Server isolation design](server-isolation-policy-design.md) +##### [Server Isolation design example](server-isolation-policy-design-example.md) + + +#### [Certificate-based isolation design](certificate-based-isolation-policy-design.md) +##### [Certificate-based Isolation design example](certificate-based-isolation-policy-design-example.md) + +### [Design planning]() +#### [Planning your design](planning-your-windows-firewall-with-advanced-security-design.md) + +#### [Planning settings for a basic firewall policy](planning-settings-for-a-basic-firewall-policy.md) + +#### [Planning domain isolation zones]() +##### [Domain isolation zones](planning-domain-isolation-zones.md) +##### [Exemption list](exemption-list.md) +##### [Isolated domain](isolated-domain.md) +##### [Boundary zone](boundary-zone.md) +##### [Encryption zone](encryption-zone.md) + +#### [Planning server isolation zones](planning-server-isolation-zones.md) + +#### [Planning certificate-based authentication](planning-certificate-based-authentication.md) ##### [Documenting the Zones](documenting-the-zones.md) -##### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) -###### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md) -###### [Planning Network Access Groups](planning-network-access-groups.md) + +##### [Planning group policy deployment for your isolation zones](planning-group-policy-deployment-for-your-isolation-zones.md) +###### [Planning isolation groups for the zones](planning-isolation-groups-for-the-zones.md) +###### [Planning network access groups](planning-network-access-groups.md) + ###### [Planning the 
GPOs](planning-the-gpos.md) ####### [Firewall GPOs](firewall-gpos.md) ######## [GPO_DOMISO_Firewall](gpo-domiso-firewall.md) -####### [Isolated Domain GPOs](isolated-domain-gpos.md) +####### [Isolated domain GPOs](isolated-domain-gpos.md) ######## [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md) ######## [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md) -####### [Boundary Zone GPOs](boundary-zone-gpos.md) +####### [Boundary zone GPOs](boundary-zone-gpos.md) ######## [GPO_DOMISO_Boundary](gpo-domiso-boundary.md) -####### [Encryption Zone GPOs](encryption-zone-gpos.md) +####### [Encryption zone GPOs](encryption-zone-gpos.md) ######## [GPO_DOMISO_Encryption](gpo-domiso-encryption.md) -####### [Server Isolation GPOs](server-isolation-gpos.md) -###### [Planning GPO Deployment](planning-gpo-deployment.md) -### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) -## [Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) -### [Planning to Deploy](planning-to-deploy-windows-firewall-with-advanced-security.md) -### [Implementing Your Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) -### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) -### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md) -### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md) -### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md) -### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md) -### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) -#### [Checklist: Configuring Rules for the Isolated 
Domain](checklist-configuring-rules-for-the-isolated-domain.md) -#### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md) -#### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md) -#### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md) -### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) -#### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) -#### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) -### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) -### [Procedures Used in This Guide](procedures-used-in-this-guide.md) -#### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) -#### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) -#### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) -#### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md) -#### [Configure Authentication Methods](configure-authentication-methods.md) -#### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md) -#### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) -#### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md) -#### [Configure the Rules to Require 
Encryption](configure-the-rules-to-require-encryption.md) -#### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md) -#### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md) -#### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) -#### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md) -#### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) -#### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) -#### [Create a Group Policy Object](create-a-group-policy-object.md) -#### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) -#### [Create an Authentication Request Rule](create-an-authentication-request-rule.md) -#### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) -#### [Create an Inbound Port Rule](create-an-inbound-port-rule.md) -#### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) -#### [Create an Outbound Port Rule](create-an-outbound-port-rule.md) -#### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md) -#### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md) -#### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) -#### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md) -#### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md) -#### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md) -#### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md) -#### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) -#### [Modify GPO 
Filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) -#### [Open IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md) -#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md) -#### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) -#### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md) -#### [Restrict Server Access](restrict-server-access-to-members-of-a-group-only.md) -#### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md) -#### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md) +####### [Server isolation GPOs](server-isolation-gpos.md) + +###### [Planning GPO deployment](planning-gpo-deployment.md) + + +### [Planning to deploy](planning-to-deploy-windows-firewall-with-advanced-security.md) + + +## [Deployment guide]() +### [Deployment overview](windows-firewall-with-advanced-security-deployment-guide.md) + +### [Implementing your plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) + +### [Basic firewall deployment]() +#### [Checklist: Implementing a basic firewall policy design](checklist-implementing-a-basic-firewall-policy-design.md) + + + +### [Domain isolation deployment]() +#### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) + + + +### [Server isolation deployment]() +#### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) + + + +### [Certificate-based authentication]() +#### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) + + + +## [Best practices]() +### [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md) +### 
[PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) +### [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) + + +## [How-to]() +### [Add Production devices to the membership group for a zone](add-production-devices-to-the-membership-group-for-a-zone.md) +### [Add test devices to the membership group for a zone](add-test-devices-to-the-membership-group-for-a-zone.md) +### [Assign security group filters to the GPO](assign-security-group-filters-to-the-gpo.md) +### [Change rules from request to require mode](Change-Rules-From-Request-To-Require-Mode.Md) +### [Configure authentication methods](Configure-authentication-methods.md) +### [Configure data protection (Quick Mode) settings](configure-data-protection-quick-mode-settings.md) +### [Configure Group Policy to autoenroll and deploy certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md) +### [Configure key exchange (main mode) settings](configure-key-exchange-main-mode-settings.md) +### [Configure the rules to require encryption](configure-the-rules-to-require-encryption.md) +### [Configure the Windows Firewall log](configure-the-windows-firewall-log.md) +### [Configure the workstation authentication certificate template](configure-the-workstation-authentication-certificate-template.md) +### [Configure Windows Firewall to suppress notifications when a program is blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) +### [Confirm that certificates are deployed correctly](confirm-that-certificates-are-deployed-correctly.md) +### [Copy a GPO to create a new GPO](copy-a-gpo-to-create-a-new-gpo.md) +### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) +### [Create a Group Policy Object](create-a-group-policy-object.md) +### [Create an authentication exemption list rule](create-an-authentication-exemption-list-rule.md) +### [Create an 
authentication request rule](create-an-authentication-request-rule.md) +### [Create an inbound ICMP rule](create-an-inbound-icmp-rule.md) +### [Create an inbound port rule](create-an-inbound-port-rule.md) +### [Create an inbound program or service rule](create-an-inbound-program-or-service-rule.md) +### [Create an outbound port rule](create-an-outbound-port-rule.md) +### [Create an outbound program or service rule](create-an-outbound-program-or-service-rule.md) +### [Create inbound rules to support RPC](create-inbound-rules-to-support-rpc.md) +### [Create WMI filters for the GPO](create-wmi-filters-for-the-gpo.md) +### [Create Windows Firewall rules in Intune](create-windows-firewall-rules-in-intune.md) +### [Enable predefined inbound rules](enable-predefined-inbound-rules.md) +### [Enable predefined outbound rules](enable-predefined-outbound-rules.md) +### [Exempt ICMP from authentication](exempt-icmp-from-authentication.md) +### [Link the GPO to the domain](link-the-gpo-to-the-domain.md) +### [Modify GPO filters](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) +### [Open IP security policies](open-the-group-policy-management-console-to-ip-security-policies.md) +### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall.md) +### [Open Group Policy](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) +### [Open Windows Firewall](open-windows-firewall-with-advanced-security.md) +### [Restrict server access](restrict-server-access-to-members-of-a-group-only.md) +### [Enable Windows Firewall](turn-on-windows-firewall-and-configure-default-behavior.md) +### [Verify Network Traffic](verify-that-network-traffic-is-authenticated.md) + + +## [References]() +### [Checklist: Creating Group Policy objects](checklist-creating-group-policy-objects.md) +### [Checklist: Creating inbound firewall rules](checklist-creating-inbound-firewall-rules.md) +### [Checklist: Creating outbound firewall 
rules](checklist-creating-outbound-firewall-rules.md) +### [Checklist: Configuring basic firewall settings](checklist-configuring-basic-firewall-settings.md) + + +### [Checklist: Configuring rules for the isolated domain](checklist-configuring-rules-for-the-isolated-domain.md) +### [Checklist: Configuring rules for the boundary zone](checklist-configuring-rules-for-the-boundary-zone.md) +### [Checklist: Configuring rules for the encryption zone](checklist-configuring-rules-for-the-encryption-zone.md) +### [Checklist: Configuring rules for an isolated server zone](checklist-configuring-rules-for-an-isolated-server-zone.md) + +### [Checklist: Configuring rules for servers in a standalone isolated server zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md) +### [Checklist: Creating rules for clients of a standalone isolated server zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md) + + +### [Appendix A: Sample GPO template files for settings used in this guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) + + + +## [Troubleshooting]() +### [Troubleshooting UWP app connectivity issues in Windows Firewall](troubleshooting-uwp-firewall.md) + + + + + + + + + + + + + diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 71775ab476..38ec0654bb 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Certificate-based Isolation Policy Design +# Certificate-based isolation policy design **Applies to** - Windows 10 
@@ -35,7 +35,7 @@ For Windows devices that are part of an Active Directory domain, you can use Gro For more info about this design: -- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md). @@ -45,4 +45,4 @@ For more info about this design: - For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md). -**Next:** [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) + diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md index 4d6b02ef58..ec38163418 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md 
+++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md @@ -25,13 +25,14 @@ ms.date: 08/17/2017 This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design. ->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist +> [!NOTE] +> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist **Checklist: Implementing certificate-based authentication** | Task | Reference | | - | - | -| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                    [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
                    [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
                    [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | +| Review important concepts and examples for certificate-based authentication to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                    [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
                    [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
                    [Planning Certificate-based Authentication](planning-certificate-based-authentication.md) | | Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| | | Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| | Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md index 139618cb53..be895718b3 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md 
@@ -25,7 +25,8 @@ ms.date: 08/17/2017 This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. ->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +> [!NOTE] +> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). @@ -33,7 +34,7 @@ The procedures in this section use the Group Policy MMC snap-ins to configure th | Task | Reference | | - | - | -| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                    [Domain Isolation Policy Design](domain-isolation-policy-design.md)
                    [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
                    [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | +| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security implementation goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                    [Domain Isolation Policy Design](domain-isolation-policy-design.md)
                    [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
                    [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) | | Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| | Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| | Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md index 05aad0007e..0435b698be 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md 
@@ -27,13 +27,14 @@ This checklist contains procedures for creating a server isolation policy design This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. ->**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. +> [!NOTE] +> Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist. **Checklist: Implementing a standalone server isolation policy design** | Task | Reference | | - | - | -| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                    [Server Isolation Policy Design](server-isolation-policy-design.md)
                    [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
                    [Planning Server Isolation Zones](planning-server-isolation-zones.md) | +| Review important concepts and examples for the server isolation policy design to determine if this design meets your implementation goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
                    [Server Isolation Policy Design](server-isolation-policy-design.md)
                    [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
                    [Planning Server Isolation Zones](planning-server-isolation-zones.md) | | Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| | Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| | Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 948932fb53..df754926bf 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md 
@@ -50,8 +50,8 @@ Characteristics of this design, as shown in the diagram, include the following: - Untrusted non-domain members (area D) - Devices that are not managed by your organization and have an unknown security configuration must have access only to those devices required for your organization to correctly conduct its business. Domain isolation exists to put a logical barrier between these untrusted Devices and your organization's devices. After implementing this design, your administrative team will have centralized management of the firewall and connection security rules applied to the devices in your organization. - ->**Important:**  This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. +> [!IMPORTANT] +> This design builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md), and in turn serves as the foundation for the [Server Isolation Policy Design](server-isolation-policy-design.md). If you plan to deploy all three, we recommend that you do the design work for all three together, and then deploy in the sequence presented. This design can be applied to Devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. 
@@ -59,7 +59,7 @@ In order to expand the isolated domain to include Devices that cannot be part of For more info about this design: -- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). +- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md). diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index a1b8a21886..ca7bc12d6f 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md @@ -1,5 +1,5 @@ --- -title: Firewall Policy Design Example (Windows 10) +title: Basic Firewall Policy Design Example (Windows 10) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Firewall Policy Design Example +# Basic Firewall Policy Design Example **Applies to** - Windows 10 
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 5e3a16c452..96725d8ff3 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,6 +1,6 @@ --- -title: Identify Goals for your WFAS Deployment (Windows 10) -description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) Deployment Goals +title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows 10) +description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.reviewer: ms.author: dansimp 
@@ -17,22 +17,21 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals - +# Identifying Windows Defender Firewall with Advanced Security implementation goals **Applies to** - Windows 10 - Windows Server 2016 -Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios. +Correctly identifying your Windows Defender Firewall with Advanced Security implementation goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your implementation goals. Prioritize and, if possible, combine your implementation goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall implementation goals presented in this guide that are relevant to your scenarios. 
-The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals: +The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall implementation goals: | Deployment goal tasks | Reference links | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals:

                    • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
                    • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
                    • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
                    • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
                    | -| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. |
                    • [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
                    | -| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
                    • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
                    • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
                    | +| Evaluate predefined Windows Defender Firewall with Advanced Security implementation goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined implementation goals:

                    • [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
                    • [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
                    • [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
                    • [Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)
                    | +| Map one goal or a combination of the predefined implementation goals to an existing Windows Defender Firewall with Advanced Security design. |
                    • [Mapping Your implementation goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
                    | +| Based on the status of your current infrastructure, document your implementation goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. |
                    • [Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
                    • [Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)
                    |
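Review bot: The rename from "deployment goals" to "implementation goals" in this hunk stops short of the table header, which still reads "Deployment goal tasks" in the `+` rows, and the rewritten link text "Mapping Your implementation goals to a Windows Defender Firewall with Advanced Security Design" mixes title case and sentence case in one phrase. Suggest "Implementation goal tasks" for the column header and a single casing for the link text (the page's new title elsewhere in this patch is "Mapping your implementation goals to a Windows Firewall with Advanced Security design"). The hunk also drops the blank line that separated the H1 from "**Applies to**" (the lone `-` after the old heading has no `+` counterpart); restore it so the heading change stays a one-line edit.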
                    diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index c56fd15494..841c88ae5d 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md @@ -48,7 +48,7 @@ Use the following parent checklists in this section of the guide to become famil - [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) -- [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md) +- [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md) - [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md) diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 9c73c224b9..314389955f 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md 
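Review bot: In the `@@ -48,7 +48,7 @@` hunk for implementing-your-windows-firewall-with-advanced-security-design-plan.md, replacing the duplicated "Checklist: Implementing a Domain Isolation Policy Design" entry with "Checklist: Implementing a Standalone Server Isolation Policy Design" is the right fix, but the new target checklist-implementing-a-standalone-server-isolation-policy-design.md is not created or touched anywhere else in this patch; confirm the file exists under windows-firewall/ (and that its own title uses the "Standalone" wording) before merging, or the list trades a duplicate link for a broken one.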
@@ -1,6 +1,6 @@ --- -title: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design (Windows 10) -description: Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design +title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows 10) +description: Mapping your implementation goals to a Windows Firewall with Advanced Security design ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 ms.reviewer: ms.author: dansimp 
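Review bot: The new `description:` in this front-matter hunk ("Mapping your implementation goals to a Windows Firewall with Advanced Security design") still just echoes the title, which is exactly the pattern the rest of this patch replaces with a one-sentence summary (compare the planning-*.md descriptions further down). Suggest a real summary here, for example one that says the page maps the predefined goals to the basic, domain isolation, server isolation and certificate-based designs. While touching the title, note it says "Windows Firewall" where the pages around it say "Windows Defender Firewall"; if that is intentional for this page, fine, otherwise align it now.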
@@ -17,17 +17,17 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design +# Mapping your implementation goals to a Windows Firewall with Advanced Security design **Applies to** - Windows 10 - Windows Server 2016 -After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. +After you finish reviewing the existing Windows Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. +> [!IMPORTANT] +> The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. ->**Important:**  The first three designs presented in this guide build on each other to progress from simpler to more complex. Therefore during deployment, consider implementing them in the order presented. Each deployed design also provides a stable position from which to evaluate your progress, and to make sure that your goals are being met before you continue to the next design. - -Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security deployment goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. 
However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security deployment goals to meet the needs of your organization. +Use the following table to determine which Windows Firewall with Advanced Security design maps to the appropriate combination of Windows Firewall with Advanced Security implementation goals for your organization. This table refers only to the Windows Firewall with Advanced Security designs as described in this guide. However, you can create a hybrid or custom Windows Firewall with Advanced Security design by using any combination of the Windows Firewall with Advanced Security implementation goals to meet the needs of your organization. | Deployment Goals | Basic Firewall Policy Design | Domain Isolation Policy Design | Server Isolation Policy Design | Certificate-based Isolation Policy Design | | - |- | - | - | - | diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index bce220a506..134a6bb928 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,6 +1,6 @@ --- -title: Open a GPO to Windows Defender Firewall (Windows 10) -description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security +title: Group Policy Management of Windows Defender Firewall (Windows 10) +description: Group Policy Management of Windows Defender Firewall with Advanced Security ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.reviewer: ms.author: dansimp 
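Review bot: In the `@@ -17,17 +17,17 @@` hunk of mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md, the `> [!IMPORTANT]` conversion removes a blank line (the lone `-` after the old `>**Important:**` line) and adds none back, and the line count stays 17/17, so "Use the following table to determine..." now appears to sit directly under "> The first three designs...". Without an empty line after the blockquote, Markdown treats that paragraph as a lazy continuation of the note and it renders inside the callout. Keep a blank line between the `[!IMPORTANT]` block and the paragraph, as the restrict-access and server-isolation hunks later in this patch do (their counts go 7/8 and 13/14).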
@@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 04/02/2017 --- -# Open the Group Policy Management Console to Windows Defender Firewall +# Group Policy Management of Windows Defender Firewall **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index f37a7ebdea..5a7fcb44a2 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,6 +1,6 @@ --- title: Planning Domain Isolation Zones (Windows 10) -description: Planning Domain Isolation Zones +description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 188f4f2556..831200cf48 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,6 +1,6 @@ --- title: Planning GPO Deployment (Windows 10) -description: Planning GPO Deployment +description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 ms.reviewer: ms.author: dansimp 
diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 991bdcec0d..22f031c902 100644 --- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -1,6 +1,6 @@ --- title: Planning Group Policy Deployment for Your Isolation Zones (Windows 10) -description: Planning Group Policy Deployment for Your Isolation Zones +description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 3043878e04..5cb6ff075c 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,6 +1,6 @@ --- title: Planning Network Access Groups (Windows 10) -description: Planning Network Access Groups +description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index f42eca057b..b1af014fa5 100644 
--- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,6 +1,6 @@ --- title: Planning Server Isolation Zones (Windows 10) -description: Planning Server Isolation Zones +description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index 8138bd8ee1..5a8cd1a017 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,6 +1,6 @@ --- title: Planning Settings for a Basic Firewall Policy (Windows 10) -description: Planning Settings for a Basic Firewall Policy +description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 78c49adcca..80b776ca44 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md 
@@ -1,6 +1,6 @@ --- title: Planning the GPOs (Windows 10) -description: Planning the GPOs +description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 6992965186..2caa25566a 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -1,6 +1,6 @@ --- title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10) -description: Planning Your Windows Defender Firewall with Advanced Security Design +description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index 2d37487be2..643f41ab14 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md 
@@ -1,6 +1,6 @@ --- title: Procedures Used in This Guide (Windows 10) -description: Procedures Used in This Guide +description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index a3ca3c4b6e..a05d8eb5a3 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md +++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,6 +1,6 @@ --- -title: Protect Devices from Unwanted Network Traffic (Windows 10) -description: Protect Devices from Unwanted Network Traffic +title: Protect devices from unwanted network traffic (Windows 10) +description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: ms.author: dansimp @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# Protect Devices from Unwanted Network Traffic +# Protect devices from unwanted network traffic **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 4f5c2b1cb0..a79aedce9d 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md 
@@ -1,6 +1,6 @@ --- title: Require Encryption When Accessing Sensitive Network Resources (Windows 10) -description: Require Encryption When Accessing Sensitive Network Resources +description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index cbdd8e51d9..27007f7718 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,6 +1,6 @@ --- -title: Restrict Access to Only Trusted Devices (Windows 10) -description: Restrict Access to Only Trusted Devices +title: Restrict access to only trusted devices (Windows 10) +description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: ms.author: dansimp @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Restrict Access to Only Trusted Devices +# Restrict access to only trusted devices **Applies to** - Windows 10 
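Review bot: The `@@ -17,7 +17,7 @@` hunk changes the H1 to sentence case ("Restrict access to only trusted devices"), as the protect-devices hunk above does for "Protect devices from unwanted network traffic", but the identifying-goals table earlier in this same patch still links to them as "Restrict Access to Only Trusted Devices" and "Protect Devices from Unwanted Network Traffic", and the other two goal pages ("Require Encryption When Accessing Sensitive Network Resources", "Restrict Access to Sensitive Resources to Only Specified Users or Devices") keep their title-case titles. Either recase all four goal pages and their inbound link text together, or leave these two headings as they were so the set stays consistent.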
@@ -27,7 +27,8 @@ Your organizational network likely has a connection to the Internet. You also li To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method. ->**Note:**  Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. +> [!NOTE] +> Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain. The protection provided by domain isolation can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index dbffb1b8f1..8286d47f26 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,6 +1,6 @@ --- title: Server Isolation GPOs (Windows 10) -description: Server Isolation GPOs +description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index b93e884682..daba2b5e2c 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,6 +1,6 @@ --- title: Server Isolation Policy Design Example (Windows 10) -description: Server Isolation Policy Design Example +description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 1eeea3dc76..d5c4333424 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md 
@@ -1,6 +1,6 @@ --- title: Server Isolation Policy Design (Windows 10) -description: Server Isolation Policy Design +description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a ms.reviewer: ms.author: dansimp 
@@ -43,13 +43,14 @@ Characteristics of this design include the following: To add support for server isolation, you must ensure that the authentication methods are compatible with the requirements of the isolated server. For example, if you want to authorize user accounts that are members of a NAG in addition to authorizing computer accounts, you must enable both user and computer authentication in your connection security rules. ->**Important:**  This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. +> [!IMPORTANT] +> This design builds on the [Domain Isolation Policy Design](domain-isolation-policy-design.md), which in turn builds on the [Basic Firewall Policy Design](basic-firewall-policy-design.md). If you plan to deploy all three designs, do the design work for all three together, and then deploy in the sequence presented. This design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the connection security rules. For more info about this design: -- This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). 
+- This design coincides with the implementation goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), [Restrict Access to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md), and [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md). - To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md). diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md new file mode 100644 index 0000000000..6071427eda --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md 
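Review bot: In the rewritten bullet `+- This design coincides with the implementation goals to ...`, the link text "Restrict Access to Only Specified Users or Devices" does not match the name that page is given in the identifying-goals table earlier in this patch, "Restrict Access to Sensitive Resources to Only Specified Users or Devices", even though both point at restrict-access-to-only-specified-users-or-devices.md. Since the line is being rewritten anyway, align the link text with the page title so readers can match the goal across pages.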
@@ -0,0 +1,1328 @@ +--- +title: Troubleshooting UWP App Connectivity Issues in Windows Firewall +description: Troubleshooting UWP App Connectivity Issues in Windows Firewall + +ms.reviewer: +ms.author: dansimp +ms.prod: w10 +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: dansimp +manager: dansimp +ms.collection: M365-security-compliance +ms.topic: troubleshooting +--- + +# Troubleshooting UWP App Connectivity Issues + +This document is intended to help network admins, support engineers, and developers to +investigate UWP app network connectivity issues. + +This document guides you through steps to debug Universal Windows Platform (UWP) app network connectivity issues by providing practical examples. + +## Typical causes of connectivity issues + +UWP app network connectivity issues are typically caused by: + +1. The UWP app was not permitted to receive loopback traffic. This must be configured. By default, UWP apps are not allowed to receive loopback traffic. +2. The UWP app is missing the proper capability tokens. +3. The private range is configured incorrectly. For example, the private range is set incorrectly through GP/MDM policies, etc. + +To understand these causes more thoroughly, there are several concepts to review. + +The traffic of network packets (what's permitted and what’s not) on Windows is determined by the Windows Filtering Platform (WFP). When a UWP app +or the private range is configured incorrectly, it affects how the UWP app’s network traffic will be processed by WFP. + +When a packet is processed by WFP, the characteristics of that packet must explicitly match all the conditions of a filter to either be permitted or dropped to its target address. Connectivity issues typically happen when the packet does not match any of the filter conditions, leading the packet to be dropped by a default block filter. The presence of the default block +filters ensures network isolation for UWP applications. 
Specifically, it guarantees a network drop for a packet that does not have the correct capabilities for the resource it is trying to reach. This ensures the application’s granular access to each resource type and preventing the application from escaping its environment. + +For more information on the filter arbitration algorithm and network isolation, +see [Filter +Arbitration](https://docs.microsoft.com/windows/win32/fwp/filter-arbitration) +and +[Isolation](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation). + +The following sections cover debugging case examples for loopback and non-loopback UWP app network connectivity issues. + +> [!NOTE] +> As improvements to debugging and diagnostics in the Windows Filtering Platform are made, the trace examples in this document may not exactly match the +traces collected on previous releases of Windows. + +## Debugging UWP App Loopback scenarios + +If you need to establish a TCP/IP connection between two processes on the same host where one of them is a UWP app, you must enable loopback. + +To enable loopback for client outbound connections, run the following at a command prompt: + +```console +CheckNetIsolation.exe LoopbackExempt -a -n= +``` + +To enable loopback for server inbound connections, run the following at a +command prompt: +```console +CheckNetIsolation.exe LoopbackExempt -is -n= +``` +You can ensure loopback is enabled by checking the appx manifests of both the sender and receiver. + +For more information about loopback scenarios, see [Communicating with +localhost +(loopback)](https://docs.microsoft.com/windows/iot-core/develop-your-app/loopback). + +## Debugging Live Drops + +If the issue happened recently, but you find you are not able to reproduce the issue, go to Debugging Past Drops for the appropriate trace commands. 
+ +If you can consistently reproduce the issue, then you can run the following in an admin command prompt to gather a fresh trace: + +```console +Netsh wfp capture start keywords=19 + +Netsh wfp capture stop +``` + +These commands generate a wfpdiag.cab. Inside the .cab exists a wfpdiag.xml, which contains any allow or drop netEvents and filters that existed during that repro. Without “keywords=19”, the trace will only collect drop netEvents. + +Inside the wfpdiag.xml, search for netEvents which have +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP as the netEvent type. To find the relevant drop events, search for the drop events with matching destination IP address, +package SID, or application ID name. The characters in the application ID name +will be separated by periods: + +```XML +(ex) + + +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.w.i.n.d.o.w.s.\\.s.y.s.t.e.m.3.2.\\.s.v.c.h.o.s.t...e.x.e... + + +``` + +The netEvent will have more information about the packet that was dropped including information about its capabilities, the filter that dropped the packet, and much more. + +## Case 1: UWP app connects to Internet target address with all capabilities + +In this example, the UWP app successfully connects to bing.com +[2620:1ec:c11::200]. + +A packet from a UWP app needs the correct networking capability token for the resource it is trying to reach. + +In this scenario, the app could successfully send a packet to the Internet target because it had an Internet capability token. + +The following shows the allow netEvent of the app connecting to the target IP. The netEvent contains information about the packet including its local address, +remote address, capabilities, etc. + +**Classify Allow netEvent, Wfpdiag-Case-1.xml** +```xml + +
                    + 2020-05-21T17:25:59.070Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V6 + 6 + 2001:4898:30:3:256c:e5ba:12f3:beb1 + 2620:1ec:c11::200 +52127 +443 +0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2993214446-1947230185-131795049-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                    +FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW + + 125918 + 50 + 0 + 1 + 1 + + + +0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + +0 + + + + 125918 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_PERMIT + + + 121167 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                    +``` + +The following is the filter that permitted the packet to be sent to the target +address according to the **terminatingFiltersInfo** in the **netEvent**. This packet was +allowed by Filter #125918, from the InternetClient Default Rule. + +**InternetClient Default Rule Filter #125918, Wfpdiag-Case-1.xml** +```xml + + {3389708e-f7ae-4ebc-a61a-f659065ab24e} + + InternetClient Default Rule + InternetClient Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + ad2b000000000000 + .+...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V6 + FWPM_SUBLAYER_MPSSVC_WSH + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_BYTE_ARRAY16_TYPE + :: + + + FWP_BYTE_ARRAY16_TYPE + ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 125918 + + FWP_UINT64 + 103079219136 + + +``` + +**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml** +```xml + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + +``` +This is the condition for checking capabilities in this filter. + +The important part of this condition is **S-1-15-3-1**, which is the capability SID +for **INTERNET_CLIENT** privileges. + +From the **netEvent** capabilities section, +capabilities from netEvent, Wfpdiag-Case-1.xml. 
+```xml + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + +``` +This shows the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the +filter. All the other conditions are also met for the filter, so the packet is +allowed. + +Something to note is that the only capability token required for the packet to +reach bing.com was the Internet client token, even though this example showed +the packet having all capabilities. + +## Case 2: UWP APP cannot reach Internet target address and has no capabilities + +In this example, the UWP app is unable to connect to bing.com +[2620:1ec:c11::200]. + +The following is a drop netEvent that was captured in the trace. + +**Classify Drop netEvent, Wfpdiag-Case-2.xml** +```xml + +
                    +2020-03-30T23:53:09.720Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V6 +6 +2001:4898:1a:1045:8469:3351:e6e2:543 +2620:1ec:c11::200 +63187 +443 +0 + 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 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...4...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2788718703-1626973220-3690764900-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                    +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 + +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
                    +``` +The first thing that you should check in the **netEvent** is the capabilities +field. In this example, the capabilities field is empty, indicating that the +UWP app was not configured with any capability tokens to allow it to connect to +a network. + +**Internal Fields from netEvent, Wfpdiag-Case-2.xml** +```xml + + +0000000000000000 + +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +``` +The **netEvent** also shows information about the filter that explicitly dropped this packet, like the **FilterId**, listed under classify drop. + +**Classify Drop from netEvent, Wfpdiag-Case-2.xml** +```xml + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + +``` +If you search for the filter #68893 in Wfpdiag-Case2.xml, you'll see that +the packet was dropped by a Block Outbound Default Rule filter. + +**Block Outbound Default Rule Filter #68893, Wfpdiag-Case-2.xml** + +```xml + + {6d51582f-bcf8-42c4-afc9-e2ce7155c11b} +/t + **Block Outbound Default Rule** + Block Outbound Default Rule + + + {4b153735-1049-4480-aab4-d1b9bdc03710} + + b001000000000000 + ........ + + FWPM_LAYER_ALE_AUTH_CONNECT_V6 + {b3cdd441-af90-41ba-a745-7c6008ff2300} + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 68893 + + FWP_UINT64 + 68719476736 + + +``` + +A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in +the same sublayer. + +If the packet had the correct capability token, +**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a +non-default block filter and would have been permitted to reach bing.com. +Without the correct capability tokens, the packet will be explicitly dropped by +a default block outbound filter. 
+ +## Case 3: UWP app cannot reach Internet target address without Internet Client capability + +In this example, the app is unable to connect to bing.com [2620:1ec:c11::200]. + +The app in this scenario only has private network capabilities (Client and +Server). The app is trying to connect to an Internet resource (bing.com), but +only has a private network token. Therefore, the packet will be dropped. + +**Classify Drop netEvent, Wfpdiag-Case-3.xml** +```xml + +
                    +2020-03-31T16:57:18.570Z + +FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET +FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET +FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET +FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET +FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET +FWPM_NET_EVENT_FLAG_APP_ID_SET +FWPM_NET_EVENT_FLAG_USER_ID_SET +FWPM_NET_EVENT_FLAG_IP_VERSION_SET +FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V6 +6 +2001:4898:1a:1045:9c65:7805:dd4a:cc4b +2620:1ec:c11::200 +64086 +443 +0 + +5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e0035002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...5...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-2788718703-1626973220-3690764900-1000 +FWP_AF_INET6 +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                    +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +68893 +50 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 +**** +**FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK** +**** +0 + + + +68893 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +68879 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
                    +``` + +## Case 4: UWP app cannot reach Intranet target address without Private Network capability + +In this example, the UWP app is unable to reach the Intranet target address, +10.50.50.50, because it does not have a Private Network capability. + +**Classify Drop netEvent, Wfpdiag-Case-4.xml** +```xml + +
                    + 2020-05-22T21:29:28.601Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.50.50.50 + 52998 + 53 + 0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
                    + FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                    +``` +## Case 5: UWP app cannot reach “Intranet” target address with Private Network capability + +In this example, the UWP app is unable to reach the Intranet target address, +10.1.1.1, even though it has a Private Network capability token. + +**Classify Drop netEvent, Wfpdiag-Case-5.xml** +```xml + +
                    + 2020-05-22T20:54:53.499Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.216.117.17 + 10.1.1.1 + 52956 + 53 + 0 + + 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 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-2993214446-1947230185-131795049-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
                    + FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + + 121180 + 48 + 0 + 1 + 1 + MS_FWP_DIRECTION_OUT + false + + 0 + 0 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 121180 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_BLOCK + + + 121165 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                    +``` +The following shows the filter that blocked the event: + +**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml** + +```xml + + {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6} + + Block Outbound Default Rule + Block Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + c029000000000000 + .)...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + + FWP_ACTION_BLOCK + + + 0 + + 121180 + + FWP_UINT64 + 274877906944 + + +``` +If the target was in the private range, then it should have been allowed by a +PrivateNetwork Outbound Default Rule filter. + +The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, +10.1.1.1, is not included in these filters it becomes clear that the address is not in the private range. Check the policies that configure the private range +on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach. + +**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml** +```xml + + {fd65507b-e356-4e2f-966f-0c9f9c1c6e78} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_EQUAL + + FWP_UINT32 + 1.1.1.1 + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129656 + + FWP_UINT64 + 144115600392724416 + + + + {b11b4f8a-222e-49d6-8d69-02728681d8bc} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 172.16.0.0 + + + FWP_UINT32 + 172.31.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129657 + + FWP_UINT64 + 36029209335832512 + + + + {21cd82bc-6077-4069-94bf-750e5a43ca23} + + PrivateNetwork Outbound Default Rule + PrivateNetwork Outbound Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + f22d000000000000 + .-...... 
+ + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 192.168.0.0 + + + FWP_UINT32 + 192.168.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 129658 + + FWP_UINT64 + 36029209335832512 + + +``` +## Debugging Past Drops + +If you are debugging a network drop from the past or from a remote machine, you +may have traces already collected from Feedback Hub, such as nettrace.etl and +wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the +netEvents of the reproduced event, and wfpstate.xml will contain the filters +that were present on the machine at the time. + +If you do not have a live repro or traces already collected, you can still +collect traces after the UWP network connectivity issue has happened by running +these commands in an admin command prompt + +```xml + + Netsh wfp show netevents + Netsh wfp show state +``` + +**Netsh wfp show netevents** creates netevents.xml, which contains the past +net events. **Netsh wfp show state** creates wfpstate.xml, which contains +the current filters present on the machine. + +Unfortunately, collecting traces after the UWP network connectivity issue is not +always reliable. + +NetEvents on the device are stored in a buffer. Once that buffer has reached +maximum capacity, the buffer will overwrite older net events. Due to the buffer +overwrite, it is possible that the collected netevents.xml will not contain the +net event associated with the UWP network connectivity issue. It could have been ov +overwritten. 
Additionally, filters on the device can get deleted and re-added +with different filterIds due to miscellaneous events on the device. Because of +this, a **filterId** from **netsh wfp show netevents** may not necessarily match any +filter in **netsh wfp show state** because that **filterId** may be outdated. + +If you can reproduce the UWP network connectivity issue consistently, we +recommend using the commands from Debugging Live Drops instead. + +Additionally, you can still follow the examples from Debugging Live Drops +section using the trace commands in this section, even if you do not have a live +repro. The **netEvents** and filters are stored in one file in Debugging Live Drops +as opposed to two separate files in the following Debugging Past Drops examples. + +## Case 7: Debugging Past Drop - UWP app cannot reach Internet target address and has no capabilities + +In this example, the UWP app is unable to connect to bing.com. + +Classify Drop Net Event, NetEvents-Case-7.xml + +```xml + +
                    +2020-05-04T22:04:07.039Z + +FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET +FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET +FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET +FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET +FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET +FWPM_NET_EVENT_FLAG_APP_ID_SET +FWPM_NET_EVENT_FLAG_USER_ID_SET +FWPM_NET_EVENT_FLAG_IP_VERSION_SET +FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + +FWP_IP_VERSION_V4 +6 +10.195.36.30 +204.79.197.200 +57062 +443 +0 + 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 +\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. +.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.2...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + +S-1-5-21-1578316205-4060061518-881547182-1000 +FWP_AF_INET +S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + +0 + +
                    +FWPM_NET_EVENT_TYPE_CLASSIFY_DROP + +206064 +48 +0 +1 +1 +MS_FWP_DIRECTION_OUT +false + +0 +0 + + + +0000000000000000 + +0 + + + +206064 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH +FWP_ACTION_BLOCK + + +206049 +FWPP_SUBLAYER_INTERNAL_FIREWALL_WF +FWP_ACTION_PERMIT + + + +
                    +``` + +The Internal fields lists no active capabilities, and the packet is dropped at +filter 206064. + +This is a default block rule filter, meaning the packet passed through every +filter that could have allowed it, but because conditions didn’t match for any +those filters, the packet fell to the filter which blocks any packet that the +Security Descriptor doesn’t match. + +**Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml** + +```xml + +{f138d1ad-9293-478f-8519-c3368e796711} + +Block Outbound Default Rule +Block Outbound Default Rule + + +FWPM_PROVIDER_MPSSVC_WSH + +2e65000000000000 +.e...... + +FWPM_LAYER_ALE_AUTH_CONNECT_V4 +FWPM_SUBLAYER_MPSSVC_WSH + +FWP_EMPTY + + + +FWPM_CONDITION_ALE_PACKAGE_ID +FWP_MATCH_NOT_EQUAL + +FWP_SID +S-1-0-0 + + + + +FWP_ACTION_BLOCK + + +0 + +206064 + +FWP_UINT64 +274877906944 + + +``` +## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities + +In this example, the UWP app successfully connects to bing.com [204.79.197.200]. + +**Classify Allow Net Event, NetEvents-Case-8.xml** + +```xml + +
                    + 2020-05-04T18:49:55.101Z + + FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET + FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET + FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET + FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET + FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET + FWPM_NET_EVENT_FLAG_APP_ID_SET + FWPM_NET_EVENT_FLAG_USER_ID_SET + FWPM_NET_EVENT_FLAG_IP_VERSION_SET + FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET + + FWP_IP_VERSION_V4 + 6 + 10.195.36.30 + 204.79.197.200 + 61673 + 443 + 0 + + 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000 + \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m. + .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e... + + S-1-5-21-1578316205-4060061518-881547182-1000 + FWP_AF_INET + S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936 + + 0 + +
                    + FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW + + 208757 + 48 + 0 + 1 + 1 + + + + 0000000000000000 + + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT + FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER + FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK + + 0 + + + + 208757 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH + FWP_ACTION_PERMIT + + + 206049 + FWPP_SUBLAYER_INTERNAL_FIREWALL_WF + FWP_ACTION_PERMIT + + + +
                    +``` +All capabilities are enabled and the resulting filter determining the flow of the packet is 208757. + +The filter stated above with action permit: + +**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml** +```xml + + {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5} + + InternetClient Default Rule + InternetClient Default Rule + + + FWPM_PROVIDER_MPSSVC_WSH + + e167000000000000 + .g...... + + FWPM_LAYER_ALE_AUTH_CONNECT_V4 + FWPM_SUBLAYER_MPSSVC_WSH + + FWP_EMPTY + + + + FWPM_CONDITION_ALE_PACKAGE_ID + FWP_MATCH_NOT_EQUAL + + FWP_SID + S-1-0-0 + + + + FWPM_CONDITION_IP_REMOTE_ADDRESS + FWP_MATCH_RANGE + + FWP_RANGE_TYPE + + + FWP_UINT32 + 0.0.0.0 + + + FWP_UINT32 + 255.255.255.255 + + + + + + FWPM_CONDITION_ORIGINAL_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_CURRENT_PROFILE_ID + FWP_MATCH_EQUAL + + FWP_UINT32 + 1 + + + + FWPM_CONDITION_ALE_USER_ID + FWP_MATCH_EQUAL + + FWP_SECURITY_DESCRIPTOR_TYPE + O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN) + + + + + FWP_ACTION_PERMIT + + + 0 + + 208757 + + FWP_UINT64 + 412316868544 + + +``` +The capabilities field in a netEvent was added to the traces in the Windows 10 +May 2019 Update. diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index 26796b6814..0449d6b01f 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md 
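Review bot: the two CheckNetIsolation commands in the loopback section (`CheckNetIsolation.exe LoopbackExempt -a -n=` and `CheckNetIsolation.exe LoopbackExempt -is -n=`) have nothing after `-n=`; the placeholder for the package family name has gone missing, so add one (for example `-n=<PackageFamilyName>`) and, since this is a debugging section, say whether the exemption should be removed once debugging is done. Further points in the same file: the `Netsh wfp capture start keywords=19` / `Netsh wfp capture stop` block should carry a line between the two commands telling the reader to reproduce the issue at that point, which is what the capture is for; the netsh block under "Debugging Past Drops" (`Netsh wfp show netevents`, `Netsh wfp show state`) is fenced as `xml` while the earlier command blocks use `console`, the sentence introducing it ends without a period, and "It could have been ov overwritten." has a duplicated fragment. "Wfpdiag-Case2.xml" in Case 2 should read "Wfpdiag-Case-2.xml" like the other captions. Markdown emphasis does not render inside code fences, so `**Block Outbound Default Rule**` in the Case 2 filter, the `****` and `**FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK**` lines in the Case 3 netEvent, and the stray `/t` in the Case 2 filter appear literally and corrupt the XML; point the reader at the field in the prose instead. Case numbering jumps from Case 5 to Case 7, and Cases 3 and 4 end at the netEvent without the closing explanation the other cases give (which capability was missing and which filter blocked). In Case 2, "would have matched a condition for a non-default block filter" is confusing; "a permit filter such as the InternetClient Default Rule shown in Case 1" says what is meant. In the introduction, "This ensures the application's granular access to each resource type and preventing the application from escaping its environment" needs "and prevents", and in Case 1 the fragment "From the netEvent capabilities section, capabilities from netEvent, Wfpdiag-Case-1.xml." is not a sentence and should become the bold caption of the block that follows it.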
@@ -20,13 +20,12 @@ ms.author: dansimp Designing any deployment starts by performing several important tasks: -- [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) +- [Identifying your windows defender firewall with advanced security design goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) -- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) +- [Mapping your implementation goals to a Windows Defender Firewall with Advanced Security design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) -- [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) -After you identify your deployment goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: +After you identify your implementation goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics: - [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 7cbeb23689..a7178f39fe 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md 
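Review bot: the first bullet's new link text lowercases the product name ("windows defender firewall with advanced security") while the second bullet keeps "Windows Defender Firewall with Advanced Security" capitalized; product names keep their capitalization, and the two bullets should follow the same sentence-case convention. The second bullet now says "Mapping your implementation goals..." but still links to `mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md`, and the first still says "design goals" while linking to `...-deployment-goals.md`, so the link text no longer matches the target topics; either rename those topics in the same change or keep the original wording. Removing the "Evaluating Windows Defender Firewall with Advanced Security Design Examples" bullet leaves the intro promising "several important tasks" with only two listed; confirm the removal is intended and that the topic is still linked from somewhere.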
+++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md @@ -1,6 +1,6 @@ --- title: Verify That Network Traffic Is Authenticated (Windows 10) -description: Verify That Network Traffic Is Authenticated +description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index d91723c3d2..ddb0304065 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,6 +1,6 @@ --- -title: Deploy Windows Defender Firewall with Advanced Security (Windows 10) -description: Windows Defender Firewall with Advanced Security Deployment Guide +title: Windows Defender Firewall with Advanced Security deployment overview (Windows 10) +description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: ms.author: dansimp @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 08/17/2017 --- -# Windows Defender Firewall with Advanced Security Deployment Guide +# Windows Defender Firewall with Advanced Security deployment overview **Applies to** - Windows 10 
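Review bot: the deployment guide's title and H1 change from "Deployment Guide" to "deployment overview", but the body of the same file, as the later hunks show, still refers to itself as "this guide" ("Use the checklists ... to deploy your particular design", "This guide does not provide:"), and the file name stays windows-firewall-with-advanced-security-deployment-guide.md; align the self-references with the new title or keep "guide". The new description for verify-that-network-traffic-is-authenticated.md is a clear improvement over the echoed title. ms.date remains 08/17/2017 for the deployment guide despite the content edits; consider bumping it.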
@@ -46,8 +46,8 @@ After you select your design and gather the required information about the zones - [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md) Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design. - ->**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. +> [!CAUTION] +> We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies. In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded.   
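Review bot: converting to `> [!CAUTION]` also drops the blank line between the "Use the checklists..." paragraph and the alert, so the alert now abuts the preceding paragraph; restore the blank line so the alert renders as its own block. The unchanged sentence "In a large enterprise environment with hundreds or thousands of GPOs, ..." is the consequence the caution warns about but sits outside the quoted alert; prefix it with `> ` so it stays part of the caution, or make the separation deliberate. The whitespace-only line after that paragraph should go as well.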
@@ -61,10 +61,4 @@ This guide does not provide: - Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication. -## Overview of Windows Defender Firewall with Advanced Security - -Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. - -The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. - For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). 
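Review bot: this hunk deletes the entire "Overview of Windows Defender Firewall with Advanced Security" section, which is the only place in this topic that explains what the firewall does (stateful filtering of inbound and outbound traffic, IPsec authentication to refuse untrusted devices, IPsec encryption against packet analyzers on the network) and why the MMC snap-in rather than the Control Panel program is needed for enterprise management. Confirm that windows-firewall-with-advanced-security.md, which the remaining "For more information" link points to, covers these points; otherwise the deletion is a loss of content rather than a deduplication.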
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 70c8912478..d6b2ed3cde 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10) -description: Windows Defender Firewall with Advanced Security Design Guide +title: Windows Defender Firewall with Advanced Security design guide (Windows 10) +description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: ms.author: dansimp @@ -17,8 +17,7 @@ ms.topic: conceptual ms.date: 10/05/2017 --- -# Windows Defender Firewall with Advanced Security -Design Guide +# Windows Defender Firewall with Advanced Security design guide **Applies to** - Windows 10 
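Review bot: the front-matter hunk changes title and description but leaves `ms.date: 10/05/2017` untouched; docs convention is to bump `ms.date` when visible content changes, so update it here. Joining the heading that was split across two lines (`# Windows Defender Firewall with Advanced Security` / `Design Guide`) is the right fix, since the second line was rendering as body text, but note that the new lowercase "design guide" now disagrees with the title-case link text "Windows Defender Firewall with Advanced Security Design Guide" still used elsewhere in this same change; pick one casing for the topic name.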
@@ -40,7 +39,7 @@ Windows Defender Firewall should be part of a comprehensive security solution th To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory. -You can use the deployment goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: +You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here: - **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized. 
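Review bot: renaming "deployment goals" to "implementation goals" in the body introduces an inconsistency with the linked topic titles, which still read "Identifying Your ... Deployment Goals" and "Mapping Your Deployment Goals ...", and with the file names identifying-your-...-deployment-goals.md and mapping-your-deployment-goals-to-....md. Either rename the terminology consistently across the topic titles (file names can stay for link stability) or leave "deployment goals" here; a reader following the link otherwise sees two names for the same concept.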
@@ -68,9 +67,8 @@ Deployment Guide at these locations: | Topic | Description | - | - | | [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. | -| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security deployment goals. | -| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. | -| [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Defender Firewall to improve the security of the computers connected to the network. | +| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security implementation goals. 
| +| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. | | [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. | | [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. | | [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). | diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 3573bb28b5..9718aa85cf 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md 
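Review bot: this hunk drops the table row for evaluating-windows-firewall-with-advanced-security-design-examples.md, but nothing else in the change deletes or redirects that topic. If the file still exists, it is now unreachable from the design guide's topic table; either keep the row (its description also deserved a rewrite, since "Learn how to use Windows Defender Firewall to improve the security of the computers connected to the network" does not describe design examples) or remove the topic and add a redirect in the same change.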
@@ -25,10 +25,17 @@ ms.custom: asr This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. +## Overview of Windows Defender Firewall with Advanced Security + +Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user. + +The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment. + + + ## Feature description -Windows Defender Firewall with Advanced Security -is an important part of a layered security model. 
By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. +Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy. ## Practical applications 
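Review bot: the overview paragraphs moved into windows-firewall-with-advanced-security.md still open with "Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 ...", an OS list that predates Windows 10 and reads oddly in a Windows 10 topic; update or drop the version list. The three consecutive blank `+` lines before `## Feature description` should collapse to one. The new section also overlaps with the "Feature description" paragraph that follows it (both introduce host-based filtering and IPsec); consider merging them so the page does not define the product twice. Joining "Windows Defender Firewall with Advanced Security is an important part of a layered security model." onto one line is a good fix for the broken paragraph.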
@@ -41,12 +48,4 @@ To help address your organizational network security challenges, Windows Defende - **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). -## In this section -| Topic | Description -| - | - | -| [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Microsoft Store apps that run on devices. | -| [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. | -| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. | -| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. | -| [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. | diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md index 2b22a606de..c2522f3e4c 100644 --- a/windows/whats-new/get-started-with-1709.md +++ b/windows/whats-new/get-started-with-1709.md 
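Review bot: in windows-firewall-with-advanced-security.md, removing the "In this section" table deletes the only in-page links to five child topics (isolating Microsoft Store apps, IKEv2 end-to-end IPsec, PowerShell administration, the design guide and the deployment guide). Confirm the TOC exposes all five, or keep a short "Related topics" list; otherwise the PowerShell administration and IKEv2 topics in particular lose their main entry point from this overview.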
@@ -1,6 +1,6 @@ --- title: Get started with Windows 10, version 1709 -description: Learn the dos and don'ts for getting started with Windows 10, version 1709. +description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history. keywords: ["get started", "windows 10", "fall creators update", "1709"] ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index ba0090d559..309ce421df 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -1,7 +1,7 @@ --- title: What's new in Windows 10, version 1809 ms.reviewer: -description: New and updated features in Windows 10, version 1809 +description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803. keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"] ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 8518f5c4af..8c86914b6b 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md 
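Review bot: the new 1809 description, "Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803", repeats "features ... including features ... included" and is hard to parse; something like "Learn about the new features in Windows 10, version 1809, and the fixes from earlier Windows 10, version 1803 cumulative updates that it includes" says the same thing more clearly. The 1709 description reads fine.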
@@ -124,6 +124,16 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. - Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215). +## Networking + +### Wi-Fi 6 and WPA3 + +Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks. 
+ +### TEAP + +In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea). + ## Virtualization ### Windows Sandbox
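Review bot: "WPA3 provides improved Wi-Fi security and secures open networks" conflates two things: encryption for open networks is Wi-Fi Enhanced Open (OWE), which the Wi-Fi Alliance certifies separately from WPA3, so consider "WPA3 provides improved Wi-Fi security, and Wi-Fi Enhanced Open encrypts traffic on open networks". In the TEAP paragraph, the "enterprise policy" link points at the MS-GPWL protocol specification; an IT Pro reader looking for how to configure TEAP profiles would be better served by a link to the wireless Group Policy or profile documentation, with the protocol spec as a secondary reference. Also add a blank line between the last Delivery Optimization bullet and the new `## Networking` heading so the heading is not parsed as part of the list.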